[isar-cip-core][PATCH v6 3/7] start-qemu.sh: Create a tpm2 device


Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi

if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
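Review bot: `TPM2_ENCRYPTION` is only assigned when `.config.yaml` matches, so the later `[ "$TPM2_ENCRYPTION" = "true" ]` check relies on the variable being unset in every other case. Because start-qemu.sh is run from an interactive shell, an exported `TPM2_ENCRYPTION` in the caller's environment would switch the TPM on regardless of the config; an explicit `TPM2_ENCRYPTION=""` before this `if` (alongside the existing flag handling) avoids that.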
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi

if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
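Review bot: `rm "${swtpm_dir}"/*` discards the emulated TPM's persistent state on every start, so anything sealed to this TPM in a previous run, which is exactly what the series uses for the disk-encryption key, can no longer be unsealed after a VM restart; keep the state directory across runs and clear it only on explicit request. Two smaller points on the same lines: on an empty directory the unquoted glob stays literal and `rm` fails with "No such file or directory" (`rm -f` would be quiet), and the fixed `/tmp/qemu-swtpm` path is shared between users and concurrent invocations on the same host, where `mkdir -p` silently succeeds on a directory someone else created and the key material then lives under their control; `mktemp -d` or a per-image directory avoids both the collision and the ownership question. Finally, the script never stops the daemonized swtpm, and `[ -x /usr/bin/swtpm ]` makes a TPM-less boot silent when the binary lives elsewhere; `command -v swtpm` plus a warning on the failure branch would make that visible.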
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}

${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
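Review bot: With `${QEMU_EXTRA_ARGS}` removed from `QEMU_COMMON_OPTIONS` in the earlier hunk, every `${QEMU_PATH}${QEMU}` invocation now has to append it itself. The `rv64|riscv64)` branch that starts in this hunk's trailing context has no hunk of its own in the diff, so its invocation (between this hunk and the `@@ -199,5` one) appears to still end with `${QEMU_COMMON_OPTIONS} "$@"` and would silently lose both user-supplied extra arguments and the TPM device; please check and update it as well.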
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
--
2.39.2


Jan Kiszka
 

On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi

if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
This kills the previous TPM state, preventing a power-cycle of the VM. We
rather need to persist it alongside the disk image. I'm massaging the script
in that direction.

Unfortunately, the unix socket can't be pushed there as well - the path
string becomes too long...

Jan

+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi

if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}

${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
--
Siemens AG, Technology
Competence Center Embedded Linux
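As an added example (not code from the patch or from isar-cip-core), here is one way to handle the two concerns raised above together in POSIX sh: keep the swtpm state next to the disk image so the emulated TPM survives VM power cycles, and put only the control socket into a short, per-run directory, because Linux limits an AF_UNIX socket path (sun_path) to 108 bytes including the terminating NUL. The `.wic` to `.swtpm` naming and the `SWTPM_RESET` switch are my conventions, not the project's; the QEMU device arguments are the ones the patch uses.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patch: persistent swtpm state
# per image, short socket path per run.

SUN_PATH_MAX=108   # Linux UNIX_PATH_MAX: sun_path holds at most 107 chars + NUL

# Derive the persistent TPM state directory from the image path (my convention):
#   .../cip-core-image-qemu-amd64.wic -> .../cip-core-image-qemu-amd64.swtpm
tpm_state_dir_for_image() {
    image="$1"
    case "$image" in
        *.wic) printf '%s\n' "${image%.wic}.swtpm" ;;
        *)     printf '%s\n' "${image}.swtpm" ;;
    esac
}

# Return 0 if the socket path fits into sun_path, 1 otherwise.
socket_path_fits() {
    [ "${#1}" -lt "$SUN_PATH_MAX" ]
}

# QEMU arguments for an swtpm-backed TPM 2.0 device, the same chardev ->
# tpmdev emulator -> tpm-tis chain the patch builds.
tpm_qemu_args() {
    sock="$1"
    printf '%s' "-chardev socket,id=chrtpm,path=${sock} -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"
}

# Start swtpm for the given image and print the QEMU arguments to append.
# Assumes swtpm is on PATH; returns 1 (and starts nothing) otherwise.
# The state directory is NOT wiped between runs; set SWTPM_RESET=1 to
# deliberately start from a fresh TPM (e.g. after too many keys were sealed).
start_swtpm_for_image() {
    image="$1"
    state_dir="$(tpm_state_dir_for_image "$image")"
    mkdir -p "$state_dir" || return 1
    if [ "${SWTPM_RESET:-0}" = "1" ]; then
        rm -f "$state_dir"/*
    fi
    # Short, private, per-run directory for the control socket.
    sock_dir="$(mktemp -d /tmp/swtpm.XXXXXX)" || return 1
    sock="${sock_dir}/sock"
    socket_path_fits "$sock" || { echo "socket path too long: $sock" >&2; return 1; }
    command -v swtpm >/dev/null 2>&1 || {
        echo "swtpm not found, VM would boot without a TPM" >&2; return 1; }
    swtpm socket -d --tpmstate dir="$state_dir" \
        --ctrl type=unixio,path="$sock" --tpm2 || return 1
    tpm_qemu_args "$sock"
}

# Usage (not executed here):
#   TPM_ARGS="$(start_swtpm_for_image ./build/tmp/deploy/images/qemu-amd64/cip-core-image-qemu-amd64.wic)"
#   ${QEMU_PATH}${QEMU} ... ${QEMU_COMMON_OPTIONS} ${TPM_ARGS} "$@"
```

The state directory lives beside the image, so it is deployed, backed up and deleted together with it; the socket directory is created by `mktemp -d` with a name short enough for sun_path and owned by the calling user. A `trap` that removes the socket directory when QEMU exits is the natural next step in the real script.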


Quirin Gylstorff
 

On 3/13/23 08:08, Jan Kiszka wrote:
On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
start-qemu.sh | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
This kills the previous TPM state, preventing a power-cycle of the VM. We
rather need to persist it alongside the disk image. I'm massaging the script
in that direction.
This was for debugging purposes as the TPM is no longer accessible after a number of keys have been entered.

Quirin
Unfortunately, the unix socket can't be pushed there as well - the path
string becomes too long...
Jan

+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
rv64|riscv64)
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi


Jan Kiszka
 

On 13.03.23 09:13, Gylstorff Quirin wrote:


On 3/13/23 08:08, Jan Kiszka wrote:
On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
  start-qemu.sh | 27 ++++++++++++++++++++++-----
  1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
  elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
      SWUPDATE_BOOT="true"
  fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+    TPM2_ENCRYPTION="true"
+fi
    if [ -n "${QEMU_PATH}" ]; then
      QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
      -m 1G \
      -serial mon:stdio \
      -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
-    ${QEMU_EXTRA_ARGS}"
+    "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+    swtpm_dir="/tmp/qemu-swtpm"
+    mkdir -p "${swtpm_dir}"
+    rm "${swtpm_dir}"/*
This kills the previous TPM state, preventing a power-cycle of the VM. We
rather need to persist it alongside the disk image. I'm massaging the script
in that direction.
This was for debugging purposes as the TPM is no longer accessible after
a number of keys have been entered.
At least it is possible to encrypt a new image using the TPM state of a
previous run, just tested. In which cases exactly does this issue hurt?

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Quirin Gylstorff
 

On 3/13/23 10:13, Jan Kiszka wrote:
On 13.03.23 09:13, Gylstorff Quirin wrote:


On 3/13/23 08:08, Jan Kiszka wrote:
On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
  start-qemu.sh | 27 ++++++++++++++++++++++-----
  1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
  elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
      SWUPDATE_BOOT="true"
  fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+    TPM2_ENCRYPTION="true"
+fi
    if [ -n "${QEMU_PATH}" ]; then
      QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
      -m 1G \
      -serial mon:stdio \
      -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
-    ${QEMU_EXTRA_ARGS}"
+    "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+    swtpm_dir="/tmp/qemu-swtpm"
+    mkdir -p "${swtpm_dir}"
+    rm "${swtpm_dir}"/*
This kills the previous TPM state, preventing a power-cycle of the VM. We
rather need to persist it alongside the disk image. I'm massaging the script
in that direction.
This was for debugging purposes as the TPM is no longer accessible after
a number of keys have been entered.
At least it is possible to encrypt a new image using the TPM state of a
previous run, just tested. In which cases exactly does this issue hurt?
After creating 8 keys/images, the 9th time you want to add a key to a new image the TPM will throw an error.

Quirin

Jan


Jan Kiszka
 

On 13.03.23 11:29, Gylstorff Quirin wrote:


On 3/13/23 10:13, Jan Kiszka wrote:
On 13.03.23 09:13, Gylstorff Quirin wrote:


On 3/13/23 08:08, Jan Kiszka wrote:
On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This allows testing the partition encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
   start-qemu.sh | 27 ++++++++++++++++++++++-----
   1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true"
.config.yaml; then
   elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
       SWUPDATE_BOOT="true"
   fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+    TPM2_ENCRYPTION="true"
+fi
     if [ -n "${QEMU_PATH}" ]; then
       QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
       -m 1G \
       -serial mon:stdio \
       -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
-    ${QEMU_EXTRA_ARGS}"
+    "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+    swtpm_dir="/tmp/qemu-swtpm"
+    mkdir -p "${swtpm_dir}"
+    rm "${swtpm_dir}"/*
This kills the previous TPM state, preventing a power-cycle of the VM. We
rather need to persist it alongside the disk image. I'm massaging the script
in that direction.
This was for debugging purposes as the TPM is no longer accessible after
a number of keys have been entered.
At least it is possible to encrypt a new image using the TPM state of a
previous run, just tested. In which cases exactly does this issue hurt?
After creating 8 keys/images, the 9th time you want to add a key to a new
image the TPM will throw an error.
So, every bootstrap of a new image will add one key, and that will
start to fail after the 8th time. Then we should purge the newly created
subfolder in deploydir when performing an image deployment.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux