From patchwork Wed Oct 19 09:21:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011519 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D57FC4332F for ; Wed, 19 Oct 2022 09:21:42 +0000 (UTC) Received: from EUR01-VE1-obe.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com [40.107.14.45]) by mx.groups.io with SMTP id smtpd.web09.5834.1666171294003091095 for ; Wed, 19 Oct 2022 02:21:35 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=paMhVoaA; spf=pass (domain: siemens.com, ip: 40.107.14.45, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ImKKmRKDaOmSEl7pSGfOCQ7JQwoGr0KmfWSTZ0V3o5W+chcnWDeKPCWcHyrQo3RRmvCe6IzD7iAKv0QbA8RDPehF2VBk+e5Qm6AbU2n7ZKcNkerYAV/mvMwhLRN8O6LAgfvOZuHVCWmupTQTRihGx8dl7h24Blhna8vbKO/W34yF/VvfUQo4cLsEMs4YkdZJ5TJD2Mg/F5D1+lrL9AXymJtIy3OW46aacyvoYsV+IXR1U92YxuWBtulVMMMTOV+KuWCh2QnDf6JYMROyReGceNG0OEMKSU4TuQwFtGUyZJxmRIwrEWOBCD/pKkjrYJDqCAj2uYOEWD24vskYFEAUwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dSJQDfC2/f5qsWRe2U3SlxvyBeFYRbVAP2N/VC2SqVY=; b=DiaJ4VO+TUQRdJpYDHdBDqpK2xgA+dFxkK17dcHcLgHbF05GdrPcQ5+aip3Ue2EqLggcQVrjy69gtqrrX/skE8PXTqe4drer03+WZbLY4gsnbArq4fUWftr98TpD/Ylz9MjXdJwlkQk50PfoTqxJHwjZFIAKwBnKmqxEgMVtRycBeQT582wpUva5BUo3/A7T/v1+u0cGhvb4LBMuOGv3pOuVeuYtdjft5OjFOV0z5dkliprV6ZpP1pUaS9rwMhjdcVwUsP2V7gaIsa8pvVwDJan6lf3I3wpvlZdMbYmtGDBJO+I8J+jya2E8n1Lzw4k117kOuppYW01n7q0+weYSig== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dSJQDfC2/f5qsWRe2U3SlxvyBeFYRbVAP2N/VC2SqVY=; b=paMhVoaAy2Mz3cUof1mUgPkYbySS0b37qX1M/jkg56Ll65zTDsB7ME03mCPt8misdR4NonNdWxqB09O/WS0ZK330KIYMrBXnAVkeGbG6o3cw6gLusRtDeDP41lM4fKUf4Iu3pCUCItNfQVxZ33ppjAnSWv/tdCTAWnaiVVuL/4wr924V7NvlAjqmbuuMV1wj5jcnau0VBFcVqf+R7lLcgbFtBsL8z9u1Vgjmg9coLFoKJt+8etwwipp6HlGs79FLf5EK3N0KnrgwJDX5MfTdF2MLtMfXbfKqsd+AdFjHAlWU7VVtzl03WDEBGQicSoCjQ6fSOtsd8QU0iyB/qS4iKA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by GV1PR10MB5867.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:56::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:21:30 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:21:30 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Date: Wed, 19 Oct 2022 11:21:11 +0200 Message-ID: <20221019092117.5291-1-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 X-ClientProxiedBy: AM7PR02CA0018.eurprd02.prod.outlook.com (2603:10a6:20b:100::28) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|GV1PR10MB5867:EE_ X-MS-Office365-Filtering-Correlation-Id: a461f2d5-3669-4ddb-1dd3-08dab1b34ec9 X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: IyzlX0/ZS8MdC2yxHqV/CS/FqwKNS0BhIB71Se0Uv6L3/cfhVRo9U3odzFPM3a5ax95B5JXnOzLbWUfmzyb7sI2FSOPe7Ht1Hw8A5aLU7YXiuiVXJ2kxtw/XsB/wUm9qEM3Xhbt+NTSbR8XHLtuXXDoe7XdcNOLiO/U5IMXknKiszFJNuPlybGc5dUEvrlmQeDfqzfnA9gFNwSfUSuU4Y5Cm6ydU7OBC+z/baqpQqPHVc36ZA4UOBtWq2i7To0ak0zvN+NFiLxUWjm33bY9Z0T4CAAIuR4sli6VaA6gBaggyipdxgAIMhAaOrq5EJ84kWAAn0q5bj005Xn0Eh/BG0cbS8Ayvx69dVeofq8QKqMxoGZFMR3Pk/9cllwt6wktn0unBBMm0/+v5I+artDCsLGjn6dZJ0A7v21vB/xrCj0znXXaYROJ83yTkkp9kDsrb1a+s68Jo77zGmH8QyUgo86VmASX+Mxi7ooYN+jd72DvvNJJoEoVtCqNys7WEuyzKzVuW/oCnDC4AtdPrQcbUOQpljHVjKTI0lIdDcHnKePbXmD+BnHw9fUIBXnlP+ytDoyTAUn2oCXkSyD0/8iZbKHK9QpzIfJbMuHFYoSjjCYacnDAYkr7yjs4HXr2/6XAf8JMXZavAwC+bY8XmCRi+f+HXafsJVukiCNN5b+lLmdtzHRIuADp2mmVzBVYQ61WLdkq5lGu5QX43i1CKFfnGZwC2ED9UDX2C2r3lPApcbj0= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(136003)(376002)(346002)(396003)(39860400002)(366004)(451199015)(41300700001)(8936002)(26005)(82960400001)(9686003)(6512007)(36756003)(38100700002)(186003)(1076003)(2906002)(2616005)(5660300002)(83380400001)(478600001)(66946007)(66556008)(66476007)(8676002)(4326008)(107886003)(6666004)(6506007)(86362001)(316002)(6486002)(6916009);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: fkCsbxHTyvvDWjNuFRAGNS7gtQRxdvBvxfb6lQCfiBg3EzrvxANe0LCcv1mypsgsTbF+OzocXHTv3x91eqkZ9ekzKYHeoSj6eA0FvNhbEiiLpnE4IdPWmRB3EpoAsmrNxOY+u78cPDel1rKkcbsFVjQu8v5C83sScng54BO4W2Sv7KHs6TZU/zO1M2XzlxTRIaGw/ZX8ymJUA25Rl4Pqfxl177Bu33YCbBpUwiWqV84GhqSwUDg522dECpmnMbl433w0sNEiyz7AyO/TBKdLr6HXkRmXHOsBdtgAl2FU0jWINkD1ks1y4/dz5QORkJa6EefV2GJK5aJjW+X3pkb6ykspj7Ipp4Ys4xBafaUHFbFhIK5rMb+H0kk+eyYtgbh6I+fZ/JDnZDnPw2y6+xuCKPU9K2iikk0ygckSXLxLMEFJ8FA0AZGnnowAjCB56ERobogH9pz2wNtvoaFnwsL1TATsSxsRZQC8+ROB44W6eybIIOpDW0SqOIjJXO0SGqUsIOVSzDCmS7ixxoMJ4U4wwwdeIfs+LZodufJK6u0v9cK5ASSltXg3Wdrz1M/WRqMx13Q/8cDNFHuel3H5tVYoXFnNwmGhUsSOkM0OJ2hpqQgHFucbiRccPxL2nSqZn1tqZ3uw/bwGq2PuLyfnNVXieGr12JHKUZuXebzX71AL/Zg5QED5C9Myzkw04bxCA2hzK9PvFz/wmVHPIsM5jBrIrri+ztl08EecyX4ms7/SYk+lyT6t8emyWUJ0uxmXzf/LcH3GZ4m64crH4ogzHLg04/LHjbpIX9LIw5bH/+qqsdqMISiZKTPUEEkMLz2yqielmapy5Yokvry9KLKxIGs7N8R6Ce8qsrM3kA0y5zRarItGENSTCip3mpKhXSX1I7cNpQC4zmli2MrHxUZRL826bKCwmjg369rAfXiG4WcJYMbmdv+TUPYIi1UHRFUIP6iSjV3fohb/tW4MkUMA3xVif3yJPxE8Q+hgH258J1v0N7jDye/nO784KtwueKJp1eSKxTLwyRpNWkj4M+zpQXaBHgfxhvcahSOhu1PGy+ezAbXWSzhIcgfuwdqD3NtIrKu4YGh4biMnOHgHr64yPjwwL0bU+uKsH0qQKkr+mJKghsZia4ykMcmpH+Dkg29Finc1hl1Wm0fXWxYlM4uAudOq3969KMCypo3Jt2AupLWs1UgplgHbhpRKMpg4ex2uOko8p9V2D1cl+sQzhfLGAQjaGa5Z+piw/eJ+q9oWQNFaNzXTtUP94ff+LUv+7uZcM/236UfiWfnEqABjrOhllgvRiijSidH/Kt40Q6qFrrR3gW5JXmgy3nKMqsfCF5BLg8KQ+ynvhXtHeUDx/cwrDQ+3AQVf0YNB5aiRmlL9DxNHwnZ8CQdcjo/r29G6KjhFAMUYyB9wD9U0JLHy/GFOWo/fwW5MIm74sWduRM/zALtCsO22gj6OKp6C35t6Lzhg/xfPvTH1T7t068y8U9S0wmUEyNndI0UxWf0GfBb8aUqA6I65b/bmVYPl27dhcircNovuTX3TCjxUqiH4kZxS6d9bCPArXuFUKeK+gZ+ZjkxGTxMCg09fI6WzAzWfTQAzO7q4kQsWDoLkKAzSsW3U09gWwQ== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: a461f2d5-3669-4ddb-1dd3-08dab1b34ec9 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:21:30.6024 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: YUB2tA+fEn1HLPwRhQeZzS39vP6d39WvTiVvmhMIffw3AfTWmejKkkguAtcUgC7h3V0ye7tH5yqZ/Dk2S8H5ktrclzij11AbXwUEu+9wxrg= X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1PR10MB5867 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:21:42 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9775 From: Sven Schultschik The recipe provides the possibility to create optee-os binaries for use inside of an qemu secureboot setup with edk2, rpmb, u-boot and uefi Signed-off-by: Sven Schultschik --- .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++ recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++ recipes-bsp/u-boot/u-boot-common.inc | 6 +- 3 files changed, 67 insertions(+), 3 deletions(-) create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb new file mode 100644 index 000000000..5e60041af --- /dev/null +++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb @@ -0,0 +1,57 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Sven Schultschik +# +# SPDX-License-Identifier: MIT +# + +HOMEPAGE = "https://github.com/OP-TEE/optee_os" +MAINTAINER = "Sven Schultschik " +LICENSE = "BSD-2-Clause" + +require recipes-bsp/optee-os/optee-os-custom.inc + +SRC_URI += " \ + gitsm://github.com/OP-TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}" + +S = "${WORKDIR}/git" + +OPTEE_PLATFORM = "vexpress-qemu_armv8a" + +OPTEE_BINARIES = "tee-header_v2.bin \ + tee-pager_v2.bin \ + tee-pageable_v2.bin" + +DEPENDS = "edk2" +DEBIAN_BUILD_DEPENDS += " ,\ + debhelper(>= 11~), \ + build-essential, \ + cpio, \ + python3-cryptography, \ + python3-pycryptodome, \ + python3-serial, \ + device-tree-compiler, \ + edk2, \ + gcc-arm-linux-gnueabihf," + +OPTEE_EXTRA_BUILDARGS = "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \ + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=1 \ + CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \ + CFG_REE_FS=n\ + CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1 CFG_SCTLR_ALIGNMENT_CHECK=n \ + CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48" + +ISAR_CROSS_COMPILE = "0" + +dpkg_runbuild_prepend() { + # $(ARCH) is the CPU architecture to be built. + # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or Armv8-A. + # Please note that contrary to the Linux kernel, $(ARCH) should not be set to arm64 for 64-bit builds. + export ARCH="arm" + export CROSS_COMPILE32=arm-linux-gnueabihf- + export CROSS_COMPILE64=aarch64-linux-gnu- +} \ No newline at end of file diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl index 956dcbfed..8e6428238 100644 --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl @@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" CONFIG_EFI_VARIABLES_PRESEED=y CONFIG_EFI_SECURE_BOOT=y +### OPTEE config +CONFIG_CMD_OPTEE_RPMB=y +CONFIG_MMC=y +CONFIG_SUPPORT_EMMC_RPMB=y +CONFIG_TEE=y +CONFIG_OPTEE=y +CONFIG_EFI_MM_COMM_TEE=y diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u-boot/u-boot-common.inc index 60f0da361..7fe4d3fad 100644 --- a/recipes-bsp/u-boot/u-boot-common.inc +++ b/recipes-bsp/u-boot/u-boot-common.inc @@ -25,12 +25,12 @@ DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}" DEBIAN_BUILD_DEPENDS_append_secureboot = ", \ openssl, pesign, secure-boot-secrets, python3-openssl:native" -DEPENDS_append_secureboot = " secure-boot-secrets" +DEPENDS_append_secureboot = " secure-boot-secrets optee-os-${MACHINE}" TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl" TEMPLATE_VARS_append_secureboot = " EFI_ARCH" do_prepare_build_append_secureboot() { sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG} - cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG} -} + cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG} +} \ No newline at end of file From patchwork Wed Oct 19 09:21:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011520 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFC75C4332F for ; Wed, 19 Oct 2022 09:22:41 +0000 (UTC) Received: from EUR04-VI1-obe.outbound.protection.outlook.com (EUR04-VI1-obe.outbound.protection.outlook.com [40.107.8.85]) by mx.groups.io with SMTP id smtpd.web12.5881.1666171354036525480 for ; Wed, 19 Oct 2022 02:22:34 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=n932iX8C; spf=pass (domain: siemens.com, ip: 40.107.8.85, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Oppy93iXO0HR4JIPP3+aMC9QP7A9Fuo15h8hM1mUs8oK/4asvBvCRvgUdoE1mWoV/E6645eNzhD7uCx8dl/3qNKQrnZ/fjVHs/m13oQ75UDG+W5ZWEt8ZSLeAqToZLMN+VT01mEB6pCOkWreSz0Dpdjt7JxN2fRbi41mW7fGetSfZuA4nx2paw4td8XoO8PPwmI2yoTHFUGqWJdjAQIjgrVqU5xFzWNslVEgCzOE036tISIuINfRaS7LpH87xGf50/DJ/9C1PEZ552sR6hKMyM4WwOVBiQchNulI32zjU1RnCU7/TFB8Kga/WjZA/a65b5dU9ERMfdC5XPwY0RujwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=reWrLijoqm7tHKQoUIM4VDBkk2N/FcX9+PxS8fbvo0g=; b=T0/Z3seCnmKMckPQ2PDqxGVjFcAs2+WrBUDBTCeRlJb99JfcAuc5sg/RvrTDWYyV1mm6i6hUgdtxbdSbwYQdgsc2GbjpFaW8/zg5z9U8OClSzCl/xDBZKmdeOTIUc0uPzlNkh3/2lYnbH69eT3ZwWnXV/uouuAQcnZGt+bJcez+EsIs+v4DevrFF7HWs/aRLjZnOpVRmcfTk+ccJ9Xirle6V+qQaRacHVzqG/eDgr/Reoon36LEtB8FvKH+5dS+VYeJMBNLHq2w+03m2JOWDwWfHNlLPjLvm08qp045BU3EXFDLkQdJN/951tOi5vCl5r2WhgB6KVlV/35IkdZjWXg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=reWrLijoqm7tHKQoUIM4VDBkk2N/FcX9+PxS8fbvo0g=; b=n932iX8C5VxOZM7HYdyW/pKAlOs564pitDJUuc19ALe24rbVx3VOBauFe0L+yalVAqOoNKMPRE7jSuMHDioPSJ4TFk3QCcybKG9FzvCLS2iYRgjCnMNxZFd/PtMLpCrb452UfvuZjZLgV2Da9nYO27NxMpGckTYy9ptgqEF3Z2VG6rebI72p7mA5wH7cI9eFk4h3pFdtovTVOy9LThuxiRIiCCMqD88mpVxDsiqWbF4uoun5lTPofbisdI2bLz7Hioi0ZlkpxXck0U7lthZKq+7UzTJ0mWo1V+6q81IiqXDPf205JwPiliKJyTqeiBbng8v9DW80Cv1k6dV/UugDgA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by GV1PR10MB5867.