From: "Dinesh Kumar" <dinesh.kumar@toshiba-tsip.com>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections
Date: Wed, 05 May 2021 21:39:05 -0700
Message-ID: <3359.1620275945325684568@lists.cip-project.org>
In-Reply-To: <9c3ef309-f2e8-0624-a118-d3e375d40559@siemens.com>

On Wed, May 5, 2021 at 10:17 PM, Jan Kiszka wrote:
>
> Dinesh, your citation settings are broken. When sending plaintext, as it
> is common on public lists, you need to set the mark "> " at the
> beginning of all cited lines.

Yes, I have just changed the settings and made it plaintext while replying; earlier it was HTML. I hope this will fix the issue.
Thanks for pointing it out.

> On 30.04.21 16:06, Dinesh Kumar wrote:
> > On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
> >
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > - Add code block for key insertion for better visibility
> > - Correct the template for user-generated keys
> > - Add information where to store the keys
> >
> > Add build command for user generated keys
> >
> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > ---
> >
> > Changes in V2:
> > - remove unnecessary new-lines
> >
> > doc/README.secureboot.md | 20 +++++++++++++++-----
> > 1 file changed, 15 insertions(+), 5 deletions(-)
> >
> > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> > index 84131bb..0996edc 100644
> > --- a/doc/README.secureboot.md
> > +++ b/doc/README.secureboot.md
> > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
> > contains no keys can be instrumented f
> > scripts/start-efishell.sh secureboot-tools
> > ```
> > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
> > following steps:
> >
> > +```
> >
> > Do you want to mention that qemu-system-x86_64 --version should be 5.2.0 or
> > higher, as default Debian buster has an older version of qemu and this step
> > fails with an older version?
> > Also, these steps can't be executed remotely as it launches a UI window for
> > QEMU, so it should be done locally.
>
> Feel free to send a patch (or MR if that is easier) that adjusts things,
> Dinesh.
Sure, I will do that.
> >
> > -> "Edit Keys"
> > -> "The Allowed Signatures Database (db)"
> > -> "Add New Key"
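Review bot: step 4, the context line directly above the added opening fence, still reads "execute the the following steps"; since this is a corrections pass over exactly this spot, drop the duplicated "the" in the same change. While touching the step, putting `FS0:\KeyTool.efi` in backticks would separate the command from the sentence, matching the code block the menu path now gets.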
> > @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
> > -> "Replace Key(s)"
> > -> Change/Confirm device
> > -> Select "PK.auth" file
> > +```
> > 5. quit QEMU
> >
> > ### Build image
> >
> > Build the image with a signed efibootguard and unified kernel image
> > with the snakeoil keys by executing:
> > +
> > ```
> > kas-container build
> >
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
> > ```
> >
> > -For user-generated keys, create a new option file. This option file
> > could look like this:
> > +For user-generated keys, create a new option file in the
> > repository. This option file could look like this:
> > ```
> > header:
> > version: 10
> > includes:
> > - - opt/ebg-swu.yml
> > - - opt/ebg-secure-boot-initramfs.yml
> > + - kas/opt/ebg-swu.yml
> > + - kas/opt/ebg-secure-boot-base.yml
> >
> > local_conf_header:
> > secure-boot: |
> > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> > IMAGER_INSTALL += "ebg-secure-boot-secrets"
> > - user-keys:
> > + user-keys: |
> > SB_CERTDB = "democertdb"
> > SB_VERIFY_CERT = "demo.crt"
> > SB_KEY_NAME = "demo"
> > ```
> >
> > -Replace `demo` with the name of the user-generated certificates.
> > +Replace `demo` with the name of the user-generated certificates.
> > The user-generated certificates
> > +need to stored in the folder
> > `recipes-devtools/ebg-secure-boot-secrets/files`.
> > +
> > +Build the image with user-generated keys by executing the command:
> > +
> > +```
> > +kas-container build
> > kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
> > the new option>.yml
> > +```
> >
> > ### Start the image
> >
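Review bot: the added sentence after the sample option file reads "need to stored in the folder" and should be "need to be stored"; it also names only certificates, while the sample sets SB_CERTDB, SB_VERIFY_CERT and SB_KEY_NAME, so list exactly which files have to be placed in `recipes-devtools/ebg-secure-boot-secrets/files` and say whether private key material put there has to be kept out of version control. The sample now includes `kas/opt/ebg-swu.yml`, and the new build command passes `kas/opt/ebg-swu.yml` again on the command line; keep one of the two. For consistency with the blank line added before the first `kas-container build` fence, add one before the option-file fence as well.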
> > Where are you taking care of my below point? I don't see it yet
> >
> > Keys and certs generated by scripts/generate_secure_boot_keys.sh are
> > not available to build command, so I have to move them in
> > recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
> >
>
> Quirin?
>
> Jan
>
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux
>