On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:<br />
<blockquote>From: Quirin Gylstorff &lt;quirin.gylstorff@siemens.com&gt;<br /><br />- Add code block for key insertion for better visibility<br />- Correct the template for user-generated keys<br />- Add information where to store the keys<br /><br />Add build command for user generated keys<br /><br />Signed-off-by: Quirin Gylstorff &lt;quirin.gylstorff@siemens.com&gt;<br />---<br /><br />Changes in V2:<br />- remove unnecessary new-lines<br /><br />doc/README.secureboot.md | 20 +++++++++++++++-----<br />1 file changed, 15 insertions(+), 5 deletions(-)<br /><br />diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md<br />index 84131bb..0996edc 100644<br />--- a/doc/README.secureboot.md<br />+++ b/doc/README.secureboot.md<br />@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f<br />scripts/start-efishell.sh secureboot-tools<br />```<br />4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:</blockquote>
<blockquote>+```</blockquote>
Do you want to mention&nbsp;qemu-system-x86_64 --version should be 5.2.0 or higher as default Debian buster has older version of qemu and this step fails with older version.<br />Also these steps can't be executed remotely as it launches UI window for QEMU, so it should be done locally.<br />
<blockquote>-&gt; "Edit Keys"<br />-&gt; "The Allowed Signatures Database (db)"<br />-&gt; "Add New Key"<br />@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools<br />-&gt; "Replace Key(s)"<br />-&gt; Change/Confirm device<br />-&gt; Select "PK.auth" file<br />+```<br />5. quit QEMU<br /><br />### Build image<br /><br />Build the image with a signed efibootguard and unified kernel image<br />with the snakeoil keys by executing:<br />+<br />```<br />kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml<br />```<br /><br />-For user-generated keys, create a new option file. This option file could look like this:<br />+For user-generated keys, create a new option file in the repository. This option file could look like this:<br />```<br />header:<br />version: 10<br />includes:<br />- - opt/ebg-swu.yml<br />- - opt/ebg-secure-boot-initramfs.yml<br />+ - kas/opt/ebg-swu.yml<br />+ - kas/opt/ebg-secure-boot-base.yml<br /><br />local_conf_header:<br />secure-boot: |<br />IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"<br />IMAGER_INSTALL += "ebg-secure-boot-secrets"<br />- user-keys:<br />+ user-keys: |<br />SB_CERTDB = "democertdb"<br />SB_VERIFY_CERT = "demo.crt"<br />SB_KEY_NAME = "demo"<br />```<br /><br />-Replace `demo` with the name of the user-generated certificates.<br />+Replace `demo` with the name of the user-generated certificates. The user-generated certificates<br />+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.<br />+<br />+Build the image with user-generated keys by executing the command:<br />+<br />+```<br />+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:&lt;path to the new option&gt;.yml<br />+```<br /><br />### Start the image</blockquote>
Where are you taking care of my below point? I don't see it yet<br />
<blockquote>Keys and certs generated by scripts/generate_secure_boot_keys.sh are not available to build command, so I have to move them in recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work</blockquote>
<blockquote><br />-- <br />2.20.1</blockquote>