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:56::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:22:30 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:22:29 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 2/7] add recipe for for edk2 Date: Wed, 19 Oct 2022 11:21:12 +0200 Message-ID: <20221019092117.5291-2-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AM6P195CA0047.EURP195.PROD.OUTLOOK.COM (2603:10a6:209:87::24) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|GV1PR10MB5867:EE_ X-MS-Office365-Filtering-Correlation-Id: 36cd49e7-935b-4ac9-49be-08dab1b37218 X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: qdAwnj4dwF5dYy0goxUOunTptlkxVLWnXZ6lv+OGU5qjkWkHAN4Mj/Erg4mInq7+bMPEIRx5V8sTUbSuNgOlqcuDF29XE3/N67+is48X8Xwr6BI164OlBilG/lJuCY3PyOYPPVgLeaV8qbkRCMolDDlyGASKrnNbuViPQP+Tw6OMS0HgCqiniUN0jmrcQ1XGL3BkOV26jB6Nr+8ClRpy0L2s20Sb3Zz26UilWMvlC8oun56pu27PsKJK6I99crWO5ri48zstd9f/vV+2Sa9HzHuR1MXeOaV0r/RQ25kWUHgoRQAW+e7uXQhVaLytksePN/MuY44eQSdspZQ80WJkyE2XG80PUZZIKECi5FmP9kCEBFRXDpao3Yr7wzZ4tLIa9fg2fJZhQbYAopVc8U/Hyr01Ommpcnn5BKecqdLV3U4Y7tlmGGgM6MQkiP538o6pa82BL6cxnk7vk8zYfnFg0aBN2ZWfdrgQ2P1JXl7F/pFKmTCpkOtRCKKywkYcofL65qQOD+7bzLw85ZCviDVbZW+wSnW+mRe8Cwh8Uqb6qkWPIBqZ7n2HL+hr1t6tQwh1BQ+6inLVg5qjpIlN4VWnV3oKxGvLuONQFrsJ8nJNbaGGr1mSLIrSos82J9YHYyN27p4M0syEJUpqu0u0qoyfdHwuqhLsHMDMIdjT7p7+ZWHG7xxqCDloco3RHNvzHICWyxHKTUCvYzrT3Zt8tvMdz7Cro7dGjYOUivu6YWXnquwDpsaBCeR0ArCLFVUapfwCYOidvTSgXU6nyspZQfAcUw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(136003)(376002)(346002)(396003)(39860400002)(366004)(451199015)(41300700001)(8936002)(26005)(82960400001)(9686003)(6512007)(36756003)(38100700002)(186003)(1076003)(2906002)(2616005)(5660300002)(83380400001)(478600001)(66946007)(66556008)(66476007)(8676002)(4326008)(107886003)(6666004)(6506007)(86362001)(316002)(966005)(6486002)(6916009);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: vplcKXiGXjMlgAy5UuaMfMtuGz3i0lEFC8rRMvV4Vm8ZsT4SGww1w5xGWFJGeMcU81JByleJShRNvNEkFgNlJk7ThAdSZjdw9FxQVCeRbULjJXlh+07Eo1j9Qnr876ajHFBJm8EkXqUm55zBMrrcww8NquDmJrW5+Loff1Fi2IUYiJiZDODepNlt3jyCUrwyeJy5Q68/eLOq3b0QJPJUkprkOuA4ynkade4VrTtX44rEnH9+UFeCRXzr69H2YtRPryAD2T9QxuCA9+0T58cS+nW1Du0kAVWkHe3VBdMUpeFTqEGYcO0cXQemb4IolyhGXLyiV+4yxPr24lbxvS6lUF1xcI+5g56CTv+PeQRMJ4m2NNDdDmsQnFFTilBc45wdkA6HbJqLa2Wu2ouDmrstCeNit+R5hqfhmfK2cC5sTF0KXgbJhF2+r5JbET68rs4g8Mglamz9CfXTbgQiWQj8dBS8PqPDe74BUoirFNTzPxiEh6nS/kn9KCM1pIYv5iRfVqtSGLjjlVf1FsKsFEYYfobMMCz4SUvCmIiHwLPa5nEu74AEdTpZ41LoB8e/xwM2XN9mx2AToixCZDwouyI6Fhm19MZFH1gCzo7ydk8Y+tgRneveVPKLmlnGJDsl/c84035xbfV4R/BFPDTfQ0gQfaPJCdFKMEiDIZivBIRXNr6jNRwo5EkwPoInOd5YO+ERoN7NbTiBvtFxAXqqptWTEknxmCRWIbadBX9iHddDJ5pN7ni2Mg80HtlNFTytIVCLTSXqUuVGnnnNEPzkil8Puf3v4WPZsoGyPf1fG1TGQl3oqc8sghDnvFgpBKuNec8zBSV2+Qos+0/6rQX5et2O7zO7nP4LcZt1C9oPCFQmqc10wKGzNyNIahcCbnnINuG31KCPnvTM+kZdKUfFJ97LC89LMbjq6okqbPggbBTMTuzr9bu3Q6gXb+LHIZowSuknOFAZKRD4Ae4sAudvvfU1DoGtzM5ymIKSD9ZuYBSCSC3aSF5nlJ6DMRu144l66nnfn+gZhnbrki0lFh3J/C+0npZpzAtEOI9CE5dYwwCKlJPIJCF4bXkkt1eVBiDLGgJ33qaW3/bujKgPwYw9iw8eNP3qSrzATKJjjjg6m70EZuuI7gj9XOPeMmFCFbRzYLQNWwpoLLFNMZJnLFD5chZCOf1deSVfph7sl7jHheZeDrEXvJEo04ey8LwPcVKIUQEPRyYfxKiJYPDBln7c01AFNWNyixma1mYvg4izfqyHsQsWtJsL5XmVHCzEeK2MrlW/vQvZxT+TFbQbi0URqlFeZsSPdj+9v4dOhjIz+fVpf6satUreeznyV8zl9d9ULY8mO6HH2wUjD2sO9MBdCNVbObIioQpK+l7d+BQvKUlBbJkriwNWlRxQTjwwEP03r/0z4Pkgd2GFA28NOrhCxSgVBdAvfEsJNZ3ctHYDduBFgxjYmyQ//1X4oPEL9FMYN8Shz2ZtS6bXCAiGMJ/aqEkKwf9eneYPPQ0QfBOUJ+b9yFXBLXczefe5kGYQrvAvll+i5UYo4HgTOuWs/hEOusM3QclUXNFmO6DsBtiv0FAKwNuhr0m7P2Ly0pNZ2hPuL9LA0Uwc/ItNPG704m0YV/4Qtw== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 36cd49e7-935b-4ac9-49be-08dab1b37218 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:22:29.9053 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: vxAVtWP1+b9neURJi9FxCXJcnvM5Ra+Rcg+G+0+OWkar3E77xLzeUhxVTcQn6I0ztLH/q509SSk9Z0Ambanw+lALiBd++guCSWui7obvw98= X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1PR10MB5867 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:22:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9776 From: Sven Schultschik provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependencie. Signed-off-by: Sven Schultschik --- recipes-bsp/edk2/edk2_202205.bb | 34 ++++++++++++ recipes-bsp/edk2/files/debian/changelog.tmpl | 6 +++ recipes-bsp/edk2/files/debian/compat | 1 + recipes-bsp/edk2/files/debian/control.tmpl | 14 +++++ recipes-bsp/edk2/files/debian/edk2.install | 2 + recipes-bsp/edk2/files/debian/rules.tmpl | 55 ++++++++++++++++++++ 6 files changed, 112 insertions(+) create mode 100644 recipes-bsp/edk2/edk2_202205.bb create mode 100644 recipes-bsp/edk2/files/debian/changelog.tmpl create mode 100644 recipes-bsp/edk2/files/debian/compat create mode 100644 recipes-bsp/edk2/files/debian/control.tmpl create mode 100644 recipes-bsp/edk2/files/debian/edk2.install create mode 100755 recipes-bsp/edk2/files/debian/rules.tmpl diff --git a/recipes-bsp/edk2/edk2_202205.bb b/recipes-bsp/edk2/edk2_202205.bb new file mode 100644 index 000000000..5a773bf77 --- /dev/null +++ b/recipes-bsp/edk2/edk2_202205.bb @@ -0,0 +1,34 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Sven Schultschik +# +# SPDX-License-Identifier: MIT +# + +HOMEPAGE = "https://github.com/tianocore/edk2" +MAINTAINER = "Sven Schultschik " +LICENSE = "BSD-2-Clause-Patent" + +inherit dpkg + +SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuffix=git/edk2;rev=edk2-stable${PV} \ + git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \ + file://debian \ + " +S = "${WORKDIR}/git" + +BUILD_DEPENDS += "" + +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl debian/rules.tmpl" +TEMPLATE_VARS += "BUILD_DEPENDS S" + +ISAR_CROSS_COMPILE = "0" + +do_prepare_build() { + cp -R ${WORKDIR}/debian ${S} + deb_add_changelog +} \ No newline at end of file diff --git a/recipes-bsp/edk2/files/debian/changelog.tmpl b/recipes-bsp/edk2/files/debian/changelog.tmpl new file mode 100644 index 000000000..8d74dfe7a --- /dev/null +++ b/recipes-bsp/edk2/files/debian/changelog.tmpl @@ -0,0 +1,6 @@ +${PN} (${PV}) unstable; urgency=medium + + * EDK2 + + -- + diff --git a/recipes-bsp/edk2/files/debian/compat b/recipes-bsp/edk2/files/debian/compat new file mode 100644 index 000000000..f599e28b8 --- /dev/null +++ b/recipes-bsp/edk2/files/debian/compat @@ -0,0 +1 @@ +10 diff --git a/recipes-bsp/edk2/files/debian/control.tmpl b/recipes-bsp/edk2/files/debian/control.tmpl new file mode 100644 index 000000000..1f1bad7c8 --- /dev/null +++ b/recipes-bsp/edk2/files/debian/control.tmpl @@ -0,0 +1,14 @@ +Source: ${PN} +Section: base +Priority: optional +Standards-Version: 3.9.6 +Build-Depends: ${BUILD_DEPENDS}, python3, dh-python, uuid-dev +Homepage: ${HOMEPAGE} +Maintainer: ${MAINTAINER} + +Package: ${PN} +Depends: ${shlibs:Depends} +Section: base +Architecture: ${DISTRO_ARCH} +Priority: required +Description: ${DESCRIPTION} \ No newline at end of file diff --git a/recipes-bsp/edk2/files/debian/edk2.install b/recipes-bsp/edk2/files/debian/edk2.install new file mode 100644 index 000000000..e5cadccf3 --- /dev/null +++ b/recipes-bsp/edk2/files/debian/edk2.install @@ -0,0 +1,2 @@ +#! /usr/bin/dh-exec +Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd /usr/lib/edk2 \ No newline at end of file diff --git a/recipes-bsp/edk2/files/debian/rules.tmpl b/recipes-bsp/edk2/files/debian/rules.tmpl new file mode 100755 index 000000000..11e4ae8cd --- /dev/null +++ b/recipes-bsp/edk2/files/debian/rules.tmpl @@ -0,0 +1,55 @@ +#!/usr/bin/make -f +# +# Copyright (c) Siemens AG, 2022 +# +# SPDX-License-Identifier: MIT + +export WORKSPACE=$(shell pwd) +export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms +export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc" + +# https://github.com/tianocore/edk2-platforms/blob/master/Readme.md#if-cross-compiling +ifeq (arm64,$(DEB_TARGET_ARCH)) +export TARGET_ARCH = 'AARCH64' +else ifeq ((armhf,$(DEB_TARGET_ARCH)) +export TARGET_ARCH = 'ARM' +else ifeq ((amd64,$(DEB_TARGET_ARCH)) +export TARGET_ARCH = 'X64' +else ifeq ((i386,$(DEB_TARGET_ARCH)) +export TARGET_ARCH = 'IA32' +else +$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported) +endif +# When cross-compiling, or building with a different version of the compiler than +# the default `gcc`, we additionally need to inform the +# build command which toolchain to use. We do this by setting the environment +# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above, +# **GCC5_AARCH64_PREFIX**. +# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu- +export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)- + + +export SHELL=/bin/bash + +# ENV Vars which should get set by edksetup.sh +export PYTHON_COMMAND=python3 +export PYTHONHASHSEED=1 +export CONF_PATH=$(WORKSPACE)/edk2/Conf +export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools +export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +override_dh_auto_build: + source edk2/edksetup.sh --reconfig + + make -C edk2/BaseTools + + build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc) + +override_dh_auto_install: + +override_dh_auto_test: + +override_dh_strip: + +%: + dh $@ --with python3 --no-parallel From patchwork Wed Oct 19 09:21:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011521 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD434C433FE for ; Wed, 19 Oct 2022 09:22:51 +0000 (UTC) Received: from EUR02-VE1-obe.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com [40.107.2.89]) by mx.groups.io with SMTP id smtpd.web09.5844.1666171362978657059 for ; Wed, 19 Oct 2022 02:22:43 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=HEWUbAEq; spf=pass (domain: siemens.com, ip: 40.107.2.89, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ho8y7pD3kpt7FVMmFx7/nHhBj7Ndg+BTB6iGJmwkOkimhC51Pn6eLf0yWmn+2BdDX8wtdq2cubkMdGrVFqwfVukz3QrTjJa6ftMPYWmTiJ9VCSAqMP/KRcR+RC4/Q28tLWmr6lxjrelKOc2SnRMkPKn+Yg+WVw0d1pW92NX+ZQt1tsBIEomtLQBPCkgoQCuK91QrhlPKfkfbdBvQ0pAl8cZ49sCyOFdKduEfMIW05QGucFP2DfT6pIV+hDS8GhIjnJjk8xK/cXPjvgxzqWKl2MFUXbvp9DwBOzCQ5IFqVnka6TOEpNyqbwQk+wwQo8G92w5/Jxhy/BMw1bxFXXDWjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=p6BLZa1QtdIvgZOrIj+zfhKXHIGsSSeE5LjDIGIpm3I=; b=jRK8Lltj+09VsbUFITHn8iHpEXAwrntvCbzhQ6PUG2R6BhZ5OzrKqQUdwzO3o8bpe9N3j/SuxCxkaU4B5081BfxzPhWfzCHc+io0psspvVRvJLVIFUxGSnOBnQo0/cVIs6fufC+WuDsKiOdB5DuOQF3Y6bZEbbb8eToUNhLknB8A3E9Efskb36v3KqL9eTd9VC37CZQATbd1vnhcT1K3MkJkkR/ZBzJNccir4Sb2Hv7O2cs3BedpSdY2rOZfgERo9pVMSKHlGlFppifK+a7OOaNHfcA6ff+tjzACAl/ilOrSG197nsSFaghCvQdj91BB2czHeVT6qDWJukAnnpB4eQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=p6BLZa1QtdIvgZOrIj+zfhKXHIGsSSeE5LjDIGIpm3I=; b=HEWUbAEqB1qmfTwbe1+PTTpvmYDBPJEVWKN2Tdb2K70Ab23qjIkg6J3LQzFyVUm6hLLxT6mZdMaL/okVSyXxJ4SwbNDHT1gyTj4r2BjwQuik2kC139tccoHMq1pdF81BSVsnZoLCVSg5ewdDkqmHWuMIg+MGL7hPWQmLeg3DD/a6Lp41nNyhXqvvsosvMOgItJ6WEr5cxteIA7LF5Bst7/AFeXhvcMm5m7vZmGXJClWccVbQfWriwlEpjfj28sDUKPgJGUsH7QXKi6qPuzdG9geHhAvkbSFc9APuGn4111v5p7iLzSSE/eq7+KspOYcuXWVlA0k/bUghEP6NU6JaVA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by DU0PR10MB5873.