From: "'Niedermayr, BENEDIKT' via isar-users"
To: "Heinisch, Alexander", "isar-users@googlegroups.com"
CC: "quirin.gylstorff@siemens.com", "Kiszka, Jan"
Subject: Re: [meta-isar] Proposal to improve initial device bootstrapping
Date: Thu, 25 Jul 2024 12:37:30 +0000

On Tue, 2024-07-16 at 13:30 +0000, 'Heinisch, Alexander' via isar-users wrote:
> # Device Bootstrapping
>
> This is a proposal to improve initial device bootstrapping with meta-isar by making the
> `isar-image-installer` a more versatile and general tool.
>
> ## Background
>
> Currently, the `isar-image-installer` contains the target image to be deployed (copied) to the
> target device in its root filesystem. The installer image has to be copied to a usb stick and
> executed on the target device.
>
> In our current manufacturing setup we are targeting prebuilt devices without any OS
> precommissioned. Flashing images directly to disk is not possible at that stage easily.
> That's why we are using the `isar-image-installer` to deploy the target images to the device via
> usb.
>
> ## Motivation
>
> This approach works fine when working with a single device on desk, having keyboard and screen
> attached, but does not scale for large rollouts for multiple devices during manufacturing.
>
> To scale that process I suggest not only supporting a usb stick scenario, but also a variant to
> boot via pxe boot (or ipxe-boot) into a live os (which could (and probably will) be
> `isar-image-installer`).
>
> > Note: Currently, we are targeting x86 based architectures providing UEFI.
>
> ## Identified Problems
>
> 1.  **Problem**: The installer script has to provide an unattended mode.
>
>     **Possible Solution**: Add setting for unattended mode either via well known config file or
> via kernel cmdline.
>
> 2.  **Problem**: When embedding the target image into the installer rootfs a rebuild of the
> installer image is required every time we change the target image.
>
>     **Possible Solution**: Installer image could download target image from http/ftp/s3 server at
> runtime and install it from memory. (Therefore, we have to ensure enough memory is provided, or
> probably support some kind of streaming functionality)

Yes, sounds like swupdate and friends...
Nevertheless, I find the idea of using swupdate rather than the current script not that bad at all.
It has some nice side effects. For example any custom pre/post processing could be simply done by
writing scripts and adding them to the swu container. So there would be no need to customize the
current update script. That decouples downstream customizations very nicely...

In conjunction with wfx [1] as update server I could imagine that very complex setups were possible.

I'm not sure whether or not isar is the right place for this feature. This could potentially fit
better into isar-cip-core which implements these types of common patterns?!

[1] https://github.com/siemens/wfx

>
> 3.  **Problem**: Since pxe transfers only the kernel and the initramfs via TFTP (rather slow)
> When using pxe we have to provide the rootfs of the installer via nfs.

You could check out iPXE. It uses http/https for downloading.

>
>     **Possible Solution**: Having an online installer downloading the target images from some
> external source, enables us to put all installer logic in the installer's initramfs. Thus, no need
> for an installer-rootfs.

Using an initramfs may be fine, but as soon as the installer needs internet you will encounter
issues due to missing support of different libraries. In other words, the more features we support
the more needs to be added into the initramfs and installation into initramfs can be very
cumbersome and time consuming (files have to be installed directly since no package-manager
available).

>
>     > Note: This not always works. Since we also want to support the usb use case, loading the
> target image from rootfs is still a desirable option we have to maintain!
>
> 4.  **Problem**: Enrolling secure boot keys has to be done manually now. Currently we are using
> scripts to do so which get executed after the installer ran.
> This is needed, since the installer is not signed.
>
>     **Possible Solution**: Sign installer.
>
> 5.  **Problem**: Still, enrolling the keys manually upfront is cumbersome and error prone, and
> buying devices with preenrolled keys, oftentimes is not wanted due to additional cost and
> additional trust. Enrolling the keys after installation can be done, but again, is a manual task
> which should be automated.
>
>     **Possible Solution**: Enroll secureboot keys as an additional step during installation.
>
>     > Note: Since `installation` is not an appropriate term anymore, when not only the image gets
> installed but additional steps like key-enrollment take place, I will call that workflow
> `target-bootstrapping` in the remainder of this text.
>
> 6.  **Problem**: Disk encryption is currently done on first boot of the device (detects if disk is
> already encrypted, and if not, encrypts it.) We saw that this process sometimes takes several
> minutes and is one of the crucial parts when initially starting up. In our scenario after a device
> got precommissioned it is put aside and stored (without initial boot of the target os). Once
> manufacturing needs to pick up a new device it is taken from there and assembled to the main asset
> shipped to the customer during asset production. Since that step has to be as easy and as fast as
> possible, waiting several minutes (due to initial encryption) to check basic device information or
> worse, failing at that stage is unacceptable.
>
>     **Possible Solution**: Encrypt target device disks as an additional step during
> `target-bootstrapping`.
>
> 7.  **Problem**: After the initial precommissioning of the device status information of the device
> (e.g. serial number, hardware info) has to be transferred to our central mgmt. system.
>
>     **Possible Solution**: Run custom scripts as part of the `target-bootstrapping`
>
> 8.  **Problem**: During `target-bootstrapping` the progress of the bootstrapping has to be
> visualized. When talking about bootstrapping multiple devices attaching a screen is not desired.
> Thus we plan to give some status indication via LED drivers as well, and also report status to our
> central mgmt. system.
>
>     **Possible Solution**: Run custom scripts for status reporting. This means, that customizable
> scripts shall be invoked before and after every single bootstrapping phase, and ideally also
> reporting an overall progress.
>
> ## Draft
>
> Instead of executing the deploy image script as a systemd service we propose to implement a
> configurable target-bootstrapper, which takes prepackaged scripts as an input and invokes them in
> a generic way.
>
> ```
> TARGET_BOOTSTRAPPER_ADDITIONAL_PACKAGES += " deploy-image"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[script] = "deploy-image-wic.sh"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[workdir] = "/usr/bin"
> TARGET_BOOTSTRAPPER_TASK_deploy-image[effort] = "2"
> ```
>
> This configuration enables us to reuse existing upstream (e.g. deploy-image [1]) as well as
> downstream scripts (e.g. encrypt partition [2] from cip-core or enroll secure boot keys from other
> downstream repo) without code-duplication.
>
> To allow such bootstrapper to report progress between execution of each of the prepackaged
> scripts, customized status reporting utilities can be configured and will be invoked. Such
> utilities include e.g. led drivers, status reporting via a REST service, and so on.
>
> Each script-configuration can not only specify a dedicated workdir and entrypoint, but also an
> effort-estimate to weight the work performed within a single script more accurately.
>
> Besides coming up with an initial draft of such target-bootstrapping (will send a patch series in
> the upcoming days) one of the first steps will be to refactor the existing deploy-image-wic.sh to
> allow for `unattended-mode` (based on this patch series [3] from Jan Kiszka) and extend the
> script to support downloading the target images from an http server.
>
>
> [1]
> https://github.com/ilbers/isar/blob/master/meta-isar/recipes-installer/deploy-image/files/deploy-image-wic.sh
> [2]
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script?ref_type=heads
> [3]
> https://patchwork.isar-build.org/project/isar/patch/6279c4d497ade9a55cad9c0f2f21834ae97f964c.1719927511.git.jan.kiszka@siemens.com/
>
> Looking forward to your input,
> Thank you!
> Alexander
>
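
The task runner described in the quoted draft, sketched as an added example (not part of this mail thread and not isar code): it runs tasks in order, weights overall progress by each task's `effort`, calls a status hook before and after every task, and stops at the first failure so that a failed encryption or key-enrollment step is never followed by later steps. The pipe-delimited task table, the function names and the stub scripts are assumptions standing in for the `TARGET_BOOTSTRAPPER_TASK_*` variables.

```shell
#!/bin/sh
# Added example, not isar code. Task table (assumed format), one task per line:
#   name|workdir|script|effort

# Hypothetical status hook: phase (start|done|failed), task, overall percent.
# A real hook would drive an LED or call the management system instead.
report_status() {
    printf '%s %s %s%%\n' "$1" "$2" "$3"
}

# Validate the whole table before any task runs and print the summed effort.
# Malformed rows, non-numeric or zero effort and missing scripts are rejected.
plan_total() {
    sum=0
    while IFS='|' read -r name workdir script effort; do
        [ -n "$name" ] || continue
        case $effort in ''|0*|*[!0-9]*) return 1 ;; esac
        [ -f "$workdir/$script" ] || return 1
        sum=$(( sum + effort ))
    done <<EOF
$1
EOF
    echo "$sum"
}

# Run every task in order. Returns 0 on success, 1 when a task fails (later
# tasks are not started), 2 when the table itself is invalid.
run_bootstrap() {
    total=$(plan_total "$1") || { echo "invalid task table" >&2; return 2; }
    [ "$total" -gt 0 ] || return 2
    spent=0
    while IFS='|' read -r name workdir script effort; do
        [ -n "$name" ] || continue
        report_status start "$name" $(( spent * 100 / total ))
        # Task output goes to stderr so stdout carries status lines only;
        # stdin is detached so a task cannot swallow the task table.
        if ! ( cd "$workdir" && sh "./$script" ) </dev/null >&2; then
            report_status failed "$name" $(( spent * 100 / total ))
            return 1
        fi
        spent=$(( spent + effort ))
        report_status done "$name" $(( spent * 100 / total ))
    done <<EOF
$1
EOF
    return 0
}

# Constructed demo: stub scripts that only exit, standing in for image
# deployment, disk encryption and key enrollment. Pass a script name as $1 to
# make that stub fail.
demo() {
    d=$(mktemp -d) || return 1
    for s in deploy-image-wic.sh encrypt-disk.sh enroll-keys.sh; do
        echo 'exit 0' > "$d/$s"
    done
    if [ -n "${1:-}" ]; then echo 'exit 1' > "$d/$1"; fi
    run_bootstrap "deploy-image|$d|deploy-image-wic.sh|2
encrypt-disk|$d|encrypt-disk.sh|5
enroll-keys|$d|enroll-keys.sh|1" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

With efforts 2, 5 and 1 the reported overall progress after each task is 25%, 87% and 100%; `demo encrypt-disk.sh` shows the run stopping at 25% without starting key enrollment.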