From: Sven Schultschik <sven.schultschik@...>
This series of patches will add recipes to build a QEMU setup
which uses OP-TEE to use the RPMB (Replay Protected Memory Block) of
an eMMC as secure storage, which is used within Secure Boot
on ARM64.
This secure boot solution works with a platform key (PK),
a key exchange key (KEK) and a signature database (db).
Therefore the ebg signer, secure-boot secrets and snakeoil
keys are changed to this setup.
QEMU itself does not have an implementation of a
virtual RPMB. Therefore a patch for u-boot is needed which
adds this feature to u-boot, but breaks hardware
compatibility within u-boot. The virtual RPMB workaround
is not persistent either. Therefore a method to copy the keys
to the deploy folder, mount them into QEMU and provision
them on every boot is implemented.
As soon as QEMU has a native persistent RPMB support included,
the u-boot patch and the mounted keys can be removed.
Sven Schultschik (8):
add recipe for edk2
add recipe for optee qemu arm64
Include optee into u-boot
add u-boot patch for qemu to support RPMB
add recipe for trusted firmware a qemu arm64
change ebg sb signer and secrets to pk kek db
enhance start-qemu.sh for arm64 secure boot
Use of snakeoil keys for qemu use case
kas/opt/ebg-secure-boot-snakeoil.yml | 1 +
.../edk2/edk2-platformstandalonemmrpmb.inc | 56 +
.../edk2-platformstandalonemmrpmb_202205.bb | 12 +
recipes-bsp/edk2/files/rules.tmpl | 61 +
.../op-tee/optee-os-qemu-arm64_3.17.0.bb | 54 +
.../trusted-firmware-a/files/rules.tmpl | 22 +
.../trusted-firmware-a-qemu-arm64_2.7.0.bb | 62 +
...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 9 +-
recipes-bsp/u-boot/u-boot-qemu-common.inc | 9 +
.../files/sign_secure_image.sh | 2 +-
.../secure-boot-secrets/files/KEK.auth | Bin 0 -> 2066 bytes
.../secure-boot-secrets/files/KEK.crt | 19 +
.../secure-boot-secrets/files/KEK.esl | Bin 0 -> 839 bytes
.../secure-boot-secrets/files/KEK.key | 28 +
.../secure-boot-secrets/files/PK.auth | Bin 0 -> 2064 bytes
.../secure-boot-secrets/files/PK.crt | 19 +
.../secure-boot-secrets/files/PK.esl | Bin 0 -> 837 bytes
.../secure-boot-secrets/files/PK.key | 28 +
.../files/PkKek-1-snakeoil.key | 27 -
.../files/PkKek-1-snakeoil.pem | 21 -
.../secure-boot-secrets/files/db.auth | Bin 0 -> 2067 bytes
.../secure-boot-secrets/files/db.crt | 19 +
.../secure-boot-secrets/files/db.esl | Bin 0 -> 837 bytes
.../secure-boot-secrets/files/db.key | 28 +
.../secure-boot-secrets.inc | 59 +-
.../secure-boot-snakeoil_0.1.bb | 5 +-
start-qemu.sh | 20 +-
28 files changed, 1873 insertions(+), 63 deletions(-)
create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
create mode 100755 recipes-bsp/edk2/files/rules.tmpl
create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
create mode 100755 recipes-bsp/trusted-firmware-a/files/rules.tmpl
create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key
--
2.30.2
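The PK.esl, KEK.esl and db.esl files in the diffstat are UEFI EFI_SIGNATURE_LIST blobs: a 28-byte list header (signature-type GUID and three UINT32 sizes) followed by one EFI_SIGNATURE_DATA entry, which is a 16-byte owner GUID plus the DER certificate. The following is an added example, not code from this patch series or from the project; it builds and parses that container with the standard library only. The certificate bytes and the owner GUID are constructed placeholders. The .auth files additionally wrap an ESL in an EFI_VARIABLE_AUTHENTICATION_2 header with a PKCS#7 signature, which this example does not produce; the size arithmetic in `x509_esl_size` is the check a reviewer can run against the diffstat (837 bytes for PK.esl and db.esl is 28 + 16 + a 793-byte DER certificate).

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST (.esl) blobs as used for PK, KEK and db.

Added example for this cover letter; not code from the patch series. The
certificate bytes used in demo() are a constructed placeholder standing in for
a DER X.509 certificate; the container format does not inspect them.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification (signature type for X.509 DER certs)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID, mixed-endian), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 LE) = 28 bytes
_ESL_HDR = struct.Struct("<16sIII")
# EFI_SIGNATURE_DATA for X.509: SignatureOwner (EFI_GUID) + DER certificate
_OWNER_LEN = 16


def build_x509_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (the layout cert-to-efi-sig-list emits)."""
    sig_size = _OWNER_LEN + len(cert_der)
    list_size = _ESL_HDR.size + sig_size  # header + one EFI_SIGNATURE_DATA, no SignatureHeader
    # uuid.bytes_le gives the EFI_GUID on-disk encoding (LE Data1/2/3, then Data4 as-is)
    return (_ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + cert_der)


def parse_esls(blob: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LISTs into (type, owner, data) tuples.

    Every size field is checked against the buffer before it is used, so a
    truncated or inconsistent list raises ValueError instead of reading past
    the end; this is the check a variable parser must make before trusting it.
    """
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        body = list_size - _ESL_HDR.size - hdr_size
        if sig_size <= _OWNER_LEN or body % sig_size != 0:
            raise ValueError("SignatureSize does not tile the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _ESL_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            out.append((sig_type, owner, blob[pos + _OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off += list_size
    return out


def is_valid_esl(blob: bytes) -> bool:
    """True if the blob parses as a well-formed sequence of signature lists."""
    try:
        parse_esls(blob)
        return True
    except ValueError:
        return False


def x509_esl_size(cert_der_len: int) -> int:
    """Size of a single-certificate .esl: 28-byte list header + 16-byte owner GUID + DER."""
    return _ESL_HDR.size + _OWNER_LEN + cert_der_len


def demo():
    """Round-trip a constructed 793-byte placeholder certificate; yields an 837-byte .esl."""
    fake_pk_der = b"\x30\x82" + bytes(791)  # constructed: DER SEQUENCE tag then zero padding
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # assumed owner GUID
    esl = build_x509_esl(fake_pk_der, owner)
    assert len(esl) == x509_esl_size(len(fake_pk_der))
    return parse_esls(esl)


if __name__ == "__main__":
    for sig_type, owner, data in demo():
        print(sig_type, owner, len(data))
```

A db that holds several certificates is normally a concatenation of single-entry lists (one per certificate, since entries inside one list must share SignatureSize), which is why the parser loops over lists rather than assuming one.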