From: Felix Moessbauer <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com,
Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH 00/10] Add support for secureboot using Debian boot chain
Date: Fri, 23 Dec 2022 08:40:48 +0000
Message-ID: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
This series adds basic infrastructure to create ISAR images that
can be booted on a stock amd64 machine with secureboot and MS keys.
Even if this comes with A LOT of limitations, we believe that this
is a very needed feature: More and more systems have Secureboot (SB)
enabled as default (MS keys enrolled) and often SB itself cannot be
turned off. Having support for that in ISAR makes it possible to
create two-staged images, where one image is used to configure the
SB (enroll keys, configure MOK) and then boot the actual target image.
Currently, in this situation a debian live image has to be used to
do the configuration (if the firmware graphical interface does not
support it).
When reviewing, please note the following:
- this series is in a very early state, but fully works in a QEMU
as well as on some stock laptops
- it is AMD64 only and that will not change (Debian limitations)
- we need to make changes in the bootimg-efi-isar.py WIC plugin.
These are additions only and are very debian specific, hence these
should also remain ISAR only and not be proposed for OE
- the key handling topic (p6-8) is not mature from a conceptual
perspective. Anyways, we do not want to spend too much time on it
as this is just an example how key management could be done
- testing infrastructure is completely missing and that will not change
soon, as we need to maintain a state across reboots of the qemu.
- These patches provide an easy way to create an image with any (signed)
stock debian kernel that boots on most (all) SB enabled AMD64 machines.
For that, no EFI config is required.
The series is structured as follows:
p1-p3: bare minimal support to boot with secureboot
p4,5: module signing
p6-end: examples and helpers
Try it out:

Build it:

    bitbake mc:qemuamd64-sb-bullseye:isar-image-base

Start it (consider adding -enable-kvm to get some decent performance):

    start_vm -a amd64-sb -d bullseye -s

Check if SB is actually enabled (detected):

    dmesg | grep secure

prints something like "UEFI Secureboot is enabled".

Try to load the example-module (it should fail):

    modprobe example-module

Enroll our MOK and reboot:

    mokutil --import /etc/sb-mok-keys/MOK/MOK.der

Now, use the previously defined password to enroll the key, then reboot.
Now our image should be up again and modprobe example-module should work.
Best regards,
Felix
Siemens AG
Felix Moessbauer (10):
wic: add option to use debian EFI shim
add debian sb chain bootloader dependencies
add example wic file for sb debian boot chain
style: split overlong line in module.inc
add support to sign kernel modules
add example to generate and distribute MOK data
add signed variant of example-module
add new machine qemuamd64-sb and corresponding mc
fix: only append kargs and extra_kargs if set
start_vm: add support for secureboot
meta-isar/conf/local.conf.sample | 1 +
meta-isar/conf/machine/qemuamd64-sb.conf | 20 ++++++++++++++
.../multiconfig/qemuamd64-sb-bullseye.conf | 12 +++++++++
.../example-module/example-module-signed.bb | 14 ++++++++++
.../sb-mok-keys/files/Makefile.tmpl | 27 +++++++++++++++++++
.../sb-mok-keys/sb-mok-keys.bb | 23 ++++++++++++++++
.../sb-mok-public/files/rules | 12 +++++++++
.../sb-mok-public/sb-mok-public.bb | 17 ++++++++++++
.../wic/canned-wks/sdimage-efi-sb-debian.wks | 10 +++++++
meta/conf/distro/debian-common.conf | 3 +++
.../linux-module/files/debian/rules.tmpl | 3 +++
meta/recipes-kernel/linux-module/module.inc | 15 ++++++++++-
.../wic/plugins/source/bootimg-efi-isar.py | 16 +++++++++++
scripts/start_vm | 10 ++++++-
14 files changed, 181 insertions(+), 2 deletions(-)
create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signed.bb
create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
create mode 100644 meta-isar/scripts/lib/wic/canned-wks/sdimage-efi-sb-debian.wks
--
2.34.1
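The "Try it out" walk-through above relies on two things the reader has to verify by eye: that the firmware really booted with Secure Boot enforced, and that the module being probed actually carries an appended signature. The script below is an added example, not part of this series, of ISAR, or of Debian's tooling. It reads the SecureBoot/SetupMode variables the same way the kernel does (efivarfs exposes each variable as 4 attribute bytes followed by the data), and it parses the trailer that kernel module signing appends to a .ko: the PKCS#7 blob, a 12-byte struct module_signature, and the fixed marker "~Module signature appended~\n". Assumed are the default efivarfs mount point and, in the usage line, a module path under /lib/modules; the MOK path is the one named in the cover letter.

```shell
#!/bin/bash
# Added example: pre-flight checks for a Secure Boot test image.
# Not part of the ISAR series; assumes efivarfs at /sys/firmware/efi/efivars.
set -u

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID
SETUP_VAR=/sys/firmware/efi/efivars/SetupMode-$EFI_GLOBAL_GUID

# efivarfs file layout: 4 bytes of attributes, then the variable data.
# For SecureBoot and SetupMode the data is a single byte: 1 = on, 0 = off.
efivar_byte() {
  local f=$1
  [ -r "$f" ] || return 1
  od -An -tu1 -j 4 -N 1 "$f" | tr -d ' '
}

# Prints enabled / disabled / unsupported (not an EFI boot, or variable absent).
sb_state() {
  local var=${1:-$SB_VAR} v
  v=$(efivar_byte "$var") || { echo unsupported; return 0; }
  case "$v" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# A signed module ends with MODULE_SIG_STRING ("~Module signature appended~\n",
# 28 bytes), preceded by a 12-byte struct module_signature, preceded by the blob.
SIG_MARKER='~Module signature appended~'

module_is_signed() {
  local ko=$1
  [ -r "$ko" ] || return 2
  tail -c 28 "$ko" | grep -qa "^${SIG_MARKER}\$"
}

# id_type byte of struct module_signature (offset 2); the kernel only accepts
# 2 (PKCS#7) for modules, the other values are listed for diagnosis only.
module_sig_type() {
  local ko=$1 size t
  module_is_signed "$ko" || return 1
  size=$(wc -c < "$ko" | tr -d ' ')
  [ "$size" -ge 40 ] || return 1
  t=$(od -An -tu1 -j "$((size - 40 + 2))" -N 1 "$ko" | tr -d ' ')
  case "$t" in
    0) echo pgp ;; 1) echo x509 ;; 2) echo pkcs7 ;; *) echo "unknown($t)" ;;
  esac
}

# sig_len, the last field of struct module_signature (big-endian u32, offset 8).
module_sig_len() {
  local ko=$1 size len
  module_is_signed "$ko" || return 1
  size=$(wc -c < "$ko" | tr -d ' ')
  [ "$size" -ge 40 ] || return 1
  len=$(od -An -tu1 -j "$((size - 32))" -N 4 "$ko" |
        awk '{ print (($1*256 + $2)*256 + $3)*256 + $4 }')
  # The blob must fit in front of the trailer, otherwise the trailer is bogus.
  [ "$((len + 40))" -le "$size" ] || return 1
  echo "$len"
}

# The checks the cover letter walks through, against the live system.
sb_preflight() {
  local ko=${1:-} mok=${2:-/etc/sb-mok-keys/MOK/MOK.der}
  echo "Secure Boot: $(sb_state)"
  if [ "$(efivar_byte "$SETUP_VAR" 2>/dev/null)" = 1 ]; then
    echo "warning: firmware is in Setup Mode, signature checks are not enforced"
  fi
  if [ -n "$ko" ]; then
    if module_is_signed "$ko"; then
      echo "$ko: signed, $(module_sig_type "$ko") signature, $(module_sig_len "$ko") bytes"
    else
      echo "$ko: unsigned, modprobe will be refused while Secure Boot is enabled"
    fi
  fi
  # Report whether the MOK from the series' sb-mok-keys recipe is enrolled yet.
  if [ -r "$mok" ] && command -v mokutil >/dev/null; then
    mokutil --test-key "$mok"
  fi
  return 0
}

# Usage (module path is an assumption):
#   bash sb-preflight.sh preflight /lib/modules/$(uname -r)/extra/example-module.ko
case "${1:-}" in preflight) sb_preflight "${2:-}" "${3:-}" ;; esac
```

Running sb_preflight before and after the mokutil --import / reboot step gives the same evidence as the dmesg grep and the failing modprobe, but also distinguishes "Secure Boot off" from "Setup Mode on" (both let an unsigned module load) and shows whether the .ko being probed is the signed variant at all.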
Thread overview: 17+ messages
2022-12-23 8:40 Felix Moessbauer [this message]
2022-12-23 8:40 ` [PATCH 01/10] wic: add option to use debian EFI shim Felix Moessbauer
2022-12-23 8:40 ` [PATCH 02/10] add debian sb chain bootloader dependencies Felix Moessbauer
2022-12-23 8:40 ` [PATCH 03/10] add example wic file for sb debian boot chain Felix Moessbauer
2022-12-23 8:40 ` [PATCH 04/10] style: split overlong line in module.inc Felix Moessbauer
2022-12-23 8:40 ` [PATCH 05/10] add support to sign kernel modules Felix Moessbauer
2022-12-23 8:40 ` [PATCH 06/10] add example to generate and distribute MOK data Felix Moessbauer
2023-02-03 6:05 ` Jan Kiszka
2022-12-23 8:40 ` [PATCH 07/10] add signed variant of example-module Felix Moessbauer
2022-12-23 8:40 ` [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc Felix Moessbauer
2022-12-23 8:40 ` [PATCH 09/10] fix: only append kargs and extra_kargs if set Felix Moessbauer
2022-12-23 8:40 ` [PATCH 10/10] start_vm: add support for secureboot Felix Moessbauer
2023-01-27 5:07 ` Uladzimir Bely
2023-01-27 8:11 ` Moessbauer, Felix
2023-01-27 8:41 ` Florian Bezdeka
2023-01-27 9:10 ` Uladzimir Bely
2023-01-25 7:17 ` [PATCH 00/10] Add support for secureboot using Debian boot chain Uladzimir Bely