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3bb::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.29; Wed, 19 Oct 2022 09:22:40 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:22:40 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 3/7] add recipe for trusted firmware a qemu arm64 Date: Wed, 19 Oct 2022 11:21:13 +0200 Message-ID: <20221019092117.5291-3-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AM5PR0101CA0005.eurprd01.prod.exchangelabs.com (2603:10a6:206:16::18) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|DU0PR10MB5873:EE_ X-MS-Office365-Filtering-Correlation-Id: d0466877-36dc-4ac7-80b4-08dab1b37828 X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: HhjEsiNItdZjFBVYVMfFmypRU9RQnvAHHXJv6Js0T+93VhUOVGjZ4lIDX4319n8RPp6KWRLnEeSVJzJMUG8hKdacxKE/6ZPSm6q7FffnZQO41XGZseqEsBuOXLzrku+3IsEOxDM8Sh0YqKz/5k9carD5XH3x4WRFEzK8LaCpfEQJesbHIG2MRfL1H5P4GpwfjchJzZrcbBSF6qs06jDjyhX4NQniAfN732N0LhJD8UDS95+gNdH7h2me/gz73dm4CcDRYpXle9RYETmqes96+ZnB5PhmkGZo28O51CCuP5bE5GZ4G+IbtZzITQC9huMqnLp8Ji2emdVTjSLe78Z7HaALCYaHDIbg08rgLF5SYI1rlm/vh+huQWCxETd7rq+p3Z8Hr90fHbCxTcpuD5qeDdxl7FYVPRfpELejhWAfOicOEUCxxCL6jgnHZRtDxyWBaKb/QPfI/Vtl5AvKMQPLy8hmdlMk+GWTWBz7+Wx8VUi9BEuWO7ztbI56148LSc9Qgtm5U3ZysexxhUDLNQuy5FY+0IXezs4wnpBjv+fDtqTMM1y5H8sVd5O8RmzGJ6+N7wAeSVekpiYr/clNiO03Mevplddqnzv3W2Om22Vk94uflFj0bsQO7bbO4zlAIm7MheeeHb60WkS/vGd+PpULjD75PxcEr4c2o6S2AHQVSDgV+HzqsflvqRkFuBINBuVVKojx2q8KXiFDbCtMb6NLBJj8bdA3L8LTKHq7eE69lXM= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(396003)(346002)(136003)(39860400002)(366004)(376002)(451199015)(36756003)(86362001)(2906002)(82960400001)(5660300002)(38100700002)(2616005)(6486002)(186003)(1076003)(316002)(66946007)(66556008)(6512007)(66476007)(9686003)(6506007)(478600001)(8676002)(6916009)(26005)(4326008)(41300700001)(8936002)(107886003)(6666004);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: mOI8d+YVqrX8j4i0UB2Sh8CQ/2gTEdEHdxOmk3Q8XUqLlXB3YWGUM7aM6i0yZDk/LBZPsTCoUaYBk/GWCBKDlRmZw0+YDjjH/opy48gAsnYC/2sSZa7bsPVkb2GWHzS8/YQ9CLENlU1Tdz5LlLFqY77cgQGprnYEHrMthKAOpGErXscgVnmosWLmGmUhMAY9Y2H02yufmaBBDAC5tg1OkGeAMOh/ZRh7smmF2TR23LoNo210NGrZtgSl/K+ywFrrV2EAZnjKdNjsqbkbmLmwiLcJ3P+/uwA2VAdGXazW8yPJpRBE5H4UCtfuhVkC+x5AMqHYsyM806dOCBffR0sMJpyPxpmTULFxerw0otsf06qIEQVPMZf8MWKwYf4CHhsF0+nuih56+pabNl+EcxlPut5vis47oThb1SG/2vtcyC6QRqY1Gtf5h6NcMmNvfDyY5dRftaWyTuNU7q3eE6SdTbMZoBqXxqsW1EqfVaYPj1zIaZHfKiGxV7Q9eT5rlTm5nsyUPd5b5d6k1lDuz95+uSLtu0VYH5kmoA4CzbFWKaRPJyOxHuHBVqAdBRFj9/g9OLKuRPyi+3WYntGrQmb6DlVFe5SMnpps0mhYrIibgfnKf/REVl8+5xc559FehePEwOjyduApMOVwpb5QX8vg+8m4Mix8fa3TeiV7l3HSHLpCwYkTiZ11Yw+Ly1R7vICuiI/JEkwFLHmhryQSkMnc+JGgsJM6sI28n/+IA99FPQ77fKYYk6/ohawDu5DtaByCYZz9+x+7e09n20xXwMIRMPxTupO4MUUTE8BN7ug/0KZTc1JeZbjOrf9KuWM/kmEJtk0KxZpfg+dc9G2fNzDVuqCGiFKf7brxw/hcouPbDfBlskOmJhsO31SLpe+v2FzfEqq0u+87HVMZtrWvSymCBdGCOcuXAH7DL30TR6uW7jzxAqVovhJrhpj3Kvb97ZSGw7GXN2naOq3Y/UBI1FWvt7Gxi9aQpNKrsnnMhDTaK2IH/gHfNH5x6vmwT7xNu3xaoqO+e22J+e4cTyuvKohlEhLCThq0WiBA1CSkFP0TE3iho9XbhdqlBcBidR/dbvVRIqQjwO9S6IQImDGnerQHr1kiJwIbr38uxKcQ0D4E8V3eYjyp3ieMQRoT+InANjd+RzTKxSWhMEayYRgxNoJBainAbeWfQS56xnUYOHwSMkDK6eoJpsMi/QOeJ9AGuP7IelggpAoHofgU8FAAuF9PYliauMDYgjoTk+Noj/nFkK55g+uALcaKONMyCQ5GHwBuOKe0vjijlG2UwycvVOSn8RDfZ+KF+4GDGRwgpjd4mPyNvd00yWfgZc6EsKXnjD1SJw5GPqO/QReGYYYVnedl6STeFMxPJ5+169OkAf2+Wf2OyTSzm6tAndNPgag8m0B6AlHqF1ML0DiMPAggN3lgTh0eUhNeSbg9KBLKSb6FN/LFv5FXpG/lZbZ4NLNh50mGooUUQDG2mK47mLedc93KgTKICtYjg6PpnfdRVtEGFtQnC3Qr5jUXsdaF46ywjoFEZemM6Oao82DAulNaGMZAJNEo7QeZlUbGPF1p7ulNcMDtQg0jQSibl0yqkLwCWTUcs7rjwxCIGkzmf9nZyNaYBA== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: d0466877-36dc-4ac7-80b4-08dab1b37828 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:22:40.0309 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: wj6U5Txolpg5unOoLVYGdhbMpgkbBkC5BAcd+YuGpangX/k277TeU1lV/C/u/2z+RX2owNXM0Zdm6pOJQprAqHTU29kOiAApAbqBldxXGXM= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR10MB5873 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:22:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9777 From: Sven Schultschik provide a recipe to generate the needed binary to start a secure boot qemu with integrated optee and active RPMB replay protected memory emulation within u-boot Signed-off-by: Sven Schultschik --- .../trusted-firmware-a-qemu-arm64_2.7.0.bb | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb diff --git a/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb new file mode 100644 index 000000000..791089a21 --- /dev/null +++ b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb @@ -0,0 +1,61 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Sven Schultschik +# +# SPDX-License-Identifier: MIT +# + +HOMEPAGE = "https://www.trustedfirmware.org/projects/tf-a/" +MAINTAINER = "Sven Schultschik " +LICENSE = "BSD-3-Clause" + +require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc + +SRC_URI += " \ + git://review.trustedfirmware.org/TF-A/trusted-firmware-a;branch=master;protocol=https;destsuffix=git;rev=v${PV} " + +S = "${WORKDIR}/git" + +DEPENDS = "optee-os-${MACHINE} u-boot-qemu-arm64" +DEBIAN_BUILD_DEPENDS += " \ + debhelper(>= 11~), \ + optee-os-${MACHINE}, \ + u-boot-qemu-arm64, \ + libssl-dev, " + +TEEHEADER = "/usr/lib/optee-os/${MACHINE}/tee-header_v2.bin" +TEEPAGER = "/usr/lib/optee-os/${MACHINE}/tee-pager_v2.bin" +TEEPAGEABLE = "/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.bin" +BL33 = "/usr/lib/u-boot/${MACHINE}/u-boot.bin" + +TF_A_EXTRA_BUILDARGS = "BL32=${TEEHEADER} \ + BL32_EXTRA1=${TEEPAGER} \ + BL32_EXTRA2=${TEEPAGEABLE} \ + BL33=${BL33} \ + BL32_RAM_LOCATION=tdram SPD=opteed ${DEBUG} all fip" + +TF_A_PLATFORM = "qemu" + +TF_A_BINARIES = "release/bl1.bin release/fip.bin" + +ISAR_CROSS_COMPILE = "0" + +do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}" +do_deploy() { + dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \ + tar xOf - "./usr/lib/trusted-firmware-a/${MACHINE}/bl1.bin" \ + > "${DEPLOY_DIR_IMAGE}/bl1.bin" + + dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \ + tar xOf - "./usr/lib/trusted-firmware-a/${MACHINE}/fip.bin" \ + > "${DEPLOY_DIR_IMAGE}/fip.bin" + + dd if="${DEPLOY_DIR_IMAGE}/bl1.bin" of="${DEPLOY_DIR_IMAGE}/flash.bin" bs=4096 conv=notrunc + dd if="${DEPLOY_DIR_IMAGE}/fip.bin" of="${DEPLOY_DIR_IMAGE}/flash.bin" seek=64 bs=4096 conv=notrunc +} + +addtask deploy after do_dpkg_build before do_deploy_deb \ No newline at end of file From patchwork Wed Oct 19 09:21:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011522 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5CB7C4332F for ; Wed, 19 Oct 2022 09:23:01 +0000 (UTC) Received: from EUR04-HE1-obe.outbound.protection.outlook.com (EUR04-HE1-obe.outbound.protection.outlook.com [40.107.7.72]) by mx.groups.io with SMTP id smtpd.web09.5847.1666171374022357906 for ; Wed, 19 Oct 2022 02:22:54 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=QRLEwY9d; spf=pass (domain: siemens.com, ip: 40.107.7.72, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dsnj3Hzrdfg3C4CLJs/bzpGVK2tUtO9kMtW5nivcWDdtkBddJJiUnuk+STH+BLQcQaPsTT/1UcuaQOfFx31dcxEJ3Ctn3IuHZHe0y+qEtILuER3bj+VkKq87oz2P/d3504C6N56vPOw7Mgw3uC50HNm09oRcd02Xh3QpUWYUP2mW5ctP5PFDeI0+Q5dYf2I9YMuG+5p3SX6X85MwBheazGs2/7StJKUU59hnuiwSjV89x+r32RUu3LKxR1CwiTYn9PJJxBmUppgCaY0ukaUVLKz6VZ6593YSMDaoqnGc1s6UoQcwld2RQfiNHWVgIqRDnkKx46BHR+PJOUVMcpC7xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=glPZLRNHkEfFOBrEFxwvvQD2PlFSCMh45jIkcXor5Vc=; b=NPKEMRTb8IEQyAncQT1id9GWeIJf54G4Qcv2iDDvRK8L60imdb+wYDyqsyglTxrL+HY/ePKm0aWjOtC4cJaqSJ2ywg6tCF5YsqWtdjp7/iZWPORsxU8KgJ9I8RRe3CNwlHuaSThTnSFuKSNE5rlB2HLX7rVLA78BVc0NcgYp8A+VfhVzNHz14kNdMP116BntLUYVH9KVYp9ItruIZU18JGiEZtFJclUhWohBxmSU4E4dQZXgxBOG38z+OM6pv6FU7Y+bqlHDTo+lxcUeqNqyt4ax9MvkoSIKN/neYOgQueZ21u1UpslQecDUIvyhDv4h5ffSxnvOZl9IRCWTxrRoOw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=glPZLRNHkEfFOBrEFxwvvQD2PlFSCMh45jIkcXor5Vc=; b=QRLEwY9dMeuX/D/JQLt+BKZ9mSzM6idHosGrKouZ8kXDYtLa7h8C7EwtjIZ4Qnpsua3pgRK5wB4ql3LtSoNRXomcT4Bj9INio2joL5E9Yh424Dox235hJbEWYguk6+hEk29BeDHrxlSLczW0MgdpBYAABopg5AJEus2psF/rkd7nI5ZGbaePKDteTV8INPn/00orNcaL+dSKhlOmI8pwGerDeXo4j3KnEvKM2K/hmFhEeOXvFs1B9UYG1KPgrBAK1DmdRMxlXP2FbS8BQj7v6KNPvIx04uv+29MpQqVnAjPFUe6kkzU9hG+Cyw2ofuH302sdtLxNvW+O/cEJhoJlnA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by DB9PR10MB5211.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:33f::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:22:50 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:22:50 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 4/7] add u-boot patch for qemu to support RPMB Date: Wed, 19 Oct 2022 11:21:14 +0200 Message-ID: <20221019092117.5291-4-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AM6P192CA0080.EURP192.PROD.OUTLOOK.COM (2603:10a6:209:8d::21) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|DB9PR10MB5211:EE_ X-MS-Office365-Filtering-Correlation-Id: fa85ffec-7250-4140-2473-08dab1b37e40 X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: U6LTXO+Pqslu20KKHmDmEgZDn2Ob6pSgiupUajh1capmF2hM3DMCfBA0pG9h0ppFtYHfJbQTp9E0uRA7CpDyIF+dNS2ZudxoLYV5LGIjvTERXKvZYLjxA4hSDzr7dForRTGX3Xf+8jJS/9OajSHeDgP5ZSNzDsubdn3kt1YUiJ44qX3tb66hYH6LJHtS0y0G0Vc7VcWtK4HWno9NT4gTuIXpR5nwONH0p5bpf6WFEbiPPPBVatBay1I5eY9Ydm08NLrnWT6RZluURo805jWlWS7L03IQ58zLAFv1985rC0HCMLI4YbmOVjKB4RKV357q7D2guu8HmbOr6QiUHQbPW/6y9yhiy56zb1ICz7q5Y6JUur9azpEuUDMTKMD/Taox3vhxogfF09skxv49x+p1oHFO7WNQCYoL7j8u01GdsgL61egpLHr40lrFwdB7EHAwFU5SN++QWIv79sv0vUOjvoqi7K/a/jAovgTv/1g+t48QtceqfrQYspMX+h3GUZrhZtlG8fAcizzrOhbe9Tv7mz2xJ/wo6rMjamH48e/cBC2NBpXjGoCeSFnOoUIWHd+Lj+Xtvmhwnnm5fBu2w453DLwSGBpwseOWmmSp0y7inA7JfSv65vb4bWuyUEbopgin1A+vmMx2J9/LuoobGYiLfxCVaWBBxmdStrFdb5sLm8CpF/cndZcKfJSsiZcLoFVOrR5cO1VM5UeqALGKoXzYBw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(39860400002)(346002)(366004)(396003)(136003)(376002)(451199015)(2906002)(186003)(1076003)(2616005)(38100700002)(6486002)(82960400001)(478600001)(36756003)(83380400001)(4326008)(66556008)(66946007)(8676002)(66476007)(6916009)(30864003)(26005)(86362001)(41300700001)(6512007)(9686003)(6506007)(316002)(8936002)(5660300002)(6666004)(107886003)(579004);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: NaD451j6N0Q9gXufsjNr+iXJ+N8s7N14ab1XPvr4tZbwPU32jI1mo7tKWOFpIAH0uYHsu6QdSz1Ehe+JJlm5jtofuzd4ZvN9F2e6DxeJfkrVHbcnoUW0P4P/RZIQrHnvZGJezkAOMMJ73s7JWcLkyHYQvBup/vFTzuB77qrGbMBKVKpBb1oUbTNvzl0WVRcxxv1NXgSFLMPP82h+VBtvuYNR486lqGfZbAMHHowhL27D2BfXTqvFmHYN85tZjdeNfQ/v3yhJtepti1IXtEqTk3P0hd7UCZPV/y62mETSXpwaXKR4YbmbbBJHtPLo3DtAKktqEV6ewZ6+g6ALJkQr9IjzqMD8K0TiEuJACbMX2zxXmGiPz4TPOUgv8pqgVXDKZaWJtzggFkQC97J63DOMJrns8aisujuJQSFTMBSDovonPe7c9eHJY08t4J45EQZA0BUaoLWEE0Ce/YixgSzd902BQS3mQzJv1Oiqe47ER4fGEU4O68aX5nL7mnu/bHU/74oFNR9rHNbt6sxDoSMlRQKVV6OGEbyE2Lb3wLu5M4MXl/XnbDSVAv3itBoPYA7lLDxLjoOfx11AAFQ1YlIx+7pFYZPX5e0sGTjrLlBn7iUO6jCjBYCRS7NVPjzmEnJu7QuvJTksXx/a1bI8XOOjp2dPKLrDyyzqJj4+Hn7NoLli5x5nA+pRPbFV9z3Kvb/Qzaw7K1HbdMjcR0kdx02PAnXd5XPMr2xsUR553WjyGlfohqnJtucxtRQ0WlJXR++fI3rrDI6ZfXWi00ifxNq2cgLX0gnzkTh3LjgiL6skyDQeOUzGBQtj0OSwOCKYqYK1+wsn9iiAYLJuEU61BmK8Vt/hMK3PBdL+2gbwMDKC7r6+p20W+5mTwKAKlwD0heQ0FiZpIssnw/kAVQy6KTwJP0bPv3Uh+b9Kw1wPmh55W4okCtta0OqLBkXhWqIdYH8E3+MbAHoEreXailhFcsEYURBP9QFayJFmi1vuF5ihFLY2ani5F927VNtgm1JEdhyhe+h6qOi5enk+Pj0KrsDKABmQr/1Zp2UbWPSxg7EWGene+CrKHpb8WfyeQsMoiWlneGRC6ZbiHfcrVyhvUzqPWmxPc+pPbmxLEVMBNQkLRYUdzxkbWlgFhDORYdonPChKAHpOD+xiknwGiYWHhnEexdc4Q+KZYx9arjlKxotB60V8Eku3LFM0ptQPn9LC1JA64v5YeKaw0sLUx/6ROlO8slLQepoEhQgaXQZH/fVwHbg+1tv+rTE+sonDJ1s9tWnv9Q6xg5+Hp5bXdqSm6bb37HO3D6m5TWOYWQB2LU4Wd02acoMHqJJRXJEeAWUGx4vC2LcM0aPozrTihcFn2FKqR6cxy5pPytyVkHkh06NWD2MVjv/OLVQAqzk1nqNV5/TsOTya6pwxLwonvJLgwGqtEWRm1QX0NB4zczN+FJ4Gf5hX2cmlWlMgrKEkp4/FIi9krw/D6VfVLphXglP4VxGfXvxfwpZyUjt+5+Z2rxZaL3ZnblYwjjyKiIISEANiHlhBRSuMtHN60yHf9JcjAP6BxLtn51n3EfUKrnUGcvROI2LC+vXJxe3JEf7qQQHbWqfUktH9NItJkuyCKLVxe6Nmvg== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: fa85ffec-7250-4140-2473-08dab1b37e40 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:22:50.3147 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: n0raOxrJwbKBuyStmB43uasYoW+WvzndKdxsVyPNLfESfDB3MVnrBJV89GY6C48XrgiwrOMNAa4SaBNLrfbw2zUaCLOlTQb6JJbc/XA1puo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR10MB5211 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:23:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9778 From: Sven Schultschik Qemu itself is missing a implemented emulation of an RPBM (replay protected memory) which is part of an emmc. Therefore currently a u-boot patch, which adds a RPMB emulation, is needed which breaks the u-boot hardware support. The patch is only included into the qemu u-boot recipes and can be removed if there is an official qemu rpmb emulation, which currently does not have any ETA. Signed-off-by: Sven Schultschik --- ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++ recipes-bsp/u-boot/u-boot-qemu-common.inc | 3 + 2 files changed, 1378 insertions(+) create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch diff --git a/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch new file mode 100644 index 000000000..26266b549 --- /dev/null +++ b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch @@ -0,0 +1,1375 @@ +From a4179f663673dbfa48f79761acc3ff781ee9b2b8 Mon Sep 17 00:00:00 2001 +From: Ilias Apalodimas +Date: Thu, 12 Nov 2020 09:44:54 +0200 +Subject: [PATCH] irpmb patch hack + +Signed-off-by: Ilias Apalodimas +--- + arch/arm/include/asm/gpio.h | 3 +- + arch/arm/include/asm/ioctl.h | 1 + + configs/qemu_tfa_mm_defconfig | 53 ++++ + drivers/tee/optee/Makefile | 1 + + drivers/tee/optee/hmac_sha2.c | 126 ++++++++ + drivers/tee/optee/hmac_sha2.h | 74 +++++ + drivers/tee/optee/rpmb.c | 27 +- + drivers/tee/optee/rpmb.h | 1 + + drivers/tee/optee/rpmb_emu.c | 563 ++++++++++++++++++++++++++++++++++ + drivers/tee/optee/rpmb_emu.h | 141 +++++++++ + drivers/tee/optee/sha2.c | 249 +++++++++++++++ + drivers/tee/optee/sha2.h | 75 +++++ + 12 files changed, 1292 insertions(+), 22 deletions(-) + create mode 100644 arch/arm/include/asm/ioctl.h + create mode 100644 configs/qemu_tfa_mm_defconfig + create mode 100644 drivers/tee/optee/hmac_sha2.c + create mode 100644 drivers/tee/optee/hmac_sha2.h + create mode 100644 drivers/tee/optee/rpmb.h + create mode 100644 drivers/tee/optee/rpmb_emu.c + create mode 100644 drivers/tee/optee/rpmb_emu.h + create mode 100644 drivers/tee/optee/sha2.c + create mode 100644 drivers/tee/optee/sha2.h + +diff --git a/arch/arm/include/asm/ioctl.h b/arch/arm/include/asm/ioctl.h +new file mode 100644 +index 000000000000..b279fe06dfe5 +--- /dev/null ++++ b/arch/arm/include/asm/ioctl.h +@@ -0,0 +1 @@ ++#include +diff --git a/drivers/tee/optee/Makefile b/drivers/tee/optee/Makefile +index 928d3f80027f..28108536d231 100644 +--- a/drivers/tee/optee/Makefile ++++ b/drivers/tee/optee/Makefile +@@ -3,3 +3,4 @@ + obj-y += core.o + obj-y += supplicant.o + obj-$(CONFIG_SUPPORT_EMMC_RPMB) += rpmb.o ++obj-y += sha2.o hmac_sha2.o rpmb_emu.o rpmb.o +diff --git a/drivers/tee/optee/hmac_sha2.c b/drivers/tee/optee/hmac_sha2.c +new file mode 100644 +index 000000000000..61b24b128f1d +--- /dev/null ++++ b/drivers/tee/optee/hmac_sha2.c +@@ -0,0 +1,126 @@ ++/* ++ * HMAC-SHA-224/256/384/512 implementation ++ * Last update: 06/15/2005 ++ * Issue date: 06/15/2005 ++ * ++ * Copyright (C) 2005 Olivier Gay ++ * All rights reserved. ++ * ++ * Copyright (c) 2016, Linaro Limited ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of the project nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++ ++#include "hmac_sha2.h" ++ ++/* HMAC-SHA-256 functions */ ++ ++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key, ++ unsigned int key_size) ++{ ++ unsigned int fill = 0; ++ unsigned int num = 0; ++ const unsigned char *key_used = NULL; ++ unsigned char key_temp[SHA256_DIGEST_SIZE] = { 0 }; ++ int i = 0; ++ ++ if (key_size == SHA256_BLOCK_SIZE) { ++ key_used = key; ++ num = SHA256_BLOCK_SIZE; ++ } else { ++ if (key_size > SHA256_BLOCK_SIZE){ ++ num = SHA256_DIGEST_SIZE; ++ sha256(key, key_size, key_temp); ++ key_used = key_temp; ++ } else { /* key_size > SHA256_BLOCK_SIZE */ ++ key_used = key; ++ num = key_size; ++ } ++ fill = SHA256_BLOCK_SIZE - num; ++ ++ memset(ctx->block_ipad + num, 0x36, fill); ++ memset(ctx->block_opad + num, 0x5c, fill); ++ } ++ ++ for (i = 0; i < (int) num; i++) { ++ ctx->block_ipad[i] = key_used[i] ^ 0x36; ++ ctx->block_opad[i] = key_used[i] ^ 0x5c; ++ } ++ ++ sha256_init(&ctx->ctx_inside); ++ sha256_update_tee(&ctx->ctx_inside, ctx->block_ipad, SHA256_BLOCK_SIZE); ++ ++ sha256_init(&ctx->ctx_outside); ++ sha256_update_tee(&ctx->ctx_outside, ctx->block_opad, ++ SHA256_BLOCK_SIZE); ++ ++ /* for hmac_reinit */ ++ memcpy(&ctx->ctx_inside_reinit, &ctx->ctx_inside, ++ sizeof(sha256_ctx)); ++ memcpy(&ctx->ctx_outside_reinit, &ctx->ctx_outside, ++ sizeof(sha256_ctx)); ++} ++ ++void hmac_sha256_reinit(hmac_sha256_ctx *ctx) ++{ ++ memcpy(&ctx->ctx_inside, &ctx->ctx_inside_reinit, ++ sizeof(sha256_ctx)); ++ memcpy(&ctx->ctx_outside, &ctx->ctx_outside_reinit, ++ sizeof(sha256_ctx)); ++} ++ ++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message, ++ unsigned int message_len) ++{ ++ sha256_update_tee(&ctx->ctx_inside, message, message_len); ++} ++ ++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac, ++ unsigned int mac_size) ++{ ++ unsigned char digest_inside[SHA256_DIGEST_SIZE] = { 0 }; ++ unsigned char mac_temp[SHA256_DIGEST_SIZE] = { 0 }; ++ ++ sha256_final(&ctx->ctx_inside, digest_inside); ++ sha256_update_tee(&ctx->ctx_outside, digest_inside, SHA256_DIGEST_SIZE); ++ sha256_final(&ctx->ctx_outside, mac_temp); ++ memcpy(mac, mac_temp, mac_size); ++} ++ ++void hmac_sha256(const unsigned char *key, unsigned int key_size, ++ const unsigned char *message, unsigned int message_len, ++ unsigned char *mac, unsigned mac_size) ++{ ++ hmac_sha256_ctx ctx; ++ ++ memset(&ctx, 0, sizeof(ctx)); ++ ++ hmac_sha256_init(&ctx, key, key_size); ++ hmac_sha256_update(&ctx, message, message_len); ++ hmac_sha256_final(&ctx, mac, mac_size); ++} +diff --git a/drivers/tee/optee/hmac_sha2.h b/drivers/tee/optee/hmac_sha2.h +new file mode 100644 +index 000000000000..1044524d75c5 +--- /dev/null ++++ b/drivers/tee/optee/hmac_sha2.h +@@ -0,0 +1,74 @@ ++/* ++ * HMAC-SHA-224/256/384/512 implementation ++ * Last update: 06/15/2005 ++ * Issue date: 06/15/2005 ++ * ++ * Copyright (C) 2005 Olivier Gay ++ * All rights reserved. ++ * ++ * Copyright (c) 2016, Linaro Limited ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of the project nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#ifndef HMAC_SHA2_H ++#define HMAC_SHA2_H ++ ++#include "sha2.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ sha256_ctx ctx_inside; ++ sha256_ctx ctx_outside; ++ ++ /* for hmac_reinit */ ++ sha256_ctx ctx_inside_reinit; ++ sha256_ctx ctx_outside_reinit; ++ ++ unsigned char block_ipad[SHA256_BLOCK_SIZE]; ++ unsigned char block_opad[SHA256_BLOCK_SIZE]; ++} hmac_sha256_ctx; ++ ++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key, ++ unsigned int key_size); ++void hmac_sha256_reinit(hmac_sha256_ctx *ctx); ++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message, ++ unsigned int message_len); ++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac, ++ unsigned int mac_size); ++void hmac_sha256(const unsigned char *key, unsigned int key_size, ++ const unsigned char *message, unsigned int message_len, ++ unsigned char *mac, unsigned mac_size); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* !HMAC_SHA2_H */ ++ +diff --git a/drivers/tee/optee/rpmb.c b/drivers/tee/optee/rpmb.c +index 0804fc963cf5..275f2112f102 100644 +--- a/drivers/tee/optee/rpmb.c ++++ b/drivers/tee/optee/rpmb.c +@@ -12,35 +12,15 @@ + + #include "optee_msg.h" + #include "optee_private.h" ++#include "rpmb_emu.h" + + /* + * Request and response definitions must be in sync with the secure side of + * OP-TEE. + */ + +-/* Request */ +-struct rpmb_req { +- u16 cmd; +-#define RPMB_CMD_DATA_REQ 0x00 +-#define RPMB_CMD_GET_DEV_INFO 0x01 +- u16 dev_id; +- u16 block_count; +- /* Optional data frames (rpmb_data_frame) follow */ +-}; +- + #define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1)) + +-/* Response to device info request */ +-struct rpmb_dev_info { +- u8 cid[16]; +- u8 rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */ +- u8 rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */ +- /* Count */ +- u8 ret_code; +-#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 +-#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 +-}; +- + static void release_mmc(struct optee_private *priv) + { + int rc; +@@ -175,8 +155,13 @@ void optee_suppl_cmd_rpmb(struct udevice *dev, struct optee_msg_arg *arg) + rsp_buf = (u8 *)rsp_shm->addr + arg->params[1].u.rmem.offs; + rsp_size = arg->params[1].u.rmem.size; + ++#ifdef EMU + arg->ret = rpmb_process_request(dev_get_priv(dev), req_buf, req_size, + rsp_buf, rsp_size); ++#else ++ arg->ret = rpmb_process_request_emu(req_buf, req_size, rsp_buf, ++ rsp_size); ++#endif + } + + void optee_suppl_rpmb_release(struct udevice *dev) +diff --git a/drivers/tee/optee/rpmb.h b/drivers/tee/optee/rpmb.h +new file mode 100644 +index 000000000000..8b137891791f +--- /dev/null ++++ b/drivers/tee/optee/rpmb.h +@@ -0,0 +1 @@ ++ +diff --git a/drivers/tee/optee/rpmb_emu.c b/drivers/tee/optee/rpmb_emu.c +new file mode 100644 +index 000000000000..629f36ee6b29 +--- /dev/null ++++ b/drivers/tee/optee/rpmb_emu.c +@@ -0,0 +1,563 @@ ++// SPDX-License-Identifier: BSD-2-Clause ++/* ++ * Copyright (c) 2020 Linaro Limited ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "optee_msg.h" ++#include "optee_private.h" ++#include "sha2.h" ++#include "hmac_sha2.h" ++#include "rpmb_emu.h" ++ ++static struct rpmb_emu rpmb_emu = { ++ .size = EMU_RPMB_SIZE_BYTES ++}; ++ ++static struct rpmb_emu *mem_for_fd(int fd) ++{ ++ static int sfd = -1; ++ ++ if (sfd == -1) ++ sfd = fd; ++ if (sfd != fd) { ++ printf("Emulating more than 1 RPMB partition is not supported\n"); ++ return NULL; ++ } ++ ++ return &rpmb_emu; ++} ++ ++#if (DEBUGLEVEL >= TRACE_FLOW) ++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr, ++ bool to_mmc) ++{ ++ char msg[100] = { 0 }; ++ size_t i = 0; ++ ++ for (i = 0; i < numblk; i++) { ++ snprintf(msg, sizeof(msg), "%s MMC block %zu", ++ to_mmc ? "Write" : "Read", startblk + i); ++ //print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, 256); ++ ptr += 256; ++ } ++} ++#else ++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr, ++ bool to_mmc) ++{ ++ (void)startblk; ++ (void)numblk; ++ (void)ptr; ++ (void)to_mmc; ++} ++#endif ++ ++#define CUC(x) ((const unsigned char *)(x)) ++static void hmac_update_frm(hmac_sha256_ctx *ctx, struct rpmb_data_frame *frm) ++{ ++ hmac_sha256_update(ctx, CUC(frm->data), 256); ++ hmac_sha256_update(ctx, CUC(frm->nonce), 16); ++ hmac_sha256_update(ctx, CUC(&frm->write_counter), 4); ++ hmac_sha256_update(ctx, CUC(&frm->address), 2); ++ hmac_sha256_update(ctx, CUC(&frm->block_count), 2); ++ hmac_sha256_update(ctx, CUC(&frm->op_result), 2); ++ hmac_sha256_update(ctx, CUC(&frm->msg_type), 2); ++} ++ ++static bool is_hmac_valid(struct rpmb_emu *mem, struct rpmb_data_frame *frm, ++ size_t nfrm) ++{ ++ uint8_t mac[32] = { 0 }; ++ size_t i = 0; ++ hmac_sha256_ctx ctx; ++ ++ memset(&ctx, 0, sizeof(ctx)); ++ ++ if (!mem->key_set) { ++ printf("Cannot check MAC (key not set)\n"); ++ return false; ++ } ++ ++ hmac_sha256_init(&ctx, mem->key, sizeof(mem->key)); ++ for (i = 0; i < nfrm; i++, frm++) ++ hmac_update_frm(&ctx, frm); ++ frm--; ++ hmac_sha256_final(&ctx, mac, 32); ++ ++ if (memcmp(mac, frm->key_mac, 32)) { ++ printf("Invalid MAC\n"); ++ return false; ++ } ++ return true; ++} ++ ++static uint16_t gen_msb1st_result(uint8_t byte) ++{ ++ return (uint16_t)byte << 8; ++} ++ ++static uint16_t compute_hmac(struct rpmb_emu *mem, struct rpmb_data_frame *frm, ++ size_t nfrm) ++{ ++ size_t i = 0; ++ hmac_sha256_ctx ctx; ++ ++ memset(&ctx, 0, sizeof(ctx)); ++ ++ if (!mem->key_set) { ++ printf("Cannot compute MAC (key not set)\n"); ++ return gen_msb1st_result(RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED); ++ } ++ ++ hmac_sha256_init(&ctx, mem->key, sizeof(mem->key)); ++ for (i = 0; i < nfrm; i++, frm++) ++ hmac_update_frm(&ctx, frm); ++ frm--; ++ hmac_sha256_final(&ctx, frm->key_mac, 32); ++ ++ return gen_msb1st_result(RPMB_RESULT_OK); ++} ++ ++static uint16_t ioctl_emu_mem_transfer(struct rpmb_emu *mem, ++ struct rpmb_data_frame *frm, ++ size_t nfrm, int to_mmc) ++{ ++ size_t start = mem->last_op.address * 256; ++ size_t size = nfrm * 256; ++ size_t i = 0; ++ uint8_t *memptr = NULL; ++ ++ if (start > mem->size || start + size > mem->size) { ++ printf("Transfer bounds exceeed emulated memory\n"); ++ return gen_msb1st_result(RPMB_RESULT_ADDRESS_FAILURE); ++ } ++ if (to_mmc && !is_hmac_valid(mem, frm, nfrm)) ++ return gen_msb1st_result(RPMB_RESULT_AUTH_FAILURE); ++ ++ //printf("Transferring %zu 256-byte data block%s %s MMC (block offset=%zu)", ++ //nfrm, (nfrm > 1) ? "s" : "", to_mmc ? "to" : "from", start / 256); ++ for (i = 0; i < nfrm; i++) { ++ memptr = mem->buf + start + i * 256; ++ if (to_mmc) { ++ memcpy(memptr, frm[i].data, 256); ++ mem->write_counter++; ++ frm[i].write_counter = htonl(mem->write_counter); ++ frm[i].msg_type = ++ htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE); ++ } else { ++ memcpy(frm[i].data, memptr, 256); ++ frm[i].msg_type = ++ htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_READ); ++ frm[i].address = htons(mem->last_op.address); ++ frm[i].block_count = nfrm; ++ memcpy(frm[i].nonce, mem->nonce, 16); ++ } ++ frm[i].op_result = gen_msb1st_result(RPMB_RESULT_OK); ++ } ++ dump_blocks(mem->last_op.address, nfrm, mem->buf + start, to_mmc); ++ ++ if (!to_mmc) ++ compute_hmac(mem, frm, nfrm); ++ ++ return gen_msb1st_result(RPMB_RESULT_OK); ++} ++ ++static void ioctl_emu_get_write_result(struct rpmb_emu *mem, ++ struct rpmb_data_frame *frm) ++{ ++ frm->msg_type = htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE); ++ frm->op_result = mem->last_op.op_result; ++ frm->address = htons(mem->last_op.address); ++ frm->write_counter = htonl(mem->write_counter); ++ compute_hmac(mem, frm, 1); ++} ++ ++static uint16_t ioctl_emu_setkey(struct rpmb_emu *mem, ++ struct rpmb_data_frame *frm) ++{ ++ if (mem->key_set) { ++ printf("Key already set\n"); ++ return gen_msb1st_result(RPMB_RESULT_GENERAL_FAILURE); ++ } ++ print_hex_dump_bytes("Setting Key:", DUMP_PREFIX_OFFSET, frm->key_mac, ++ 32); ++ memcpy(mem->key, frm->key_mac, 32); ++ mem->key_set = true; ++ ++ return gen_msb1st_result(RPMB_RESULT_OK); ++} ++ ++static void ioctl_emu_get_keyprog_result(struct rpmb_emu *mem, ++ struct rpmb_data_frame *frm) ++{ ++ frm->msg_type = ++ htons(RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM); ++ frm->op_result = mem->last_op.op_result; ++} ++ ++static void ioctl_emu_read_ctr(struct rpmb_emu *mem, ++ struct rpmb_data_frame *frm) ++{ ++ printf("Reading counter\n"); ++ frm->msg_type = htons(RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ); ++ frm->write_counter = htonl(mem->write_counter); ++ memcpy(frm->nonce, mem->nonce, 16); ++ frm->op_result = compute_hmac(mem, frm, 1); ++} ++ ++static uint32_t read_cid(uint16_t dev_id, uint8_t *cid) ++{ ++ /* Taken from an actual eMMC chip */ ++ static const uint8_t test_cid[] = { ++ /* MID (Manufacturer ID): Micron */ ++ 0xfe, ++ /* CBX (Device/BGA): BGA */ ++ 0x01, ++ /* OID (OEM/Application ID) */ ++ 0x4e, ++ /* PNM (Product name) "MMC04G" */ ++ 0x4d, 0x4d, 0x43, 0x30, 0x34, 0x47, ++ /* PRV (Product revision): 4.2 */ ++ 0x42, ++ /* PSN (Product serial number) */ ++ 0xc8, 0xf6, 0x55, 0x2a, ++ /* ++ * MDT (Manufacturing date): ++ * June, 2014 ++ */ ++ 0x61, ++ /* (CRC7 (0xA) << 1) | 0x1 */ ++ 0x15 ++ }; ++ ++ (void)dev_id; ++ memcpy(cid, test_cid, sizeof(test_cid)); ++ ++ return TEE_SUCCESS; ++} ++ ++static void ioctl_emu_set_ext_csd(uint8_t *ext_csd) ++{ ++ ext_csd[168] = EMU_RPMB_SIZE_MULT; ++ ext_csd[222] = EMU_RPMB_REL_WR_SEC_C; ++} ++ ++/* A crude emulation of the MMC ioctls we need for RPMB */ ++static int ioctl_emu(int fd, unsigned long request, ...) ++{ ++ struct mmc_ioc_cmd *cmd = NULL; ++ struct rpmb_data_frame *frm = NULL; ++ uint16_t msg_type = 0; ++ struct rpmb_emu *mem = mem_for_fd(fd); ++ va_list ap; ++ ++ if (request != MMC_IOC_CMD) { ++ printf("Unsupported ioctl: 0x%lx\n", request); ++ return -1; ++ } ++ if (!mem) ++ return -1; ++ ++ va_start(ap, request); ++ cmd = va_arg(ap, struct mmc_ioc_cmd *); ++ va_end(ap); ++ ++ switch (cmd->opcode) { ++ case MMC_SEND_EXT_CSD: ++ ioctl_emu_set_ext_csd((uint8_t *)(uintptr_t)cmd->data_ptr); ++ break; ++ ++ case MMC_WRITE_MULTIPLE_BLOCK: ++ frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr; ++ msg_type = ntohs(frm->msg_type); ++ ++ switch (msg_type) { ++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM: ++ mem->last_op.msg_type = msg_type; ++ mem->last_op.op_result = ioctl_emu_setkey(mem, frm); ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE: ++ mem->last_op.msg_type = msg_type; ++ mem->last_op.address = ntohs(frm->address); ++ mem->last_op.op_result = ++ ioctl_emu_mem_transfer(mem, frm, ++ cmd->blocks, 1); ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ: ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ: ++ memcpy(mem->nonce, frm->nonce, 16); ++ mem->last_op.msg_type = msg_type; ++ mem->last_op.address = ntohs(frm->address); ++ break; ++ default: ++ break; ++ } ++ break; ++ ++ case MMC_READ_MULTIPLE_BLOCK: ++ frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr; ++ msg_type = ntohs(frm->msg_type); ++ ++ switch (mem->last_op.msg_type) { ++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM: ++ ioctl_emu_get_keyprog_result(mem, frm); ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE: ++ ioctl_emu_get_write_result(mem, frm); ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ: ++ ioctl_emu_read_ctr(mem, frm); ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ: ++ ioctl_emu_mem_transfer(mem, frm, cmd->blocks, 0); ++ break; ++ ++ default: ++ printf("Unexpected\n"); ++ break; ++ } ++ break; ++ ++ default: ++ printf("Unsupported ioctl opcode 0x%08x\n", cmd->opcode); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int mmc_rpmb_fd(uint16_t dev_id) ++{ ++ (void)dev_id; ++ ++ /* Any value != -1 will do in test mode */ ++ return 0; ++} ++ ++static int mmc_fd(uint16_t dev_id) ++{ ++ (void)dev_id; ++ ++ return 0; ++} ++ ++static void close_mmc_fd(int fd) ++{ ++ (void)fd; ++} ++ ++/* ++ * Extended CSD Register is 512 bytes and defines device properties ++ * and selected modes. ++ */ ++static uint32_t read_ext_csd(int fd, uint8_t *ext_csd) ++{ ++ int st = 0; ++ struct mmc_ioc_cmd cmd = { ++ .blksz = 512, ++ .blocks = 1, ++ .flags = MMC_RSP_R1 | MMC_CMD_ADTC, ++ .opcode = MMC_SEND_EXT_CSD, ++ }; ++ ++ mmc_ioc_cmd_set_data(cmd, ext_csd); ++ ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ ++ return TEE_SUCCESS; ++} ++ ++static uint32_t rpmb_data_req(int fd, struct rpmb_data_frame *req_frm, ++ size_t req_nfrm, struct rpmb_data_frame *rsp_frm, ++ size_t rsp_nfrm) ++{ ++ int st = 0; ++ size_t i = 0; ++ uint16_t msg_type = ntohs(req_frm->msg_type); ++ struct mmc_ioc_cmd cmd = { ++ .blksz = 512, ++ .blocks = req_nfrm, ++ .data_ptr = (uintptr_t)req_frm, ++ .flags = MMC_RSP_R1 | MMC_CMD_ADTC, ++ .opcode = MMC_WRITE_MULTIPLE_BLOCK, ++ .write_flag = 1, ++ }; ++ ++ for (i = 1; i < req_nfrm; i++) { ++ if (req_frm[i].msg_type != msg_type) { ++ printf("All request frames shall be of the same type\n"); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ } ++ ++ //printf("Req: %zu frame(s) of type 0x%04x", req_nfrm, msg_type); ++ //printf("Rsp: %zu frame(s)", rsp_nfrm); ++ ++ switch(msg_type) { ++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM: ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE: ++ if (rsp_nfrm != 1) { ++ printf("Expected only one response frame\n"); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ ++ /* Send write request frame(s) */ ++ cmd.write_flag |= MMC_CMD23_ARG_REL_WR; ++ /* ++ * Black magic: tested on a HiKey board with a HardKernel eMMC ++ * module. When postsleep values are zero, the kernel logs ++ * random errors: "mmc_blk_ioctl_cmd: Card Status=0x00000E00" ++ * and ioctl() fails. ++ */ ++ cmd.postsleep_min_us = 20000; ++ cmd.postsleep_max_us = 50000; ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ cmd.postsleep_min_us = 0; ++ cmd.postsleep_max_us = 0; ++ ++ /* Send result request frame */ ++ memset(rsp_frm, 0, 1); ++ rsp_frm->msg_type = htons(RPMB_MSG_TYPE_REQ_RESULT_READ); ++ cmd.data_ptr = (uintptr_t)rsp_frm; ++ cmd.write_flag &= ~MMC_CMD23_ARG_REL_WR; ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ ++ /* Read response frame */ ++ cmd.opcode = MMC_READ_MULTIPLE_BLOCK; ++ cmd.write_flag = 0; ++ cmd.blocks = rsp_nfrm; ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ break; ++ ++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ: ++ if (rsp_nfrm != 1) { ++ printf("Expected only one response frame\n"); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++//#if __GNUC__ > 6 ++ //__attribute__((fallthrough)); ++//#endif ++ ++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ: ++ if (req_nfrm != 1) { ++ printf("Expected only one request frame\n"); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ ++ /* Send request frame */ ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ ++ /* Read response frames */ ++ cmd.data_ptr = (uintptr_t)rsp_frm; ++ cmd.opcode = MMC_READ_MULTIPLE_BLOCK; ++ cmd.write_flag = 0; ++ cmd.blocks = rsp_nfrm; ++ st = IOCTL(fd, MMC_IOC_CMD, &cmd); ++ if (st < 0) ++ return TEE_ERROR_GENERIC; ++ break; ++ ++ default: ++ printf("Unsupported message type: %d", msg_type); ++ return TEE_ERROR_GENERIC; ++ } ++ ++ return TEE_SUCCESS; ++} ++ ++static uint32_t rpmb_get_dev_info(uint16_t dev_id, struct rpmb_dev_info *info) ++{ ++ int fd = 0; ++ uint32_t res = 0; ++ uint8_t ext_csd[512] = { 0 }; ++ ++ res = read_cid(dev_id, info->cid); ++ if (res != TEE_SUCCESS) ++ return res; ++ ++ fd = mmc_fd(dev_id); ++ if (fd < 0) ++ return TEE_ERROR_BAD_PARAMETERS; ++ ++ res = read_ext_csd(fd, ext_csd); ++ if (res != TEE_SUCCESS) ++ goto err; ++ ++ info->rel_wr_sec_c = ext_csd[222]; ++ info->rpmb_size_mult = ext_csd[168]; ++ info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK; ++ ++err: ++ close_mmc_fd(fd); ++ return res; ++} ++ ++ ++/* ++ * req is one struct rpmb_req followed by one or more struct rpmb_data_frame ++ * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame ++ */ ++uint32_t rpmb_process_request_emu(void *req, size_t req_size, ++ void *rsp, size_t rsp_size) ++{ ++ struct rpmb_req *sreq = req; ++ size_t req_nfrm = 0; ++ size_t rsp_nfrm = 0; ++ uint32_t res = 0; ++ int fd = 0; ++ ++ if (req_size < sizeof(*sreq)) ++ return TEE_ERROR_BAD_PARAMETERS; ++ ++ switch (sreq->cmd) { ++ case RPMB_CMD_DATA_REQ: ++ req_nfrm = (req_size - sizeof(struct rpmb_req)) / 512; ++ rsp_nfrm = rsp_size / 512; ++ fd = mmc_rpmb_fd(sreq->dev_id); ++ if (fd < 0) ++ return TEE_ERROR_BAD_PARAMETERS; ++ res = rpmb_data_req(fd, RPMB_REQ_DATA(req), req_nfrm, rsp, ++ rsp_nfrm); ++ break; ++ ++ case RPMB_CMD_GET_DEV_INFO: ++ if (req_size != sizeof(struct rpmb_req) || ++ rsp_size != sizeof(struct rpmb_dev_info)) { ++ printf("Invalid req/rsp size"); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ res = rpmb_get_dev_info(sreq->dev_id, ++ (struct rpmb_dev_info *)rsp); ++ break; ++ ++ default: ++ printf("Unsupported RPMB command: %d", sreq->cmd); ++ res = TEE_ERROR_BAD_PARAMETERS; ++ break; ++ } ++ ++ return res; ++} +diff --git a/drivers/tee/optee/rpmb_emu.h b/drivers/tee/optee/rpmb_emu.h +new file mode 100644 +index 000000000000..3471eecf63b5 +--- /dev/null ++++ b/drivers/tee/optee/rpmb_emu.h +@@ -0,0 +1,141 @@ ++#include ++ ++/* mmc_ioc_cmd.opcode */ ++#define MMC_SEND_EXT_CSD 8 ++#define MMC_READ_MULTIPLE_BLOCK 18 ++#define MMC_WRITE_MULTIPLE_BLOCK 25 ++ ++#define IOCTL(fd, request, ...) ioctl_emu((fd), (request), ##__VA_ARGS__) ++#define mmc_ioc_cmd_set_data(ic, ptr) ic.data_ptr = (__u64)(unsigned long) ptr ++#define MMC_CMD23_ARG_REL_WR (1 << 31) /* CMD23 reliable write */ ++ ++/* Emulated rel_wr_sec_c value (reliable write size, *256 bytes) */ ++#define EMU_RPMB_REL_WR_SEC_C 1 ++/* Emulated rpmb_size_mult value (RPMB size, *128 kB) */ ++#define EMU_RPMB_SIZE_MULT 2 ++ ++#define EMU_RPMB_SIZE_BYTES (EMU_RPMB_SIZE_MULT * 128 * 1024) ++ ++struct mmc_ioc_cmd { ++ /* Implies direction of data. true = write, false = read */ ++ int write_flag; ++ ++ /* Application-specific command. true = precede with CMD55 */ ++ int is_acmd; ++ ++ uint32_t opcode; ++ uint32_t arg; ++ uint32_t response[4]; /* CMD response */ ++ unsigned int flags; ++ unsigned int blksz; ++ unsigned int blocks; ++ ++ /* ++ * Sleep at least postsleep_min_us useconds, and at most ++ * postsleep_max_us useconds *after* issuing command. Needed for ++ * some read commands for which cards have no other way of indicating ++ * they're ready for the next command (i.e. there is no equivalent of ++ * a "busy" indicator for read operations). ++ */ ++ unsigned int postsleep_min_us; ++ unsigned int postsleep_max_us; ++ ++ /* ++ * Override driver-computed timeouts. Note the difference in units! ++ */ ++ unsigned int data_timeout_ns; ++ unsigned int cmd_timeout_ms; ++ ++ /* ++ * For 64-bit machines, the next member, ``__u64 