Message ID | 20221024122725.383791-9-sven.schultschik@siemens.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | Secureboot on QEMU with EDK2, OP-TEE and RPBM |
On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@siemens.com wrote: > From: Sven Schultschik <sven.schultschik@siemens.com> > > This patch is not meant for merge but shows how to generally test the implementation of the optee and rpmb driven secure boot qemu setup. > > Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com> > --- > README.md | 65 ++++++++++++++++++ > keys/helloworld.efi | Bin 0 -> 4576 bytes > recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 2 +- > start-qemu.sh | 3 +- > 4 files changed, 68 insertions(+), 2 deletions(-) > create mode 100644 keys/helloworld.efi > > diff --git a/README.md b/README.md > index e30ff3a63..6aa3f7d19 100644 > --- a/README.md > +++ b/README.md 
> @@ -55,6 +55,71 @@ or via bmap-tools > > > > > bmaptool copy build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img /dev/<medium-device> > > > > > +## Running Secure Boot Target Images and test it > +Create a folder named `keys` if not exist and within this folder create the signing keys and db > + > +```bash > +#PK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl > +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth > + > +# KEK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl > +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth > + > +# db > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_db/ -keyout db.key -out db.crt -nodes -days 365 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl > +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth > +``` > + > +Put an bootable `.efi` file in it or use the `helloworld.efi` provided and sign it. > + > +``` > +sbsign --key db.key --cert db.crt helloworld.efi > +``` > + > +The `start-qemu.sh` has additional `-hdb fat:rw:keys` added with this patch to mount the `keys` folder. > + > +Start the qemu with following command > + > +``` > +FIRMWARE_BIN=./build/tmp/deploy/images/qemu-arm64/flash.bin ./start-qemu.sh aarch64 > +``` > + > +In this test patch there is as well the possibility added to stop in the u-boot. So if you see a 5 sec timer ticking press Enter to stop. 
> + > +Now add the keys to the environment my typing > + > +``` > +fatload virtio 1:1 40000000 PK.auth > +setenv -e -nv -bs -rt -at -i 40000000:$filesize PK > +fatload virtio 1:1 40000000 KEK.auth > +setenv -e -nv -bs -rt -at -i 40000000:$filesize KEK > +fatload virtio 1:1 40000000 db.auth > +setenv -e -nv -bs -rt -at -i 40000000:$filesize db > +``` > +> The address 40000000 depends on your DRAM setup. You can check with `bdinfo` > + > +> $filesize is set by fatload > + > +### Boot signed efi binary > + > +``` > +fatload virtio 1:1 40000000 helloworld.efi.signed > + > +bootefi 40000000 ${fdtcontroladdr} > +``` > + > +### Try same binary but unsigned > +This should fail with `Image not authenticated. Loading image failed` > +``` > +fatload virtio 1:1 40000000 helloworld.efi > + > +bootefi 40000000 ${fdtcontroladdr} > +``` > > > > > ## Community Resources 
> > > > > diff --git a/keys/helloworld.efi b/keys/helloworld.efi > new file mode 100644 > index 0000000000000000000000000000000000000000..c021d94ae576271f1f472bd2e5f380ed1830a2ff > GIT binary patch > literal 4576 > zcmeHKYfKbZ6h1SvJSx^Kg7`w6;o+lE>w`Af8X2%q+e(Xoefa|rRv{uFPz#|cL$D1A > ziD9CqO=~TtHE}mhYK@xOmxv~9Q<GY>r2V(h{ve?bDWy6pZoe~omt7WOn<n)acQbqL > zJ@-4`{m!{}c4l*5r2o`1^K;8|MCN4^m3icG9Gx^nj*;c~rPG4$O%f4bfu^Dp9T<ez > znwTIiBs>H$u^Tzj^^cyFwXVwQ(!0ZSa%QcpcQw=l#<{TmfDMgQDbG9F^o4s=A=4Wr > zxr;}9PCz>}eVMsHqJzamr@c{`?q`V(jy824?^23-8E<1c5>1X9E|A=Di1||?Pq8Q4 > zk{!CGQ%0|`MnBsnQCiDF-D;8OROlS{nPa#h)2$6GGMSs>t|_vI<VC%Kc`bT@$^K!V > zZ}w=@=eAB>FCMWYaby`1oi+ql92q^D?#J``UM0@M{3CI?HQIE+)}9P5nT&i5S1~Zd > z(5woMwUW`pn&Rl%A6i?G=Qpg)YxIHdP}T}tkDZ@bm-Pp7?u^teDMhz<ZB_7h-SV9Z > zXw*(D9K-%#=k)QooDP70WSi_Bfv)SNird=daNnwnaI33ytN3+ttEz4po(Q{knh{)= > zB8_|*S64)5tyh_`tazGk^*7O31$j!*`dRfAXMwh!W)jIU-k+$kZ<rc&2gMS687Z`9 > zAc_icq|*8a{c}<@rD<Ih%eXP^q?$J`NG9)fL-!IpkGbg2-$>@VcGaAX`UmRLr_A#N > zYBCldQm4bn(}+Q>(sauwOM@32RA@x$)?V=Tw@T*uZZeh4T*q0Sz&>?G(<wti4A#_Y > zlE&(I5L~=B$h8N1+hbr49F_i9BlH|>%W_{Y-H4h#hMH!(N1MK~&xE#=w)89X0M{oO > z_4)++;`^N%yI~U)qo+@q<Dqoj`s>w%w`JMrAxda(#{JMq^pO8t%njyhYnkt{anZWP > zag476zDwY3{i-&m-$0DiN@jS>j_{bv!I<ljWPS*J-nF`w=<~h7wd;RRG9~1%bm~@@ > zESZ72VclTeI+E>mPl{NY4lM5RvAPbV*z+FDw=gI6F&X=CJ}bz_Sl-(M;I(r(o@yQe > z-tG@9Hu((nwdT0vp^NV?8ukVGpZA{|#(1N0+~m})X#%$&9GZ$ca1OW}xKfRx8^@q8 > zlN668(`kaQODXC-r_vDa+ro1x!Y0yC2~lAZ@%=5gYdV=j;7h@H6gC<57HkpGP}v;) > zCVr0!@w;~NSNJk<e`HK|4jn~&HgFhQ8d3Yva`i?QDee16`Q}~3UAp5d^a8Ir=sVU{ > zM2<mT6Pog)h~ky<vh;lpGE-rjDPkA-e1*jn@f7P_MAG0gnF<}O4OhRCWS`eka5a-W > z$hoAJm!`i~o}A7)Q_y#yk9m{lTfoIUT$kIJ{{<KKi%1#Fga)3I1fJu0%-3eBrV=V6 > z6}E=zsRFi&>gW-82seL~J$BKCu+ja*Pq2-Mt+Fxoz?a(Cz2u@=FsWd5(Oxi?!m3~| > zfwvsJdf@omMGg3#jA;iLTq3F(=t|&sW4s&vT51$Ao8YO$r<#^y{$+cv602%rKA&E) > z)m7koClH*ON?R$La_9;4@YI7Q)*G(1Uaare7DQzt<2*Zd4XvbAh^q&~c4%;oX$mkF > zP%dQw`wSIKf*W5suD#1v$Jy|Hxa>WtK*lA|?yp}h=D2oT=gLXz7UcPNwdY-#j5Qa# > 
zR)<fZa^u;`p{WY`f?3}kAKdvJP+mKs+7tP*fa6@p?~DIT=0Fv%96V8eKhgKvnU4++ > z9m{Nu`El0r3XgZsKzZBH&sSnUOCsaT^=&PySG+UWw&F_cTM5*$B;$PU(be;}Z9mi# > zyFY_Ezpki#RNb(zeN9XLrjAQn=RN&obD~-G+<h6lF~80~@5G4-Z4NQGtol16cYM{{ > ztI_=92)`jnwcFUcoFEFk1AZ%Tcs;b+9AOs<JN^w+IPam!3kbc3YfddSRe`ArOjY3j > zsK8E;&LoKv@lwVu@H_q{`cC-6TQMArCxK5CfKOqaq!9nF4{eWQ!1$};0r0+<d{Fos > z#DgGB_;uLHcntWNM-9_?QQ*}usYh(TMB%^JTLjMsV%<E9x#2&u&3{esT(!MKi-rH9 > zc<?wC|HK&>)|nTU@58n~ObmSNVf_tassUqecwYz4kS|>43-B}kw$K^amlHN#p;ck) > F{tfI&1hD`B > > literal 0 > HcmV?d00001 > > diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > index 8e6428238..63d73f70a 100644 > --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > @@ -1,5 +1,5 @@ > ### Secure boot config > -CONFIG_BOOTDELAY=-2 > +CONFIG_BOOTDELAY=5 > CONFIG_USE_BOOTCOMMAND=y > CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" > CONFIG_EFI_VARIABLES_PRESEED=y CONFIG_EFI_VARIABLES_PRESEED should set to N in the previous patch. > diff --git a/start-qemu.sh b/start-qemu.sh > index 18946a6c9..ac73d8d3b 100755 > --- a/start-qemu.sh > +++ b/start-qemu.sh > @@ -179,7 +179,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > ${QEMU_PATH}${QEMU} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > -bios ${u_boot_bin} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} "$@" \ > + -hdb fat:rw:keys > ;; > *) > echo "Unsupported architecture: ${arch}"
> -----Original Message----- > From: Su, Bao Cheng (DI FA CTR IPC CN PRC4) <baocheng.su@siemens.com> > Sent: Tuesday, 25 October 2022 10:37 > To: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip- > dev@lists.cip-project.org > Cc: Kiszka, Jan (T CED) <jan.kiszka@siemens.com> > Subject: Re: [isar-cip-core][PATCH 8/8] no merge - manually instructions test > secure boot > > On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@siemens.com wrote: > > From: Sven Schultschik <sven.schultschik@siemens.com> > > > > diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > > b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > > index 8e6428238..63d73f70a 100644 > > --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > > +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl > > @@ -1,5 +1,5 @@ > > ### Secure boot config > > -CONFIG_BOOTDELAY=-2 > > +CONFIG_BOOTDELAY=5 > > CONFIG_USE_BOOTCOMMAND=y > > CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} > ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load > ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} > efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; > run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" > > CONFIG_EFI_VARIABLES_PRESEED=y > > CONFIG_EFI_VARIABLES_PRESEED should set to N in the previous patch.

I didn't change this variable. It is the secure-boot.cfg.tmpl currently on the next branch. For testing purposes you only need the bootdelay to have the chance to jump into U-Boot.
diff --git a/README.md b/README.md index e30ff3a63..6aa3f7d19 100644 --- a/README.md +++ b/README.md 
@@ -55,6 +55,71 @@ or via bmap-tools bmaptool copy build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img /dev/<medium-device> +## Running Secure Boot Target Images and test it +Create a folder named `keys` if not exist and within this folder create the signing keys and db + +```bash +#PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +# KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +# db +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_db/ -keyout db.key -out db.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth +``` + +Put an bootable `.efi` file in it or use the `helloworld.efi` provided and sign it. + +``` +sbsign --key db.key --cert db.crt helloworld.efi +``` + +The `start-qemu.sh` has additional `-hdb fat:rw:keys` added with this patch to mount the `keys` folder. + +Start the qemu with following command + +``` +FIRMWARE_BIN=./build/tmp/deploy/images/qemu-arm64/flash.bin ./start-qemu.sh aarch64 +``` + +In this test patch there is as well the possibility added to stop in the u-boot. So if you see a 5 sec timer ticking press Enter to stop. + +Now add the keys to the environment my typing + +``` +fatload virtio 1:1 40000000 PK.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize PK +fatload virtio 1:1 40000000 KEK.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize KEK +fatload virtio 1:1 40000000 db.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize db +``` +> The address 40000000 depends on your DRAM setup. 
You can check with `bdinfo` + +> $filesize is set by fatload + +### Boot signed efi binary + +``` +fatload virtio 1:1 40000000 helloworld.efi.signed + +bootefi 40000000 ${fdtcontroladdr} +``` + +### Try same binary but unsigned +This should fail with `Image not authenticated. Loading image failed` +``` +fatload virtio 1:1 40000000 helloworld.efi + +bootefi 40000000 ${fdtcontroladdr} +``` ## Community Resources 
diff --git a/keys/helloworld.efi b/keys/helloworld.efi new file mode 100644 index 0000000000000000000000000000000000000000..c021d94ae576271f1f472bd2e5f380ed1830a2ff GIT binary patch literal 4576 zcmeHKYfKbZ6h1SvJSx^Kg7`w6;o+lE>w`Af8X2%q+e(Xoefa|rRv{uFPz#|cL$D1A ziD9CqO=~TtHE}mhYK@xOmxv~9Q<GY>r2V(h{ve?bDWy6pZoe~omt7WOn<n)acQbqL zJ@-4`{m!{}c4l*5r2o`1^K;8|MCN4^m3icG9Gx^nj*;c~rPG4$O%f4bfu^Dp9T<ez znwTIiBs>H$u^Tzj^^cyFwXVwQ(!0ZSa%QcpcQw=l#<{TmfDMgQDbG9F^o4s=A=4Wr zxr;}9PCz>}eVMsHqJzamr@c{`?q`V(jy824?^23-8E<1c5>1X9E|A=Di1||?Pq8Q4 zk{!CGQ%0|`MnBsnQCiDF-D;8OROlS{nPa#h)2$6GGMSs>t|_vI<VC%Kc`bT@$^K!V zZ}w=@=eAB>FCMWYaby`1oi+ql92q^D?#J``UM0@M{3CI?HQIE+)}9P5nT&i5S1~Zd z(5woMwUW`pn&Rl%A6i?G=Qpg)YxIHdP}T}tkDZ@bm-Pp7?u^teDMhz<ZB_7h-SV9Z zXw*(D9K-%#=k)QooDP70WSi_Bfv)SNird=daNnwnaI33ytN3+ttEz4po(Q{knh{)= zB8_|*S64)5tyh_`tazGk^*7O31$j!*`dRfAXMwh!W)jIU-k+$kZ<rc&2gMS687Z`9 zAc_icq|*8a{c}<@rD<Ih%eXP^q?$J`NG9)fL-!IpkGbg2-$>@VcGaAX`UmRLr_A#N zYBCldQm4bn(}+Q>(sauwOM@32RA@x$)?V=Tw@T*uZZeh4T*q0Sz&>?G(<wti4A#_Y zlE&(I5L~=B$h8N1+hbr49F_i9BlH|>%W_{Y-H4h#hMH!(N1MK~&xE#=w)89X0M{oO z_4)++;`^N%yI~U)qo+@q<Dqoj`s>w%w`JMrAxda(#{JMq^pO8t%njyhYnkt{anZWP zag476zDwY3{i-&m-$0DiN@jS>j_{bv!I<ljWPS*J-nF`w=<~h7wd;RRG9~1%bm~@@ zESZ72VclTeI+E>mPl{NY4lM5RvAPbV*z+FDw=gI6F&X=CJ}bz_Sl-(M;I(r(o@yQe z-tG@9Hu((nwdT0vp^NV?8ukVGpZA{|#(1N0+~m})X#%$&9GZ$ca1OW}xKfRx8^@q8 zlN668(`kaQODXC-r_vDa+ro1x!Y0yC2~lAZ@%=5gYdV=j;7h@H6gC<57HkpGP}v;) zCVr0!@w;~NSNJk<e`HK|4jn~&HgFhQ8d3Yva`i?QDee16`Q}~3UAp5d^a8Ir=sVU{ zM2<mT6Pog)h~ky<vh;lpGE-rjDPkA-e1*jn@f7P_MAG0gnF<}O4OhRCWS`eka5a-W z$hoAJm!`i~o}A7)Q_y#yk9m{lTfoIUT$kIJ{{<KKi%1#Fga)3I1fJu0%-3eBrV=V6 z6}E=zsRFi&>gW-82seL~J$BKCu+ja*Pq2-Mt+Fxoz?a(Cz2u@=FsWd5(Oxi?!m3~| zfwvsJdf@omMGg3#jA;iLTq3F(=t|&sW4s&vT51$Ao8YO$r<#^y{$+cv602%rKA&E) z)m7koClH*ON?R$La_9;4@YI7Q)*G(1Uaare7DQzt<2*Zd4XvbAh^q&~c4%;oX$mkF zP%dQw`wSIKf*W5suD#1v$Jy|Hxa>WtK*lA|?yp}h=D2oT=gLXz7UcPNwdY-#j5Qa# zR)<fZa^u;`p{WY`f?3}kAKdvJP+mKs+7tP*fa6@p?~DIT=0Fv%96V8eKhgKvnU4++ 
z9m{Nu`El0r3XgZsKzZBH&sSnUOCsaT^=&PySG+UWw&F_cTM5*$B;$PU(be;}Z9mi# zyFY_Ezpki#RNb(zeN9XLrjAQn=RN&obD~-G+<h6lF~80~@5G4-Z4NQGtol16cYM{{ ztI_=92)`jnwcFUcoFEFk1AZ%Tcs;b+9AOs<JN^w+IPam!3kbc3YfddSRe`ArOjY3j zsK8E;&LoKv@lwVu@H_q{`cC-6TQMArCxK5CfKOqaq!9nF4{eWQ!1$};0r0+<d{Fos z#DgGB_;uLHcntWNM-9_?QQ*}usYh(TMB%^JTLjMsV%<E9x#2&u&3{esT(!MKi-rH9 zc<?wC|HK&>)|nTU@58n~ObmSNVf_tassUqecwYz4kS|>43-B}kw$K^amlHN#p;ck) F{tfI&1hD`B literal 0 HcmV?d00001 diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl index 8e6428238..63d73f70a 100644 --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl @@ -1,5 +1,5 @@ ### Secure boot config -CONFIG_BOOTDELAY=-2 +CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" CONFIG_EFI_VARIABLES_PRESEED=y diff --git a/start-qemu.sh b/start-qemu.sh index 18946a6c9..ac73d8d3b 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -179,7 +179,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} "$@" \ + -hdb fat:rw:keys ;; *) echo "Unsupported architecture: ${arch}"
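Review bot: in the README.md hunk the private signing keys are created inside `keys` (PK.key, KEK.key, db.key, all with `-nodes`, so unencrypted) and that same folder is what `start-qemu.sh` now exports to the guest with `-hdb fat:rw:keys`, so the guest gets read/write access to the key material. U-Boot only needs `PK.auth`, `KEK.auth`, `db.auth` and `helloworld.efi.signed`; suggest generating the keys in a separate directory and copying only the `.auth` files and the signed binary into `keys`, and saying so in the text. Wording in the same hunk: "Put an bootable `.efi` file" should read "a bootable", "add the keys to the environment my typing" should read "by typing", and "Create a folder named `keys` if not exist" should read "if it does not exist"; the first code block is fenced as ```bash while the U-Boot command blocks use a bare ```, so one fence style throughout would be cleaner.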
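Review bot: `keys/helloworld.efi` is committed as an opaque 4576-byte binary with no source, build recipe or statement of where it came from, so reviewers cannot check what it does and later diffs cannot show changes to it; please add the source or the build step that produces it (or at least note its origin in the README). It also lives in the same `keys` directory the README uses for freshly generated private keys, which makes it easy to `git add` the key files by accident; a `.gitignore` entry for `keys/*.key` (or keeping the sample binary in a separate directory) would avoid that.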
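Review bot: changing `CONFIG_BOOTDELAY=-2` to `CONFIG_BOOTDELAY=5` in `recipes-bsp/u-boot/files/secure-boot.cfg.tmpl` edits the shared secure-boot template rather than a test-only override; the cover text says the patch is not meant for merge, and that matters because an interactive U-Boot prompt lets an operator sidestep the `CONFIG_BOOTCOMMAND` path entirely, so the production config should keep -2. If the stop-in-U-Boot step is needed for the test recipe, suggest a separate test template or a build-time override of the delay instead of this hunk. The `CONFIG_EFI_VARIABLES_PRESEED=y` context line is already questioned in the thread and is not changed here.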
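Review bot: in the `start-qemu.sh` hunk `-hdb fat:rw:keys` uses a path relative to the caller's working directory, so the script only works when launched from the repository root, and `rw` gives the guest write access to a host directory that, per the README, holds the private signing keys. The U-Boot steps only `fatload` from that drive, so a read-only export is enough (vvfat drives are read-only unless `rw:` is given): `-hdb "fat:$(dirname "$0")/keys"` would drop the write access and anchor the path to the script location. The appended `\` after `"$@"` is correct, but the README should mention that the `keys` directory must exist before the script is run, since QEMU will otherwise fail to open it.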