* [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections @ 2021-04-30 12:19 Quirin Gylstorff 2021-04-30 12:28 ` Jan Kiszka 2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff 0 siblings, 2 replies; 9+ messages in thread From: Quirin Gylstorff @ 2021-04-30 12:19 UTC (permalink / raw) To: dinesh.kumar, jan.kiszka, cip-dev; +Cc: Quirin Gylstorff [-- Attachment #1: Type: text/plain, Size: 2500 bytes --] From: Quirin Gylstorff <quirin.gylstorff@siemens.com> - Add code block for key insertion for better visibility - Correct the template for user-generated keys - Add information where to store the keys Add build command for user generated keys Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- doc/README.secureboot.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 84131bb..12787cf 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f scripts/start-efishell.sh secureboot-tools ``` 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: +``` -> "Edit Keys" -> "The Allowed Signatures Database (db)" -> "Add New Key" @@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools -> "Replace Key(s)" -> Change/Confirm device -> Select "PK.auth" file +``` 5. quit QEMU ### Build image + + Build the image with a signed efibootguard and unified kernel image with the snakeoil keys by executing: + ``` kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml ``` -For user-generated keys, create a new option file. This option file could look like this: +For user-generated keys, create a new option file in the repository. This option file could look like this: ``` header: version: 10 includes: - - opt/ebg-swu.yml - - opt/ebg-secure-boot-initramfs.yml + - kas/opt/ebg-swu.yml + - kas/opt/ebg-secure-boot-base.yml local_conf_header: secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" IMAGER_INSTALL += "ebg-secure-boot-secrets" - user-keys: + user-keys: | SB_CERTDB = "democertdb" SB_VERIFY_CERT = "demo.crt" SB_KEY_NAME = "demo" ``` -Replace `demo` with the name of the user-generated certificates. +Replace `demo` with the name of the user-generated certificates. The user-generated certificates +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. + +Build the image with user-generated keys by executing the command: + +``` +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml +``` + ### Start the image -- 2.20.1 [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6403): https://lists.cip-project.org/g/cip-dev/message/6403 Mute This Topic: https://lists.cip-project.org/mt/82479716/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections 2021-04-30 12:19 [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections Quirin Gylstorff @ 2021-04-30 12:28 ` Jan Kiszka 2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff 1 sibling, 0 replies; 9+ messages in thread From: Jan Kiszka @ 2021-04-30 12:28 UTC (permalink / raw) To: Q. Gylstorff, dinesh.kumar, cip-dev [-- Attachment #1: Type: text/plain, Size: 2808 bytes --] On 30.04.21 14:19, Q. Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > - Add code block for key insertion for better visibility > - Correct the template for user-generated keys > - Add information where to store the keys > > Add build command for user generated keys > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > doc/README.secureboot.md | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 84131bb..12787cf 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f > scripts/start-efishell.sh secureboot-tools > ``` > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: > +``` > -> "Edit Keys" > -> "The Allowed Signatures Database (db)" > -> "Add New Key" > @@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools > -> "Replace Key(s)" > -> Change/Confirm device > -> Select "PK.auth" file > +``` > 5. quit QEMU > > ### Build image > > + > + These two look spurious. > Build the image with a signed efibootguard and unified kernel image > with the snakeoil keys by executing: > + > ``` > kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > ``` > > -For user-generated keys, create a new option file. This option file could look like this: > +For user-generated keys, create a new option file in the repository. This option file could look like this: > ``` > header: > version: 10 > includes: > - - opt/ebg-swu.yml > - - opt/ebg-secure-boot-initramfs.yml > + - kas/opt/ebg-swu.yml > + - kas/opt/ebg-secure-boot-base.yml > > local_conf_header: > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > IMAGER_INSTALL += "ebg-secure-boot-secrets" > - user-keys: > + user-keys: | > SB_CERTDB = "democertdb" > SB_VERIFY_CERT = "demo.crt" > SB_KEY_NAME = "demo" > ``` > > -Replace `demo` with the name of the user-generated certificates. > +Replace `demo` with the name of the user-generated certificates. The user-generated certificates > +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. > + > +Build the image with user-generated keys by executing the command: > + > +``` > +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml > +``` > + Unneded new-line? > > ### Start the image > > Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6404): https://lists.cip-project.org/g/cip-dev/message/6404 Mute This Topic: https://lists.cip-project.org/mt/82479716/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* [cip-dev][isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-04-30 12:19 [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections Quirin Gylstorff 2021-04-30 12:28 ` Jan Kiszka @ 2021-04-30 13:15 ` Quirin Gylstorff 2021-04-30 14:06 ` [cip-dev] [isar-cip-core][PATCH " Dinesh Kumar 2021-04-30 14:51 ` [cip-dev][isar-cip-core][PATCH " Jan Kiszka 1 sibling, 2 replies; 9+ messages in thread From: Quirin Gylstorff @ 2021-04-30 13:15 UTC (permalink / raw) To: dinesh.kumar, jan.kiszka, cip-dev; +Cc: Quirin Gylstorff [-- Attachment #1: Type: text/plain, Size: 2540 bytes --] From: Quirin Gylstorff <quirin.gylstorff@siemens.com> - Add code block for key insertion for better visibility - Correct the template for user-generated keys - Add information where to store the keys Add build command for user generated keys Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- Changes in V2: - remove unnecessary new-lines doc/README.secureboot.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 84131bb..0996edc 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f scripts/start-efishell.sh secureboot-tools ``` 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: +``` -> "Edit Keys" -> "The Allowed Signatures Database (db)" -> "Add New Key" @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools -> "Replace Key(s)" -> Change/Confirm device -> Select "PK.auth" file +``` 5. quit QEMU ### Build image Build the image with a signed efibootguard and unified kernel image with the snakeoil keys by executing: + ``` kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml ``` -For user-generated keys, create a new option file. This option file could look like this: +For user-generated keys, create a new option file in the repository. This option file could look like this: ``` header: version: 10 includes: - - opt/ebg-swu.yml - - opt/ebg-secure-boot-initramfs.yml + - kas/opt/ebg-swu.yml + - kas/opt/ebg-secure-boot-base.yml local_conf_header: secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" IMAGER_INSTALL += "ebg-secure-boot-secrets" - user-keys: + user-keys: | SB_CERTDB = "democertdb" SB_VERIFY_CERT = "demo.crt" SB_KEY_NAME = "demo" ``` -Replace `demo` with the name of the user-generated certificates. +Replace `demo` with the name of the user-generated certificates. The user-generated certificates +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. + +Build the image with user-generated keys by executing the command: + +``` +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml +``` ### Start the image -- 2.20.1 [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6407): https://lists.cip-project.org/g/cip-dev/message/6407 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff @ 2021-04-30 14:06 ` Dinesh Kumar 2021-05-05 16:47 ` Jan Kiszka 2021-04-30 14:51 ` [cip-dev][isar-cip-core][PATCH " Jan Kiszka 1 sibling, 1 reply; 9+ messages in thread From: Dinesh Kumar @ 2021-04-30 14:06 UTC (permalink / raw) To: cip-dev [-- Attachment #1.1: Type: text/plain, Size: 3296 bytes --] On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote: > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > - Add code block for key insertion for better visibility > - Correct the template for user-generated keys > - Add information where to store the keys > > Add build command for user generated keys > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > > Changes in V2: > - remove unnecessary new-lines > > doc/README.secureboot.md | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 84131bb..0996edc 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no > keys can