Restesting linuxboot#893 and linuxboot#907 on top of master with safe…

…boot board being built by CI

.circleci/config.yml

@@ -311,6 +311,12 @@ workflows:
           requires:
             - librem_mini
 
+      - build:
+          name: safeboot
+          target: safeboot
+          requires:
+            - librem_mini
+
 
 ########################
 ########################

Makefile

@@ -493,6 +493,9 @@ bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 bin_modules-$(CONFIG_NKSTORECLI) += nkstorecli
 bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
+bin_modules-$(CONFIG_SAFEBOOT) += safeboot
+bin_modules-$(CONFIG_BASH) += bash
+bin_modules-$(CONFIG_CURL) += curl
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \

boards/safeboot/safeboot.config

@@ -0,0 +1,154 @@
+# Configuration for building a safeboot loader that works with
+# the qemu emulator using either coreboot or the ovmf (UEFI) firmware.
+# This will also launch the swtpm emulator for testing out attestation.
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=5.4.69
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
+CONFIG_LINUX_CONFIG=config/linux-safeboot.config
+
+CONFIG_KEYFILE=$(build)/$(BOARD)/key.bin
+CONFIG_ROOTFS=$(HOME)/debian/safeboot-recovery/root.squashfs
+
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+CONFIG_KEXEC=y
+#CONFIG_QRENCODE=y
+#CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+#CONFIG_FLASHTOOLS=y
+#CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP=y
+#CONFIG_GPG2=y
+CONFIG_LVM2=y
+#CONFIG_MBEDTLS=y
+#CONFIG_DROPBEAR=y
+CONFIG_MSRTOOLS=y
+
+CONFIG_BASH=y
+CONFIG_CURL=y
+CONFIG_SAFEBOOT=y
+CONFIG_TPM2_TOOLS=$(CONFIG_SAFEBOOT)
+CONFIG_TPM2_TSS=$(CONFIG_TPM2_TOOLS)
+CONFIG_OPENSSL=$(CONFIG_TPM2_TSS)
+
+#Uncomment only one of the following block
+#Required for graphical gui-init (FBWhiptail)
+#CONFIG_CAIRO=y
+#CONFIG_FBWHIPTAIL=y
+#
+#text-based init (generic-init and gui-init)
+CONFIG_NEWT=y
+CONFIG_SLANG=y
+
+endif
+
+#CONFIG_LINUX_ATA=y
+#CONFIG_LINUX_AHCI=y
+#CONFIG_LINUX_USB=y
+#CONFIG_LINUX_E1000=y
+
+#Uncomment only one BOOTSCRIPT:
+#Whiptail-based init (text-based or FBWhiptail)
+#export CONFIG_BOOTSCRIPT=/bin/gui-init
+#
+#text-based original init:
+export CONFIG_BOOTSCRIPT=/bin/safeboot-init
+
+export CONFIG_TPM=n
+
+export CONFIG_BOOT_DEV="/dev/sda1"
+
+#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
+TPMDIR=$(build)/$(BOARD)/vtpm
+run-coreboot:
+	@mkdir -p "$(TPMDIR)"
+	swtpm socket \
+		--tpm2 \
+		--tpmstate dir="$(TPMDIR)" \
+		--flags "startup-clear" \
+		--ctrl type=unixio,path="$(TPMDIR)/sock" &
+	sleep 0.5
+
+	-qemu-system-x86_64 \
+		--machine q35 \
+		-m 4G \
+		--serial /dev/tty \
+		--bios $(build)/$(BOARD)/$(CB_OUTPUT_FILE) \
+		-object rng-random,filename=/dev/urandom,id=rng0 \
+		-device virtio-rng-pci,rng=rng0 \
+		-netdev user,id=u1 -device e1000,netdev=u1 \
+		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
+		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+		-device tpm-tis,tpmdev=tpm0 \
+
+	stty sane
+
+$(build)/$(BOARD)/unified.efi: $(build)/$(BOARD)/bzImage $(build)/$(BOARD)/initrd.cpio.xz
+	echo "console=ttyS0 mode=linux" > "$(build)/$(BOARD)/cmdline.txt"
+
+	DIR=$(build)/$(safeboot_dir) $(build)/$(safeboot_dir)/sbin/safeboot \
+		unify-kernel \
+		"$@" \
+		linux="$(build)/$(BOARD)/bzImage" \
+		initrd="$(build)/$(BOARD)/initrd.cpio.xz" \
+		cmdline="$(build)/$(BOARD)/cmdline.txt" \
+
+$(build)/$(BOARD)/hda1.bin: $(build)/$(BOARD)/unified.efi
+	mkdir -p "$(build)/$(BOARD)/hda1/boot/EFI/BOOT"
+	cp "$<" "$(build)/$(BOARD)/hda1/boot/EFI/BOOT/BOOTX64.EFI"
+	$(build)/$(safeboot_dir)/sbin/mkfat \
+		"$(build)/$(BOARD)/hda1.bin" \
+		"$(build)/$(BOARD)/hda1/boot"
+
+$(CONFIG_KEYFILE):
+	echo -n "abcd1234" > "$@"
+$(build)/$(BOARD)/hda2.bin: $(CONFIG_KEYFILE) $(CONFIG_ROOTFS)
+	fallocate -l 512M "[email protected]"
+	cryptsetup \
+		-y luksFormat \
+		--pbkdf pbkdf2 \
+		"[email protected]" \
+		"$(CONFIG_KEYFILE)"
+	cryptsetup luksOpen \
+		--key-file "$(CONFIG_KEYFILE)" \
+		"[email protected]" \
+		test-luks
+	#mkfs.ext4 /dev/mapper/test-luks
+	cat "$(CONFIG_ROOTFS)" > /dev/mapper/test-luks
+	cryptsetup luksClose test-luks
+	mv "[email protected]" "$@"
+
+$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin $(build)/$(BOARD)/hda2.bin
+	$(build)/$(safeboot_dir)/sbin/mkgpt \
+		"$@" \
+		$^
+
+
+run-ovmf: $(build)/$(BOARD)/hda.bin
+	@mkdir -p "$(TPMDIR)"
+	swtpm socket \
+		--tpm2 \
+		--tpmstate dir="$(TPMDIR)" \
+		--flags "startup-clear" \
+		--ctrl type=unixio,path="$(TPMDIR)/sock" &
+	sleep 0.5
+
+	-qemu-system-x86_64 \
+		--machine q35 \
+		-m 4G \
+		--serial /dev/tty \
+		--bios "/usr/share/ovmf/OVMF.fd" \
+		-object rng-random,filename=/dev/urandom,id=rng0 \
+		-device virtio-rng-pci,rng=rng0 \
+		-netdev user,id=u1 -device e1000,netdev=u1 \
+		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
+		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+		-device tpm-tis,tpmdev=tpm0 \
+		-drive "file=$<,format=raw" \
+
+	stty sane

config/coreboot-qemu.config

@@ -3,6 +3,7 @@ CONFIG_CBFS_SIZE=0xF00000
 # CONFIG_POST_IO is not set
 CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 # CONFIG_POST_DEVICE is not set
+CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="qemu-coreboot"
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_COREBOOT_ROMSIZE_KB_16384=y
 CONFIG_PCIEXP_ASPM=y
@@ -12,6 +13,6 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y
 # CONFIG_CONSOLE_SERIAL is not set
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
 CONFIG_PAYLOAD_LINUX=y
-CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786"
 CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot/bzImage"
+CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786"
 CONFIG_LINUX_INITRD="../../build/qemu-coreboot/initrd.cpio.xz"