Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections

["Dinesh Kumar" <dinesh.kumar@toshiba-tsip.com>]

[-- Attachment #1.1: Type: text/plain, Size: 3296 bytes --]

On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:

> 
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> - Add code block for key insertion for better visibility
> - Correct the template for user-generated keys
> - Add information where to store the keys
> 
> Add build command for user generated keys
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> 
> Changes in V2:
> - remove unnecessary new-lines
> 
> doc/README.secureboot.md | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
> 
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> index 84131bb..0996edc 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no
> keys can be instrumented f
> scripts/start-efishell.sh secureboot-tools
> ```
> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following
> steps:

> 
> +```

Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or higher as default Debian buster has older version of qemu and this step fails with older version.
Also these steps can't be executed remotely as it launches UI window for QEMU, so it should be done locally.

> 
> -> "Edit Keys"
> -> "The Allowed Signatures Database (db)"
> -> "Add New Key"
> @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
> -> "Replace Key(s)"
> -> Change/Confirm device
> -> Select "PK.auth" file
> +```
> 5. quit QEMU
> 
> ### Build image
> 
> Build the image with a signed efibootguard and unified kernel image
> with the snakeoil keys by executing:
> +
> ```
> kas-container build
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
> 
> ```
> 
> -For user-generated keys, create a new option file. This option file could
> look like this:
> +For user-generated keys, create a new option file in the repository. This
> option file could look like this:
> ```
> header:
> version: 10
> includes:
> - - opt/ebg-swu.yml
> - - opt/ebg-secure-boot-initramfs.yml
> + - kas/opt/ebg-swu.yml
> + - kas/opt/ebg-secure-boot-base.yml
> 
> local_conf_header:
> secure-boot: |
> IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> IMAGER_INSTALL += "ebg-secure-boot-secrets"
> - user-keys:
> + user-keys: |
> SB_CERTDB = "democertdb"
> SB_VERIFY_CERT = "demo.crt"
> SB_KEY_NAME = "demo"
> ```
> 
> -Replace `demo` with the name of the user-generated certificates.
> +Replace `demo` with the name of the user-generated certificates. The
> user-generated certificates
> +need to stored in the folder
> `recipes-devtools/ebg-secure-boot-secrets/files`.
> +
> +Build the image with user-generated keys by executing the command:
> +
> +```
> +kas-container build
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new
> option>.yml
> +```
> 
> ### Start the image

Where are you taking care of my below point? I don't see it yet

> 
> Keys and certs generated by scripts/generate_secure_boot_keys.sh are not
> available to build command, so I have to move them in
> recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work

> 
> 
> --
> 2.20.1

[-- Attachment #1.2: Type: text/html, Size: 3557 bytes --]

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6409): https://lists.cip-project.org/g/cip-dev/message/6409
Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-