be instrumented f > scripts/start-efishell.sh secureboot-tools > ``` > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following > steps: > > +``` Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or higher as default Debian buster has older version of qemu and this step fails with older version. Also these steps can't be executed remotely as it launches UI window for QEMU, so it should be done locally. > > -> "Edit Keys" > -> "The Allowed Signatures Database (db)" > -> "Add New Key" > @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools > -> "Replace Key(s)" > -> Change/Confirm device > -> Select "PK.auth" file > +``` > 5. quit QEMU > > ### Build image > > Build the image with a signed efibootguard and unified kernel image > with the snakeoil keys by executing: > + > ``` > kas-container build > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > > ``` > > -For user-generated keys, create a new option file. This option file could > look like this: > +For user-generated keys, create a new option file in the repository. This > option file could look like this: > ``` > header: > version: 10 > includes: > - - opt/ebg-swu.yml > - - opt/ebg-secure-boot-initramfs.yml > + - kas/opt/ebg-swu.yml > + - kas/opt/ebg-secure-boot-base.yml > > local_conf_header: > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > IMAGER_INSTALL += "ebg-secure-boot-secrets" > - user-keys: > + user-keys: | > SB_CERTDB = "democertdb" > SB_VERIFY_CERT = "demo.crt" > SB_KEY_NAME = "demo" > ``` > > -Replace `demo` with the name of the user-generated certificates. > +Replace `demo` with the name of the user-generated certificates. The > user-generated certificates > +need to stored in the folder > `recipes-devtools/ebg-secure-boot-secrets/files`. > + > +Build the image with user-generated keys by executing the command: > + > +``` > +kas-container build > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new > option>.yml > +``` > > ### Start the image Where are you taking care of my below point? I don't see it yet > > Keys and certs generated by scripts/generate_secure_boot_keys.sh are not > available to build command, so I have to move them in > recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work > > > -- > 2.20.1 [-- Attachment #1.2: Type: text/html, Size: 3557 bytes --] [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6409): https://lists.cip-project.org/g/cip-dev/message/6409 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-04-30 14:06 ` [cip-dev] [isar-cip-core][PATCH " Dinesh Kumar @ 2021-05-05 16:47 ` Jan Kiszka 2021-05-05 18:47 ` Quirin Gylstorff 2021-05-06 4:39 ` Dinesh Kumar 0 siblings, 2 replies; 9+ messages in thread From: Jan Kiszka @ 2021-05-05 16:47 UTC (permalink / raw) To: cip-dev, Dinesh Kumar, Quirin Gylstorff [-- Attachment #1: Type: text/plain, Size: 3984 bytes --] Dinesh, your citation settings are broken. When sending plaintext, as it is common on public lists, you need to set the mark "> " at the beginning of all cited line. On 30.04.21 16:06, Dinesh Kumar wrote: > On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote: > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > - Add code block for key insertion for better visibility > - Correct the template for user-generated keys > - Add information where to store the keys > > Add build command for user generated keys > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > > Changes in V2: > - remove unnecessary new-lines > > doc/README.secureboot.md | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 84131bb..0996edc 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd > contains no keys can be instrumented f > scripts/start-efishell.sh secureboot-tools > ``` > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the > following steps: > > +``` > > Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or > higher as default Debian buster has older version of qemu and this step > fails with older version. > Also these steps can't be executed remotely as it launches UI window for > QEMU, so it should be done locally. Feel free to send a patch (or MR if that is easier) that adjust things, Dinesh. > > -> "Edit Keys" > -> "The Allowed Signatures Database (db)" > -> "Add New Key" > @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools > -> "Replace Key(s)" > -> Change/Confirm device > -> Select "PK.auth" file > +``` > 5. quit QEMU > > ### Build image > > Build the image with a signed efibootguard and