From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com, Felix Moessbauer
Subject: [PATCH 00/10] Add support for secureboot using Debian boot chain
Date: Fri, 23 Dec 2022 08:40:48 +0000
Message-Id: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
This series adds basic infrastructure to create ISAR images that can be booted on a stock amd64 machine with secureboot and MS keys. Even if this comes with A LOT of limitations, we believe that this is a very needed feature: More and more systems have Secureboot (SB) enabled as default (MS keys enrolled) and often SB itself cannot be turned off. Having support for that in ISAR makes it possible to create two-staged images, where one image is used to configure the SB (enroll keys, configure MOK) and then boot the actual target image. Currently, in this situation a debian live image has to be used to do the configuration (if the firmware graphical interface does not support it).

When reviewing, please note the following:

- this series is in a very early state, but fully works in a QEMU as well as on some stock laptops
- it is AMD64 only and that will not change (Debian limitations)
- we need to make changes in the bootimg-efi-isar.py WIC plugin. These are additions only and are very debian specific, hence these should also remain ISAR only and not be proposed for OE
- the key handling topic (p6-8) is not mature from a conceptual perspective. Anyways, we do not want to spend too much time on it as this is just an example of how key management could be done
- testing infrastructure is completely missing and that will not change soon, as we need to maintain a state across reboots of the qemu.
- These patches provide an easy way to create an image with any (signed) stock debian kernel that boots on most (all) SB enabled AMD64 machines. For that, no EFI config is required.
The series is structured as following:

p1-p3:  bare minimal support to boot with secureboot
p4,5:   module signing
p6-end: examples and helpers

Try it out:

Build it:

  bitbake mc:qemuamd64-sb-bullseye:isar-image-base

Start it (consider adding -enable-kvm to get some decent performance):

  start_vm -a amd64-sb -d bullseye -s

Check if SB is actually enabled (detected):

  dmesg | grep secure

prints something like

  UEFI Secureboot is enabled

Try to load the example-module (it should fail):

  modprobe example-module

Enroll our MOK and reboot:

  mokutil --import /etc/sb-mok-keys/MOK/MOK.der

Now, use the previously defined password to enroll the key, then reboot.
Now our image should be up again and modprobe example-module should work.

Best regards,
Felix
Siemens AG

Felix Moessbauer (10):
  wic: add option to use debian EFI shim
  add debian sb chain bootloader dependencies
  add example wic file for sb debian boot chain
  style: split overlong line in module.inc
  add support to sign kernel modules
  add example to generate and distribute MOK data
  add signed variant of example-module
  add new machine qemuamd64-sb and corresponding mc
  fix: only append kargs and extra_kargs if set
  start_vm: add support for secureboot

 meta-isar/conf/local.conf.sample                |  1 +
 meta-isar/conf/machine/qemuamd64-sb.conf        | 20 ++++++++++++++
 .../multiconfig/qemuamd64-sb-bullseye.conf      | 12 +++++++++
 .../example-module/example-module-signed.bb     | 14 ++++++++++
 .../sb-mok-keys/files/Makefile.tmpl             | 27 +++++++++++++++++++
 .../sb-mok-keys/sb-mok-keys.bb                  | 23 ++++++++++++++++
 .../sb-mok-public/files/rules                   | 12 +++++++++
 .../sb-mok-public/sb-mok-public.bb              | 17 ++++++++++++
 .../wic/canned-wks/sdimage-efi-sb-debian.wks    | 10 +++++++
 meta/conf/distro/debian-common.conf             |  3 +++
 .../linux-module/files/debian/rules.tmpl        |  3 +++
 meta/recipes-kernel/linux-module/module.inc     | 15 ++++++++++-
 .../wic/plugins/source/bootimg-efi-isar.py      | 16 +++++++++++
 scripts/start_vm                                | 10 ++++++-
 14 files changed, 181 insertions(+), 2 deletions(-)
 create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
 create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
 create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signed.bb
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
 create mode 100644 meta-isar/scripts/lib/wic/canned-wks/sdimage-efi-sb-debian.wks

-- 
2.34.1
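As an added example (not part of this series or of ISAR), a small Python check for the module-signing step above: it parses the signature footer that the kernel's sign-file appends to a .ko, so a build can tell the signed example-module from the unsigned one before relying on modprobe to reject it at boot. The struct layout follows the kernel's module_signature; the sample module bytes and the PKCS#7 stand-in are constructed, and the function reports the signature's presence and size without verifying it cryptographically.

```python
import struct

# Layout the kernel expects on a signed .ko (see kernel/module/signing.c and
# scripts/sign-file): <ELF data><PKCS#7 blob><struct module_signature><marker>
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes total).
_SIG_INFO = struct.Struct(">BBBBB3xI")


def parse_module_signature(ko: bytes):
    """Return None for an unsigned module, else a dict describing the
    appended signature. Presence/shape check only, no crypto verification."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[: -len(MODULE_SIG_STRING)]
    if len(body) < _SIG_INFO.size:
        raise ValueError("truncated module_signature footer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = _SIG_INFO.unpack(
        body[-_SIG_INFO.size:])
    # The kernel only accepts PKCS#7 with the legacy fields zeroed (mod_check_sig).
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unsupported signature type")
    payload = body[: -_SIG_INFO.size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size")
    return {
        "module_len": len(payload) - sig_len,
        "sig_len": sig_len,
        "pkcs7": payload[len(payload) - sig_len:],
    }


def append_fake_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Build the same footer sign-file would append. Constructed test data:
    pkcs7 is an opaque stand-in, not a real signature."""
    info = _SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MODULE_SIG_STRING


# Constructed sample inputs: an unsigned stand-in and a "signed" variant.
UNSIGNED_KO = b"\x7fELF" + b"\x00" * 60
SIGNED_KO = append_fake_signature(UNSIGNED_KO, b"\x30\x82\x01\x00" + b"A" * 16)
```

Run it against the real example-module.ko and example-module-signed.ko from the build to see which one carries a footer; a missing footer is the reason the unsigned module fails to load under Secure Boot.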