From: "Dinesh Kumar" <dinesh.kumar@toshiba-tsip.com>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections
Date: Wed, 05 May 2021 21:46:50 -0700
Message-ID: <1707.1620276410983872256@lists.cip-project.org>
In-Reply-To: <77651949-83ac-5a97-4ccb-b047d9f21867@siemens.com>
On Thu, May 6, 2021 at 12:24 AM, Quirin Gylstorff wrote:
>
>
>
> On 5/5/21 6:47 PM, Jan Kiszka wrote:
> > Dinesh, your citation settings are broken. When sending plaintext, as is
> > common on public lists, you need to set the mark "> " at the
> > beginning of all cited lines.
> >
> > On 30.04.21 16:06, Dinesh Kumar wrote:
> >> On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
> >>
> >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >>
> >> - Add code block for key insertion for better visibility
> >> - Correct the template for user-generated keys
> >> - Add information where to store the keys
> >>
> >> Add build command for user generated keys
> >>
> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >> ---
> >>
> >> Changes in V2:
> >> - remove unnecessary new-lines
> >>
> >> doc/README.secureboot.md | 20 +++++++++++++++-----
> >> 1 file changed, 15 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> >> index 84131bb..0996edc 100644
> >> --- a/doc/README.secureboot.md
> >> +++ b/doc/README.secureboot.md
> >> @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
> >> contains no keys can be instrumented f
> >> scripts/start-efishell.sh secureboot-tools
> >> ```
> >> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
> >> following steps:
> >>
> >> +```
> >>
> >> Do you want to mention that qemu-system-x86_64 --version should be 5.2.0 or
> >> higher, as the default Debian buster has an older version of qemu and this step
> >> fails with the older version?
> >> Also, these steps can't be executed remotely as they launch a UI window for
> >> QEMU, so they should be done locally.
> >
> > Feel free to send a patch (or MR if that is easier) that adjusts things,
> > Dinesh.
> >
> >>
> >> -> "Edit Keys"
> >> -> "The Allowed Signatures Database (db)"
> >> -> "Add New Key"
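Review bot: the context line "Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps" carries a doubled "the"; since this hunk already edits the line right after it, drop the duplicate in the same patch. The QEMU requirement raised in the thread (qemu-system-x86_64 5.2.0 or higher, and a local display because QEMU opens a UI window) is also not yet reflected in this region; a one-line note beside the start-efishell step would cover it.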
> >> @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
> >> -> "Replace Key(s)"
> >> -> Change/Confirm device
> >> -> Select "PK.auth" file
> >> +```
> >> 5. quit QEMU
> >>
> >> ### Build image
> >>
> >> Build the image with a signed efibootguard and unified kernel image
> >> with the snakeoil keys by executing:
> >> +
> >> ```
> >> kas-container build
> >>
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
> >> ```
> >>
> >> -For user-generated keys, create a new option file. This option file
> >> could look like this:
> >> +For user-generated keys, create a new option file in the
> >> repository. This option file could look like this:
> >> ```
> >> header:
> >> version: 10
> >> includes:
> >> - - opt/ebg-swu.yml
> >> - - opt/ebg-secure-boot-initramfs.yml
> >> + - kas/opt/ebg-swu.yml
> >> + - kas/opt/ebg-secure-boot-base.yml
> >>
> >> local_conf_header:
> >> secure-boot: |
> >> IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> >> IMAGER_INSTALL += "ebg-secure-boot-secrets"
> >> - user-keys:
> >> + user-keys: |
> >> SB_CERTDB = "democertdb"
> >> SB_VERIFY_CERT = "demo.crt"
> >> SB_KEY_NAME = "demo"
> >> ```
> >>
> >> -Replace `demo` with the name of the user-generated certificates.
> >> +Replace `demo` with the name of the user-generated certificates.
>
> I added the following sentence to the README for the keys:
>
> The formatting is off:
> >> The user-generated certificates
> >> +need to stored in the folder
> >> `recipes-devtools/ebg-secure-boot-secrets/files`.
>
>
> Dinesh, is that sufficient?
Yes, Quirin, that's sufficient to point it out.
>
> Quirin
> >> +
> >> +Build the image with user-generated keys by executing the command:
> >> +
> >> +```
> >> +kas-container build
> >> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
> >> the new option>.yml
> >> +```
> >>
> >> ### Start the image
> >>
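Review bot: the sentence added after "Replace `demo` with the name of the user-generated certificates." reads "need to stored", missing "be". It also names only the certificates, while the open point in the thread is that the keys and certs produced by scripts/generate_secure_boot_keys.sh are not seen by the build; state that both the key and the certificate belong in `recipes-devtools/ebg-secure-boot-secrets/files`, and, since that folder lives inside the repository, that the private key must not be committed. The change from `user-keys:` to `user-keys: |` is correct: without the block-scalar indicator the three indented `SB_*` lines would not be kept as a literal multi-line string for local.conf.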
> >> Where are you taking care of my point below? I don't see it yet.
> >>
> >> Keys and certs generated by scripts/generate_secure_boot_keys.sh are
> >> not available to the build command, so I have to move them into the
> >> recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work.
> >>
> >
> > Quirin?
> >
> > Jan
> >
>