From: Uladzimir Bely <ubely@ilbers.de>
To: isar-users@googlegroups.com
Subject: Re: [PATCH 00/10] Add support for secureboot using Debian boot chain
Date: Wed, 25 Jan 2023 10:17:00 +0300 [thread overview]
Message-ID: <4762907.OV4Wx5bFTl@hp> (raw)
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
In mail from Friday, 23 December 2022 11:40:48 +03 user Felix Moessbauer wrote:
> This series adds basic infrastructure to create ISAR images that
> can be booted on a stock amd64 machine with secureboot and MS keys.
> Even if this comes with A LOT of limitations, we believe that this
> is a very needed feature: More and more systems have Secureboot (SB)
> enabled as default (MS keys enrolled) and often SB itself cannot be
> turned off. Having support for that in ISAR makes it possible to
> create two-staged images, where one image is used to configure the
> SB (enroll keys, configure MOK) and then boot the actual target image.
>
> Currently, in this situation a debian live image has to be used to
> do the configuration (if the firmware graphical interface does not
> support it).
>
> When reviewing, please note the following:
>
> - this series is in a very early state, but fully works in a QEMU
> as well as on some stock laptops
> - it is AMD64 only and that will not change (Debian limitations)
> - we need to make changes in the bootimg-efi-isar.py WIC plugin.
> These are additions only and are very debian specific, hence these
> should also remain ISAR only and not be proposed for OE
> - the key handling topic (p6-8) is not mature from a conceptual
> perspective. Anyways, we do not want to spend too much time on it
> as this is just an example how key management could be done
> - testing infrastructure is completely missing and that will not change
> soon, as we need to maintain a state across reboots of the qemu.
> - These patches provide an easy way to create an image with any (signed)
> stock debian kernel that boots on most (all) SB enabled AMD64 machines.
> For that, no EFI config is required.
>
> The series is structured as follows:
>
> p1-p3: bare minimal support to boot with secureboot
> p4,5: module signing
> p6-end: examples and helpers
>
> Try it out:
>
> Build it:
> bitbake mc:qemuamd64-sb-bullseye:isar-image-base
>
> Start it (consider adding -enable-kvm to get some decent performance):
> start_vm -a amd64-sb -d bullseye -s
>
> Check if SB is actually enabled (detected):
> dmesg | grep secure
> prints something like UEFI Secureboot is enabled
>
> Try to load the example-module (it should fail):
> modprobe example-module
>
> Enroll our MOK and reboot:
> mokutil --import /etc/sb-mok-keys/MOK/MOK.der
>
> Now, use the previously defined password to enroll the key, then reboot.
>
> Now our image should be up again and modprobe example-module should work.
>
> Best regards,
> Felix
> Siemens AG
>
> Felix Moessbauer (10):
> wic: add option to use debian EFI shim
> add debian sb chain bootloader dependencies
> add example wic file for sb debian boot chain
> style: split overlong line in module.inc
> add support to sign kernel modules
> add example to generated and distribute MOK data
> add signed variant of example-module
> add new machine qemuamd64-sb and corresponding mc
> fix: only append kargs and extra_kargs if set
> start_vm: add support for secureboot
>
> meta-isar/conf/local.conf.sample | 1 +
> meta-isar/conf/machine/qemuamd64-sb.conf | 20 ++++++++++++++
> .../multiconfig/qemuamd64-sb-bullseye.conf | 12 +++++++++
> .../example-module/example-module-signed.bb | 14 ++++++++++
> .../sb-mok-keys/files/Makefile.tmpl | 27 +++++++++++++++++++
> .../sb-mok-keys/sb-mok-keys.bb | 23 ++++++++++++++++
> .../sb-mok-public/files/rules | 12 +++++++++
> .../sb-mok-public/sb-mok-public.bb | 17 ++++++++++++
> .../wic/canned-wks/sdimage-efi-sb-debian.wks | 10 +++++++
> meta/conf/distro/debian-common.conf | 3 +++
> .../linux-module/files/debian/rules.tmpl | 3 +++
> meta/recipes-kernel/linux-module/module.inc | 15 ++++++++++-
> .../wic/plugins/source/bootimg-efi-isar.py | 16 +++++++++++
> scripts/start_vm | 10 ++++++-
> 14 files changed, 181 insertions(+), 2 deletions(-)
> create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
> create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
> create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signed.bb
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
> create mode 100644 meta-isar/scripts/lib/wic/canned-wks/sdimage-efi-sb-debian.wks
Applied to next, thanks.
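The cover letter above relies on the kernel refusing an unsigned example-module while Secure Boot is enabled, and on the signed variant (p4, p5, p7) loading once the MOK is enrolled. A check an image builder can run before shipping is to inspect each .ko in the rootfs for the appended signature trailer. The following is an added example, not code from the series or from ISAR: it decodes the trailer layout written by the kernel's scripts/sign-file (signer name, key id, signature blob, a 12-byte struct module_signature, then the magic string "~Module signature appended~\n"), and reports whether a module is unsigned, PKCS#7-signed, or carries the older X.509 layout. The helper append_signature, the sample module bytes and the signature blobs are constructed here for the demonstration. It only decodes the trailer; verifying the PKCS#7 signature against the MOK certificate is a separate step.

```python
"""Detect and decode the signature trailer appended to a Linux kernel module (.ko).

Trailer layout as written by the kernel's scripts/sign-file (after the ELF data):
  [signer name][key id][signature][struct module_signature, 12 bytes][MAGIC]
For PKCS#7 signatures (the layout current kernels use) signer_len and key_id_len
are zero and the signature field is the PKCS#7 blob itself.
"""
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature:
#   u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len; u8 pad[3]; __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def parse_module_signature(data: bytes):
    """Return a dict describing the trailer, or None if the module carries no signature."""
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature struct")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    body = body[: -SIG_STRUCT.size]
    if signer_len + key_id_len + sig_len > len(body):
        raise ValueError("signature lengths exceed file size")
    # Fields sit directly in front of the struct, in the order signer, key id, signature.
    signature = body[len(body) - sig_len:]
    rest = body[: len(body) - sig_len]
    key_id = rest[len(rest) - key_id_len:]
    rest = rest[: len(rest) - key_id_len]
    signer = rest[len(rest) - signer_len:]
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "algo": algo,
        "hash": hsh,
        "signer": signer.decode("utf-8", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "module_len": len(rest) - signer_len,  # size of the ELF payload that was signed
        "signature": signature,
    }


def append_signature(module: bytes, signature: bytes, id_type: int = 2,
                     signer: bytes = b"", key_id: bytes = b"") -> bytes:
    """Constructed helper: build a trailer in the sign-file layout for a sample module.

    Real signing produces the signature with a private key; here the blob is
    supplied by the caller so the parser can be exercised offline.
    """
    hdr = SIG_STRUCT.pack(0, 0, id_type, len(signer), len(key_id), len(signature))
    return module + signer + key_id + signature + hdr + MAGIC


def describe(name: str, data: bytes) -> str:
    """One-line summary suitable for a build-time audit of an image's modules."""
    info = parse_module_signature(data)
    if info is None:
        return "%s: UNSIGNED (will be rejected with Secure Boot lockdown)" % name
    return "%s: signed, type=%s, sig_len=%d, payload=%d bytes" % (
        name, info["id_type"], info["sig_len"], info["module_len"])


# Constructed sample inputs: a fake ELF payload and fake signature blobs.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 20
UNSIGNED_KO = FAKE_ELF
PKCS7_KO = append_signature(FAKE_ELF, FAKE_PKCS7)

if __name__ == "__main__":
    print(describe("example-module.ko", UNSIGNED_KO))
    print(describe("example-module-signed.ko", PKCS7_KO))
```

To audit a built rootfs, walk lib/modules/*/ and feed each .ko's bytes to describe(); any line reporting UNSIGNED is a module that the lockdown-enabled Debian kernel will refuse to load on a Secure Boot machine, which is exactly the failure the cover letter's first modprobe demonstrates.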