From patchwork Wed May 24 07:07:38 2023
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 2830
From: "MOESSBAUER, Felix"
To: isar-users@googlegroups.com
Cc: Felix Moessbauer
Subject: [PATCH 1/1] docs: document debian secure boot workflow
Date: Wed, 24 May 2023 07:07:38 +0000
Message-Id: <20230524070738.193693-1-felix.moessbauer@siemens.com>

This patch documents the example secure boot workflow based on MOK enrollment. The workflow itself has been included in meta-isar for some time, but the documentation was only part of the cover letter of that series. This is now added to the user_manual.md.

Signed-off-by: Felix Moessbauer
---
 doc/user_manual.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 120cfebd..e07b76d8 100644
--- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -983,6 +983,63 @@ To explicitly build a package for the build host architecture (in cross build scenarios, or when generating an SDK), Isar automatically provides a `-native` target for all dpkg package recipes. +### Using the Debian Secure Boot chain + +In case no modification of the bootloader or kernel is required, you can use the +`qemuamd64-sb-bullseye` machine to create an image that can be bootet on amd64 machines +where Secure Boot (SB) with the MS keys is enabled. This works, because it implements +the Debian SB boot chain (shim -> debian grub -> debian kernel). However, none of these +components must be modified, as this would break the signatures and by that cannot be +bootet anymore. + +Please note, that this workflow is just intended for prototyping. It also does not +cover SB with self-signed bootloaders or kernels. Do NOT use it for productive images, as +the key handling needs to be implemented differently (e.g. the private key needs to be +stored in a TPM). + +The example consists of two parts: + +- create an image using the debian SB boot chain for MOK deployment +- create and sign a custom kernel module + +**Build the key deployment image:** + +```bash +bitbake mc:qemuamd64-sb-bullseye:isar-image-base +``` + +**Start the image:** (consider adding `-enable-kvm` to get some decent performance): + +```bash +start_vm -a amd64-sb -d bullseye -s +``` + +**Check if SB is actually enabled (detected):** + +```bash +dmesg | grep -i secure +# prints something like UEFI Secureboot is enabled +``` + +**Try to load the example-module (it should fail):** + +```bash +modprobe example-module +# this should fail as it is signed with a non trusted key +``` + +**Enroll our MOK and reboot into the MOK manager:** + +```bash +mokutil --import /etc/sb-mok-keys/MOK/MOK.der +``` + +Use the previously definded password to enroll the key, then reboot. + +**Boot self-signed image**: + +Now the image should be up again and `modprobe example-module` should work. 
+ ### Cross Support for Imagers If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
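Review bot: The step "Use the previously definded password to enroll the key" refers to a password that the section never defines; `mokutil --import` prompts for a one-time password when the key is queued for enrollment, and the MOK manager asks for that same password after the reboot, so state this explicitly in the enrollment step (e.g. "mokutil asks you to set a one-time password; enter the same password in the MOK manager after reboot"). The sentence "none of these components must be modified" reads as "none is required to be modified" and should become "none of these components may be modified"; also "bootet" (twice), "definded" and "non trusted" should read "booted", "defined" and "untrusted", "productive images" is better as "production images", and "MS keys" should be spelled out as "Microsoft keys". For the `modprobe example-module` step it would help to state the expected failure so a reader can distinguish a rejected module signature from a missing module, and since the prototyping note already says the private key handling is unsuitable for production, the section should say where the private half of the MOK key lives in this example image so users know what must not be shipped.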