Message ID | 20221120204711.5826-1-sven.schultschik@siemens.com (mailing list archive) |
---|---|
Headers | From: sven.schultschik@siemens.com; To: cip-dev@lists.cip-project.org; CC: jan.kiszka@siemens.com, Sven Schultschik <sven.schultschik@siemens.com>; Subject: [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB; Date: Sun, 20 Nov 2022 21:47:03 +0100; List-Id: <cip-dev.lists.cip-project.org> |
Series | Secureboot on QEMU with EDK2, OP-TEE and RPMB |
From: Sven Schultschik <sven.schultschik@siemens.com>

This series of patches will add recipes to build a QEMU setup which uses
OP-TEE to use RPMB (Replay protected memory) of an EMMC for a secure
storage, which is used within Secureboot on ARM64.

This secure boot solution works with a platform key (pk), a key exchange
key (kek) and a signature database (db). Therefore the ebg signer, secret
boot secrets and snakeoil keys are changed to this setup.

QEMU itself does not have an implementation of a virtual RPMB. Therefore
a patch for u-boot is needed which adds this feature to u-boot, but
breaks hardware compatibility within u-boot.

The virtual RPMB workaround is not persistent as well. Therefore a method
to copy the keys to the deploy folder, mount them into the qemu and
provision them on every boot is implemented.

As soon as QEMU has a native persistent RPMB support included, the u-boot
patch and the mounted keys can be removed.

Sven Schultschik (8):
  add recipe for edk2
  add recipe for optee qemu arm64
  Include optee into u-boot
  add u-boot patch for qemu to support RPMB
  add recipe for trusted firmware a qemu arm64
  change ebg sb signer and secrets to pk kek db
  enhance start-qemu.sh for arm64 secure boot
  Use of snakeoil keys for qemu use case

 kas/opt/ebg-secure-boot-snakeoil.yml | 1 +
 .../edk2/edk2-platformstandalonemmrpmb.inc | 56 +
 .../edk2-platformstandalonemmrpmb_202205.bb | 12 +
 recipes-bsp/edk2/files/rules.tmpl | 61 +
 .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 54 +
 .../trusted-firmware-a/files/rules.tmpl | 22 +
 .../trusted-firmware-a-qemu-arm64_2.7.0.bb | 62 +
 ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 9 +-
 recipes-bsp/u-boot/u-boot-qemu-common.inc | 9 +
 .../files/sign_secure_image.sh | 2 +-
 .../secure-boot-secrets/files/KEK.auth | Bin 0 -> 2066 bytes
 .../secure-boot-secrets/files/KEK.crt | 19 +
 .../secure-boot-secrets/files/KEK.esl | Bin 0 -> 839 bytes
 .../secure-boot-secrets/files/KEK.key | 28 +
 .../secure-boot-secrets/files/PK.auth | Bin 0 -> 2064 bytes
 .../secure-boot-secrets/files/PK.crt | 19 +
 .../secure-boot-secrets/files/PK.esl | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/PK.key | 28 +
 .../files/PkKek-1-snakeoil.key | 27 -
 .../files/PkKek-1-snakeoil.pem | 21 -
 .../secure-boot-secrets/files/db.auth | Bin 0 -> 2067 bytes
 .../secure-boot-secrets/files/db.crt | 19 +
 .../secure-boot-secrets/files/db.esl | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/db.key | 28 +
 .../secure-boot-secrets.inc | 59 +-
 .../secure-boot-snakeoil_0.1.bb | 5 +-
 start-qemu.sh | 20 +-
 28 files changed, 1873 insertions(+), 63 deletions(-)
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
 create mode 100755 recipes-bsp/edk2/files/rules.tmpl
 create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
 create mode 100755 recipes-bsp/trusted-firmware-a/files/rules.tmpl
 create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
 create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key
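
The series ships PK, KEK and db as `.esl` files, the EFI signature list container defined by the UEFI specification. The following parser for that layout is an added example, not code from the patch series; `parse_esl` and `build_esl` are hypothetical helper names, and the owner GUID and certificate bytes in the sample are constructed placeholders.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "EFI_CERT_X509_GUID",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "EFI_CERT_SHA256_GUID",
}
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
HDR = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return one dict per EFI_SIGNATURE_LIST in blob; ValueError if malformed."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of bounds")
        body = list_size - HDR.size - hdr_size
        # Each entry is a 16-byte owner GUID followed by the signature data.
        if sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("SignatureSize inconsistent with list size")
        guid = uuid.UUID(bytes_le=raw_type)
        entries = []
        pos = off + HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append({"type": SIG_TYPES.get(guid, str(guid)), "entries": entries})
        off += list_size
    return lists


def build_esl(sig_type, owner, data):
    """Build a single-entry list (used only for the constructed sample)."""
    sig_size = 16 + len(data)
    header = HDR.pack(sig_type.bytes_le, HDR.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + data


# Constructed sample: placeholder bytes stand in for a DER certificate.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE = build_esl(X509, OWNER, b"\x30" * 793)

if __name__ == "__main__":
    for lst in parse_esl(SAMPLE):
        print(lst["type"], [(str(o), len(d)) for o, d in lst["entries"]])
```

The fixed overhead of a single-entry list is 44 bytes (28-byte header plus 16-byte owner GUID), so the constructed 793-byte payload yields an 837-byte file.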