From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com, Felix Moessbauer
Subject: [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc
Date: Fri, 23 Dec 2022 08:40:56 +0000
Message-Id: <20221223084058.1899957-9-felix.moessbauer@siemens.com>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

The newly added machine qemuamd64-sb provides a bare minimal config to boot an ISAR image on a stock amd64 system with secureboot enabled and default MS keys enrolled. To make that work, we use the stock debian bootloader chain, which is the debian-shim (signed by MS) that loads grub (signed by Debian) that loads a vanilla debian kernel (signed by debian). By that, this configuration will only work with official debian kernels for the initial boot. Once this is booted, we can use the running system to modify the MOK and / or control the signatures that are allowed to be loaded by the firmware.

The qemuamd64-sb-bullseye multiconfig extends that pattern and adds support to modify the MOK. For that, we add the mok shim helper (.efi) and the mokutil userspace tool to modify the MOK.

Signed-off-by: Felix Moessbauer
---
 meta-isar/conf/local.conf.sample                 |  1 +
 meta-isar/conf/machine/qemuamd64-sb.conf         | 20 +++++++++++++++++++
 .../multiconfig/qemuamd64-sb-bullseye.conf       | 12 +++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
 create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 57d0620..77b3a32 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -53,6 +53,7 @@ BBMULTICONFIG = " \ qemuamd64-stretch \ qemuamd64-buster \ qemuamd64-bullseye \ + qemuamd64-sb-bullseye \ qemuamd64-bookworm \ container-amd64-stretch \ container-amd64-buster \ diff --git a/meta-isar/conf/machine/qemuamd64-sb.conf b/meta-isar/conf/machine/qemuamd64-sb.conf new file mode 100644 index 0000000..c581ab3 --- /dev/null +++ b/meta-isar/conf/machine/qemuamd64-sb.conf @@ -0,0 +1,20 @@ +# This software is a part of ISAR. +# Copyright (C) 2022 Siemens AG + +DISTRO_ARCH ?= "amd64" + +KERNEL_NAME ?= "amd64" + +IMAGE_FSTYPES ?= "wic" +WKS_FILE ?= "sdimage-efi-sb-debian" +IMAGER_INSTALL += "${GRUB_DEBIAN_SB_CHAIN}" + +IMAGE_INSTALL += "sshd-regen-keys" + +QEMU_ARCH ?= "x86_64" +QEMU_MACHINE ?= "q35" +QEMU_CPU ?= "" +QEMU_DISK_ARGS ?= "-drive file=##ROOTFS_IMAGE##,format=raw -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on" + +MACHINE_SERIAL ?= "ttyS0" +BAUDRATE_TTY ?= "115200" diff --git a/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf b/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf new file mode 100644 index 0000000..19a105e --- /dev/null +++ b/meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf @@ -0,0 +1,12 @@ +# This software is a part of ISAR. +MACHINE ?= "qemuamd64-sb" +DISTRO ?= "debian-bullseye" + +# include public keys +IMAGE_INSTALL += "sb-mok-public" +# include signed example module +IMAGE_INSTALL += "example-module-signed-${KERNEL_NAME}" + +# add MOK utilities to insert MOK into EFI +IMAGER_INSTALL += "${GRUB_DEBIAN_SB_MOK}" +IMAGE_PREINSTALL += "mokutil" -- 2.34.1
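Review bot: QEMU_DISK_ARGS in qemuamd64-sb.conf attaches only the unit=0 pflash with OVMF_CODE_4M.ms.fd and no unit=1 pflash with a writable, per-VM copy of the matching OVMF_VARS_4M.ms.fd; the variable store is where the pre-enrolled PK/KEK/db that the commit message relies on live, and it is also where a MOK request staged by mokutil has to survive the reboot into MokManager. If the series supplies the variable store elsewhere (wks file or start script), a comment at this line saying so would help; otherwise consider adding `-drive if=pflash,format=raw,unit=1,file=<per-build copy of OVMF_VARS_4M.ms.fd>`. The absolute host path /usr/share/OVMF/... is also hard-coded in the same line; factoring it into an `?=` variable would let users point at a different OVMF build without editing the machine conf.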
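Review bot: the header of qemuamd64-sb-bullseye.conf carries only `# This software is a part of ISAR.` while qemuamd64-sb.conf in the same patch also has `# Copyright (C) 2022 Siemens AG`; add the copyright line for consistency. The comment `# add MOK utilities to insert MOK into EFI` also overstates what the userspace side does: mokutil only stages an enrollment request that shim's MokManager must confirm (password prompt) on the next boot, so something like `# stage MOK enrollment requests for shim's MokManager` would describe it more precisely.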
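The commit message above describes a chain of trust that ends in the firmware's signature databases (db/dbx) and, after enrollment through shim, in the MOK. As an added example that is not part of this patch or of Isar, the following Python script reads those databases from efivarfs inside the booted guest, decodes the EFI_SIGNATURE_LIST structures and reports which certificates and hashes are currently allowed or denied. The vendor and SignatureType GUIDs are the standard ones from the UEFI specification and shim; the variable layout assumed is efivarfs's (a 4-byte attribute word followed by the data). The sample databases used when checking the code are constructed, not captured from a system.

```python
"""Inspect UEFI Secure Boot state and the signature databases exposed by
efivarfs (db, dbx and shim's MokListRT).

Added example for this thread; not part of the Isar patch. It assumes a
booted Linux guest with efivarfs mounted at /sys/firmware/efi/efivars.
"""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")

# Vendor GUIDs that qualify the variable names in efivarfs.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SHIM_LOCK = "605dab50-e046-4300-abb6-3dd810dd8b23"  # shim's own namespace

VARIABLES = {
    "SecureBoot": EFI_GLOBAL_VARIABLE,    # 1 byte: 1 = enforcing
    "db": EFI_IMAGE_SECURITY_DATABASE,    # firmware allow-list
    "dbx": EFI_IMAGE_SECURITY_DATABASE,   # firmware deny-list
    "MokListRT": SHIM_LOCK,               # MOK as published by shim at runtime
}

# SignatureType GUIDs from the UEFI spec (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little endian).
SIGLIST_HDR = struct.Struct("<16sIII")


@dataclass
class Signature:
    sig_type: str      # "x509", "sha256" or the raw SignatureType GUID
    owner: uuid.UUID   # SignatureOwner: who enrolled the entry
    data: bytes        # DER certificate or 32-byte digest


def strip_attributes(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a UINT32 attribute word."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the attribute header")
    return raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """True when the SecureBoot variable (with efivarfs header) reads 1."""
    data = strip_attributes(raw)
    return len(data) == 1 and data[0] == 1


def parse_signature_lists(data: bytes) -> list[Signature]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures."""
    sigs: list[Signature] = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError(f"SignatureSize {sig_size} leaves no room for data")
        body = data[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI_GUID is mixed-endian on disk
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            entry = body[i : i + sig_size]
            sigs.append(Signature(name, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return sigs


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (no SignatureHeader); entries must be equally sized."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must have the same length")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


def read_variable(name: str) -> bytes | None:
    path = EFIVARS / f"{name}-{VARIABLES[name]}"
    return path.read_bytes() if path.exists() else None


def summarize(name: str, sigs: list[Signature]) -> str:
    counts: dict[str, int] = {}
    for s in sigs:
        counts[s.sig_type] = counts.get(s.sig_type, 0) + 1
    return f"{name}: " + ", ".join(f"{n} {t}" for t, n in sorted(counts.items()))


if __name__ == "__main__":
    sb = read_variable("SecureBoot")
    print("SecureBoot:", "enabled" if sb and secure_boot_enabled(sb) else "disabled/absent")
    for name in ("db", "dbx", "MokListRT"):
        raw = read_variable(name)
        if raw is None:
            print(f"{name}: not present")
            continue
        sigs = parse_signature_lists(strip_attributes(raw))
        print(summarize(name, sigs))
        for s in sigs:
            detail = s.data.hex() if s.sig_type == "sha256" else f"{len(s.data)} bytes DER"
            print(f"  {s.sig_type} {detail} owner={s.owner}")
```

Run it as root in the guest after boot: with the MS keys in db and the patch's MOK enrolled through MokManager, MokListRT should show an x509 entry whose owner GUID differs from the Microsoft-owned entries in db; if the SecureBoot line reads "disabled/absent" although OVMF was started with the .ms firmware, check that the variable store was actually attached to the VM.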