UEFI-based SWUpdate and Secure Boot integration #314
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This brings a resolution of build conflicts between tensorflow and swupdate packages. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
gylstorffq
reviewed
May 12, 2022
gylstorffq
reviewed
May 12, 2022
| @@ -13,7 +13,7 @@ Before=swupdate.service shutdown.target | |||
|
|
|||
| [Service] | |||
| Type=oneshot | |||
| ExecStart=/usr/share/u-boot-env/patch-u-boot-env.sh sysselect /usr/share/u-boot-env/patch-u-boot-env.config | |||
| ExecStart=sh -c '/usr/share/u-boot-env/patch-u-boot-env.sh watchdog_timeout_ms /usr/share/u-boot-env/patch-u-boot-env.config; fw_setenv watchdog_timeout_ms 60000' | |||
There was a problem hiding this comment.
What is the reason for setting the variable watchdog_timeout_ms in the u-boot config script and the patch service?
There was a problem hiding this comment.
The patch service can also handle current firmware 1.2.1 (for non-secure swupdate) by not only setting a non-zero timeout but also adding the related scripts that is missing in that version.
jan-kiszka
force-pushed
the
jan/uefi-secure-boot
branch
from
52b5059
to
c204548
Compare
BaochengSu
reviewed
May 16, 2022
|
@jan-kiszka , Sorry but I could not recall the exact |
|
-> validated firewall settings |
BaochengSu
reviewed
May 17, 2022
Brings internal simplifications and allows to update to kas 3.x, thus Debian bullseye as build environment. It also permits to build EFI Boot Guard for arm64 which will be used soon. Temporarily, we pick up an older version of wic-swu-img.bbclass in order to preserve the r/w property of the rootfs that isar-cip-core already dropped. Alignment to isar-cip-core will happen in succeeding steps. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
…ecipe No need to carry this in the kas file. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Those are not compatible / not needed (we use PARTLABEL so far) with SWUpdate images. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Those are dropped into the soon persistent [/home]/root folder, thus cannot be part of the update image anymore. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This will be needed when making the rootfs read-only and /home persistent. We keep a link, though, so that everything feels the same. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for read-only rootfs imaging. This patch is likely not the final solution as upstream OE gave some push-back. But the use-case is valid, and there will be an official pattern or patch eventually. We will adopt that once available. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Keeping this off prevents the kernel from being bootable via a UEFI bootloader. However, the latest firmware release is already capable of booting via UEFI. So there is no reason to deny this default option. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for a read-only rootfs. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Adopting the UEFI-based boot that isar-cip-core pre-integrates allows sharing of much more recipes and patterns. It also enables the switch to the more appropriate read-only rootfs setup which avoids mixing up local installation with full-image updating. Finally, this lays the ground for secure boot and rootfs image integrity checking in later steps. We boot the kernel now via EFI Boot Guard and a unified kernel image generated by it. That means, watchdog handling will remain with U-Boot but rootfs selection is moved to EFI Boot Guard. The unified kernel image contains all device trees of the IOT2050 variants and selects the fitting one based on what U-Boot passed down as firmware DTB. So we preserve the ability to update kernel and DTB in lock-step. An initramfs is now generate with pairs the booted kernel with the associated rootfs and mounts the /etc overlay early. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The current expired already 2 years ago, and that will make some validators unhappy. Refresh, giving it a decade now. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for secure boot. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed when we use dm-verity for the rootfs. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This provides our custMpk key/cert for signing and validating artifacts in the upcoming secure boot setup. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Adopt the secure boot pattern of isar-cip-core by enabling dm-verity for the rootfs and activating signatures for the boot loader as well as the unified kernel image. Note that the persistent /var and /home partitions are not yet protected. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Many are backported from mainline, some still need upstreaming. None of them should have negative impact on the default non-secure configuration of the firmware. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This requires to build in the corresponding image certificate as static EFI vars into U-Boot, at least as long as we have no secure storage as alternative. Hardening is done via a config fragment that adjusts BOOTCOMMAND to only run bootefi while still respecting boot_targets. Note that not all U-Boot env variables can be protected. Specifically Ethernet MAC addresses remain in the unprotect env section and could be manipulated offline. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Let's better test the full-featured build here. Also, the secure image boots fine on a non-secured firmware. The non-secure option could be added as separate target if we see too many regressions for it. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
jan-kiszka
force-pushed
the
jan/uefi-secure-boot
branch
from
c204548
to
1ec3d8b
Compare
BaochengSu
approved these changes
May 20, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Not completely secure yet due to
Still requires addition work on the documentation front, both to update it and to describe in more details how to adopt and customize these patterns for product images.
@gylstorffq @stormc