@saininav

This bbclass allows enabling secure boot out of the box.

In secureboot flow:
-> UEFI firmware verifies GRUB
-> GRUB verifies ACRN, Service VM kernel
-> Service VM OS kernel verifies the Device Model (acrn-dm) and User VM OVMF bootloader (with the help of acrn-dm)

This bbclass:
Generate sample grub.cfg
Generate initial grub configuration grub.init.cfg
Generate gpg secure keys
Sign acrn.bin, grub.init.cfg, grub.cfg and bzImage with gpg private key
Build standalone grub efi having all necessary modules, signed grub.init.cfg and public gpg key
Sign grub bootx64.efi with UEFI secure key (db.key) and Certificate (db.crt)
Verify signed grub bootx64.efi image

Preliminary requirements for signing in local.conf:
(1) INHERIT += "acrn-sign"
(2) Set UEFI keys path to PREGENERATED_ACRN_SIGNING_KEY_DIR variable having db.key and db.crt
(3) Install signed files to boot partition
IMAGE_EFI_BOOT_FILES_append_pn-acrn-image-base = "
acrn.bin.sig
bzImage.sig
grub.cfg;EFI/BOOT/grub.cfg
grub.cfg.sig;EFI/BOOT/grub.cfg.sig
grub-efi-bootx64.efi;EFI/BOOT/bootx64.efi
"
(4) Set manually generated UUIDs for boot and root partitions
BOOT_PARTITION_FSUUID = "56F8DCBA" (No dash)
DISK_SIGNATURE_UUID = "ada6f5b6-944a-4589-ae3a-592a56563ef5"

(5) Set WKS_FILE
WKS_FILE_pn-acrn-image-base = "acrn-bootdisk-static-uuid.wks.in"

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>

This allows the secure boot to work well out of the box

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>

This bbclass allows enabling secure boot out of the box.

In secureboot flow:
-> UEFI firmware verifies GRUB
-> GRUB verifies ACRN, Service VM kernel
-> Service VM OS kernel verifies the Device Model (acrn-dm) and User VM OVMF bootloader (with the help of acrn-dm)

This bbclass:
   Generate sample grub.cfg
   Generate initial grub configuration grub.init.cfg
   Generate gpg secure keys
   Sign acrn.bin, grub.init.cfg, grub.cfg and bzImage with gpg private key
   Build standalone grub efi having all necessary modules, signed grub.init.cfg and public gpg key
   Sign grub bootx64.efi with UEFI secure key (db.key) and Certificate (db.crt)
   Verify signed grub bootx64.efi image

Preliminary requirements for signing in local.conf:
(1) INHERIT += "acrn-sign"
(2) Set UEFI keys path to PREGENERATED_ACRN_SIGNING_KEY_DIR variable having db.key and db.crt
(3) Install signed files to boot partition
IMAGE_EFI_BOOT_FILES_append_pn-acrn-image-base = "\
	 acrn.bin.sig \
	 bzImage.sig \
	 grub.cfg;EFI/BOOT/grub.cfg \
	 grub.cfg.sig;EFI/BOOT/grub.cfg.sig \
	 grub-efi-bootx64.efi;EFI/BOOT/bootx64.efi \
"
(4) Set manually generated UUIDs for boot and root partitions
BOOT_PARTITION_FSUUID = "56F8DCBA" (No dash)
DISK_SIGNATURE_UUID = "ada6f5b6-944a-4589-ae3a-592a56563ef5"

(5) Set WKS_FILE
WKS_FILE_pn-acrn-image-base = "acrn-bootdisk-static-uuid.wks.in"

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
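
A lint for the boot file list in step (3), as an added example that is not part of this pull request or of the acrn-sign class: when GRUB enforces GPG signatures it looks for a detached `<name>.sig` at the same path as each file it loads, while the EFI binary carries an embedded signature that the UEFI firmware checks. `BASE_FILES`, `destinations` and `lint` are names made up here, and the base image installing `acrn.bin` and `bzImage` to the partition root is an assumption.

```python
# Added example (not from the PR): lint an IMAGE_EFI_BOOT_FILES value for
# files GRUB would load without a detached signature beside them.
import posixpath

# Assumption: the base image already installs acrn.bin and bzImage to the
# root of the boot partition; the PR text only lists the appended entries.
BASE_FILES = "acrn.bin bzImage"
# Appended entries, copied from the PR description.
APPENDED = """
    acrn.bin.sig
    bzImage.sig
    grub.cfg;EFI/BOOT/grub.cfg
    grub.cfg.sig;EFI/BOOT/grub.cfg.sig
    grub-efi-bootx64.efi;EFI/BOOT/bootx64.efi
"""


def destinations(value):
    """Map each 'src' or 'src;dst' entry to its path on the boot partition."""
    dests = set()
    # Backslashes are BitBake line continuations, not part of any entry.
    for entry in value.replace("\\", " ").split():
        src, _, dst = entry.partition(";")
        dests.add(posixpath.normpath(dst or src))
    return dests


def lint(value):
    """Return (unsigned, orphan_sigs) for the given boot file list."""
    dests = destinations(value)
    sigs = {d for d in dests if d.endswith(".sig")}
    # EFI binaries carry an embedded signature checked by UEFI firmware,
    # so only the remaining files need a GPG '<name>.sig' sibling for GRUB.
    payloads = {d for d in dests - sigs if not d.lower().endswith(".efi")}
    unsigned = sorted(p for p in payloads if p + ".sig" not in sigs)
    orphans = sorted(s for s in sigs if s[:-4] not in payloads)
    return unsigned, orphans


if __name__ == "__main__":
    print(lint(BASE_FILES + APPENDED))
    # Constructed failure case: signature installed to a different directory.
    print(lint("grub.cfg;EFI/BOOT/grub.cfg grub.cfg.sig"))
```

An entry in the first list is a file GRUB would refuse to load under enforcement; an entry in the second is a signature installed where no matching file lands, which usually means a mismatched destination path.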