unified kernel image > with the snakeoil keys by executing: > + > ``` > kas-container build > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > ``` > > -For user-generated keys, create a new option file. This option file > could look like this: > +For user-generated keys, create a new option file in the > repository. This option file could look like this: > ``` > header: > version: 10 > includes: > - - opt/ebg-swu.yml > - - opt/ebg-secure-boot-initramfs.yml > + - kas/opt/ebg-swu.yml > + - kas/opt/ebg-secure-boot-base.yml > > local_conf_header: > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > IMAGER_INSTALL += "ebg-secure-boot-secrets" > - user-keys: > + user-keys: | > SB_CERTDB = "democertdb" > SB_VERIFY_CERT = "demo.crt" > SB_KEY_NAME = "demo" > ``` > > -Replace `demo` with the name of the user-generated certificates. > +Replace `demo` with the name of the user-generated certificates. > The user-generated certificates > +need to stored in the folder > `recipes-devtools/ebg-secure-boot-secrets/files`. > + > +Build the image with user-generated keys by executing the command: > + > +``` > +kas-container build > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to > the new option>.yml > +``` > > ### Start the image > > Where are you taking care of my below point? I don't see it yet > > Keys and certs generated by scripts/generate_secure_boot_keys.sh are > not available to build command, so I have to move them in > recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work > Quirin? Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6429): https://lists.cip-project.org/g/cip-dev/message/6429 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-05-05 16:47 ` Jan Kiszka @ 2021-05-05 18:47 ` Quirin Gylstorff 2021-05-06 4:46 ` Dinesh Kumar 2021-05-06 4:39 ` Dinesh Kumar 1 sibling, 1 reply; 9+ messages in thread From: Quirin Gylstorff @ 2021-05-05 18:47 UTC (permalink / raw) To: Jan Kiszka, cip-dev, Dinesh Kumar [-- Attachment #1: Type: text/plain, Size: 4276 bytes --] On 5/5/21 6:47 PM, Jan Kiszka wrote: > Dinesh, your citation settings are broken. When sending plaintext, as it > is common on public lists, you need to set the mark "> " at the > beginning of all cited line. > > On 30.04.21 16:06, Dinesh Kumar wrote: >> On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote: >> >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> - Add code block for key insertion for better visibility >> - Correct the template for user-generated keys >> - Add information where to store the keys >> >> Add build command for user generated keys >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> >> Changes in V2: >> - remove unnecessary new-lines >> >> doc/README.secureboot.md | 20 +++++++++++++++----- >> 1 file changed, 15 insertions(+), 5 deletions(-) >> >> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md >> index 84131bb..0996edc 100644 >> --- a/doc/README.secureboot.md >> +++ b/doc/README.secureboot.md >> @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd >> contains no keys can be instrumented f >> scripts/start-efishell.sh secureboot-tools >> ``` >> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the >> following steps: >> >> +``` >> >> Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or >> higher as default Debian buster has older version of qemu and this step >> fails with older version. >> Also these steps can't be executed remotely as it launches UI window for >> QEMU, so it should be done locally. > > Feel free to send a patch (or MR if that is easier) that adjust things, > Dinesh. > >> >> -> "Edit Keys" >> -> "The Allowed Signatures Database (db)" >> -> "Add New Key" >> @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools >> -> "Replace Key(s)" >> -> Change/Confirm device >> -> Select "PK.auth" file >> +``` >> 5. quit QEMU >> >> ### Build image >> >> Build the image with a signed efibootguard and unified kernel image >> with the snakeoil keys by executing: >> + >> ``` >> kas-container build >> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml >> ``` >> >> -For user-generated keys, create a new option file. This option file >> could look like this: >> +For user-generated keys, create a new option file in the >> repository. This option file could look like this: >> ``` >> header: >> version: 10 >> includes: >> - - opt/ebg-swu.yml >> - - opt/ebg-secure-boot-initramfs.yml >> + - kas/opt/ebg-swu.yml >> + - kas/opt/ebg-secure-boot-base.yml >> >> local_conf_header: >> secure-boot: | >> IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" >> IMAGER_INSTALL += "ebg-secure-boot-secrets" >> - user-keys: >> + user-keys: | >> SB_CERTDB = "democertdb" >> SB_VERIFY_CERT = "demo.crt" >> SB_KEY_NAME = "demo" >> ``` >> >> -Replace `demo` with the name of the user-generated certificates. >> +Replace `demo` with the name of the user-generated certificates. I added the following sentence to the README for the keys: The formating is off: >> The user-generated certificates >> +need to stored in the folder >> `recipes-devtools/ebg-secure-boot-secrets/files`. Dinesh is that sufficient? Quirin >> + >> +Build the image with user-generated keys by executing the command: >> + >> +``` >> +kas-container build >> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to >> the new option>.yml >> +``` >> >> ### Start the image >> >> Where are you taking care of my below point? I don't see it yet >> >> Keys and certs generated by scripts/generate_secure_boot_keys.sh are >> not available to build command, so I have to move them in >> recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work >> > > Quirin? > > Jan > [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6431): https://lists.cip-project.org/g/cip-dev/message/6431 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-05-05 18:47 ` Quirin Gylstorff @ 2021-05-06 4:46 ` Dinesh Kumar 0 siblings, 0 replies; 9+ messages in thread From: Dinesh Kumar @ 2021-05-06 4:46 UTC (permalink / raw) To: cip-dev [-- Attachment #1: Type: text/plain, Size: 4656 bytes --] On Thu, May 6, 2021 at 12:24 AM, Quirin Gylstorff wrote: > > > > On 5/5/21 6:47 PM, Jan Kiszka wrote: > > Dinesh, your citation settings are broken. When sending plaintext, as it > > is common on public lists, you need to set the mark "> " at the > > beginning of all cited line. > > > > On 30.04.21 16:06, Dinesh Kumar wrote: > >> On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote: > >> > >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > >> > >> - Add code block for key insertion for better visibility > >> - Correct the template for user-generated keys > >> - Add information where to store the keys > >> > >> Add build command for user generated keys > >> > >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > >> --- > >> > >> Changes in V2: > >> - remove unnecessary new-lines > >> > >> doc/README.secureboot.md | 20 +++++++++++++++----- > >> 1 file changed, 15 insertions(+), 5 deletions(-) > >> > >> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > >> index 84131bb..0996edc 100644 > >> --- a/doc/README.secureboot.md > >> +++ b/doc/README.secureboot.md > >> @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd > >> contains no keys can be instrumented f > >> scripts/start-efishell.sh secureboot-tools > >> ``` > >> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the > >> following steps: > >> > >> +``` > >> > >> Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or > >> higher as default Debian buster has older version of qemu and this step > >> fails with older version. > >> Also these steps can't be executed remotely as it launches UI window for > >> QEMU, so it should be done locally. > > > > Feel free to send a patch (or MR if that is easier) that adjust things, > > Dinesh. > > > >> > >> -> "Edit Keys" > >> -> "The Allowed Signatures Database (db)" > >> -> "Add New Key" > >> @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools > >> -> "Replace Key(s)" > >> -> Change/Confirm device > >> -> Select "PK.auth" file > >> +``` > >> 5. quit QEMU > >> > >> ### Build image > >> > >> Build the image with a signed efibootguard and unified kernel image > >> with the snakeoil keys by executing: > >> + > >> ``` > >> kas-container build > >> > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > >> ``` > >> > >> -For user-generated keys, create a new option file. This option file > >> could look like this: > >> +For user-generated keys, create a new option file in the > >> repository. This option file could look like this: > >> ``` > >> header: > >> version: 10 > >> includes: > >> - - opt/ebg-swu.yml > >> - - opt/ebg-secure-boot-initramfs.yml > >> + - kas/opt/ebg-swu.yml > >> + - kas/opt/ebg-secure-boot-base.yml > >> > >> local_conf_header: > >> secure-boot: | > >> IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > >> IMAGER_INSTALL += "ebg-secure-boot-secrets" > >> - user-keys: > >> + user-keys: | > >> SB_CERTDB = "democertdb" > >> SB_VERIFY_CERT = "demo.crt" > >> SB_KEY_NAME = "demo" > >> ``` > >> > >> -Replace `demo` with the name of the user-generated certificates. > >> +Replace `demo` with the name of the user-generated certificates. > > I added the following sentence to the README for the keys: > > The formating is off: > >> The user-generated certificates > >> +need to stored in the folder > >> `recipes-devtools/ebg-secure-boot-secrets/files`. > > > Dinesh is that sufficient? Yes, Quirin, that's sufficient to point it out. > > Quirin > >> + > >> +Build the image with user-generated keys by executing the command: > >> + > >> +``` > >> +kas-container build > >> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to > >> the new option>.yml > >> +``` > >> > >> ### Start the image > >> > >> Where are you taking care of my below point? I don't see it yet > >> > >> Keys and certs generated by scripts/generate_secure_boot_keys.sh are > >> not available to build command, so I have to move them in > >> recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work > >> > > > > Quirin? > > > > Jan > > > [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6434): https://lists.cip-project.org/g/cip-dev/message/6434 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-05-05 16:47 ` Jan Kiszka 2021-05-05 18:47 ` Quirin Gylstorff @ 2021-05-06 4:39 ` Dinesh Kumar 1 sibling, 0 replies; 9+ messages in thread From: Dinesh Kumar @ 2021-05-06 4:39 UTC (permalink / raw) To: cip-dev [-- Attachment #1: Type: text/plain, Size: 4462 bytes --] On Wed, May 5, 2021 at 10:17 PM, Jan Kiszka wrote: > > Dinesh, your citation settings are broken. When sending plaintext, as it > is common on public lists, you need to set the mark "> " at the > beginning of all cited line. Yes, just now I have changed settings and made it plaintext while replying, earlier it was HTML. I hope it will fix this issue. Thanks for pointing it. > On 30.04.21 16:06, Dinesh Kumar wrote: > > On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote: > > > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > > > - Add code block for key insertion for better visibility > > - Correct the template for user-generated keys > > - Add information where to store the keys > > > > Add build command for user generated keys > > > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > --- > > > > Changes in V2: > > - remove unnecessary new-lines > > > > doc/README.secureboot.md | 20 +++++++++++++++----- > > 1 file changed, 15 insertions(+), 5 deletions(-) > > > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > > index 84131bb..0996edc 100644 > > --- a/doc/README.secureboot.md > > +++ b/doc/README.secureboot.md > > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd > > contains no keys can be instrumented f > > scripts/start-efishell.sh secureboot-tools > > ``` > > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the > > following steps: > > > > +``` > > > > Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or > > higher as default Debian buster has older version of qemu and this step > > fails with older version. > > Also these steps can't be executed remotely as it launches UI window for > > QEMU, so it should be done locally. > > Feel free to send a patch (or MR if that is easier) that adjust things, > Dinesh. Sure, I will do that. > > > > -> "Edit Keys" > > -> "The Allowed Signatures Database (db)" > > -> "Add New Key" > > @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools > > -> "Replace Key(s)" > > -> Change/Confirm device > > -> Select "PK.auth" file > > +``` > > 5. quit QEMU > > > > ### Build image > > > > Build the image with a signed efibootguard and unified kernel image > > with the snakeoil keys by executing: > > + > > ``` > > kas-container build > > > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > > ``` > > > > -For user-generated keys, create a new option file. This option file > > could look like this: > > +For user-generated keys, create a new option file in the > > repository. This option file could look like this: > > ``` > > header: > > version: 10 > > includes: > > - - opt/ebg-swu.yml > > - - opt/ebg-secure-boot-initramfs.yml > > + - kas/opt/ebg-swu.yml > > + - kas/opt/ebg-secure-boot-base.yml > > > > local_conf_header: > > secure-boot: | > > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > > IMAGER_INSTALL += "ebg-secure-boot-secrets" > > - user-keys: > > + user-keys: | > > SB_CERTDB = "democertdb" > > SB_VERIFY_CERT = "demo.crt" > > SB_KEY_NAME = "demo" > > ``` > > > > -Replace `demo` with the name of the user-generated certificates. > > +Replace `demo` with the name of the user-generated certificates. > > The user-generated certificates > > +need to stored in the folder > > `recipes-devtools/ebg-secure-boot-secrets/files`. > > + > > +Build the image with user-generated keys by executing the command: > > + > > +``` > > +kas-container build > > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to > > the new option>.yml > > +``` > > > > ### Start the image > > > > Where are you taking care of my below point? I don't see it yet > > > > Keys and certs generated by scripts/generate_secure_boot_keys.sh are > > not available to build command, so I have to move them in > > recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work > > > > Quirin? > > Jan > > -- > Siemens AG, T RDA IOT > Corporate Competence Center Embedded Linux > [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6433): https://lists.cip-project.org/g/cip-dev/message/6433 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH v2] README.secureboot: Corrections 2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff 2021-04-30 14:06 ` [cip-dev] [isar-cip-core][PATCH " Dinesh Kumar @ 2021-04-30 14:51 ` Jan Kiszka 1 sibling, 0 replies; 9+ messages in thread From: Jan Kiszka @ 2021-04-30 14:51 UTC (permalink / raw) To: Q. Gylstorff, dinesh.kumar, cip-dev [-- Attachment #1: Type: text/plain, Size: 2821 bytes --] On 30.04.21 15:15, Q. Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > - Add code block for key insertion for better visibility > - Correct the template for user-generated keys > - Add information where to store the keys > > Add build command for user generated keys > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > > Changes in V2: > - remove unnecessary new-lines > > doc/README.secureboot.md | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 84131bb..0996edc 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f > scripts/start-efishell.sh secureboot-tools > ``` > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: > +``` > -> "Edit Keys" > -> "The Allowed Signatures Database (db)" > -> "Add New Key" > @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools > -> "Replace Key(s)" > -> Change/Confirm device > -> Select "PK.auth" file > +``` > 5. quit QEMU > > ### Build image > > Build the image with a signed efibootguard and unified kernel image > with the snakeoil keys by executing: > + > ``` > kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > ``` > > -For user-generated keys, create a new option file. This option file could look like this: > +For user-generated keys, create a new option file in the repository. This option file could look like this: > ``` > header: > version: 10 > includes: > - - opt/ebg-swu.yml > - - opt/ebg-secure-boot-initramfs.yml > + - kas/opt/ebg-swu.yml > + - kas/opt/ebg-secure-boot-base.yml > > local_conf_header: > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > IMAGER_INSTALL += "ebg-secure-boot-secrets" > - user-keys: > + user-keys: | > SB_CERTDB = "democertdb" > SB_VERIFY_CERT = "demo.crt" > SB_KEY_NAME = "demo" > ``` > > -Replace `demo` with the name of the user-generated certificates. > +Replace `demo` with the name of the user-generated certificates. The user-generated certificates > +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. > + > +Build the image with user-generated keys by executing the command: > + > +``` > +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml > +``` > > ### Start the image > > Thanks, applied. Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux [-- Attachment #2: Type: text/plain, Size: 428 bytes --] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6412): https://lists.cip-project.org/g/cip-dev/message/6412 Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-05-06 4:46 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-04-30 12:19 [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections Quirin Gylstorff 2021-04-30 12:28 ` Jan Kiszka 2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff 2021-04-30 14:06 ` [cip-dev] [isar-cip-core][PATCH " Dinesh Kumar 2021-05-05 16:47 ` Jan Kiszka 2021-05-05 18:47 ` Quirin Gylstorff 2021-05-06 4:46 ` Dinesh Kumar 2021-05-06 4:39 ` Dinesh Kumar 2021-04-30 14:51 ` [cip-dev][isar-cip-core][PATCH " Jan Kiszka
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox