Re: [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image


Jan Kiszka
 

On 24.07.20 17:01, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>
A unified kernel image contains the os-release, kernel,
kernel commandline, initramfs and efi-stub in one binary.
This binary can be boot by systemd-boot and efibootguard.
It also allows to sign kernel and initramfs as one packages.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
...

diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..74d1b54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -15,6 +15,8 @@ usage()
echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
echo -e "\nSet QEMU_PATH environment variable to use a locally " \
"built QEMU version"
+ echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
+ "This environment also needs the variables OVMF_VARS and OVMF_CODE set"
exit 1
}
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
fi
+if [ -z "${DISTRO_RELEASE}" ]; then
+ DISTRO_RELEASE="buster"
+fi
+if [ -z "${TARGET_IMAGE}" ];then
+ TARGET_IMAGE="cip-core-image"
+fi
+
case "$1" in
x86|x86_64|amd64)
DISTRO_ARCH=amd64
QEMU=qemu-system-x86_64
QEMU_EXTRA_ARGS=" \
- -cpu host -smp 4 \
- -enable-kvm -machine q35 \
+ -cpu qemu64 \
+ -smp 4 \
+ -machine q35,accel=kvm:tcg \
-device ide-hd,drive=disk \
-device virtio-net-pci,netdev=net"
KERNEL_CMDLINE=" \
- root=/dev/sda vga=0x305 console=ttyS0"
+ root=/dev/sda vga=0x305"
;;
arm64|aarch64)
DISTRO_ARCH=arm64
@@ -71,21 +81,41 @@ case "$1" in
;;
esac
-if [ -z "${DISTRO_RELEASE}" ]; then
- DISTRO_RELEASE="buster"
-fi
-
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
-IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
if [ -z "${DISPLAY}" ]; then
QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
+ case "$1" in
+ x86|x86_64|amd64)
+ KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
+ esac
+fi
+
+
+
+if [ -n "SECURE_BOOT" ]; then
+ ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} \
+ -global ICH9-LPC.disable_s3=1 \
+ -global isa-fdc.driveA= \
+ "
Looks like someone fell asleep on the tab key - please indent more reasonably.

+ BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ -drive if=pflash,format=raw,file=${ovmf_vars} \
+ -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
+else
+ IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+
+ KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+ INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
+
+ BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
+ -initrd ${INITRD_FILE}
fi
shift 1
${QEMU_PATH}${QEMU} \
- -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-m 1G -serial mon:stdio -netdev user,id=net \
- -kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
- -initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
+ ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
This file is in conflict with changes in next. Please rebase.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Join cip-dev@lists.cip-project.org to automatically receive all group messages.