From patchwork Mon Oct 24 12:27:25 2022
X-Patchwork-Submitter: "Schultschik, Sven"
X-Patchwork-Id: 13017533
From: sven.schultschik@siemens.com
To: cip-dev@lists.cip-project.org
CC: jan.kiszka@siemens.com, Sven Schultschik
Subject: [isar-cip-core][PATCH 8/8] no merge - manually instructions test secure boot
Date: Mon, 24 Oct 2022 14:27:25 +0200
Message-ID: <20221024122725.383791-9-sven.schultschik@siemens.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20221024122725.383791-1-sven.schultschik@siemens.com>
References: <20221024122725.383791-1-sven.schultschik@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9812

From: Sven Schultschik

This patch is not meant for merge but shows how to generally test the implementation of the optee and rpmb driven secure boot qemu setup.
Signed-off-by: Sven Schultschik --- README.md | 65 ++++++++++++++++++ keys/helloworld.efi | Bin 0 -> 4576 bytes recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 2 +- start-qemu.sh | 3 +- 4 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 keys/helloworld.efi diff --git a/README.md b/README.md index e30ff3a63..6aa3f7d19 100644 --- a/README.md +++ b/README.md 
@@ -55,6 +55,71 @@ or via bmap-tools bmaptool copy build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img /dev/ +## Running Secure Boot Target Images and test it +Create a folder named `keys` if not exist and within this folder create the signing keys and db + +```bash +#PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +# KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +# db +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_db/ -keyout db.key -out db.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth +``` + +Put an bootable `.efi` file in it or use the `helloworld.efi` provided and sign it. + +``` +sbsign --key db.key --cert db.crt helloworld.efi +``` + +The `start-qemu.sh` has additional `-hdb fat:rw:keys` added with this patch to mount the `keys` folder. + +Start the qemu with following command + +``` +FIRMWARE_BIN=./build/tmp/deploy/images/qemu-arm64/flash.bin ./start-qemu.sh aarch64 +``` + +In this test patch there is as well the possibility added to stop in the u-boot. So if you see a 5 sec timer ticking press Enter to stop. + +Now add the keys to the environment my typing + +``` +fatload virtio 1:1 40000000 PK.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize PK +fatload virtio 1:1 40000000 KEK.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize KEK +fatload virtio 1:1 40000000 db.auth +setenv -e -nv -bs -rt -at -i 40000000:$filesize db +``` +> The address 40000000 depends on your DRAM setup. 
You can check with `bdinfo` + +> $filesize is set by fatload + +### Boot signed efi binary + +``` +fatload virtio 1:1 40000000 helloworld.efi.signed + +bootefi 40000000 ${fdtcontroladdr} +``` + +### Try same binary but unsigned +This should fail with `Image not authenticated. Loading image failed` +``` +fatload virtio 1:1 40000000 helloworld.efi + +bootefi 40000000 ${fdtcontroladdr} +``` ## Community Resources diff --git a/keys/helloworld.efi b/keys/helloworld.efi new file mode 100644 index 0000000000000000000000000000000000000000..c021d94ae576271f1f472bd2e5f380ed1830a2ff GIT binary patch literal 4576 zcmeHKYfKbZ6h1SvJSx^Kg7`w6;o+lE>w`Af8X2%q+e(Xoefa|rRv{uFPz#|cL$D1A ziD9CqO=~TtHE}mhYK@xOmxv~9Qr2V(h{ve?bDWy6pZoe~omt7WOnH$u^Tzj^^cyFwXVwQ(!0ZSa%QcpcQw=l#<{TmfDMgQDbG9F^o4s=A=4Wr zxr;}9PCz>}eVMsHqJzamr@c{`?q`V(jy824?^23-8E<1c5>1X9E|A=Di1||?Pq8Q4 zk{!CGQ%0|`MnBsnQCiDF-D;8OROlS{nPa#h)2$6GGMSs>t|_vIFCMWYaby`1oi+ql92q^D?#J``UM0@M{3CI?HQIE+)}9P5nT&i5S1~Zd z(5woMwUW`pn&Rl%A6i?G=Qpg)YxIHdP}T}tkDZ@bm-Pp7?u^teDMhz@VcGaAX`UmRLr_A#N zYBCldQm4bn(}+Q>(sauwOM@32RA@x$)?V=Tw@T*uZZeh4T*q0Sz&>?G(%W_{Y-H4h#hMH!(N1MK~&xE#=w)89X0M{oO z_4)++;`^N%yI~U)qo+@qw%w`JMrAxda(#{JMq^pO8t%njyhYnkt{anZWP zag476zDwY3{i-&m-$0DiN@jS>j_{bv!ImPl{NY4lM5RvAPbV*z+FDw=gI6F&X=CJ}bz_Sl-(M;I(r(o@yQe z-tG@9Hu((nwdT0vp^NV?8ukVGpZA{|#(1N0+~m})X#%$&9GZ$ca1OW}xKfRx8^@q8 zlN668(`kaQODXC-r_vDa+ro1x!Y0yC2~lAZ@%=5gYdV=j;7h@H6gC<57HkpGP}v;) zCVr0!@w;~NSNJkgW-82seL~J$BKCu+ja*Pq2-Mt+Fxoz?a(Cz2u@=FsWd5(Oxi?!m3~| zfwvsJdf@omMGg3#jA;iLTq3F(=t|&sW4s&vT51$Ao8YO$r<#^y{$+cv602%rKA&E) z)m7koClH*ON?R$La_9;4@YI7Q)*G(1Uaare7DQzt<2*Zd4XvbAh^q&~c4%;oX$mkF zP%dQw`wSIKf*W5suD#1v$Jy|Hxa>WtK*lA|?yp}h=D2oT=gLXz7UcPNwdY-#j5Qa# zR))|nTU@58n~ObmSNVf_tassUqecwYz4kS|>43-B}kw$K^amlHN#p;ck) F{tfI&1hD`B literal 0 HcmV?d00001 diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl index 8e6428238..63d73f70a 100644 --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl 
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl @@ -1,5 +1,5 @@ ### Secure boot config -CONFIG_BOOTDELAY=-2 +CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" CONFIG_EFI_VARIABLES_PRESEED=y diff --git a/start-qemu.sh b/start-qemu.sh index 18946a6c9..ac73d8d3b 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -179,7 +179,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} "$@" \ + -hdb fat:rw:keys ;; *) echo "Unsupported architecture: ${arch}"
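Review bot: the README hunk generates PK.key, KEK.key and db.key inside the same `keys` directory that the start-qemu.sh hunk exports to the guest with `-hdb fat:rw:keys`, so the private keys become readable (and, with `rw`, writable) from inside the VM and sit in the source tree next to the committed `keys/helloworld.efi`, where a careless `git add` would publish them. Keep the `.key` files outside the exported directory (U-Boot only needs the `.auth` files and the signed binary) or at least add `keys/*.key` to `.gitignore` and say so in the text. The owner GUID `11111111-2222-3333-4444-123456789abc` is a placeholder and should be labelled as one, since `cert-to-efi-sig-list` accepts any value and readers will copy it. Smaller points in the same hunk: `Put an bootable` should read `Put a bootable`, `my typing` should read `by typing`, and the fences around the `sbsign`, `start-qemu.sh` and U-Boot command blocks lack a language tag, unlike the first `bash` fence.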
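Review bot: `CONFIG_BOOTDELAY=-2` (autoboot immediately, not interruptible) is what keeps the U-Boot prompt unreachable on the secure-boot image; switching the shared template to `5` makes every build interruptible at the console, so anyone with console access can skip `CONFIG_BOOTCOMMAND` and edit the environment. Since the cover text already says this is not for merge, the delay should not live in the template at all: keep `-2` here and enable the prompt for the test build only (for instance through a separate test-only config fragment), so the README's "press Enter to stop" step cannot leak into a production build. It is also worth stating in the README whether the store seeded by `CONFIG_EFI_VARIABLES_PRESEED=y` already contains a PK: if it does, the self-signed `PK.auth` from the README cannot be enrolled with `setenv -e ... PK`, because an existing PK only accepts updates signed by itself.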
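Review bot: `-hdb fat:rw:keys` exports the directory writable, but U-Boot only reads the `.auth` files and the `.efi` binaries from it, so the read-only form `fat:keys` is enough and avoids QEMU's writable vvfat mode, which QEMU documents as experimental and which can corrupt the host directory if it is also changed from the host while the VM runs. The path is relative to the caller's working directory and is added unconditionally in this branch, so a run from another directory, or without the `keys` folder the README tells the user to create, fails at QEMU start-up; guard the option with a `[ -d keys ]` check (or take the path from a variable like the other paths in the script) and print a hint when it is missing.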