data_ptr``, wants to ++ * be 8-byte aligned. Make sure this struct is the same size when ++ * built for 32-bit. ++ */ ++ uint32_t __pad; ++ ++ /* DAT buffer */ ++ uint32_t data_ptr; ++}; ++#define MMC_BLOCK_MAJOR 179 ++#define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd) ++ ++/* Request */ ++struct rpmb_req { ++ uint16_t cmd; ++#define RPMB_CMD_DATA_REQ 0x00 ++#define RPMB_CMD_GET_DEV_INFO 0x01 ++ uint16_t dev_id; ++ uint16_t block_count; ++ /* Optional data frames (rpmb_data_frame) follow */ ++}; ++#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1)) ++ ++/* Response to device info request */ ++struct rpmb_dev_info { ++ uint8_t cid[16]; ++ uint8_t rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */ ++ uint8_t rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */ ++ /* Count */ ++ uint8_t ret_code; ++#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 ++#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 ++}; ++/* mmc_ioc_cmd.flags */ ++#define MMC_RSP_PRESENT (1 << 0) ++#define MMC_RSP_136 (1 << 1) /* 136 bit response */ ++#define MMC_RSP_CRC (1 << 2) /* Expect valid CRC */ ++#define MMC_RSP_OPCODE (1 << 4) /* Response contains opcode */ ++ ++#define MMC_RSP_R1 (MMC_RSP_PRESENT|MMC_RSP_CRC|MMC_RSP_OPCODE) ++ ++#define MMC_CMD_ADTC (1 << 5) /* Addressed data transfer command */ ++ ++ ++/* Emulated eMMC device state */ ++struct rpmb_emu { ++ uint8_t buf[EMU_RPMB_SIZE_BYTES]; ++ size_t size; ++ uint8_t key[32]; ++ bool key_set; ++ uint8_t nonce[16]; ++ uint32_t write_counter; ++ struct { ++ uint16_t msg_type; ++ uint16_t op_result; ++ uint16_t address; ++ } last_op; ++}; ++ ++/* ++ * This structure is shared with OP-TEE and the MMC ioctl layer. ++ * It is the "data frame for RPMB access" defined by JEDEC, minus the ++ * start and stop bits. ++ */ ++struct rpmb_data_frame { ++ uint8_t stuff_bytes[196]; ++ uint8_t key_mac[32]; ++ uint8_t data[256]; ++ uint8_t nonce[16]; ++ uint32_t write_counter; ++ uint16_t address; ++ uint16_t block_count; ++ uint16_t op_result; ++#define RPMB_RESULT_OK 0x00 ++#define RPMB_RESULT_GENERAL_FAILURE 0x01 ++#define RPMB_RESULT_AUTH_FAILURE 0x02 ++#define RPMB_RESULT_ADDRESS_FAILURE 0x04 ++#define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 ++ uint16_t msg_type; ++#define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 ++#define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 ++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 ++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 ++#define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 ++#define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 ++#define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 ++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 ++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 ++}; ++ ++uint32_t rpmb_process_request_emu(void *req, size_t req_size, ++ void *rsp, size_t rsp_size); +diff --git a/drivers/tee/optee/sha2.c b/drivers/tee/optee/sha2.c +new file mode 100644 +index 000000000000..a9acd7244947 +--- /dev/null ++++ b/drivers/tee/optee/sha2.c +@@ -0,0 +1,249 @@ ++/* ++ * FIPS 180-2 SHA-224/256/384/512 implementation ++ * Last update: 02/02/2007 ++ * Issue date: 04/30/2005 ++ * ++ * Copyright (C) 2005, 2007 Olivier Gay ++ * All rights reserved. ++ * ++ * Copyright (c) 2016, Linaro Limited ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of the project nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++#include "sha2.h" ++ ++#define SHFR(x, n) (x >> n) ++#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n))) ++#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n))) ++#define CH(x, y, z) ((x & y) ^ (~x & z)) ++#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) ++ ++#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) ++#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) ++#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3)) ++#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10)) ++ ++#define UNPACK32(x, str) \ ++{ \ ++ *((str) + 3) = (uint8) ((x) ); \ ++ *((str) + 2) = (uint8) ((x) >> 8); \ ++ *((str) + 1) = (uint8) ((x) >> 16); \ ++ *((str) + 0) = (uint8) ((x) >> 24); \ ++} ++ ++#define PACK32(str, x) \ ++{ \ ++ *(x) = ((uint32) *((str) + 3) ) \ ++ | ((uint32) *((str) + 2) << 8) \ ++ | ((uint32) *((str) + 1) << 16) \ ++ | ((uint32) *((str) + 0) << 24); \ ++} ++ ++#define UNPACK64(x, str) \ ++{ \ ++ *((str) + 7) = (uint8) ((x) ); \ ++ *((str) + 6) = (uint8) ((x) >> 8); \ ++ *((str) + 5) = (uint8) ((x) >> 16); \ ++ *((str) + 4) = (uint8) ((x) >> 24); \ ++ *((str) + 3) = (uint8) ((x) >> 32); \ ++ *((str) + 2) = (uint8) ((x) >> 40); \ ++ *((str) + 1) = (uint8) ((x) >> 48); \ ++ *((str) + 0) = (uint8) ((x) >> 56); \ ++} ++ ++#define PACK64(str, x) \ ++{ \ ++ *(x) = ((uint64) *((str) + 7) ) \ ++ | ((uint64) *((str) + 6) << 8) \ ++ | ((uint64) *((str) + 5) << 16) \ ++ | ((uint64) *((str) + 4) << 24) \ ++ | ((uint64) *((str) + 3) << 32) \ ++ | ((uint64) *((str) + 2) << 40) \ ++ | ((uint64) *((str) + 1) << 48) \ ++ | ((uint64) *((str) + 0) << 56); \ ++} ++ ++#define SHA256_SCR(i) \ ++{ \ ++ w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \ ++ + SHA256_F3(w[i - 15]) + w[i - 16]; \ ++} ++ ++uint32 sha256_h0[8] = ++ {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, ++ 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19}; ++ ++uint32 sha256_k[64] = ++ {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, ++ 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, ++ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, ++ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, ++ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, ++ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, ++ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, ++ 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, ++ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, ++ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, ++ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, ++ 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, ++ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, ++ 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, ++ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, ++ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2}; ++ ++/* SHA-256 functions */ ++ ++static void sha256_transf(sha256_ctx *ctx, const unsigned char *message, ++ unsigned int block_nb) ++{ ++ uint32 w[64] = { 0 }; ++ uint32 wv[8] = { 0 }; ++ uint32 t1 = 0; ++ uint32 t2 = 0; ++ const unsigned char *sub_block = NULL; ++ int i = 0; ++ int j = 0; ++ ++ for (i = 0; i < (int) block_nb; i++) { ++ sub_block = message + (i << 6); ++ ++ for (j = 0; j < 16; j++) { ++ PACK32(&sub_block[j << 2], &w[j]); ++ } ++ ++ for (j = 16; j < 64; j++) { ++ SHA256_SCR(j); ++ } ++ ++ for (j = 0; j < 8; j++) { ++ wv[j] = ctx->h[j]; ++ } ++ ++ for (j = 0; j < 64; j++) { ++ t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) ++ + sha256_k[j] + w[j]; ++ t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); ++ wv[7] = wv[6]; ++ wv[6] = wv[5]; ++ wv[5] = wv[4]; ++ wv[4] = wv[3] + t1; ++ wv[3] = wv[2]; ++ wv[2] = wv[1]; ++ wv[1] = wv[0]; ++ wv[0] = t1 + t2; ++ } ++ ++ for (j = 0; j < 8; j++) { ++ ctx->h[j] += wv[j]; ++ } ++ } ++} ++ ++void sha256(const unsigned char *message, unsigned int len, ++ unsigned char *digest) ++{ ++ sha256_ctx ctx; ++ ++ memset(&ctx, 0, sizeof(ctx)); ++ ++ sha256_init(&ctx); ++ sha256_update_tee(&ctx, message, len); ++ sha256_final(&ctx, digest); ++} ++ ++void sha256_init(sha256_ctx *ctx) ++{ ++ int i = 0; ++ ++ for (i = 0; i < 8; i++) { ++ ctx->h[i] = sha256_h0[i]; ++ } ++ ++ ctx->len = 0; ++ ctx->tot_len = 0; ++} ++ ++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message, ++ unsigned int len) ++{ ++ unsigned int block_nb = 0; ++ unsigned int new_len = 0; ++ unsigned int rem_len = 0; ++ unsigned int tmp_len = 0; ++ const unsigned char *shifted_message = NULL; ++ ++ tmp_len = SHA256_BLOCK_SIZE - ctx->len; ++ rem_len = len < tmp_len ? len : tmp_len; ++ ++ memcpy(&ctx->block[ctx->len], message, rem_len); ++ ++ if (ctx->len + len < SHA256_BLOCK_SIZE) { ++ ctx->len += len; ++ return; ++ } ++ ++ new_len = len - rem_len; ++ block_nb = new_len / SHA256_BLOCK_SIZE; ++ ++ shifted_message = message + rem_len; ++ ++ sha256_transf(ctx, ctx->block, 1); ++ sha256_transf(ctx, shifted_message, block_nb); ++ ++ rem_len = new_len % SHA256_BLOCK_SIZE; ++ ++ memcpy(ctx->block, &shifted_message[block_nb << 6], ++ rem_len); ++ ++ ctx->len = rem_len; ++ ctx->tot_len += (block_nb + 1) << 6; ++} ++ ++void sha256_final(sha256_ctx *ctx, unsigned char *digest) ++{ ++ unsigned int block_nb = 0; ++ unsigned int pm_len = 0; ++ unsigned int len_b = 0; ++ int i = 0; ++ ++ block_nb = (1 + ((SHA256_BLOCK_SIZE - 9) ++ < (ctx->len % SHA256_BLOCK_SIZE))); ++ ++ len_b = (ctx->tot_len + ctx->len) << 3; ++ pm_len = block_nb << 6; ++ ++ memset(ctx->block + ctx->len, 0, pm_len - ctx->len); ++ ctx->block[ctx->len] = 0x80; ++ UNPACK32(len_b, ctx->block + pm_len - 4); ++ ++ sha256_transf(ctx, ctx->block, block_nb); ++ ++ for (i = 0 ; i < 8; i++) { ++ UNPACK32(ctx->h[i], &digest[i << 2]); ++ } ++} +diff --git a/drivers/tee/optee/sha2.h b/drivers/tee/optee/sha2.h +new file mode 100644 +index 000000000000..4ce0f3cd5231 +--- /dev/null ++++ b/drivers/tee/optee/sha2.h +@@ -0,0 +1,75 @@ ++/* ++ * FIPS 180-2 SHA-224/256/384/512 implementation ++ * Last update: 02/02/2007 ++ * Issue date: 04/30/2005 ++ * ++ * Copyright (C) 2005, 2007 Olivier Gay ++ * All rights reserved. ++ * ++ * Copyright (c) 2016, Linaro Limited ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of the project nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#ifndef SHA2_H ++#define SHA2_H ++ ++#define SHA256_DIGEST_SIZE ( 256 / 8) ++#define SHA256_BLOCK_SIZE ( 512 / 8) ++ ++#ifndef SHA2_TYPES ++#define SHA2_TYPES ++typedef unsigned char uint8; ++typedef unsigned int uint32; ++typedef unsigned long long uint64; ++#endif ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ unsigned int tot_len; ++ unsigned int len; ++ unsigned char block[2 * SHA256_BLOCK_SIZE]; ++ uint32 h[8]; ++} sha256_ctx; ++ ++typedef sha256_ctx sha224_ctx; ++ ++void sha256_init(sha256_ctx * ctx); ++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message, ++ unsigned int len); ++void sha256_final(sha256_ctx *ctx, unsigned char *digest); ++void sha256(const unsigned char *message, unsigned int len, ++ unsigned char *digest); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* !SHA2_H */ ++ +-- +2.29.2 + diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc index 0a9a15a0f..d5d7c16de 100644 --- a/recipes-bsp/u-boot/u-boot-qemu-common.inc +++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc @@ -13,6 +13,9 @@ require recipes-bsp/u-boot/u-boot-common.inc U_BOOT_BIN = "u-boot.bin" +SRC_URI_append_secureboot = " \ + file://0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch;patch=1" + do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}" do_deploy() { dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \ From patchwork Wed Oct 19 09:21:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011523 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D05A4C433FE for ; Wed, 19 Oct 2022 09:23:11 +0000 (UTC) Received: from EUR04-DB3-obe.outbound.protection.outlook.com (EUR04-DB3-obe.outbound.protection.outlook.com [40.107.6.54]) by mx.groups.io with SMTP id smtpd.web10.5951.1666171383482874154 for ; Wed, 19 Oct 2022 02:23:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=kPYdw8Bc; spf=pass (domain: siemens.com, ip: 40.107.6.54, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=D1hq/NkyLTRrlGbEUXZPsEuvLHlU+tZ/0+lv+KsgZsiJo/c/KzMChQ+RR3vBly2Ar0RLzaB6MXLwnKZ3LZPe7pd5idSDDwqExOuKjP9cHWziGexDZM28Twf3YlvMJ+ke0eVqKgK2u2/rn9mUASgywAg6wmSfHSbDL8b6HmAdDNer0nRQWBsJ5QpCOKbBSvhx/XysmzreqSuRZNveu6w1HsfTpLErJREpP0eFlWK3nBwqUArm1d+T0WGQHbHWMSca/ljzZjNuMm8ao19nXwempwRW8pMZcwJUGccCgGTTkL9ut1T/86PrKFBuZc3uGriktka7LQ+bb9OzaFgz/fFeXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qKctsy99kQVyvvjfNtrVgONXkTgC7lmciMU6TbJdXpg=; b=jnxAwGKzpxa0GD1jCxPoqMaMetTQDtRmJ7ktow81USHNDu+ppvk24jZ5/l5qqwPO8kFj+RnExUKmiJlwIawPYS+0uWGjrW7bn893348HY+C938/jXEsvyNqaXuYp6uwKOWmpMUf+Th1JE96NIjHoOJ5ONryEY9rOAo/+lZlfuYjw1aBCYU8/Ifyn0udWkH78nVQAzIX12RcqavZvq7pjZb/f+v9hAcLperP/tLZqD1IPfWsn80/m6K886XLxKMHiQ6YXKv1IYTzRWOmdMGLOoVz8y7P03H6JavM2f7rDL3jnEPaZvF1UG7UL0m0AJN5taFCyXmXIoJ0XTJQ1EnTciA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qKctsy99kQVyvvjfNtrVgONXkTgC7lmciMU6TbJdXpg=; b=kPYdw8BcxAPOZFnkmt4c17lLHPpLUNEOiN0mregiuJPhRdyhIji3ksCEpR8OISi6PuKJRVzcWrEYfJpFmG73Bfti7Srx3g3ykqWVYhVGDLGCHut/EyVLOUU/ILKt8y7ZbnmDmXMtF0zV1B7YthaTtBOrWHVNhhE0Az6x0N+HxBJc3hVUdreU3g3GFqAzKJZIkZ38h15u27rR/zU1fCr/QtWFuDkWq/LsdvdTzMT2HPe8CJLqkhpV1ruGTG3WaHQIQMAyMXtb3wYlUbsUD3FR9Hfs86ZyE5z0+l/Rev+HaqXqXzv4F6EBl9tXEzT+qowxVL+XZDSKFfSXOY/Qp9zvOw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by AM7PR10MB3510.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:138::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:23:00 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:23:00 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 5/7] add kas files for building qemu secure boot images Date: Wed, 19 Oct 2022 11:21:15 +0200 Message-ID: <20221019092117.5291-5-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AM5PR0701CA0064.eurprd07.prod.outlook.com (2603:10a6:203:2::26) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|AM7PR10MB3510:EE_ X-MS-Office365-Filtering-Correlation-Id: 75d8a9b2-7054-4c22-9654-08dab1b38482 X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 9fr1Bqvev0CjvDaVK6KFIe6n0/HU9gIZPK4BGpxTW+lBWi4y0XnMWCAJG/3kanpgvL6rNp2NtV0NIkq6xwTwcUtRL4XgA5z1i8SfGFNHJTybloLYO2cCBNH47WXPtX4esb4Q58dVTvCgNz//q60bOLmtLKGpaH/7eaGga0HP4La5nDUYl7M4uz5BVtwPeN0BjhSYhyWvs5Wocp26WyuBYVXGyvwVOO3W3MCSTefRBwm84WwWInnpH/nWkeej57oLwJ37PjcFFaeOz0zvjSn+OMTb+srOfFJ8qqX/nqJ1MkH97d2od3sryhFqBoVyglWDWvwcx1/GZdzkXI63FpSYXg//Xa0jR0ocoEE+G1t/yvpPvrXcXwd4krmMjLCvn98Hc1DAmvLyCaWgU2XzA3ZeZUqE2SSX1UPwcD5yzMlvyoDctBlOtWrhD0sFyFLu7+ZIz/TaxX/uRmaGpwG2PAkPhZjJsbhH1aMzQxBWlviDMyUihjTkNur9KY5pDslyStSftfETjnKW7Is+EYDP9IDsf9RFA+rNyA4mrzM4R2YfJQHIRSgegu6DJMaO9chkZuRXomHdMbezq4+JG2m1gn1vKAzOPMZt6kjMLXIEick17ACfX25/tiOazJJWu5PXaWFrz/6xhzy42sVp5u2wc8gxS0GJa3tBXJTAxMb6GZWjUTwgr0EC8jbzDIeav5IKXHpbJvEjqAR+2LJSbNWnFk6Ucg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(376002)(39860400002)(396003)(136003)(366004)(346002)(451199015)(26005)(4744005)(6512007)(9686003)(6506007)(41300700001)(86362001)(36756003)(6916009)(8676002)(66476007)(4326008)(66946007)(66556008)(8936002)(5660300002)(107886003)(6666004)(316002)(82960400001)(6486002)(38100700002)(2616005)(2906002)(1076003)(186003)(478600001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: eL9Ic5GZonmiWpjOdxXdWSPCPMBTEZit5xFJ41Hn6xclac2BTeakTUI3q2LGCm8novdsKhPaNmI3TX7X38BY+IuJVfm2xc1Mgdx40C0YC+usWTItXNthlDZl72KXrTd9YHhXmmLlcV0C1tUhC0ajY26EJQfPoSwr6ZYDxVYfFxOEfrvAArcvsv5rdl3rFzZnHjXdLlOOfiLZNv+Eq5GK7yostQvdth9vvZ/21pfF+SaOE6ogiY/RoR+uNfKJ5E82ZHzKfKG9ypOfXsgTigsDSy8gG4qVqK1LKUr8tqpzpZrJIZR7MAyIymYjpwdjuxMKnUnTKzMMjS+Owr1AaiC0mJPdCC2c/dn9xdRWYADuJ1CpBTu2fWl++OIkgv02XmClW3LXM4QA21bnsVg5mK8k90wpYiXWuRwbtwzCzB1zCn+0M+Ngigk7+NmZgr+zAyzmk9Mr/lifHotvrBa+ZmpSJ0KIEnSHorxP9WwziA1O7IK+oVgG28+Tn4UrZBcEMD5HFRJRzAzfxSjeF7ornptIq+cumzzrh8DSgL8ydKWU1NUhrga4Z7T8SZfshPPuv8pSm40tWCEOQ5Ncg7WyQuDrztiQ25W39cpDEhaI/YJNTVRaJNQ6kj4C98fuSNI884ZAT4VPjbdSTlX8PxnkQx90EZk6QtxiKRMOFe65NrFd9QC9rTSevB+9LXg/uHMjdgr4nwDDOvDVFG1/ibf+Uk19VwbfV+iFzQeVqbMA+dTI2oOLfEHCNQACJfFkAq/De8cuDxkozqwc6LESkCppZcEZbQTjNRD7sXZ6hDGu55lM9KdMdasXe0b2lGeidilu8s5sa+i8BDnRSn0Zua1g50nRLnMHhCieWGuXg7B6Ii2y7Y+BpiJV6Tp+sXafr+OYvakPJYOXM4JHZ0fjbZoEQnrEko16V5kmojOztjQHBVNtLq0JAK/yUtwTwzDJ9adQlHxKSEfttM08VqVutggMEAu/Epem0dQWv5hUumS/cyUPMXABdVTazNc1u/4d3VK48Vk6wnVjYphEocL7EE0WGLnvcz/n+ovWF2bvlcUtmiiiXkiViCuscMHIk67RrAgU7sG6xdo5qSVWVaz+SwwzmWzk4HWDqpAMG1CAzEnGX6a2G2HGKQpM8liCXTPsnEIFqPAFUpF/uZXjEu5tjP7DoUNrKhktrXZCeK4w5douXGHL371n310Fvfw9x/vGp3b9FhRoRHBPW9Qy0fC7Jt6MwqEImCmGPyGyuBu1IXoXyDSJO3adKMYBujIm9bpKh5wyNikROArVyJT6RtoMHZDwGEh6hIPALK9LzjcZx2zbO3L7Xo783Ho0DppsoONnkwZSTOaZdLgzoJ2OImK4TNnAwHlveWfG4Ymru2MjpHMMocWfzqGLNu46W8JiIE3zUymOkBXkWe4jiUlsWmontH1EvW7q5ONyvV13DaKODSJnoDViWs/LWwXi0j5rjT+h0B2Ujwo0fgwGXBE/gwoLClNBfKSZX6LkBQY16MCjU5A4HDEwnCIO9cwA1KRLeuxnFVEZbW2fAnIqw9gDQ3RGCIdiTbpx2OEBIjMywDW9yHFtxprjxrh9IKODgUNGx2DgEDfnzP8qcyhTOlvx708cYptPd4ZWhQ== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 75d8a9b2-7054-4c22-9654-08dab1b38482 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:23:00.7384 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: j24xDmXsGsun6ZcS0nl2iQqLFCf57ekAGv4Ha001413H1pxVb/zowrYinSr5gozUPjt4TDUz0XC4yG7vtvPSvH9g6mJSqXXvjpILoxttaes= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR10MB3510 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:23:11 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9779 From: Sven Schultschik The u-boot-efi-ebg-op-tee-qemu kas file combines the different recipes to create an image which can be booted with qemu and provides secure boot with EBG, TFA, u-boot, UEFI, EDK2, OPTEE and RPMB Signed-off-by: Sven Schultschik --- kas/opt/u-boot-efi-ebg-op-tee-qemu.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 kas/opt/u-boot-efi-ebg-op-tee-qemu.yml diff --git a/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml b/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml new file mode 100644 index 000000000..0558c8e79 --- /dev/null +++ b/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml @@ -0,0 +1,11 @@ +header: + version: 10 + includes: + - kas/board/qemu-arm64.yml + - kas/opt/5.10.yml + - kas/opt/bullseye.yml + - kas/opt/ebg-secure-boot-snakeoil.yml + +local_conf_header: + trusted-firmware-a-qemu-arm64: | + IMAGE_INSTALL_append = " trusted-firmware-a-qemu-arm64" \ No newline at end of file From patchwork Wed Oct 19 09:21:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011524 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFDD8C4332F for ; Wed, 19 Oct 2022 09:23:31 +0000 (UTC) Received: from EUR04-DB3-obe.outbound.protection.outlook.com (EUR04-DB3-obe.outbound.protection.outlook.com [40.107.6.64]) by mx.groups.io with SMTP id smtpd.web08.5951.1666171409261868401 for ; Wed, 19 Oct 2022 02:23:29 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=peg9/OmU; spf=pass (domain: siemens.com, ip: 40.107.6.64, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Gtfo18fkF1hnxURGicFArL+LW+evlmMv38Rutk4ne7kdT3XCDWLVtRmwSNwJ/zxk5MgXmzAwT9wwTbSEDUCnvTNbUgL7yiADlqGCs2CJ99dwf52r5Phug0kQ+fH9ZizMg1xHCFtIUN0o1H7wpS/lqdLSgr/UYkpTzI1jKHiM3EwaGJTEsC1QiMY7P+uMfTCQ0CMagQkYjNpFHyfAGWyjvP1ZLzqcT1DLy1irZoHjadiQBuwMiKZjB0vkrTn8Kk89YBFH+T+5IlvFD84MjH+VE/PZt/33w6tgIRE7nH+FNAsJ0NPMgIFV/bhoAboYy1y/DFdNbv4SSzWbcwIjcqxOjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=liFCM8giZCFQLY7w62P7vdTEGzRf8ZYwoE7rWQzZRI0=; b=SzGdTodTJATrTs3b1f5VC8usJ9roUOg9O6BECXDJo7gTc4oKl88UbQQRK7kT7N+kalCk6auZtkb7nIMW8djjSgAyOmu2n5nV+I9feeQ0kzc3+7s0cumhNCa25K1s9VxYhf7OYlu+tTbaT+fiIxSFhC9cl22+cUdSpPfg5YI/mAW5gYtKvf8cNRvHG8NWj0mtwxZ+AKNI16NqJU/GysC1U/hm6MX37dSBnwCmgOc84lDpudLru+Ak9SjzhKiG1UaJz9FDnyITY75os8A6bh9J0R/UZLh0IE+2kMJWetVU8DB6WCgYv7r9SdHIiUm1Mrk7j/SUWaWfqhkaZkyW+EFAAg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=liFCM8giZCFQLY7w62P7vdTEGzRf8ZYwoE7rWQzZRI0=; b=peg9/OmUeOF1ow7Xggww63VDVI9kTuqm/5Q6HsiFASmy+M2BWLKmiiJlFVcqbrRMGm8I1D0ATCEDTopWRgnGouAGeKG3hVsfed/Tm3c2cVMQMB+dULK/kJah5PoivxZ6JjfNBCHS94wP6Gqj92he6DZU/U9dukJIF/pbQ+WY6FO75FSVNgjguVAREljGK5RuFbKNUPo/X0iaTDZP+Uhr19R96WwfRgiCqYzbu2rO9ObVt7du1epqEkrDA152Fbf7AUfncK0XXJJjILMjLDL6r+tdq4UY/gKNCNKXgNdXGFHfKArcK6E5zMroH3Qvl9f1ZuIpO//x6P9EFcs4AAca6w== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by AM7PR10MB3510.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:138::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:23:27 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:23:26 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 6/7] enhance start-qemu.sh for arm64 secure boot Date: Wed, 19 Oct 2022 11:21:16 +0200 Message-ID: <20221019092117.5291-6-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AS8PR04CA0122.eurprd04.prod.outlook.com (2603:10a6:20b:127::7) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|AM7PR10MB3510:EE_ X-MS-Office365-Filtering-Correlation-Id: c97b0ee2-f22a-4a62-6c2d-08dab1b3941b X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: ZSfNgvcy+fbCcj8lnCxOBs02DvM2ykifvw4tKPeekbSyhbaijhjQvB7XxpzvQ85QuR5GKBH/fMeYzAqkxc2Unv4P2UY+PNL/jiN/vU2LoxxucLPamz1s5ndlS0LEMjhtDJQWYU8n/MmJgGXgVT1QdcbBk54t6vge0ha8eVTu3iGnNH6JhG/x3TWUFbbfgESNSn5I+oJ1LxTcMPYf59Y3bzY+AW3zvIrDSgIAxAFvadQ9K5plRlVi4CLRGVmk1S7H8vXe66zugpzXjG1Ihqff56bErwHoJ/YAI6b7cYIAHe7XB1tNh1Fo0koCGLNMkGyzqFstIqRskQfJk5uUFyVkfNjieGMzkYFKtk5FKVpk9UZU3xuzSQ0zQ5FiVCf1qOFvofg2viVqIyIP8deqjhuh2X8mqv49IfC0UITS6r4JqlnrzpbfV00mHENCIG2FeR4jduDUmw88j6li+shsLVlbdTdZyMeOtUI74M3OY7r+8VSAzEEYM+/XYhxgc5Zd2JeVCXLtJTjfvr+M4y3hn5s7FRqStBys2FIumBnH7G8KhR6bUpARWSl1Te9gMTEJMhbuvlu0UGBeMnsMjGJgwCqnviHfok6e14Iu+28v5ZpbkmFCnlqQCe3ohicwrZrlHYMHtmmwFE90qYWhmm767o2Lp5kYngJziF243DHC9FfiqVIBFUXsJ0w0hGkQHJXeYg81kcnyxOjewInHi6suJgBDSg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(376002)(39860400002)(396003)(136003)(366004)(346002)(451199015)(26005)(6512007)(9686003)(6506007)(41300700001)(86362001)(83380400001)(36756003)(6916009)(8676002)(66476007)(4326008)(66946007)(66556008)(8936002)(5660300002)(107886003)(6666004)(316002)(82960400001)(6486002)(38100700002)(2616005)(2906002)(1076003)(186003)(478600001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: tIFEKUid1evOIx4YiSVfr4ootQgobYfoag4F0ZGbGdtVPIKru8tRSn13+mjnniBmEtS0ctTqzJFQ2qB/dk7j4+1JqTc+0WoctSOUuVpqMQ72RukdQjdUyRogjx2Bj4/EnfVXyDMu47ZNFoUBKc5P8nQDVeUuljQS7Grnfj85kctEgH3HCMuegaZbsuQ6CPhRlk8KC6j1mCuGb2jF7VkWkUmSoRuy7gR7UqEYW5iD9qvRdxe/m32d3auE7SubxmKqggAQqYw3tUO2CoHJiJAj8g2sobQnXKKMK1Dy1ijEPOQYShkCVu4b4SVSiRi+w21wZfxxieMxeSPgF5Xh0i/0cCEcdZdXg4lWSghx5LxkzObSrow0g7vmbN7w4VCnfhehO2nMf8xKEYTzZPI4eONBknsEnQiDLXXZIv8uo776U2RF2peC8nU8CG+H7Bm04k/MiA8PFdyWe634MAp0hrJAhuPCV+HnSUtAC5ESNFzQa+preEnepCMUvHliyu2oRz6sl+Xs4130iZX9HCF32qdHdFlQkMgexxqYHP74oAnAVcE4tFq0PcjC5xlEp/+oa1+Iy131Mpn9Dkrf+rgtaTbZpYJpN1OjgSEQCotutpktd/1v0VqFITEuxjJelNuSvC6Trpj7I4oCiIy/3FKkPZGm1e2QC/0zt0DxWLmjvLhej829mTlKiPnTJKqSh3EEIF/R+DkJSRxF4O5v7lCYDF3TlzeMppKyXGG8C2NkUc8DaWgRPiWUFDibXXeB3wYYGOYG/GMdgPWqei0jDTvG5GW/KP0mhfliIcsyqNE1S2aSl7hdvvDUTTP/pWnayKcw5gQaRwXK2YPFIr3MOzVf9fDd2sETI0RtzrHAYIQJRxWQxiLVQuY1KDYLNrXxpPUij1R6tOl6XS+WuAL/aRaOSewxQLo699m1B0NNm4JuJJoBAdec0srB3WK+uJ4Y7lXsciCBXLKR1TmXhyNM+SWO6V5fP4YQYO6PRm+UCi/hmH58aWfLuE3kWDE6FHkFuvoOgGDMcWhsjC6cf7aQ7aLJW3F6HVpxtY+z6xPOsnHrsrtCseM5p8B38PHIiqIedZmq4hD62W67sRP4Jj14M2iTnUdJ4tKNeFgTthAnLMeCTcrFgiEs1r8KjOwt3x5mJn4voQzX3ksklR0A9hqf7Vf8ainB0nh4HWumCIueBIwuCwmCjSWNGFovXiNi1ZY3f252/aZNdr0pvc1yEFjZbgNRQCXO6aD1qRlXGmlVdYYSELhe8/fURXrHvs3acoApUrdPtbGQISZQxSvGsGePD+7SgVjw4Kjv4YYnefoZmnigE4uG9rTnSJX+XAu/deUV5V9F/MMWD0skvkg2M55MjZ3OAzzIX9+cji47bd9P4/Shs4AMfio66ZQi8OATE67gKWuuHILa6g2UX3PRf0NbB7n745kll7NPvciCS7OFTA548XNijlcbmH2MO2PDkrYSc+JYE7YhQdWlwbD1IqqJb8jq7DmjKZSSSdk4KcYgxgRv0kD+li38hww1mfQMquyF1rCqxAQguL+0BPZK11k7QtV7P+JVfWeMzeElLlwelCN/lR2GH0dZcULQZSrqpX0opKjWbK/Cmazx6EJh8xuEEGpnAMYoyw== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: c97b0ee2-f22a-4a62-6c2d-08dab1b3941b X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:23:26.9527 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: rxPabFV9zqaQcJ9+FYrvtoGjBQj30y89e16VqWXUMlQHaDlLlv+EKKnirWb6uoT7MmDGXxUMRI4FCtghrz8JMetOj6HBNG4pBSHDUrpc6vs= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR10MB3510 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:23:31 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9780 From: Sven Schultschik The start-qemu shell script need some adjustments to switch on secure in the machine statement and adds the virtual random number generator if secure boot is enabled. Signed-off-by: Sven Schultschik --- start-qemu.