[isar-cip-core][PATCH 0/7] SWUpdate/secure boot for ARM, related recipe updates

public inbox for cip-dev@lists.cip-project.org
 help / color / mirror / Atom feed

From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Christian Storm <christian.storm@siemens.com>,
	Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [isar-cip-core][PATCH 0/7] SWUpdate/secure boot for ARM, related recipe updates
Date: Mon, 11 Jul 2022 21:40:51 +0200	[thread overview]
Message-ID: <cover.1657568458.git.jan.kiszka@siemens.com> (raw)

Finally, this enables also 32-bit ARM for UEFI-based SWUpdate and secure
boot, analogously to ARM64. We need to update EFI Boot Guard to 0.12 and
also bump the cip-kernel-config revision for this. U-Boot is updated to
fix a security bug in its hash validation code for signed UEFI binaries.

One special patch is needed for the efibootguard plugin: mcopy from
buster does not work properly with recursive copying, and that breaks
the boot partition setup.

Jan

Jan Kiszka (7):
  linux-cip: Update cip-kernel-config revision
  efibootguard: Do not rely on mcopy to perform recursive copies
  efibootguard: Update to release 0.12
  u-boot-qemu-arm64: Update to 2022.07
  u-boot-qemu-arm64: Generalize the recipe
  Add support for ARM-based swupdate/secure boot image
  ci: Add qemu-arm target for secure boot with swupdate

 .gitlab-ci.yml                                |  12 ++
 Kconfig                                       |   4 +-
 conf/machine/qemu-arm.conf                    |   5 +
 conf/machine/qemu-arm64.conf                  |   2 +
 kas/opt/efibootguard.yml                      |   1 +
 ...bootguard_0.11.bb => efibootguard_0.12.bb} |   5 +-
 ...efile-Drop-nostdinc-for-EFI-binaries.patch |  28 -----
 ...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ------------------
 recipes-bsp/u-boot/files/secure-boot.cfg      |   6 -
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |   6 +
 .../u-boot/u-boot-qemu-arm64_2022.07.bb       |  16 +++
 recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb |  16 +++
 ...rm64_2022.04.bb => u-boot-qemu-common.inc} |  11 +-
 recipes-kernel/linux/linux-cip-common.inc     |   2 +-
 .../wic/plugins/source/efibootguard-boot.py   |   1 +
 .../wic/plugins/source/efibootguard-efi.py    |   7 +-
 start-qemu.sh                                 |   4 +-
 wic/qemu-arm-efibootguard-secureboot.wks.in   |   1 +
 wic/qemu-arm-efibootguard.wks.in              |   1 +
 19 files changed, 80 insertions(+), 155 deletions(-)
 rename recipes-bsp/efibootguard/{efibootguard_0.11.bb => efibootguard_0.12.bb} (85%)
 delete mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
 delete mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
 delete mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
 create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
 create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
 create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb
 rename recipes-bsp/u-boot/{u-boot-qemu-arm64_2022.04.bb => u-boot-qemu-common.inc} (77%)
 create mode 120000 wic/qemu-arm-efibootguard-secureboot.wks.in
 create mode 120000 wic/qemu-arm-efibootguard.wks.in

-- 
2.35.3

next             reply	other threads:[~2022-07-11 19:41 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-11 19:40 Jan Kiszka [this message]
2022-07-11 19:40 ` [isar-cip-core][PATCH 1/7] linux-cip: Update cip-kernel-config revision Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 2/7] efibootguard: Do not rely on mcopy to perform recursive copies Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 3/7] efibootguard: Update to release 0.12 Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 4/7] u-boot-qemu-arm64: Update to 2022.07 Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 5/7] u-boot-qemu-arm64: Generalize the recipe Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 6/7] Add support for ARM-based swupdate/secure boot image Jan Kiszka
2022-07-11 19:40 ` [isar-cip-core][PATCH 7/7] ci: Add qemu-arm target for secure boot with swupdate Jan Kiszka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1657568458.git.jan.kiszka@siemens.com \
    --to=jan.kiszka@siemens.com \
    --cc=christian.storm@siemens.com \
    --cc=cip-dev@lists.cip-project.org \
    --cc=quirin.gylstorff@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox