From: "'Gylstorff Quirin' via isar-users"
Date: Wed, 17 Jul 2024 16:47:50 +0200
Subject: Re: [meta-isar] Proposal to improve initial device bootstrapping
To: "Heinisch, Alexander (T CED SES-AT)", "isar-users@googlegroups.com"
Cc: "Kiszka, Jan (T CED)"
Message-ID: <34c4028d-2d4d-4c3c-b528-972bfaa9f74b@siemens.com>

On 7/16/24 3:30 PM, Heinisch, Alexander (T CED SES-AT) wrote:
> # Device Bootstrapping
>
> This is a proposal to improve initial device bootstrapping with meta-isar by making the `isar-image-installer` a more versatile and general tool.
>
> ## Background
>
> Currently, the `isar-image-installer` contains the target image to be deployed (copied) to the target device in its root filesystem. The installer image has to be copied to a usb stick and executed on the target device.
>
> In our current manufacturing setup we are targeting prebuilt devices without any OS precommissioned. Flashing images directly to disk is not possible at that stage easily.
> That's why we are using the `isar-image-installer` to deploy the target images to the device via usb.
>
> ## Motivation
>
> This approach works fine when working with a single device on desk, having keyboard and screen attached, but does not scale for large rollouts for multiple devices during manufacturing.
>
> To scale that process I suggest not only supporting a usb stick scenario, but also a variant to boot via pxe boot (or ipxe-boot) into a live os (which could (and probably will) be `isar-image-installer`).
>
>> Note: Currently, we are targeting x86 based architectures providing UEFI.
>
> ## Identified Problems
>
> 1.  **Problem**: The installer script has to provide an unattended mode.
>
>     **Possible Solution**: Add setting for unattended mode either via well known config file or via kernel cmdline.
>
> 2.  **Problem**: When embedding the target image into the installer rootfs a rebuild of the installer image is required every time we change the target image.
>
>     **Possible Solution**: Installer image could download target image from http/ftp/s3 server at runtime and install it from memory. (Therefore, we have to ensure enough memory is provided, or probably support some kind of streaming functionality)

This sounds like what SWUpdate or rauc already provide. Which could be
used to describe the system and also provide an installation state.

Quirin

>
> 3.  **Problem**: Since pxe transfers only the kernel and the initramfs via TFTP (rather slow) When using pxe we have to provide the rootfs of the installer via nfs.
>
>     **Possible Solution**: Having an online installer downloading the target images from some external source, enables us to put all installer logic in the installers initramfs. Thus, no need for an installer-rootfs.
>
>     > Note: This does not always work. Since we also want to support the usb use case, loading the target image from rootfs is still a desirable option we have to maintain!
>
> 4.  **Problem**: Enrolling secure boot keys has to be done manually now. Currently we are using scripts to do so which get executed after the installer ran.
> This is needed, since the installer is not signed.
>
>     **Possible Solution**: Sign installer.
>
> 5.  **Problem**: Still, enrolling the keys manually upfront is cumbersome and error prone, and buying devices with preenrolled keys, oftentimes is not wanted due to additional cost and additional trust. Enrolling the keys after installation can be done, but again, is a manual task which should be automated.
>
>     **Possible Solution**: Enroll secureboot keys as an additional step during installation.
>
>     > Note: Since `installation` is not an appropriate term anymore, when not only the image gets installed but additional steps like key-enrollment take place, I will call that workflow `target-bootstrapping` in the remainder of this text.
>
> 6.  **Problem**: Disc encryption is currently done on first boot of the device (detects if disk is already encrypted, and if not, encrypts it.) We saw that this process sometimes takes several minutes and is one of the crucial parts when initially starting up. In our scenario after a device got precommissioned it is put aside and stored (without initial boot of the target os). Once manufacturing needs to pick up a new device it is taken from there and assembled to the main asset shipped to the customer during asset production. Since that step has to be as easy and as fast as possible, waiting several minutes (due to initial encryption) to check basic device information or worse, failing at that stage is unacceptable.
>
>     **Possible Solution**: Encrypt target device disks as an additional step during `target-bootstrapping`.
>
> 7.  **Problem**: After the initial precommissioning of the device status information of the device (e.g. serial number, hardware info) has to be transferred to our central mgmt. system.
>
>     **Possible Solution**: Run custom scripts as part of the `target-bootstrapping`
>
> 8.  **Problem**: During `target-bootstrapping` the progress of the bootstrapping has to be visualized. When talking about bootstrapping multiple devices attaching a screen is not desired. Thus we plan to give some status indication via LED drivers as well, and also report status to our central mgmt. system.
>
>     **Possible Solution**: Run custom scripts for status reporting. This means, that customizable scripts shall be invoked before and after every single bootstrapping phase, and ideally also reporting an overall progress.
>
> ## Draft
>
> Instead of executing the deploy image script as a systemd service we propose to implement a configurable target-bootstrapper, which takes prepackaged scripts as an input and invokes them in a generic way.
>
> ```
> TARGET_BOOTSTRAPPER_ADDITIONAL_PACKAGES += " deploy-image"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[script] = "deploy-image-wic.sh"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[workdir] = "/usr/bin"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[effort] = "2"
> ```
>
> This configuration enables us to reuse existing upstream (e.g. deploy-image [1]) as well as downstream scripts (e.g. encrypt partition [2] from cip-core or enroll secure boot keys from other downstream repo) without code-duplication.
>
> To allow such bootstrapper to report progress between execution of each of the prepackaged scripts, customized status reporting utilities can be configured and will be invoked. Such utilities include e.g. led drivers, status reporting via a REST service, aso.
>
> Each script-configuration can not only specify a dedicated workdir and entrypoint, but also an effort-estimate to weight the work performed within a single script more accurately.
>
> Besides coming up with an initial draft of such target-bootstrapping (will send a patchseries in the upcoming days) one of the first steps will be to refactor the existing deploy-image-wic.sh to allow for `unattended-mode` (based on this patch series [3] from Jan Kiszka) and extend the script to support downloading the target images from an http server.
>
>
> [1] https://github.com/ilbers/isar/blob/master/meta-isar/recipes-installer/deploy-image/files/deploy-image-wic.sh
> [2] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script?ref_type=heads
> [3] https://patchwork.isar-build.org/project/isar/patch/6279c4d497ade9a55cad9c0f2f21834ae97f964c.1719927511.git.jan.kiszka@siemens.com/
>
> Looking forward to your inputs,
> Thank you!
> Alexander
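
The task runner sketched in the quoted draft, as an added example that is not part of the mail thread or of Isar's code: it runs the configured scripts in order, reports effort-weighted progress before and after each one, and stops at the first failing task so a failed encryption or key-enrollment step never ends in a "complete" status. The `name|workdir|script|effort` task-file format, the `report_status` hook and the `BOOTSTRAP_STATUS_LOG` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Isar code): effort-weighted runner for the drafted
# "target-bootstrapper". Task file format is an assumption of this example:
#   name|workdir|script|effort     (one task per line, '#' starts a comment)
# mirroring the [script], [workdir] and [effort] flags from the draft.

# Status hook, called before and after every task and on failure.
# Here it appends to $BOOTSTRAP_STATUS_LOG (hypothetical variable); a real
# hook would drive LEDs or post to the central management system.
report_status() {   # args: phase task percent
    printf '%s %s %s\n' "$1" "$2" "$3" >> "${BOOTSTRAP_STATUS_LOG:-/dev/null}"
}

# Validate one task line; reject anything that could leave the workdir.
valid_task() {      # args: name workdir script effort
    case "$4" in ''|*[!0-9]*) return 1 ;; esac   # effort: digits only
    case "$3" in ''|*/*) return 1 ;; esac        # script: plain file name
    case "$2" in /*) ;; *) return 1 ;; esac      # workdir: absolute path
    [ -x "$2/$3" ]                               # script must be executable
}

# Print the summed effort of all tasks, or fail on the first invalid line.
total_effort() {    # args: taskfile
    sum=0
    while IFS='|' read -r t_name t_dir t_script t_effort; do
        case "$t_name" in ''|'#'*) continue ;; esac
        valid_task "$t_name" "$t_dir" "$t_script" "$t_effort" || {
            echo "invalid task: $t_name" >&2; return 2; }
        sum=$((sum + t_effort))
    done < "$1"
    echo "$sum"
}

# Run all tasks in order and stop at the first failing one (fail closed).
# Returns 0 on success, 1 if a task failed, 2 if the task file is invalid.
run_bootstrap() {   # args: taskfile
    rb_total=$(total_effort "$1") || return 2
    [ "$rb_total" -gt 0 ] || { echo "no work configured" >&2; return 2; }
    rb_done=0
    # The task file is read on fd 3 so that tasks cannot consume it via stdin.
    while IFS='|' read -r t_name t_dir t_script t_effort <&3; do
        case "$t_name" in ''|'#'*) continue ;; esac
        report_status start "$t_name" $((rb_done * 100 / rb_total))
        if ! ( cd "$t_dir" && "./$t_script" ) </dev/null 3<&-; then
            report_status failed "$t_name" $((rb_done * 100 / rb_total))
            return 1
        fi
        rb_done=$((rb_done + t_effort))
        report_status done "$t_name" $((rb_done * 100 / rb_total))
    done 3< "$1"
    report_status complete all 100
}
```
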