From: Uladzimir Bely
To: isar-users@googlegroups.com
Subject: Re: [PATCH 00/10] Add support for secureboot using Debian boot chain
Date: Wed, 25 Jan 2023 10:17:00 +0300
Message-ID: <4762907.OV4Wx5bFTl@hp>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

In mail from Friday, 23 December 2022 11:40:48 +03 user Felix Moessbauer wrote:
> This series adds basic infrastructure to create ISAR images that
> can be booted on a stock amd64 machine with secureboot and MS keys.
> Even if this comes with A LOT of limitations, we believe that this
> is a very needed feature: More and more systems have Secureboot (SB)
> enabled as default (MS keys enrolled) and often SB itself cannot be
> turned off. Having support for that in ISAR makes it possible to
> create two-staged images, where one image is used to configure the
> SB (enroll keys, configure MOK) and then boot the actual target image.
>
> Currently, in this situation a debian live image has to be used to
> do the configuration (if the firmware graphical interface does not
> support it).
>
> When reviewing, please note the following:
>
> - this series is in a very early state, but fully works in a QEMU
>   as well as on some stock laptops
> - it is AMD64 only and that will not change (Debian limitations)
> - we need to make changes in the bootimg-efi-isar.py WIC plugin.
>   These are additions only and are very debian specific, hence these
>   should also remain ISAR only and not be proposed for OE
> - the key handling topic (p6-8) is not mature from a conceptual
>   perspective. Anyways, we do not want to spend too much time on it
>   as this is just an example of how key management could be done
> - testing infrastructure is completely missing and that will not change
>   soon, as we need to maintain a state across reboots of the qemu.
> - These patches provide an easy way to create an image with any (signed)
>   stock debian kernel that boots on most (all) SB enabled AMD64 machines.
>   For that, no EFI config is required.
>
> The series is structured as follows:
>
> p1-p3: bare minimal support to boot with secureboot
> p4,5: module signing
> p6-end: examples and helpers
>
> Try it out:
>
> Build it:
> bitbake mc:qemuamd64-sb-bullseye:isar-image-base
>
> Start it (consider adding -enable-kvm to get some decent performance):
> start_vm -a amd64-sb -d bullseye -s
>
> Check if SB is actually enabled (detected):
> dmesg | grep secure
> prints something like UEFI Secureboot is enabled
>
> Try to load the example-module (it should fail):
> modprobe example-module
>
> Enroll our MOK and reboot:
> mokutil --import /etc/sb-mok-keys/MOK/MOK.der
>
> Now, use the previously defined password to enroll the key, then reboot.
>
> Now our image should be up again and modprobe example-module should work.
>
> Best regards,
> Felix
> Siemens AG
>
> Felix Moessbauer (10):
>   wic: add option to use debian EFI shim
>   add debian sb chain bootloader dependencies
>   add example wic file for sb debian boot chain
>   style: split overlong line in module.inc
>   add support to sign kernel modules
>   add example to generate and distribute MOK data
>   add signed variant of example-module
>   add new machine qemuamd64-sb and corresponding mc
>   fix: only append kargs and extra_kargs if set
>   start_vm: add support for secureboot
>
>  meta-isar/conf/local.conf.sample                |  1 +
>  meta-isar/conf/machine/qemuamd64-sb.conf        | 20 ++++++++++++++
>  .../multiconfig/qemuamd64-sb-bullseye.conf      | 12 +++++++++
>  .../example-module/example-module-signed.bb     | 14 ++++++++++
>  .../sb-mok-keys/files/Makefile.tmpl             | 27 +++++++++++++++++++
>  .../sb-mok-keys/sb-mok-keys.bb                  | 23 ++++++++++++++++
>  .../sb-mok-public/files/rules                   | 12 +++++++++
>  .../sb-mok-public/sb-mok-public.bb              | 17 ++++++++++++
>  .../wic/canned-wks/sdimage-efi-sb-debian.wks    | 10 +++++++
>  meta/conf/distro/debian-common.conf             |  3 +++
>  .../linux-module/files/debian/rules.tmpl        |  3 +++
>  meta/recipes-kernel/linux-module/module.inc     | 15 ++++++++++-
>  .../wic/plugins/source/bootimg-efi-isar.py      | 16 +++++++++++
>  scripts/start_vm                                | 10 ++++++-
>  14 files changed, 181 insertions(+), 2 deletions(-)
>  create mode 100644 meta-isar/conf/machine/qemuamd64-sb.conf
>  create mode 100644 meta-isar/conf/multiconfig/qemuamd64-sb-bullseye.conf
>  create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signed.bb
>  create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
>  create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
>  create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
>  create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
>  create mode 100644 meta-isar/scripts/lib/wic/canned-wks/sdimage-efi-sb-debian.wks

Applied to next, thanks.
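Added example, not code from this series or from the reply: the cover letter's walkthrough relies on `modprobe example-module` failing before MOK enrollment and succeeding after, which only proves something if the signed module variant really carries an appended signature. This parser reads the trailer that the kernel's scripts/sign-file appends to a .ko (PKCS#7 blob, then the 12-byte struct module_signature, then the magic string), so a build step can check that before an image ships. The module bytes and DER blob below are constructed; the code inspects the trailer only and does not verify the PKCS#7 signature, which would need the MOK certificate.

```python
import struct

# Layout appended by scripts/sign-file (include/linux/module_signature.h):
#   <PKCS#7 DER> <struct module_signature> "~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
#                          u8 pad[3], __be32 sig_len
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
MODULE_SIG_STRUCT = struct.Struct(">BBBBB3xI")  # 12 bytes, big-endian sig_len
PKEY_ID_PKCS7 = 2


def module_signature_info(ko: bytes):
    """Return None for an unsigned module, otherwise a dict describing the
    appended trailer. Raise ValueError on a malformed trailer, mirroring the
    kernel's mod_check_sig() rules. Signature validity is NOT checked here."""
    if not ko.endswith(MODULE_SIG_MAGIC):
        return None
    body = ko[: -len(MODULE_SIG_MAGIC)]
    if len(body) < MODULE_SIG_STRUCT.size:
        raise ValueError("truncated module_signature trailer")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = MODULE_SIG_STRUCT.unpack(
        body[-MODULE_SIG_STRUCT.size :]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    # For PKCS#7 trailers the kernel insists the legacy fields are zero.
    if algo or hsh or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields in PKCS#7 trailer")
    payload = body[: -MODULE_SIG_STRUCT.size]
    if sig_len >= len(payload):
        raise ValueError("sig_len does not leave room for module data")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "pkcs7": payload[-sig_len:],        # hand this to a PKCS#7 verifier
        "module_len": len(payload) - sig_len,
    }


def constructed_signed_module(module: bytes, pkcs7: bytes) -> bytes:
    """Lay out a fake signed .ko exactly as sign-file would (constructed data)."""
    hdr = MODULE_SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + hdr + MODULE_SIG_MAGIC


# Constructed sample inputs: not a real ELF object, not a real DER signature.
UNSIGNED_KO = b"\x7fELF-constructed-module-bytes"
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 20
SIGNED_KO = constructed_signed_module(UNSIGNED_KO, FAKE_PKCS7)
```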