-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hwio 2024 fixes #7
base: main
Are you sure you want to change the base?
Conversation
pietrushnic
commented
Oct 15, 2024
•
edited
Loading
edited
To set the GROUP_ID for the coreboot user one has to pass two variables to docker environment: GROUP and GROUP_ID. Most likely it was a copy-pasta error, which can be fixed by using GROUP_ID in the IF condition. Signed-off-by: Michał Żygowski <[email protected]>
Remove unneded entrypoint and switch back default user in container to coreboot. Cleanup any source code directories after installing compiled binaries. Signed-off-by: Piotr Król <[email protected]>
Signed-off-by: Piotr Król <[email protected]>
This arv_root key still causing some problems? Unbelievable, even vboot itself cannot generate it properly? |
We also may change the coreboot version from which cbfstool and smmstoretool is built to 24.08. The latter tool is already there in tree. Keeping some random hash does not look good. Or, keep this hash just for the smmstoretool. Then clone coreboot separately to 24.02 and build cbfstool and vboot from it. |
I ignored that; is this something to be concerned about? I never saw those scripts correctly running, so I can't say how bad it is. Also, I probably didn't see in the documentation what the correct output is. Generated keys worked for the process, but there were more warnings like that. https://paste.dasharo.com/?eb1d2a8b2f6b9aed#4WPkBNCTFmZVUvvDShHKohdnK7Ri8JPwvrqYueFs54xd
We have a long-term plan for a fully boostable toolchain for coreboot, and things will move forward (posting stuff on the relevant channels on the matrix). My main concern is whether I need more time to hack the solution if the issues are not critical. Switching the container to 24.08 for cbfstool and smmstoretool is easy. My primary inquiry with this PR is: why does our vboot behave differently (installing |
It must work to get the vboot signing or key generation script to work IIRC |
i already said that we should use upstream now. As to why there is no |
Signed-off-by: Piotr Król <[email protected]>
Signed-off-by: Piotr Król <[email protected]>
Signed-off-by: Piotr Król <[email protected]>
One thing started to work: TL;DR (...)
Firmware Preamble:
Size: 1688
Header version: 2.1
Firmware version: 1
Kernel key algorithm: 7 RSA4096 SHA256
Kernel key version: 1
Kernel key sha1sum: e41246691ba7980a1b004231d68da9dd91809b7a
Firmware body size: 0
Preamble flags: 0
Body metadata hash: SHA256 cf1128770ba7e9c2abba12abda4d368dbc4d2c54596ed9a868188635133d4879
Body metadata hash valid!
Body verification succeeded. Unfortunately, while generating keys vboot, I still see the same errors despite everything being built from the same code. Do you have any other ideas on how to make vboot happy? user@OST2-VM:~/training_materials/src/dasharo-tools$ ./vboot/generate_keys new_keys
creating arv_root keypair (version = 1)...
vb2_read_packed_keyb() - wrong key size 3272 for algorithm 7
No version file found. Creating default key.versions.
creating root_key keypair (version = 1)...
vb2_read_packed_keyb() - wrong key size 6392 for algorithm 11
creating firmware_data_key keypair (version = 1)...
vb2_read_packed_keyb() - wrong key size 3272 for algorithm 7
creating kernel_subkey keypair (version = 1)...
vb2_read_packed_keyb() - wrong key size 3268 for algorithm 7
creating kernel_data_key keypair (version = 1)...
vb2_read_packed_keyb() - wrong key size 1704 for algorithm 4
creating recovery_key keypair (version = 1)...
(...) |
Main question is if the signing works and one can boot the platform in normal mode (no recovery). If yes, then those warning can be probably ignored. It may be some bug in vboot. Also could you try |
I will test that and get back with results.
dasharo-sdk is the base for dasharo-tools; I'm using those because those were instructions I got; the whole topic of fixing dasharo-sdk came from the issue that I already have coreboot-sdk and needed dasharo-sdk, which added 7GB to my hwio2024 VM image size. From what I understand now, I need no dasharo-tools. I can use scripts directly in dasharo-sdk, but dasharo-tools OTOH are handy; there is just one command that signs everything. I already have quite a lot of copy and paste. Adding more will slow down training progress and potentially lead to more errors. Wrappers are good, especially if they are available publicly, like in the case of dasharo-tools. There is a need for balance between going too deep in the guts or wrapping everything. I will try a direct call to see if this gives any better results. |
I agree. However, when debugging issues, wrappers may obfuscate some hidden problems, thus I asked to use the vboot script directly |
I think we should proceed with merging and tagging the container with a new version. There are improvements worth merging |
@macpijan I would like to use this code for PC Engines build and get rid of pce-fw-builder. Do you see any issues with merging this branch? |