add readme

Earthfile

@@ -33,7 +33,7 @@ ARG ISO_NAME=installer
 ARG K8S_DISTRIBUTION
 ARG CUSTOM_TAG
 ARG CLUSTERCONFIG
-ARG EDGE_CUSTOM_CONFIG=edge_custom_config.yaml
+ARG EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
 ARG ARCH
 ARG DISABLE_SELINUX=true
 ARG CIS_HARDENING=true

README.md

@@ -138,6 +138,7 @@ cp .arg.template .arg
 | UKI_BRING_YOUR_OWN_KEYS     | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair.                                                                                                                                                                                                                                  | boolean | `false`                  |
 | INCLUDE_MS_SECUREBOOT_KEYS  | Include Microsoft 3rd Party UEFI CA certificate in generated keys                                                                                                                                                                                                                                                                              | boolean | `true`                   |
 | AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot                                                                                                                                                                                                                                                           | boolean | `true`                   |
+| EDGE_CUSTOM_CONFIG | Path to edge custom configuration file                                                                                                                                                                                                                                                            | string | `.edge-custom-config.yaml`                   |
 
 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy).
 
@@ -322,3 +323,61 @@ cp spectro-luet-auth.yaml.template spectro-luet-auth.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+
+### Prepare keys for Trusted Boot
+
+1. In .arg, we have these options to configure the key generation for Trusted Boot.
+
+```
+UKI_BRING_YOUR_OWN_KEYS=false # set to true if you want to to use your own public/private key pairs to generate SecureBoot keys
+INCLUDE_MS_SECUREBOOT_KEYS=true # if you want to include Microsoft 3rd Party UEFI CA certificate in generated keys
+```
+
+2. Copy required keys into secure-boot directory. It should look like this:
+
+```shell
+secure-boot/
+|   enrollment
+|   exported-keys <-- keys exported from hardware
+|   |   db
+|   |   KEK
+|   private-keys <-- Will be used if UKI_BRING_YOUR_OWN_KEYS=true, otherwise CanvOS will generate the keys
+|   |   db.key
+|   |   KEK.key
+|   |   PK.key
+|   |   tpm2-pcr-private.pem
+|   public-keys <-- Will be used if UKI_BRING_YOUR_OWN_KEYS=true, otherwise CanvOS will generate the keys
+|   |   db.pem
+|   |   KEK.pem
+|   |   PK.pem
+```
+
+3. Generate keys for Trusted Boot
+
+```shell
+./earthly.sh +uki-genkey --MY_ORG="ACME Corp" --EXPIRATION_IN_DAYS=5475
+```
+
+### Building Installer Image with public key for verifying signed content
+
+1. Copy the .edge.custom-config.yaml.template file to .edge.custom-config.yaml 
+
+```shell
+cp .edge.custom-config.yaml.template .edge.custom-config.yaml
+```
+
+2. Edit the property signing.publicKey in `.edge.custom-config.yaml`
+
+3. Include the following property in `.arg` file
+```
+...
+
+EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml
+```
+
+4. Build the image using earthly installed on the host
+
+```shell
+earthly --push +build-all-images
+```