diff mbox series

[1/1] docs: document debian secure boot workflow

Message ID 20230524070738.193693-1-felix.moessbauer@siemens.com
State Accepted, archived
Headers show
Series [1/1] docs: document debian secure boot workflow | expand

Commit Message

MOESSBAUER, Felix May 24, 2023, 7:07 a.m. UTC 
This patch documents the example secure boot workflow based on MOK
enrollment. The workflow itself is included in meta-isar for some time,
but the documentation was only part of the cover letter of that series.
This is now added to the user_manual.md.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 doc/user_manual.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

Comments

Uladzimir Bely May 29, 2023, 7:08 a.m. UTC | #1 
On Wed, 2023-05-24 at 07:07 +0000, 'Felix Moessbauer' via isar-users
wrote:
> This patch documents the example secure boot workflow based on MOK
> enrollment. The workflow itself is included in meta-isar for some
> time,
> but the documentation was only part of the cover letter of that
> series.
> This is now added to the user_manual.md.
> 
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
>  doc/user_manual.md | 57
> ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 57 insertions(+)

Applied to next, thanks.
diff mbox series

Patch

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 120cfebd..e07b76d8 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -983,6 +983,63 @@  To explicitly build a package for the build host architecture (in cross build
 scenarios, or when generating an SDK), Isar automatically provides a
 `<package>-native` target for all dpkg package recipes.
 
+### Using the Debian Secure Boot chain
+
+In case no modification of the bootloader or kernel is required, you can use the
+`qemuamd64-sb-bullseye` machine to create an image that can be bootet on amd64 machines
+where Secure Boot (SB) with the MS keys is enabled. This works, because it implements
+the Debian SB boot chain (shim -> debian grub -> debian kernel). However, none of these
+components must be modified, as this would break the signatures and by that cannot be
+bootet anymore.
+
+Please note, that this workflow is just intended for prototyping. It also does not
+cover SB with self-signed bootloaders or kernels. Do NOT use it for productive images, as
+the key handling needs to be implemented differently (e.g. the private key needs to be
+stored in a TPM).
+
+The example consists of two parts:
+
+- create an image using the debian SB boot chain for MOK deployment
+- create and sign a custom kernel module
+
+**Build the key deployment image:**
+
+```bash
+bitbake mc:qemuamd64-sb-bullseye:isar-image-base
+```
+
+**Start the image:** (consider adding `-enable-kvm` to get some decent performance):
+
+```bash
+start_vm -a amd64-sb -d bullseye -s
+```
+
+**Check if SB is actually enabled (detected):**
+
+```bash
+dmesg | grep -i secure
+# prints something like UEFI Secureboot is enabled
+```
+
+**Try to load the example-module (it should fail):**
+
+```bash
+modprobe example-module
+# this should fail as it is signed with a non trusted key
+```
+
+**Enroll our MOK and reboot into the MOK manager:**
+
+```bash
+mokutil --import /etc/sb-mok-keys/MOK/MOK.der
+```
+
+Use the previously definded password to enroll the key, then reboot.
+
+**Boot self-signed image**:
+
+Now the image should be up again and `modprobe example-module` should work.
+
 ### Cross Support for Imagers
 
 If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks