[isar-cip-core][PATCH v6 3/7] start-qemu.sh: Create a tpm2 device
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
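Review bot: The TPM state lives at a fixed, predictable path in the shared /tmp (`swtpm_dir="/tmp/qemu-swtpm"`), and `mkdir -p` succeeds even when another local user has already created that directory, so the emulated TPM's persistent state — which holds the sealing material for the encrypted partition under test — and its control socket can end up in a directory that user owns and can read or replace. A per-user location that is refused when not ours avoids this: `swtpm_dir="${XDG_RUNTIME_DIR:-/tmp}/qemu-swtpm-$(id -u)"`, `mkdir -p -m 0700 "${swtpm_dir}"`, `[ -O "${swtpm_dir}" ] || { echo "${swtpm_dir} is not owned by us" >&2; exit 1; }`. Separately, when `IMAGE_DATA_ENCRYPTION` is set but `/usr/bin/swtpm` is absent or `swtpm socket` fails to start, the script silently boots the guest without a TPM and the encryption test then fails inside the guest with no hint why; an `else` branch printing a warning to stderr would make that visible. Testing `command -v swtpm` instead of the hard-coded `/usr/bin/swtpm` would also keep the feature working with a swtpm installed elsewhere.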
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
--
2.39.2
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
--
2.39.2
Jan Kiszka
On 09.03.23 11:28, Quirin Gylstorff wrote:
rather need to persist it aside the disk image. I'm massaging the script
in that direction.
Unfortunately, the unix socket can't be pushed there as well - path
string becomes too long...
Jan
Siemens AG, Technology
Competence Center Embedded Linux
From: Quirin Gylstorff <quirin.gylstorff@...>
This kills the previous TPM state, preventing power-cycling of the VM. We
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
rather need to persist it aside the disk image. I'm massaging the script
in that direction.
Unfortunately, the unix socket can't be pushed there as well - path
string becomes too long...
Jan
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \--
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
Siemens AG, Technology
Competence Center Embedded Linux
Quirin Gylstorff
On 3/13/23 08:08, Jan Kiszka wrote:
Quirin
On 09.03.23 11:28, Quirin Gylstorff wrote:
This was for debugging purposes as the TPM is no longer accessible after a number of keys have been entered.
From: Quirin Gylstorff <quirin.gylstorff@...>
This kills the previous TPM state, preventing power-cycling of the VM. We
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
rather need to persist it aside the disk image. I'm massaging the script
in that direction.
Quirin
Unfortunately, the unix socket can't be pushed there as well - path
string becomes too long...
Jan
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
Jan Kiszka
On 13.03.23 09:13, Gylstorff Quirin wrote:
previous run, just tested. In which cases exactly does this issue hurt?
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
At least it is possible to encrypt a new image using the TPM state of a
On 3/13/23 08:08, Jan Kiszka wrote:On 09.03.23 11:28, Quirin Gylstorff wrote:This was for debugging purposes as the TPM is no longer accessible afterFrom: Quirin Gylstorff <quirin.gylstorff@...>This kills the previous TPM state, preventing to power-cycle the VM. We
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
rather need to persist it aside the disk image. I'm massaging the script
in that direction.
a number of keys entered.
previous run, just tested. In which cases exactly does this issue hurt?
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
Quirin Gylstorff
On 3/13/23 10:13, Jan Kiszka wrote:
Quirin
On 13.03.23 09:13, Gylstorff Quirin wrote:
After creating 8 keys/Images, the 9th time you want to add a key to a new one, the TPM will throw an error.
At least it is possible to encrypt a new image using the TPM state of a
On 3/13/23 08:08, Jan Kiszka wrote:On 09.03.23 11:28, Quirin Gylstorff wrote:This was for debugging purposes as the TPM is no longer accessible afterFrom: Quirin Gylstorff <quirin.gylstorff@...>This kills the previous TPM state, preventing to power-cycle the VM. We
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
rather need to persist it aside the disk image. I'm massaging the script
in that direction.
a number of keys entered.
previous run, just tested. In which cases exactly does this issue hurt?
Quirin
Jan
Jan Kiszka
On 13.03.23 11:29, Gylstorff Quirin wrote:
start to fail after the 8th time. Then we should purge the newly created
subfolder in deploydir when performing an image deployment.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
So, every boot-strap of a new image will add one key, and that will
On 3/13/23 10:13, Jan Kiszka wrote:On 13.03.23 09:13, Gylstorff Quirin wrote:After creating 8 keys/Images the 9th time you want to add a key to a newAt least it is possible to encrypt a new image using the TPM state of a
On 3/13/23 08:08, Jan Kiszka wrote:On 09.03.23 11:28, Quirin Gylstorff wrote:This was for debugging purposes as the TPM is no longer accessible afterFrom: Quirin Gylstorff <quirin.gylstorff@...>This kills the previous TPM state, preventing to power-cycle the VM. We
This allows testing the partition encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
rather need to persist it aside the disk image. I'm massaging the
script
in that direction.
a number of keys entered.
previous run, just tested. In which cases exactly does this issue hurt?
the TPM will throw a error.
start to fail after the 8th time. Then we should purge the newly created
subfolder in deploydir when performing an image deployment.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux