diff mbox series

[isar-cip-core,8/8] Use of snakeoil keys for qemu use case

Message ID 20221120204711.5826-9-sven.schultschik@siemens.com (mailing list archive)
State Handled Elsewhere
Headers show
Series Secureboot on QEMU with EDK2, OP-TEE and RPMB | expand

Commit Message

Schultschik, Sven Nov. 20, 2022, 8:47 p.m. UTC 
From: Sven Schultschik <sven.schultschik@siemens.com>

The snakeoil keys are copied to the deploy folder if machine is qemu-arm64. The RPMB qemu workaround is not persistent and for that the keys need to be provisioned on every boot of quemu. Therefor the keys are copied to the deploy folder, mounted into the qemu as virtual memory and the boot command automatically loads them on every boot.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |  4 ++++
 .../secure-boot-secrets.inc                   | 22 +++++++++++++++++++
 start-qemu.sh                                 |  3 ++-
 3 files changed, 28 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 6e7158b..51dabac 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -18,6 +18,10 @@  SRC_URI_append_secureboot = " \
 
 DEPENDS_append_secureboot = " optee-os-${MACHINE}"
 
+do_prepare_build_append_secureboot() {
+    sed -i 's/CONFIG_BOOTCOMMAND="/CONFIG_BOOTCOMMAND="fatload virtio 1:1 40000000 PK\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize PK; fatload virtio 1:1 40000000 KEK\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize KEK; fatload virtio 1:1 40000000 db\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize db; /g' ${S}/configs/${U_BOOT_CONFIG}
+}
+
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_deploy() {
     dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
index 2a30f1e..0fcde72 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -53,3 +53,25 @@  do_install() {
 do_prepare_build_append() {
     echo "Provides: secure-boot-secrets" >> ${S}/debian/control
 }
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+    if [ "${MACHINE}" = "qemu-arm64" ]; then
+        DTARGET=${DEPLOY_DIR_IMAGE}/keys
+        mkdir -p ${DTARGET}
+        cp ${WORKDIR}/${SB_PK}.auth ${DTARGET}/PK.auth
+        cp ${WORKDIR}/${SB_PK}.crt ${DTARGET}/PK.crt
+        cp ${WORKDIR}/${SB_PK}.esl ${DTARGET}/PK.esl
+        cp ${WORKDIR}/${SB_PK}.key ${DTARGET}/PK.key
+        cp ${WORKDIR}/${SB_KEK}.auth ${DTARGET}/KEK.auth
+        cp ${WORKDIR}/${SB_KEK}.crt ${DTARGET}/KEK.crt
+        cp ${WORKDIR}/${SB_KEK}.esl ${DTARGET}/KEK.esl
+        cp ${WORKDIR}/${SB_KEK}.key ${DTARGET}/KEK.key
+        cp ${WORKDIR}/${SB_DB}.auth ${DTARGET}/db.auth
+        cp ${WORKDIR}/${SB_DB}.crt ${DTARGET}/db.crt
+        cp ${WORKDIR}/${SB_DB}.esl ${DTARGET}/db.esl
+        cp ${WORKDIR}/${SB_DB}.key ${DTARGET}/db.key
+    fi
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb
\ No newline at end of file
diff --git a/start-qemu.sh b/start-qemu.sh
index 5617a2a..f29b57d 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -183,7 +183,8 @@  if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 			${QEMU_PATH}${QEMU} \
 				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 				-bios ${u_boot_bin} \
-				${QEMU_COMMON_OPTIONS} "$@"
+				${QEMU_COMMON_OPTIONS} "$@" \
+				-hdb fat:rw:./build/tmp/deploy/images/qemu-${QEMU_ARCH}/keys
 			;;
 		*)
 			echo "Unsupported architecture: ${arch}"