diff mbox series

[isar-cip-core,7/7] Use of snakeoil keys for qemu use case

Message ID 20221123152906.75323-8-sven.schultschik@siemens.com (mailing list archive)
State Deferred
Headers show
Series Secureboot on QEMU with EDK2, OP-TEE and RPMB | expand

Commit Message

Schultschik, Sven Nov. 23, 2022, 3:29 p.m. UTC 
From: Sven Schultschik <sven.schultschik@siemens.com>

The snakeoil keys are copied to the deploy folder if machine is qemu-arm64. The RPMB qemu workaround is not persistent and for that the keys need to be provisioned on every boot of quemu. Therefor the keys are copied to the deploy folder, mounted into the qemu as virtual memory and the boot command automatically loads them on every boot.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |  4 ++++
 .../secure-boot-secrets.inc                   | 19 +++++++++++++++++++
 start-qemu.sh                                 |  3 ++-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 6e7158b..36e4dbd 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -18,6 +18,10 @@  SRC_URI_append_secureboot = " \
 
 DEPENDS_append_secureboot = " optee-os-${MACHINE}"
 
+do_prepare_build_append_secureboot() {
+    sed -i 's/CONFIG_BOOTCOMMAND="/CONFIG_BOOTCOMMAND="fatload virtio 1:1 40000000 db\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize db; /g' ${S}/configs/${U_BOOT_CONFIG}
+}
+
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_deploy() {
     dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
index f53435a..196d798 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -32,3 +32,22 @@  do_install() {
 do_prepare_build_append() {
     echo "Provides: secure-boot-secrets" >> ${S}/debian/control
 }
+
+do_build_append() {
+    if [ "${MACHINE}" = "qemu-arm64" ]; then
+        cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc "${WORKDIR}/${SB_CERT}" "${WORKDIR}/secure-boot.esl"
+        sign-efi-sig-list -c "${WORKDIR}/${SB_CERT}" -k "${WORKDIR}/${SB_KEY}" db "${WORKDIR}/secure-boot.esl" "${WORKDIR}/db.auth"
+    fi
+}
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+    if [ "${MACHINE}" = "qemu-arm64" ]; then
+        DTARGET=${DEPLOY_DIR_IMAGE}/keys
+        mkdir -p ${DTARGET}
+       
+        cp ${WORKDIR}/db.auth ${DTARGET}/db.auth
+    fi
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb
\ No newline at end of file
diff --git a/start-qemu.sh b/start-qemu.sh
index 5617a2a..f29b57d 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -183,7 +183,8 @@  if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 			${QEMU_PATH}${QEMU} \
 				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 				-bios ${u_boot_bin} \
-				${QEMU_COMMON_OPTIONS} "$@"
+				${QEMU_COMMON_OPTIONS} "$@" \
+				-hdb fat:rw:./build/tmp/deploy/images/qemu-${QEMU_ARCH}/keys
 			;;
 		*)
 			echo "Unsupported architecture: ${arch}"