From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH 00/12] Fixes and improvements for SWUpdate images, kernel/config update
Date: Wed, 4 May 2022 21:45:48 +0200
Message-ID: <cover.1651693560.git.jan.kiszka@siemens.com>
Various updates and enhancements I try to summarize here:
- qemu-arm64 enabling for SWUpdate/secure boot using the UEFI pattern
- update to EFI Boot Guard 0.11
- switch to unified kernel images built by EFI Boot Guard
- fix for verity setups with CONFIG_DM_VERITY=m
- improve error handling when mounting /etc overlay
- update to latest CIP kernels and cip-kernel-config
Jan
Jan Kiszka (12):
initramfs-etc-overlay-hook: Improve error reporting of script
initramfs-etc-overlay-hook: Install overlay module
initramfs-abrootfs-hook: Remove obsolete patch
Rework secure boot key handling and signing recipes
linux-cip: Update cip-kernel-config for QEMU and ipc227e
linux-cip: Update to 4.19.239-cip72 and 5.10.112-cip6
efibootguard: Update to 0.11 release
efibootguard: Use new unified kernel image generation
efibootguard: Add support for embedding DTBs into unified kernel
images
u-boot-qemu-arm64: Add recipe for customized version based on 2022.04
Enable SWUpdate with and w/o secure boot for QEMU arm64
start-qemu.sh: Add support for SWUpdate and secure boot mode to arm64
Kconfig | 6 +-
conf/machine/qemu-arm64.conf | 3 +
doc/README.secureboot.md | 22 ++--
kas/opt/ebg-secure-boot-snakeoil.yml | 10 +-
kas/opt/efibootguard.yml | 6 +-
...bootguard_0.10.bb => efibootguard_0.11.bb} | 4 +-
...efile-Drop-nostdinc-for-EFI-binaries.patch | 28 +++++
.../0001-configure-Fix-aarch64-EFI-arch.patch | 28 -----
.../efibootguard/files/debian/control.tmpl | 2 +-
.../files/debian/efibootguard.install | 3 +-
...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ++++++++++++++++++
recipes-bsp/u-boot/files/rules | 40 +++++++
recipes-bsp/u-boot/files/secure-boot.cfg | 6 +
.../u-boot/u-boot-qemu-arm64_2022.04.bb | 50 ++++++++
.../ebg-secure-boot-secrets_0.1.bb | 51 ---------
.../ebg-secure-boot-secrets/files/README.md | 1 -
.../files/control.tmpl | 12 --
.../files/sign_secure_image.sh.tmpl | 22 ----
.../ebg-secure-boot-signer_0.1.bb | 26 +++++
.../files/sign_secure_image.sh | 33 ++++++
.../ebg-secure-boot-snakeoil_0.1.bb | 34 ------
.../files/control.tmpl | 12 --
.../files/sign_secure_image.sh | 36 ------
.../files/PkKek-1-snakeoil.key | 27 +++++
.../files/PkKek-1-snakeoil.pem | 21 ++++
.../secure-boot-key_0.1.bb | 14 +++
.../secure-boot-secrets.inc | 34 ++++++
.../secure-boot-snakeoil_0.1.bb | 17 +++
.../files/debian-local-patch | 103 -----------------
.../files/etc-overlay.hook | 25 ++++
.../files/etc-overlay.script | 4 +-
.../initramfs-etc-overlay-hook_0.1.bb | 3 +
recipes-kernel/linux/linux-cip-common.inc | 2 +-
...5-cip70.bb => linux-cip_4.19.239-cip72.bb} | 2 +-
...106-cip4.bb => linux-cip_5.10.112-cip6.bb} | 2 +-
.../wic/plugins/source/efibootguard-boot.py | 42 ++++---
start-qemu.sh | 67 +++++++----
wic/qemu-arm64-efibootguard-secureboot.wks.in | 15 +++
wic/qemu-arm64-efibootguard.wks.in | 13 +++
39 files changed, 558 insertions(+), 375 deletions(-)
rename recipes-bsp/efibootguard/{efibootguard_0.10.bb => efibootguard_0.11.bb} (90%)
create mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
delete mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
create mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
create mode 100755 recipes-bsp/u-boot/files/rules
create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook
rename recipes-kernel/linux/{linux-cip_4.19.235-cip70.bb => linux-cip_4.19.239-cip72.bb} (72%)
rename recipes-kernel/linux/{linux-cip_5.10.106-cip4.bb => linux-cip_5.10.112-cip6.bb} (72%)
create mode 100644 wic/qemu-arm64-efibootguard-secureboot.wks.in
create mode 100644 wic/qemu-arm64-efibootguard.wks.in
--
2.34.1