From: Felix Moessbauer <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com,
Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc
Date: Fri, 23 Dec 2022 08:40:56 +0000 [thread overview]
Message-ID: <20221223084058.1899957-9-felix.moessbauer@siemens.com> (raw)
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
The newly added machine qemuamd64-sb provides a bare minimal config to
boot an ISAR image on a stock amd64 system with secureboot enabled and
default MS keys enrolled. To make that work, we use the stock debian
bootloader chain, which is the debian-shim (signed by MS) that loads
grub (signed by Debian) that loads a vanilla debian kernel (signed by
debian). By that, this configuration will only work with official debian
kernels for the initial boot. Once this is booted, we can use the running
system to modify the MOK and/or control the signatures that are
allowed to be loaded by the firmware.
The qemuamd64-sb-bullseye multiconfig extends that pattern and adds
support to modify the MOK. For that, we add the mok shim helper (.efi)
and the mokutil userspace tool to modify the MOK.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/local.conf.sample | 1 +
meta-isar/conf/machine/qemuamd64-sb.conf | 20 +++++++++++++++++++
.../multiconfig/qemuamd64-sb-bullseye.conf | 12 +++++++++++
3 files changed, 33 insertions(+)
create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 57d0620..77b3a32 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -53,6 +53,7 @@ BBMULTICONFIG = " \
qemuamd64-stretch \
qemuamd64-buster \
qemuamd64-bullseye \
+ qemuamd64-sb-bullseye \
qemuamd64-bookworm \
container-amd64-stretch \
container-amd64-buster \
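Review bot: adding qemuamd64-sb-bullseye to the sample BBMULTICONFIG puts it into the default build set, and the machine conf it selects boots against a fixed host path (/usr/share/OVMF/OVMF_CODE_4M.ms.fd); please confirm the build/CI hosts ship that firmware, or mention the ovmf host dependency next to this entry so a missing file is not discovered only when start_vm fails.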
diff --git a/meta-isar/conf/machine/qemuamd64-sb.conf b/meta-isar/conf/machine/qemuamd64-sb.conf
new file mode 100644
index 0000000..c581ab3
--- /dev/null
+++ b/meta-isar/conf/machine/qemuamd64-sb.conf
@@ -0,0 +1,20 @@
+# This software is a part of ISAR.
+# Copyright (C) 2022 Siemens AG
+
+DISTRO_ARCH ?= "amd64"
+
+KERNEL_NAME ?= "amd64"
+
+IMAGE_FSTYPES ?= "wic"
+WKS_FILE ?= "sdimage-efi-sb-debian"
+IMAGER_INSTALL += "${GRUB_DEBIAN_SB_CHAIN}"
+
+IMAGE_INSTALL += "sshd-regen-keys"
+
+QEMU_ARCH ?= "x86_64"
+QEMU_MACHINE ?= "q35"
+QEMU_CPU ?= ""
+QEMU_DISK_ARGS ?= "-drive file=##ROOTFS_IMAGE##,format=raw -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on"
+
+MACHINE_SERIAL ?= "ttyS0"
+BAUDRATE_TTY ?= "115200"
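Review bot: QEMU_DISK_ARGS attaches only the read-only code flash (unit=0, OVMF_CODE_4M.ms.fd) and no writable variable store, so MOK entries enrolled from the booted system, which is the stated purpose of the sb-bullseye multiconfig, have nowhere to persist and are lost on the next VM start; suggest adding a per-VM copy of the matching VARS image as a second pflash drive, e.g. `-drive if=pflash,format=raw,unit=1,file=<per-VM copy of OVMF_VARS_4M.ms.fd>`. The firmware path is also hardcoded; exposing it through a weak-assigned variable (name is up to you) would let local.conf point at a different OVMF build without overriding the whole QEMU_DISK_ARGS line.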
diff --git a/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf b/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
new file mode 100644
index 0000000..19a105e
--- /dev/null
+++ b/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
@@ -0,0 +1,12 @@
+# This software is a part of ISAR.
+MACHINE ?= "qemuamd64-sb"
+DISTRO ?= "debian-bullseye"
+
+# include public keys
+IMAGE_INSTALL += "sb-mok-public"
+# include signed example module
+IMAGE_INSTALL += "example-module-signed-${KERNEL_NAME}"
+
+# add MOK utilities to insert MOK into EFI
+IMAGER_INSTALL += "${GRUB_DEBIAN_SB_MOK}"
+IMAGE_PREINSTALL += "mokutil"
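Review bot: the header comment lacks the Copyright line that qemuamd64-sb.conf carries; please add it for consistency. The comment "include public keys" would also read better if it said which keys: that sb-mok-public carries the MOK certificate the example-module-signed-${KERNEL_NAME} package is signed with, so a reader sees why both are installed together and that mokutil is only there to enroll that certificate.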
--
2.34.1
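As an added example, not part of this patch or the ISAR project: a small POSIX sh lint for a QEMU_DISK_ARGS value like the one in qemuamd64-sb.conf, checking the three launch-line pieces a Secure Boot enabled OVMF VM needs (the secure property on the pflash device, an MS-enrolled read-only code flash, and a writable variable store for MOK/db changes). The requirement list is this reviewer's assumption, the sample values are constructed inline, and the VARS file path is a placeholder.

```sh
#!/bin/sh
# Added example (not part of the patch or of ISAR): lint a QEMU_DISK_ARGS value
# for the three pieces an OVMF Secure Boot launch needs. The requirement list
# is this reviewer's assumption; the sample strings are constructed below.

# Constructed sample 1: the value from qemuamd64-sb.conf (code flash only).
SAMPLE_ARGS='-drive file=##ROOTFS_IMAGE##,format=raw -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on'

# Constructed sample 2: the same value plus a writable variable store;
# the file name is a placeholder for a per-VM copy of the vendor VARS image.
FIXED_ARGS="$SAMPLE_ARGS -drive if=pflash,format=raw,unit=1,file=/path/to/vm-specific-OVMF_VARS.fd"

# check_sb_args ARGS
# Prints one line per missing requirement and returns the number of
# missing items, so a return value of 0 means the launch line is complete.
check_sb_args() {
    args=$1
    missing=0

    # 1. Secure Boot enforcement on the pflash device.
    case "$args" in
        *"property=secure,value=on"*) ;;
        *) echo "missing: -global driver=cfi.pflash01,property=secure,value=on"
           missing=$((missing + 1)) ;;
    esac

    # 2. A read-only code flash that carries the MS certificates (*.ms.fd).
    case "$args" in
        *"if=pflash"*"unit=0"*".ms.fd"*"readonly=on"*) ;;
        *) echo "missing: read-only MS-enrolled code flash (if=pflash,unit=0,*.ms.fd,readonly=on)"
           missing=$((missing + 1)) ;;
    esac

    # 3. A writable variable store (unit=1): without it, MOK and db changes
    #    made from the booted system are not kept across VM restarts.
    case "$args" in
        *"if=pflash"*"unit=1"*) ;;
        *) echo "missing: writable OVMF variable store (if=pflash,unit=1)"
           missing=$((missing + 1)) ;;
    esac

    return "$missing"
}

# Stand-alone run: report on both constructed samples.
for a in "$SAMPLE_ARGS" "$FIXED_ARGS"; do
    if check_sb_args "$a"; then
        echo "ok: launch line is complete"
    fi
done
```

Run it as-is to see the first sample flagged for the missing variable store and the second sample pass; the same function can be pointed at any other machine's QEMU_DISK_ARGS string before the multiconfig is added to a default build set.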
Thread overview: 17+ messages
2022-12-23 8:40 [PATCH 00/10] Add support for secureboot using Debian boot chain Felix Moessbauer
2022-12-23 8:40 ` [PATCH 01/10] wic: add option to use debian EFI shim Felix Moessbauer
2022-12-23 8:40 ` [PATCH 02/10] add debian sb chain bootloader dependencies Felix Moessbauer
2022-12-23 8:40 ` [PATCH 03/10] add example wic file for sb debian boot chain Felix Moessbauer
2022-12-23 8:40 ` [PATCH 04/10] style: split overlong line in module.inc Felix Moessbauer
2022-12-23 8:40 ` [PATCH 05/10] add support to sign kernel modules Felix Moessbauer
2022-12-23 8:40 ` [PATCH 06/10] add example to generated and distribute MOK data Felix Moessbauer
2023-02-03 6:05 ` Jan Kiszka
2022-12-23 8:40 ` [PATCH 07/10] add signed variant of example-module Felix Moessbauer
2022-12-23 8:40 ` Felix Moessbauer [this message]
2022-12-23 8:40 ` [PATCH 09/10] fix: only append kargs and extra_kargs if set Felix Moessbauer
2022-12-23 8:40 ` [PATCH 10/10] start_vm: add support for secureboot Felix Moessbauer
2023-01-27 5:07 ` Uladzimir Bely
2023-01-27 8:11 ` Moessbauer, Felix
2023-01-27 8:41 ` Florian Bezdeka
2023-01-27 9:10 ` Uladzimir Bely
2023-01-25 7:17 ` [PATCH 00/10] Add support for secureboot using Debian boot chain Uladzimir Bely