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/start-qemu.sh b/start-qemu.sh index dd16aed98..18946a6c9 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -80,13 +80,22 @@ case "${arch}" in QEMU_EXTRA_ARGS=" \ -cpu cortex-a57 \ -smp 4 \ - -machine virt \ -device virtio-serial-device \ -device virtconsole,chardev=con -chardev vc,id=con \ -device virtio-blk-device,drive=disk \ -device virtio-net-device,netdev=net" KERNEL_CMDLINE=" \ root=/dev/vda rw" + if [ -n "${SECURE_BOOT}" ]; then + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} \ + -machine virt,secure=on \ + -device virtio-rng-device" + else + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} \ + -machine virt" + fi ;; arm|armhf) QEMU_ARCH=arm From patchwork Wed Oct 19 09:21:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schultschik, Sven" X-Patchwork-Id: 13011525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFE2EC4332F for ; Wed, 19 Oct 2022 09:23:41 +0000 (UTC) Received: from EUR04-DB3-obe.outbound.protection.outlook.com (EUR04-DB3-obe.outbound.protection.outlook.com [40.107.6.59]) by mx.groups.io with SMTP id smtpd.web09.5856.1666171419636292320 for ; Wed, 19 Oct 2022 02:23:40 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=JoM8S71l; spf=pass (domain: siemens.com, ip: 40.107.6.59, mailfrom: sven.schultschik@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hgIca5t76/AT55ETbCjSEAuUQSGJwf6tOAbFbzjBV0AK6cZPekRV6aAVt5QNKo4Olz7EqF4k4up8e8aTEH4JMk0JZsP6jigwfNoXL81j4TQziT9aP6S8k3BEjtusE/D72uZsKareXwl5UGKcxxL833AbP6C+OJ2wIBbmc/N3OivAejvo+YBjfmAqPHmFCYzEqjrDuGPGYNB7jNqDCQ0VmfcwVTXwo3IViUBxt7BCmFd71DoBohiBgFTLiDOal4zBmQxmajBo1S3vQ71OWoxBrc2bLh2jW51+fOYsE0Bjpg/pPwy6S318PaV3H50KnL5JjICttFqW671cq+CRB1ADrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NHwVCia27qt1UB7zGmtCD00VwRR+4RHEEVrm7sedoXc=; b=TaVWzedkZVRt4QgfXfePNtq2/n8/GEHFNvTzZY26TkXGzs/cZYwaLX7+WJ/xbUgQO9k5h0TliE6v981FPa3o3fHDloXUyIjcsuFDuv4PYrYyfFGqB2yEGOCPkMnqVYbcPWZpbN3VZD6QzmzaJ6RjD1a+AHk2syQs1PBy5vyPx7R9PiYvzqzLlrOaS9AOcHQ2PQBTVASbrHx5vO7w/y4vchfdjYzcbsUCzhT85U+2sIucnXGBRY6QovBpaYCqcL5ChA/irxnNLZtY5Dx4Gj1QpbvLFG1Z6SGpeXGo66v7Ay9Yfnqil4cd19/Wdbx8bEhXyIdtJPvcg4nRXIeviJQJIg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NHwVCia27qt1UB7zGmtCD00VwRR+4RHEEVrm7sedoXc=; b=JoM8S71l63zqvH8lPjHiqkAK2zdBoByxbKeuCVrBcG64FHWA6m54s47HdsTzZA6EF7wSwFqnstfXJK5H96DwQbX+p8RvNS3Ekr5dGmGbraSxkc/Qza2EfHcOIJa2Hq9Emjpz4NiBPSlBrCyzoZfJKkPQ+I6TBtcg2Okj0aU7mq52wrXXRvyE5e7zeY8QHerhM7gr7440hOqKNeOWxWrsd/yEIhzvPKmNHwebxNFZHtil1rBLH8eJpVDuZ1p8gXas8S8NNkAgWX5uQXvV9gZtXR7428WmzY9/aOwe3qwWJHgfBLDAHkPObzIRB8y9a9T0y3/Ym/mF6r5LmWVcBOAuvw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) by AM7PR10MB3510.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:138::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct 2022 09:23:37 +0000 Received: from PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f]) by PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM ([fe80::8f3:9a82:c9ed:6a3f%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022 09:23:37 +0000 From: sven.schultschik@siemens.com To: cip-dev@lists.cip-project.org CC: jan.kiszka@siemens.com, Sven Schultschik Subject: [isar-cip-core][PATCH 7/7] no merge - manually instructions test secure boot Date: Wed, 19 Oct 2022 11:21:17 +0200 Message-ID: <20221019092117.5291-7-sven.schultschik@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221019092117.5291-1-sven.schultschik@siemens.com> References: <20221019092117.5291-1-sven.schultschik@siemens.com> X-ClientProxiedBy: AS9PR06CA0638.eurprd06.prod.outlook.com (2603:10a6:20b:46f::32) To PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:210::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PAXPR10MB5037:EE_|AM7PR10MB3510:EE_ X-MS-Office365-Filtering-Correlation-Id: c761993e-895b-4e08-3c9d-08dab1b39a6c X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: fZyOr5q1qkMEfIX0iL5hvNZbH5Y9Ynd9hla4Wan54q50jWRa86D/xwDjgohWwtCe0mw3bB8f0V2BpPVV8h6mf0R11Ba3fFKMkN7o5TZ6fKj7UudvrL8VBj/DXLYBRDoc+IJPcZYliTUA0G7hmQstAajNc03kTvy1Ev85zWiCdQ6Wfe+ZQ4/Bfme7v1yfnmGTI4gYGRK6HIDE5JR91D2qbhQDS2LBnePwOVxO2VXA5PQyo7H9a1Jhi4RXqK2yHeJ8k+ZIGQiqgL1jNMA29LH1sW/YuDwquI4pS+ksvrm/Qa/Dc0b+SaSgNhkDE+nI8vzxgVUhR8W2EyZ+AcEsPh4twQmmImrff1WrGI+vypEu2TXIHg9QCB3W1bwZE91lixKC6UF0ohnV70DZ2oyhFP8R+FzvUnwD5tGPD16VUX01iu4hdp5B/ixj62RR+3tP/1wKGY9SiwABVtVyEXxUzmtJsN8Ug40/kQ+BoJdvqFJai9O8ECFaPd0TPDqbJ/N9xw2MFsPnal/BdsWW3utWrxxQxzi2+CA8FDmG7ARzpeX32zXrhKxLneqlFzzG5usIKSF90o8CH4Tt8GU5xwmB14E/+OWm+g6sG/zQMy/FLSY2nLBrS4oHQIbnryVp0A6uSNZIMvMVfNwdsv5wN5ZMniwRtRlLhpGOVqMIyjBjRB59+5V3AKQIPHnJe+U51Z1uuje//NZXk4F4MkxU01vt2QfsPw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(376002)(39860400002)(396003)(136003)(366004)(346002)(451199015)(26005)(6512007)(9686003)(6506007)(41300700001)(86362001)(83380400001)(36756003)(6916009)(8676002)(66476007)(4326008)(66946007)(66556008)(8936002)(5660300002)(107886003)(6666004)(316002)(82960400001)(6486002)(38100700002)(2616005)(2906002)(1076003)(186003)(478600001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 3ghg0YyDR1yX1y82e9ZvIflphVTmbN8jV4S2tqmQJA90QlixECqEy0oTnpN45cPfwqfeKyW7ig8PvjnLJdPkNI0eI8+KVj/qZlE/+ePrzhaWmkO9Ah7g0aVPltI03ImkNcKPaGYitwbyHbIRbuJnYMdIO+Y/YjBetcrK2Z6rVK+WAWycicvgV+y8369XWMAOYu2/5UpdsbBSk2gUSuVZBIrCDSNxp9NteCMBdrJQ4HDihhUguE7wW+LXDQXy5+IiSBDNnG/FetsvnF5425gOwOQ10W8dTgD6kCSFOa/w83+CORum4Y5jLdaLmV1N9Emm160AqjgxZQBgrx3pYSRSZ/ymVhuJxRo/cs67JBuuIqdY9AIrALoRM0OvUtfdf2YcEsu50MMVmX2Dws93qVScMbf1xL1cVF+pORtHZ3zAYzmbE19vuviO+AXyz09MzcLV4+boHhx5AhYqwQuXmXtx0Ifr4JFG4qkLrFgxxhgAVTO+EA9Sp9Cn59qCfIbsKg9gOkL/Z0JcegrhKQMFIN3WZ3FcgmkL3FyhvlgY6G3McKSahTmsMx4fY7a8a0W5Zjaos54npREugqMDniVcEEQdVlErKXcTmG8JoLJmi6xeTJl2RxUZimW9IjlOLiXsTVwIwEE6uZiDFOrhUk5A6z5788i3A4kibl0VKVH8nkZQpvb9lGFcM3/aVwAeuhYYvNVoxYJkNRwaXtzGJKljj6UUeTM5aCbbT8q6j5lWGK9qav6bJM4CKOTsrdRTn6agexxKTZHumqNHjoPLv66BGwUdW5Euim9IHt+eetLVvrdpT31QzGFl2mj37pZiE+RBEFtjDNK/i6Mei6OI6KXuZzgngnn//98ESB0bAvd+LPJEW7NghmsDmOWHbtAlQ3wMO6x1CA3Nt9h3LN+mPEAAyjBReFzjJ2bhygpbiCcNHrMt6hXd3bphRV/9oBAmXI8CfS8Bk4XFd3bVwnVwANqhvIll6XE6hKLFxuMGzIQCZzAivcmYfaI6aPs47mB+5oNyW4B7TPHrnL/LS/aikJbCctnsDxn8seZOoYeWWywrgdAgFMG7Cxffp5YBONP90gzr61XrHdxoklk8oOfvGg5hKP6a37q5WerGlX4iCPGdUC1D3AkzrnSjSSb5umjx5SjJlxzzqtUGfawVvHUWbgCEhg+dJOz6NWQ7guKnbrWZvp0Pa/bXRtLISS3hEfllGYojnnGaptpnm2cz+TAhCCk8X21X09VH+sMea1Xm0AoluZOZgTiw96SUVILN7Cz4qgqxAqR+XMeZqsy7BkTYt84eRqudS/2Q93Bilmy1csW7sDg4fD1KVWg6HPWw202wB1GtwqgivorTQQJkn6tBesmKsaHV+rrrL5zJFbc+0by1u3s4AR5iEQJFyirT127efl6Q45YyYTsZTY63nyuClc3BM2ggb3u3JGtIRs1XYT5Kfo0GBQRWAinSAt8socRXkwNpmnHJqBmz5Lkg64+Alp3OuDbdzFrwyuPvAAcFrUReWc7XJLctnuNmPGlESg9L9rU6qplCFJMm13leELC92ObfI3NMi/8/gHW+8S4ZVh8p/Fh6stdKM27nmNls2GG74k6TA6otagXlrxMA/90ldPWqmbNL+w== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: c761993e-895b-4e08-3c9d-08dab1b39a6c X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB5037.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 09:23:37.5018 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: C+AC/a4GTatYFqbsl5sa8EfH9KBP/DuJjbTx2bUjUFBsfVgkIVFr7x8EtZVHWpmtrfvPda/Pi92PFo6riKOuVJmxSgFwk2hSInzxaPZOy1E= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR10MB3510 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Oct 2022 09:23:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9781 From: Sven Schultschik This patch is not ment for merge but shows how to generally test the implementation of the optee and rpmb driven secure boot qemu setup. Signed-off-by: Sven Schultschik --- README.md | 65 ++++++++++++++++++ keys/helloworld.efi | Bin 0 -> 4576 bytes recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 2 +- start-qemu.sh | 3 +- 4 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 keys/helloworld.efi diff --git a/README.md b/README.md index e30ff3a63..36f9ebe25 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,71 @@ or via bmap-tools bmaptool copy build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img /dev/ +## Running Secure Boot Target Images and test it +Create a folder named `keys` if not exist and within this folder create the signing keys and db + +```bash +#PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +# KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +# db +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_db/ -keyout db.key -out db.crt -nodes -days 365 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth +``` + +Put an bootable `.efi` file in it or use the `helloworld.efi` provided and sign it. + +``` +sbsign --key db.key --cert db.crt helloworld.efi +``` + +The `start-qemu.sh` has additional `-hdb fat:rw:keys` added with this patch to mount the `keys` folder. + +Start the qemu with following command + +``` +FIRMWARE_BIN=./build/tmp/deploy/images/qemu-arm64/flash.bin ./start-qemu.sh aarch64 +``` + +In this test patch there is as well the possibility added to stop in the u-boot. So if you see a 5 sec timer ticking press Enter to stop. + +Now add the keys to the environment my typing + +``` +fatload virtio 1:1 ${fileaddr} PK.auth +setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize PK +fatload virtio 1:1 ${fileaddr} KEK.auth +setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize KEK +fatload virtio 1:1 ${fileaddr} db.auth +setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize db +``` +> The address ${fileaddr}=40000000 depends on your DRAM setup. You can check with `bdinfo` + +> $filesize is set by fatload + +### Boot signed efi binary + +``` +fatload virtio 1:1 ${fileaddr} helloworld.efi.signed + +bootefi ${fileaddr} ${fdtcontroladdr} +``` + +### Try same binary but unsigned +This should fail with `Image not authenticated. Loading image failed` +``` +fatload virtio 1:1 ${fileaddr} helloworld.efi + +bootefi ${fileaddr} ${fdtcontroladdr} +``` ## Community Resources diff --git a/keys/helloworld.efi b/keys/helloworld.efi new file mode 100644 index 0000000000000000000000000000000000000000..c021d94ae576271f1f472bd2e5f380ed1830a2ff GIT binary patch literal 4576 zcmeHKYfKbZ6h1SvJSx^Kg7`w6;o+lE>w`Af8X2%q+e(Xoefa|rRv{uFPz#|cL$D1A ziD9CqO=~TtHE}mhYK@xOmxv~9Qr2V(h{ve?bDWy6pZoe~omt7WOnH$u^Tzj^^cyFwXVwQ(!0ZSa%QcpcQw=l#<{TmfDMgQDbG9F^o4s=A=4Wr zxr;}9PCz>}eVMsHqJzamr@c{`?q`V(jy824?^23-8E<1c5>1X9E|A=Di1||?Pq8Q4 zk{!CGQ%0|`MnBsnQCiDF-D;8OROlS{nPa#h)2$6GGMSs>t|_vIFCMWYaby`1oi+ql92q^D?#J``UM0@M{3CI?HQIE+)}9P5nT&i5S1~Zd z(5woMwUW`pn&Rl%A6i?G=Qpg)YxIHdP}T}tkDZ@bm-Pp7?u^teDMhz@VcGaAX`UmRLr_A#N zYBCldQm4bn(}+Q>(sauwOM@32RA@x$)?V=Tw@T*uZZeh4T*q0Sz&>?G(%W_{Y-H4h#hMH!(N1MK~&xE#=w)89X0M{oO z_4)++;`^N%yI~U)qo+@qw%w`JMrAxda(#{JMq^pO8t%njyhYnkt{anZWP zag476zDwY3{i-&m-$0DiN@jS>j_{bv!ImPl{NY4lM5RvAPbV*z+FDw=gI6F&X=CJ}bz_Sl-(M;I(r(o@yQe z-tG@9Hu((nwdT0vp^NV?8ukVGpZA{|#(1N0+~m})X#%$&9GZ$ca1OW}xKfRx8^@q8 zlN668(`kaQODXC-r_vDa+ro1x!Y0yC2~lAZ@%=5gYdV=j;7h@H6gC<57HkpGP}v;) zCVr0!@w;~NSNJkgW-82seL~J$BKCu+ja*Pq2-Mt+Fxoz?a(Cz2u@=FsWd5(Oxi?!m3~| zfwvsJdf@omMGg3#jA;iLTq3F(=t|&sW4s&vT51$Ao8YO$r<#^y{$+cv602%rKA&E) z)m7koClH*ON?R$La_9;4@YI7Q)*G(1Uaare7DQzt<2*Zd4XvbAh^q&~c4%;oX$mkF zP%dQw`wSIKf*W5suD#1v$Jy|Hxa>WtK*lA|?yp}h=D2oT=gLXz7UcPNwdY-#j5Qa# zR))|nTU@58n~ObmSNVf_tassUqecwYz4kS|>43-B}kw$K^amlHN#p;ck) F{tfI&1hD`B literal 0 HcmV?d00001 diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl index 8e6428238..63d73f70a 100644 --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl @@ -1,5 +1,5 @@ ### Secure boot config -CONFIG_BOOTDELAY=-2 +CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset" CONFIG_EFI_VARIABLES_PRESEED=y diff --git a/start-qemu.sh b/start-qemu.sh index 18946a6c9..ac73d8d3b 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -179,7 +179,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} "$@" \ + -hdb fat:rw:keys ;; *) echo "Unsupported architecture: ${arch}"