From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: Felix Moessbauer
Subject: [PATCH 1/1] docs: document debian secure boot workflow
Date: Wed, 24 May 2023 07:07:38 +0000
Message-Id: <20230524070738.193693-1-felix.moessbauer@siemens.com>

This patch documents the example secure boot workflow based on MOK enrollment. The workflow itself has been included in meta-isar for some time, but the documentation was only part of the cover letter of that series. This is now added to the user_manual.md.

Signed-off-by: Felix Moessbauer
---
 doc/user_manual.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 120cfebd..e07b76d8 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -983,6 +983,63 @@ To explicitly build a package for the build host architecture (in cross build scenarios, or when generating an SDK), Isar automatically provides a `-native` target for all dpkg package recipes. +### Using the Debian Secure Boot chain + +In case no modification of the bootloader or kernel is required, you can use the +`qemuamd64-sb-bullseye` machine to create an image that can be bootet on amd64 machines +where Secure Boot (SB) with the MS keys is enabled. This works, because it implements +the Debian SB boot chain (shim -> debian grub -> debian kernel). However, none of these +components must be modified, as this would break the signatures and by that cannot be +bootet anymore. + +Please note, that this workflow is just intended for prototyping. It also does not +cover SB with self-signed bootloaders or kernels. Do NOT use it for productive images, as +the key handling needs to be implemented differently (e.g. the private key needs to be +stored in a TPM). + +The example consists of two parts: + +- create an image using the debian SB boot chain for MOK deployment +- create and sign a custom kernel module + +**Build the key deployment image:** + +```bash +bitbake mc:qemuamd64-sb-bullseye:isar-image-base +``` + +**Start the image:** (consider adding `-enable-kvm` to get some decent performance): + +```bash +start_vm -a amd64-sb -d bullseye -s +``` + +**Check if SB is actually enabled (detected):** + +```bash +dmesg | grep -i secure +# prints something like UEFI Secureboot is enabled +``` + +**Try to load the example-module (it should fail):** + +```bash +modprobe example-module +# this should fail as it is signed with a non trusted key +``` + +**Enroll our MOK and reboot into the MOK manager:** + +```bash +mokutil --import /etc/sb-mok-keys/MOK/MOK.der +``` + +Use the previously definded password to enroll the key, then reboot. + +**Boot self-signed image**: + +Now the image should be up again and `modprobe example-module` should work. 
+ ### Cross Support for Imagers If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks -- 2.34.1
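Review bot: the new "Using the Debian Secure Boot chain" section carries several typos that will land in user-facing docs and should be fixed before merge: "bootet" (twice) should be "booted", "definded" should be "defined", "productive images" should be "production images", and "none of these components must be modified" should read "none of these components may be modified" (as written it says the opposite of what the following clause explains). The step "Use the previously definded password to enroll the key, then reboot." also refers to a password that the section never introduces; either state where that password is set, or reword to say that `mokutil --import` prompts for a one-time password which MokManager asks for again after the reboot. Minor: next to `dmesg | grep -i secure`, `mokutil --sb-state` is a more direct check that the firmware has Secure Boot enabled and would fit the "Check if SB is actually enabled" step.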