cip-dev.lists.cip-project.org archive mirror
* [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB
@ 2022-11-20 20:47 sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 1/8] add recipe for edk2 sven.schultschik
                   ` (7 more replies)
  0 siblings, 8 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

This series of patches will add recipes to build a QEMU setup
which uses OP-TEE to use RPMB (Replay protected memory) of
an EMMC for a secure storage, which is used within Secureboot
on ARM64.
This secure boot solution works with a platform key (pk),
a key exchange key (kek) and a signature database (db).
Therefore the ebg signer, secret boot secrets and snakeoil
keys are changed to this setup.
QEMU itself does not have an implementation of a
virtual RPMB. Therefore a patch for u-boot is needed which
adds this feature to u-boot, but breaks hardware
compatibility within u-boot. The virtual RPMB workaround
is not persistent as well. Therefore a method to copy the keys
to the deploy folder, mount them into the qemu and provision
them on every boot is implemented.
As soon as QEMU has a native persistent RPMB support included,
the u-boot patch and the mounted keys can be removed.

Sven Schultschik (8):
  add recipe for edk2
  add recipe for optee qemu arm64
  Include optee into u-boot
  add u-boot patch for qemu to support RPMB
  add recipe for trusted firmware a qemu arm64
  change ebg sb signer and secrets to pk kek db
  enhance start-qemu.sh for arm64 secure boot
  Use of snakeoil keys for qemu use case

 kas/opt/ebg-secure-boot-snakeoil.yml          |    1 +
 .../edk2/edk2-platformstandalonemmrpmb.inc    |   56 +
 .../edk2-platformstandalonemmrpmb_202205.bb   |   12 +
 recipes-bsp/edk2/files/rules.tmpl             |   61 +
 .../op-tee/optee-os-qemu-arm64_3.17.0.bb      |   54 +
 .../trusted-firmware-a/files/rules.tmpl       |   22 +
 .../trusted-firmware-a-qemu-arm64_2.7.0.bb    |   62 +
 ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |    9 +-
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |    9 +
 .../files/sign_secure_image.sh                |    2 +-
 .../secure-boot-secrets/files/KEK.auth        |  Bin 0 -> 2066 bytes
 .../secure-boot-secrets/files/KEK.crt         |   19 +
 .../secure-boot-secrets/files/KEK.esl         |  Bin 0 -> 839 bytes
 .../secure-boot-secrets/files/KEK.key         |   28 +
 .../secure-boot-secrets/files/PK.auth         |  Bin 0 -> 2064 bytes
 .../secure-boot-secrets/files/PK.crt          |   19 +
 .../secure-boot-secrets/files/PK.esl          |  Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/PK.key          |   28 +
 .../files/PkKek-1-snakeoil.key                |   27 -
 .../files/PkKek-1-snakeoil.pem                |   21 -
 .../secure-boot-secrets/files/db.auth         |  Bin 0 -> 2067 bytes
 .../secure-boot-secrets/files/db.crt          |   19 +
 .../secure-boot-secrets/files/db.esl          |  Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/db.key          |   28 +
 .../secure-boot-secrets.inc                   |   59 +-
 .../secure-boot-snakeoil_0.1.bb               |    5 +-
 start-qemu.sh                                 |   20 +-
 28 files changed, 1873 insertions(+), 63 deletions(-)
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
 create mode 100755 recipes-bsp/edk2/files/rules.tmpl
 create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
 create mode 100755 recipes-bsp/trusted-firmware-a/files/rules.tmpl
 create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
 create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key

-- 
2.30.2




* [isar-cip-core][PATCH 1/8] add recipe for edk2
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2023-01-09  6:42   ` [cip-dev] " Su, Bao Cheng
  2022-11-20 20:47 ` [isar-cip-core][PATCH 2/8] add recipe for optee qemu arm64 sven.schultschik
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

Provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as a dependency.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 .../edk2/edk2-platformstandalonemmrpmb.inc    | 56 +++++++++++++++++
 .../edk2-platformstandalonemmrpmb_202205.bb   | 12 ++++
 recipes-bsp/edk2/files/rules.tmpl             | 61 +++++++++++++++++++
 3 files changed, 129 insertions(+)
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
 create mode 100755 recipes-bsp/edk2/files/rules.tmpl

diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
new file mode 100644
index 0000000..3277cc8
--- /dev/null
+++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
@@ -0,0 +1,56 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://github.com/tianocore/edk2"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-2-Clause-Patent"
+
+inherit dpkg
+
+SRC_URI = "https://github.com/tianocore/edk2/archive/refs/tags/edk2-stable${PV}.tar.gz;name=edk2 \
+    https://github.com/google/brotli/archive/${SRC_REV_brotli}.tar.gz;name=brotli \
+    https://github.com/openssl/openssl/archive/refs/tags/${SRC_REV_openssl}.tar.gz;name=openssl \
+    git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;name=edk2-platforms \
+    file://rules.tmpl \
+    "
+SRC_URI[edk2.sha256sum] = "e6cf93bae78b30a10732b8afb5cc438735dc9ec976ae65d12dab041c18bb7987"
+SRC_URI[brotli.sha256sum] = "6d6cacce05086b7debe75127415ff9c3661849f564fe2f5f3b0383d48aa4ed77"
+SRC_URI[openssl.sha256sum] = "6b2d2440ced8c802aaa61475919f0870ec556694c466ebea460e35ea2b14839e"
+
+SRC_REV_brotli          = "f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
+SRC_REV_openssl         = "OpenSSL_1_1_1n"
+SRCREV_edk2-platforms   = "3b896d1a325686de3942723c42f286090453e37a"
+
+S = "${WORKDIR}/git"
+
+DEBIAN_BUILD_DEPENDS = "python3:native, dh-python, uuid-dev:native"
+
+EDK2_BINARIES ?= "Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd"
+
+BUILD_DEPENDS   += ""
+
+TEMPLATE_FILES = "rules.tmpl"
+
+do_prepare_build() {
+    deb_debianize
+
+    mkdir -p ${S}/edk2
+    cp -a ${WORKDIR}/edk2-edk2-stable${PV}/* "${S}/edk2/"
+    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/BaseTools/Source/C/BrotliCompress/brotli"
+    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli"
+    cp -a ${WORKDIR}/openssl-${SRC_REV_openssl}/* "${S}/edk2/CryptoPkg/Library/OpensslLib/openssl"
+
+    rm -f ${S}/debian/edk2.install
+    for binary in ${EDK2_BINARIES}; do
+        echo "$binary /usr/lib/edk2/" >> \
+            ${S}/debian/edk2-platformstandalonemmrpmb.install
+    done
+}
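
Review bot: In do_prepare_build the cleanup line `rm -f ${S}/debian/edk2.install` removes a different file from the one the loop appends to (`${S}/debian/edk2-platformstandalonemmrpmb.install`), so a re-run of the task keeps adding duplicate entries to the install list. Remove the file that is actually written, or truncate it before the loop. `BUILD_DEPENDS += ""` above it has no effect and can be dropped. Since OpenSSL is vendored into the firmware build by tag (`SRC_REV_openssl = "OpenSSL_1_1_1n"`), a short comment on why this tag was chosen and who bumps it would help later maintenance.
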
diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
new file mode 100644
index 0000000..84761c9
--- /dev/null
+++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
@@ -0,0 +1,12 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require edk2-platformstandalonemmrpmb.inc
diff --git a/recipes-bsp/edk2/files/rules.tmpl b/recipes-bsp/edk2/files/rules.tmpl
new file mode 100755
index 0000000..388e49a
--- /dev/null
+++ b/recipes-bsp/edk2/files/rules.tmpl
@@ -0,0 +1,61 @@
+#!/usr/bin/make -f
+#
+# Copyright (c) Siemens AG, 2022
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+export WORKSPACE=$(shell pwd)
+export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
+export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
+
+# https://github.com/tianocore/edk2-platforms/blob/master/Readme.md#if-cross-compiling
+ifeq (arm64,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'AARCH64'
+else ifeq ((armhf,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'ARM'
+else ifeq ((amd64,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'X64'
+else ifeq ((i386,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'IA32'
+else
+$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
+endif
+# When cross-compiling, or building with a different version of the compiler than
+# the default `gcc`, we additionally need to inform the
+# build command which toolchain to use. We do this by setting the environment
+# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
+# **GCC5_AARCH64_PREFIX**.
+# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
+# using export here at TOP Level does not work, because
+# GCC5_$(TARGET_ARCH)_PREFIX gets deleted again for what reason ever
+# Therefore it is set right before the build command
+# export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-
+
+
+export SHELL=/bin/bash
+
+# ENV Vars which should get set by edksetup.sh
+export PYTHON_COMMAND=python3
+export PYTHONHASHSEED=1
+export CONF_PATH=$(WORKSPACE)/edk2/Conf
+export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
+export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+override_dh_auto_build:
+	source edk2/edksetup.sh --reconfig
+
+	CFLAGS= LDFLAGS=  make -C edk2/BaseTools
+
+	(export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)- && \
+		build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc))
+
+override_dh_auto_install:
+
+override_dh_auto_test:
+
+%:
+	dh $@ --no-parallel
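
Review bot: The armhf, amd64 and i386 branches of the TARGET_ARCH selection open with two parentheses (`else ifeq ((armhf,$(DEB_TARGET_ARCH))`), so those conditions are malformed and only the arm64 branch can select the intended value; drop the extra parenthesis in all three. In the exported PATH, the `::` in `BinWrappers/PosixLike::/usr/local/sbin` is an empty element, which puts the current working directory on the command search path for the whole build; use a single colon. The single quotes in `export TARGET_ARCH = 'AARCH64'` are kept by make as part of the value, so they also end up literally in the `Linux-$(TARGET_ARCH)` PATH entry; assign the value unquoted.
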
-- 
2.30.2




* [isar-cip-core][PATCH 2/8] add recipe for optee qemu arm64
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 1/8] add recipe for edk2 sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 3/8] Include optee into u-boot sven.schultschik
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

The recipe provides the possibility to create optee-os binaries for use inside of a qemu secureboot setup with edk2, rpmb, u-boot and uefi.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 .../op-tee/optee-os-qemu-arm64_3.17.0.bb      | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb

diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
new file mode 100644
index 0000000..2568c0a
--- /dev/null
+++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
@@ -0,0 +1,54 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://github.com/OP-TEE/optee_os"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-2-Clause"
+
+require recipes-bsp/optee-os/optee-os-custom.inc
+
+SRC_URI += " \
+    git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRCREV = "${PV}"
+
+S = "${WORKDIR}/git"
+
+OPTEE_PLATFORM = "vexpress-qemu_armv8a"
+
+OPTEE_BINARIES = "tee-header_v2.bin \
+    tee-pager_v2.bin \
+    tee-pageable_v2.bin"
+
+DEPENDS = "edk2-platformstandalonemmrpmb"
+DEBIAN_BUILD_DEPENDS += " ,\
+    debhelper(>= 11~), \
+    cpio, \
+    python3-cryptography:native, \
+    python3-serial:native, \
+    device-tree-compiler, \
+    edk2-platformstandalonemmrpmb, \
+    gcc-arm-linux-gnueabihf,"
+
+OPTEE_EXTRA_BUILDARGS = "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
+        CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=1 \
+        CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
+        CFG_REE_FS=n\
+        CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1 CFG_SCTLR_ALIGNMENT_CHECK=n \
+        CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
+
+do_prepare_build_append() {
+    # $(ARCH) is the CPU architecture to be built. 
+    # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or Armv8-A. 
+    # Please note that contrary to the Linux kernel, $(ARCH) should not be set to arm64 for 64-bit builds. 
+    sed -i \
+        "s/\$(MAKE)/ARCH=\"arm\" CROSS_COMPILE32=arm-linux-gnueabihf- CROSS_COMPILE64=aarch64-linux-gnu- \$(MAKE)/g" \
+        ${S}/debian/rules
+}
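
Review bot: OPTEE_EXTRA_BUILDARGS enables `CFG_RPMB_TESTKEY=y` together with `CFG_RPMB_WRITE_KEY=1`, and neither the recipe nor the commit message says that a test key is acceptable only because this build targets the emulated QEMU machine. Add a comment next to these two options stating that they are for the QEMU demo and must not be carried into a recipe for real hardware. Also, `SRCREV = "${PV}"` with `branch=master` resolves to a tag name rather than a commit hash, unlike the pinned `SRCREV_edk2-platforms` in patch 1/8; pinning the commit would make the fetched source immutable. The `DEBIAN_BUILD_DEPENDS` value starts with a bare comma and ends with a trailing one, which is worth tidying.
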
-- 
2.30.2




* [isar-cip-core][PATCH 3/8] Include optee into u-boot
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 1/8] add recipe for edk2 sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 2/8] add recipe for optee qemu arm64 sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 4/8] add u-boot patch for qemu to support RPMB sven.schultschik
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 9 ++++++++-
 recipes-bsp/u-boot/u-boot-qemu-common.inc     | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbf..2b75988 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -2,5 +2,12 @@
 CONFIG_BOOTDELAY=-2
 CONFIG_USE_BOOTCOMMAND=y
 CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
-CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_EFI_VARIABLES_PRESEED=n
 CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
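
Review bot: The switch of `CONFIG_EFI_VARIABLES_PRESEED` from y to n is not mentioned in the commit message, although it changes where the secure boot variables come from. Please state in the message that PK, KEK and db are no longer built into u-boot and are expected from the OP-TEE/RPMB variable store, and what the secure boot state is on a boot where that store has not been provisioned yet. If secure-boot.cfg.tmpl is also used for targets other than qemu-arm64, the new OP-TEE and MMC options should be conditional rather than added for every secure boot build.
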
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 0a9a15a..802fc50 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -13,6 +13,8 @@ require recipes-bsp/u-boot/u-boot-common.inc
 
 U_BOOT_BIN = "u-boot.bin"
 
+DEPENDS_append_secureboot = " optee-os-${MACHINE}"
+
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_deploy() {
     dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
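
Review bot: `DEPENDS_append_secureboot = " optee-os-${MACHINE}"` sits in the include shared by the QEMU u-boot recipes, but this series only adds an OP-TEE recipe for qemu-arm64 (optee-os-qemu-arm64 in patch 2/8). Any other QEMU machine built with the secureboot override would then depend on a recipe that does not exist; restrict the append to the arm64 machine or document that secure boot via u-boot is arm64 only.
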
-- 
2.30.2




* [isar-cip-core][PATCH 4/8] add u-boot patch for qemu to support RPMB
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
                   ` (2 preceding siblings ...)
  2022-11-20 20:47 ` [isar-cip-core][PATCH 3/8] Include optee into u-boot sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 5/8] add recipe for trusted firmware a qemu arm64 sven.schultschik
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

Qemu itself is missing an implemented emulation of an RPMB (replay protected memory) which is part of an emmc. Therefore currently a u-boot patch, which adds an RPMB emulation, is needed which breaks the u-boot hardware support. The patch is only included into the qemu u-boot recipes and can be removed if there is an official qemu rpmb emulation, which currently does not have any ETA.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |    3 +
 2 files changed, 1378 insertions(+)
 create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch

diff --git a/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
new file mode 100644
index 0000000..26266b5
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
@@ -0,0 +1,1375 @@
+From a4179f663673dbfa48f79761acc3ff781ee9b2b8 Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Thu, 12 Nov 2020 09:44:54 +0200
+Subject: [PATCH] irpmb patch hack
+
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+---
+ arch/arm/include/asm/gpio.h   |   3 +-
+ arch/arm/include/asm/ioctl.h  |   1 +
+ configs/qemu_tfa_mm_defconfig |  53 ++++
+ drivers/tee/optee/Makefile    |   1 +
+ drivers/tee/optee/hmac_sha2.c | 126 ++++++++
+ drivers/tee/optee/hmac_sha2.h |  74 +++++
+ drivers/tee/optee/rpmb.c      |  27 +-
+ drivers/tee/optee/rpmb.h      |   1 +
+ drivers/tee/optee/rpmb_emu.c  | 563 ++++++++++++++++++++++++++++++++++
+ drivers/tee/optee/rpmb_emu.h  | 141 +++++++++
+ drivers/tee/optee/sha2.c      | 249 +++++++++++++++
+ drivers/tee/optee/sha2.h      |  75 +++++
+ 12 files changed, 1292 insertions(+), 22 deletions(-)
+ create mode 100644 arch/arm/include/asm/ioctl.h
+ create mode 100644 configs/qemu_tfa_mm_defconfig
+ create mode 100644 drivers/tee/optee/hmac_sha2.c
+ create mode 100644 drivers/tee/optee/hmac_sha2.h
+ create mode 100644 drivers/tee/optee/rpmb.h
+ create mode 100644 drivers/tee/optee/rpmb_emu.c
+ create mode 100644 drivers/tee/optee/rpmb_emu.h
+ create mode 100644 drivers/tee/optee/sha2.c
+ create mode 100644 drivers/tee/optee/sha2.h
+
+diff --git a/arch/arm/include/asm/ioctl.h b/arch/arm/include/asm/ioctl.h
+new file mode 100644
+index 000000000000..b279fe06dfe5
+--- /dev/null
++++ b/arch/arm/include/asm/ioctl.h
+@@ -0,0 +1 @@
++#include <asm-generic/ioctl.h>
+diff --git a/drivers/tee/optee/Makefile b/drivers/tee/optee/Makefile
+index 928d3f80027f..28108536d231 100644
+--- a/drivers/tee/optee/Makefile
++++ b/drivers/tee/optee/Makefile
+@@ -3,3 +3,4 @@
+ obj-y += core.o
+ obj-y += supplicant.o
+ obj-$(CONFIG_SUPPORT_EMMC_RPMB) += rpmb.o
++obj-y += sha2.o hmac_sha2.o rpmb_emu.o rpmb.o
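
Review bot: The added Makefile line `obj-y += sha2.o hmac_sha2.o rpmb_emu.o rpmb.o` builds the emulation unconditionally and lists rpmb.o a second time, next to the existing `obj-$(CONFIG_SUPPORT_EMMC_RPMB) += rpmb.o`. Gating the three emulation objects behind their own Kconfig symbol, and leaving rpmb.o under CONFIG_SUPPORT_EMMC_RPMB only, would keep the emulated store out of any build that does not ask for it.
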
+diff --git a/drivers/tee/optee/hmac_sha2.c b/drivers/tee/optee/hmac_sha2.c
+new file mode 100644
+index 000000000000..61b24b128f1d
+--- /dev/null
++++ b/drivers/tee/optee/hmac_sha2.c
+@@ -0,0 +1,126 @@
++/*
++ * HMAC-SHA-224/256/384/512 implementation
++ * Last update: 06/15/2005
++ * Issue date:  06/15/2005
++ *
++ * Copyright (C) 2005 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <string.h>
++
++#include "hmac_sha2.h"
++
++/* HMAC-SHA-256 functions */
++
++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key,
++                      unsigned int key_size)
++{
++    unsigned int fill = 0;
++    unsigned int num = 0;
++    const unsigned char *key_used = NULL;
++    unsigned char key_temp[SHA256_DIGEST_SIZE] = { 0 };
++    int i = 0;
++
++    if (key_size == SHA256_BLOCK_SIZE) {
++        key_used = key;
++        num = SHA256_BLOCK_SIZE;
++    } else {
++        if (key_size > SHA256_BLOCK_SIZE){
++            num = SHA256_DIGEST_SIZE;
++            sha256(key, key_size, key_temp);
++            key_used = key_temp;
++        } else { /* key_size > SHA256_BLOCK_SIZE */
++            key_used = key;
++            num = key_size;
++        }
++        fill = SHA256_BLOCK_SIZE - num;
++
++        memset(ctx->block_ipad + num, 0x36, fill);
++        memset(ctx->block_opad + num, 0x5c, fill);
++    }
++
++    for (i = 0; i < (int) num; i++) {
++        ctx->block_ipad[i] = key_used[i] ^ 0x36;
++        ctx->block_opad[i] = key_used[i] ^ 0x5c;
++    }
++
++    sha256_init(&ctx->ctx_inside);
++    sha256_update_tee(&ctx->ctx_inside, ctx->block_ipad, SHA256_BLOCK_SIZE);
++
++    sha256_init(&ctx->ctx_outside);
++    sha256_update_tee(&ctx->ctx_outside, ctx->block_opad,
++                  SHA256_BLOCK_SIZE);
++
++    /* for hmac_reinit */
++    memcpy(&ctx->ctx_inside_reinit, &ctx->ctx_inside,
++           sizeof(sha256_ctx));
++    memcpy(&ctx->ctx_outside_reinit, &ctx->ctx_outside,
++           sizeof(sha256_ctx));
++}
++
++void hmac_sha256_reinit(hmac_sha256_ctx *ctx)
++{
++    memcpy(&ctx->ctx_inside, &ctx->ctx_inside_reinit,
++           sizeof(sha256_ctx));
++    memcpy(&ctx->ctx_outside, &ctx->ctx_outside_reinit,
++           sizeof(sha256_ctx));
++}
++
++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message,
++                        unsigned int message_len)
++{
++    sha256_update_tee(&ctx->ctx_inside, message, message_len);
++}
++
++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac,
++                       unsigned int mac_size)
++{
++    unsigned char digest_inside[SHA256_DIGEST_SIZE] = { 0 };
++    unsigned char mac_temp[SHA256_DIGEST_SIZE] = { 0 };
++
++    sha256_final(&ctx->ctx_inside, digest_inside);
++    sha256_update_tee(&ctx->ctx_outside, digest_inside, SHA256_DIGEST_SIZE);
++    sha256_final(&ctx->ctx_outside, mac_temp);
++    memcpy(mac, mac_temp, mac_size);
++}
++
++void hmac_sha256(const unsigned char *key, unsigned int key_size,
++          const unsigned char *message, unsigned int message_len,
++          unsigned char *mac, unsigned mac_size)
++{
++    hmac_sha256_ctx ctx;
++
++    memset(&ctx, 0, sizeof(ctx));
++
++    hmac_sha256_init(&ctx, key, key_size);
++    hmac_sha256_update(&ctx, message, message_len);
++    hmac_sha256_final(&ctx, mac, mac_size);
++}
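
Review bot: hmac_sha256_final copies `mac_size` bytes out of the 32-byte local `mac_temp` with `memcpy(mac, mac_temp, mac_size)` and never checks that `mac_size` is at most SHA256_DIGEST_SIZE, so a larger value reads past the local buffer. Clamp or reject `mac_size` before the copy. In hmac_sha256_init the comment on the last else branch reads `/* key_size > SHA256_BLOCK_SIZE */`, but that branch is the one taken for keys shorter than the block size; the comment should say so.
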
+diff --git a/drivers/tee/optee/hmac_sha2.h b/drivers/tee/optee/hmac_sha2.h
+new file mode 100644
+index 000000000000..1044524d75c5
+--- /dev/null
++++ b/drivers/tee/optee/hmac_sha2.h
+@@ -0,0 +1,74 @@
++/*
++ * HMAC-SHA-224/256/384/512 implementation
++ * Last update: 06/15/2005
++ * Issue date:  06/15/2005
++ *
++ * Copyright (C) 2005 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#ifndef HMAC_SHA2_H
++#define HMAC_SHA2_H
++
++#include "sha2.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++typedef struct {
++    sha256_ctx ctx_inside;
++    sha256_ctx ctx_outside;
++
++    /* for hmac_reinit */
++    sha256_ctx ctx_inside_reinit;
++    sha256_ctx ctx_outside_reinit;
++
++    unsigned char block_ipad[SHA256_BLOCK_SIZE];
++    unsigned char block_opad[SHA256_BLOCK_SIZE];
++} hmac_sha256_ctx;
++
++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key,
++                      unsigned int key_size);
++void hmac_sha256_reinit(hmac_sha256_ctx *ctx);
++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message,
++                        unsigned int message_len);
++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac,
++                       unsigned int mac_size);
++void hmac_sha256(const unsigned char *key, unsigned int key_size,
++                 const unsigned char *message, unsigned int message_len,
++                 unsigned char *mac, unsigned mac_size);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* !HMAC_SHA2_H */
++
+diff --git a/drivers/tee/optee/rpmb.c b/drivers/tee/optee/rpmb.c
+index 0804fc963cf5..275f2112f102 100644
+--- a/drivers/tee/optee/rpmb.c
++++ b/drivers/tee/optee/rpmb.c
+@@ -12,35 +12,15 @@
+ 
+ #include "optee_msg.h"
+ #include "optee_private.h"
++#include "rpmb_emu.h"
+ 
+ /*
+  * Request and response definitions must be in sync with the secure side of
+  * OP-TEE.
+  */
+ 
+-/* Request */
+-struct rpmb_req {
+-	u16 cmd;
+-#define RPMB_CMD_DATA_REQ      0x00
+-#define RPMB_CMD_GET_DEV_INFO  0x01
+-	u16 dev_id;
+-	u16 block_count;
+-	/* Optional data frames (rpmb_data_frame) follow */
+-};
+-
+ #define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
+ 
+-/* Response to device info request */
+-struct rpmb_dev_info {
+-	u8 cid[16];
+-	u8 rpmb_size_mult;	/* EXT CSD-slice 168: RPMB Size */
+-	u8 rel_wr_sec_c;	/* EXT CSD-slice 222: Reliable Write Sector */
+-				/*                    Count */
+-	u8 ret_code;
+-#define RPMB_CMD_GET_DEV_INFO_RET_OK     0x00
+-#define RPMB_CMD_GET_DEV_INFO_RET_ERROR  0x01
+-};
+-
+ static void release_mmc(struct optee_private *priv)
+ {
+ 	int rc;
+@@ -175,8 +155,13 @@ void optee_suppl_cmd_rpmb(struct udevice *dev, struct optee_msg_arg *arg)
+ 	rsp_buf = (u8 *)rsp_shm->addr + arg->params[1].u.rmem.offs;
+ 	rsp_size = arg->params[1].u.rmem.size;
+ 
++#ifdef EMU
+ 	arg->ret = rpmb_process_request(dev_get_priv(dev), req_buf, req_size,
+ 					rsp_buf, rsp_size);
++#else
++	arg->ret = rpmb_process_request_emu(req_buf, req_size, rsp_buf,
++					    rsp_size);
++#endif
+ }
+ 
+ void optee_suppl_rpmb_release(struct udevice *dev)
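
Review bot: In optee_suppl_cmd_rpmb the preprocessor condition reads inverted: `#ifdef EMU` selects the real `rpmb_process_request` and the `#else` branch selects `rpmb_process_request_emu`, and nothing in the visible lines defines EMU, so the emulation is what gets called. Flip the condition and drive it from a Kconfig symbol (for example together with the Makefile objects) so that the hardware path stays the default and the emulated path is an explicit opt-in for QEMU.
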
+diff --git a/drivers/tee/optee/rpmb.h b/drivers/tee/optee/rpmb.h
+new file mode 100644
+index 000000000000..8b137891791f
+--- /dev/null
++++ b/drivers/tee/optee/rpmb.h
+@@ -0,0 +1 @@
++
+diff --git a/drivers/tee/optee/rpmb_emu.c b/drivers/tee/optee/rpmb_emu.c
+new file mode 100644
+index 000000000000..629f36ee6b29
+--- /dev/null
++++ b/drivers/tee/optee/rpmb_emu.c
+@@ -0,0 +1,563 @@
++// SPDX-License-Identifier: BSD-2-Clause
++/*
++ * Copyright (c) 2020 Linaro Limited
++ */
++
++#include <common.h>
++#include <dm.h>
++#include <hexdump.h>
++#include <log.h>
++#include <tee.h>
++#include <mmc.h>
++#include <dm/device_compat.h>
++
++#include "optee_msg.h"
++#include "optee_private.h"
++#include "sha2.h"
++#include "hmac_sha2.h"
++#include "rpmb_emu.h"
++
++static struct rpmb_emu rpmb_emu = {
++	.size = EMU_RPMB_SIZE_BYTES
++};
++
++static struct rpmb_emu *mem_for_fd(int fd)
++{
++	static int sfd = -1;
++
++	if (sfd == -1)
++		sfd = fd;
++	if (sfd != fd) {
++		printf("Emulating more than 1 RPMB partition is not supported\n");
++		return NULL;
++	}
++
++	return &rpmb_emu;
++}
++
++#if (DEBUGLEVEL >= TRACE_FLOW)
++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr,
++			bool to_mmc)
++{
++	char msg[100] = { 0 };
++	size_t i = 0;
++
++	for (i = 0; i < numblk; i++) {
++		snprintf(msg, sizeof(msg), "%s MMC block %zu",
++			 to_mmc ? "Write" : "Read", startblk + i);
++		//print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, 256);
++		ptr += 256;
++	}
++}
++#else
++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr,
++			bool to_mmc)
++{
++	(void)startblk;
++	(void)numblk;
++	(void)ptr;
++	(void)to_mmc;
++}
++#endif
++
++#define CUC(x) ((const unsigned char *)(x))
++static void hmac_update_frm(hmac_sha256_ctx *ctx, struct rpmb_data_frame *frm)
++{
++	hmac_sha256_update(ctx, CUC(frm->data), 256);
++	hmac_sha256_update(ctx, CUC(frm->nonce), 16);
++	hmac_sha256_update(ctx, CUC(&frm->write_counter), 4);
++	hmac_sha256_update(ctx, CUC(&frm->address), 2);
++	hmac_sha256_update(ctx, CUC(&frm->block_count), 2);
++	hmac_sha256_update(ctx, CUC(&frm->op_result), 2);
++	hmac_sha256_update(ctx, CUC(&frm->msg_type), 2);
++}
++
++static bool is_hmac_valid(struct rpmb_emu *mem, struct rpmb_data_frame *frm,
++		   size_t nfrm)
++{
++	uint8_t mac[32] = { 0 };
++	size_t i = 0;
++	hmac_sha256_ctx ctx;
++
++	memset(&ctx, 0, sizeof(ctx));
++
++	if (!mem->key_set) {
++		printf("Cannot check MAC (key not set)\n");
++		return false;
++	}
++
++	hmac_sha256_init(&ctx, mem->key, sizeof(mem->key));
++	for (i = 0; i < nfrm; i++, frm++)
++		hmac_update_frm(&ctx, frm);
++	frm--;
++	hmac_sha256_final(&ctx, mac, 32);
++
++	if (memcmp(mac, frm->key_mac, 32)) {
++		printf("Invalid MAC\n");
++		return false;
++	}
++	return true;
++}
++
++static uint16_t gen_msb1st_result(uint8_t byte)
++{
++	return (uint16_t)byte << 8;
++}
++
++static uint16_t compute_hmac(struct rpmb_emu *mem, struct rpmb_data_frame *frm,
++			     size_t nfrm)
++{
++	size_t i = 0;
++	hmac_sha256_ctx ctx;
++
++	memset(&ctx, 0, sizeof(ctx));
++
++	if (!mem->key_set) {
++		printf("Cannot compute MAC (key not set)\n");
++		return gen_msb1st_result(RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED);
++	}
++
++	hmac_sha256_init(&ctx, mem->key, sizeof(mem->key));
++	for (i = 0; i < nfrm; i++, frm++)
++		hmac_update_frm(&ctx, frm);
++	frm--;
++	hmac_sha256_final(&ctx, frm->key_mac, 32);
++
++	return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static uint16_t ioctl_emu_mem_transfer(struct rpmb_emu *mem,
++				       struct rpmb_data_frame *frm,
++				       size_t nfrm, int to_mmc)
++{
++	size_t start = mem->last_op.address * 256;
++	size_t size = nfrm * 256;
++	size_t i = 0;
++	uint8_t *memptr = NULL;
++
++	if (start > mem->size || start + size > mem->size) {
++		printf("Transfer bounds exceeed emulated memory\n");
++		return gen_msb1st_result(RPMB_RESULT_ADDRESS_FAILURE);
++	}
++	if (to_mmc && !is_hmac_valid(mem, frm, nfrm))
++		return gen_msb1st_result(RPMB_RESULT_AUTH_FAILURE);
++
++	//printf("Transferring %zu 256-byte data block%s %s MMC (block offset=%zu)",
++	     //nfrm, (nfrm > 1) ? "s" : "", to_mmc ? "to" : "from", start / 256);
++	for (i = 0; i < nfrm; i++) {
++		memptr = mem->buf + start + i * 256;
++		if (to_mmc) {
++			memcpy(memptr, frm[i].data, 256);
++			mem->write_counter++;
++			frm[i].write_counter = htonl(mem->write_counter);
++			frm[i].msg_type =
++				htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE);
++		} else {
++			memcpy(frm[i].data, memptr, 256);
++			frm[i].msg_type =
++				htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_READ);
++			frm[i].address = htons(mem->last_op.address);
++			frm[i].block_count = nfrm;
++			memcpy(frm[i].nonce, mem->nonce, 16);
++		}
++		frm[i].op_result = gen_msb1st_result(RPMB_RESULT_OK);
++	}
++	dump_blocks(mem->last_op.address, nfrm, mem->buf + start, to_mmc);
++
++	if (!to_mmc)
++		compute_hmac(mem, frm, nfrm);
++
++	return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static void ioctl_emu_get_write_result(struct rpmb_emu *mem,
++				       struct rpmb_data_frame *frm)
++{
++	frm->msg_type =	htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE);
++	frm->op_result = mem->last_op.op_result;
++	frm->address = htons(mem->last_op.address);
++	frm->write_counter = htonl(mem->write_counter);
++	compute_hmac(mem, frm, 1);
++}
++
++static uint16_t ioctl_emu_setkey(struct rpmb_emu *mem,
++				 struct rpmb_data_frame *frm)
++{
++	if (mem->key_set) {
++		printf("Key already set\n");
++		return gen_msb1st_result(RPMB_RESULT_GENERAL_FAILURE);
++	}
++	print_hex_dump_bytes("Setting Key:", DUMP_PREFIX_OFFSET, frm->key_mac,
++			     32);
++	memcpy(mem->key, frm->key_mac, 32);
++	mem->key_set = true;
++
++	return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static void ioctl_emu_get_keyprog_result(struct rpmb_emu *mem,
++					 struct rpmb_data_frame *frm)
++{
++	frm->msg_type =
++		htons(RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM);
++	frm->op_result = mem->last_op.op_result;
++}
++
++static void ioctl_emu_read_ctr(struct rpmb_emu *mem,
++			       struct rpmb_data_frame *frm)
++{
++	printf("Reading counter\n");
++	frm->msg_type = htons(RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ);
++	frm->write_counter = htonl(mem->write_counter);
++	memcpy(frm->nonce, mem->nonce, 16);
++	frm->op_result = compute_hmac(mem, frm, 1);
++}
++
++static uint32_t read_cid(uint16_t dev_id, uint8_t *cid)
++{
++	/* Taken from an actual eMMC chip */
++	static const uint8_t test_cid[] = {
++		/* MID (Manufacturer ID): Micron */
++		0xfe,
++		/* CBX (Device/BGA): BGA */
++		0x01,
++		/* OID (OEM/Application ID) */
++		0x4e,
++		/* PNM (Product name) "MMC04G" */
++		0x4d, 0x4d, 0x43, 0x30, 0x34, 0x47,
++		/* PRV (Product revision): 4.2 */
++		0x42,
++		/* PSN (Product serial number) */
++		0xc8, 0xf6, 0x55, 0x2a,
++		/*
++		 * MDT (Manufacturing date):
++		 * June, 2014
++		 */
++		0x61,
++		/* (CRC7 (0xA) << 1) | 0x1 */
++		0x15
++	};
++
++	(void)dev_id;
++	memcpy(cid, test_cid, sizeof(test_cid));
++
++	return TEE_SUCCESS;
++}
++
++static void ioctl_emu_set_ext_csd(uint8_t *ext_csd)
++{
++	ext_csd[168] = EMU_RPMB_SIZE_MULT;
++	ext_csd[222] = EMU_RPMB_REL_WR_SEC_C;
++}
++
++/* A crude emulation of the MMC ioctls we need for RPMB */
++static int ioctl_emu(int fd, unsigned long request, ...)
++{
++	struct mmc_ioc_cmd *cmd = NULL;
++	struct rpmb_data_frame *frm = NULL;
++	uint16_t msg_type = 0;
++	struct rpmb_emu *mem = mem_for_fd(fd);
++	va_list ap;
++
++	if (request != MMC_IOC_CMD) {
++		printf("Unsupported ioctl: 0x%lx\n", request);
++		return -1;
++	}
++	if (!mem)
++		return -1;
++
++	va_start(ap, request);
++	cmd = va_arg(ap, struct mmc_ioc_cmd *);
++	va_end(ap);
++
++	switch (cmd->opcode) {
++	case MMC_SEND_EXT_CSD:
++		ioctl_emu_set_ext_csd((uint8_t *)(uintptr_t)cmd->data_ptr);
++		break;
++
++	case MMC_WRITE_MULTIPLE_BLOCK:
++		frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr;
++		msg_type = ntohs(frm->msg_type);
++
++		switch (msg_type) {
++		case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++			mem->last_op.msg_type = msg_type;
++			mem->last_op.op_result = ioctl_emu_setkey(mem, frm);
++			break;
++
++		case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++			mem->last_op.msg_type = msg_type;
++			mem->last_op.address = ntohs(frm->address);
++			mem->last_op.op_result =
++					ioctl_emu_mem_transfer(mem, frm,
++							       cmd->blocks, 1);
++			break;
++
++		case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++		case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++			memcpy(mem->nonce, frm->nonce, 16);
++			mem->last_op.msg_type = msg_type;
++			mem->last_op.address = ntohs(frm->address);
++			break;
++		default:
++			break;
++		}
++		break;
++
++	case MMC_READ_MULTIPLE_BLOCK:
++		frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr;
++		msg_type = ntohs(frm->msg_type);
++
++		switch (mem->last_op.msg_type) {
++		case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++			ioctl_emu_get_keyprog_result(mem, frm);
++			break;
++
++		case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++			ioctl_emu_get_write_result(mem, frm);
++			break;
++
++		case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++			ioctl_emu_read_ctr(mem, frm);
++			break;
++
++		case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++			ioctl_emu_mem_transfer(mem, frm, cmd->blocks, 0);
++			break;
++
++		default:
++			printf("Unexpected\n");
++			break;
++		}
++		break;
++
++	default:
++		printf("Unsupported ioctl opcode 0x%08x\n", cmd->opcode);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int mmc_rpmb_fd(uint16_t dev_id)
++{
++	(void)dev_id;
++
++	/* Any value != -1 will do in test mode */
++	return 0;
++}
++
++static int mmc_fd(uint16_t dev_id)
++{
++	(void)dev_id;
++
++	return 0;
++}
++
++static void close_mmc_fd(int fd)
++{
++	(void)fd;
++}
++
++/*
++ * Extended CSD Register is 512 bytes and defines device properties
++ * and selected modes.
++ */
++static uint32_t read_ext_csd(int fd, uint8_t *ext_csd)
++{
++	int st = 0;
++	struct mmc_ioc_cmd cmd = {
++		.blksz = 512,
++		.blocks = 1,
++		.flags = MMC_RSP_R1 | MMC_CMD_ADTC,
++		.opcode = MMC_SEND_EXT_CSD,
++	};
++
++	mmc_ioc_cmd_set_data(cmd, ext_csd);
++
++	st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++	if (st < 0)
++		return TEE_ERROR_GENERIC;
++
++	return TEE_SUCCESS;
++}
++
++static uint32_t rpmb_data_req(int fd, struct rpmb_data_frame *req_frm,
++			      size_t req_nfrm, struct rpmb_data_frame *rsp_frm,
++			      size_t rsp_nfrm)
++{
++	int st = 0;
++	size_t i = 0;
++	uint16_t msg_type = ntohs(req_frm->msg_type);
++	struct mmc_ioc_cmd cmd = {
++		.blksz = 512,
++		.blocks = req_nfrm,
++		.data_ptr = (uintptr_t)req_frm,
++		.flags = MMC_RSP_R1 | MMC_CMD_ADTC,
++		.opcode = MMC_WRITE_MULTIPLE_BLOCK,
++		.write_flag = 1,
++	};
++
++	for (i = 1; i < req_nfrm; i++) {
++		if (req_frm[i].msg_type != msg_type) {
++			printf("All request frames shall be of the same type\n");
++			return TEE_ERROR_BAD_PARAMETERS;
++		}
++	}
++
++	//printf("Req: %zu frame(s) of type 0x%04x", req_nfrm, msg_type);
++	//printf("Rsp: %zu frame(s)", rsp_nfrm);
++
++	switch(msg_type) {
++	case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++	case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++		if (rsp_nfrm != 1) {
++			printf("Expected only one response frame\n");
++			return TEE_ERROR_BAD_PARAMETERS;
++		}
++
++		/* Send write request frame(s) */
++		cmd.write_flag |= MMC_CMD23_ARG_REL_WR;
++		/*
++		 * Black magic: tested on a HiKey board with a HardKernel eMMC
++		 * module. When postsleep values are zero, the kernel logs
++		 * random errors: "mmc_blk_ioctl_cmd: Card Status=0x00000E00"
++		 * and ioctl() fails.
++		 */
++		cmd.postsleep_min_us = 20000;
++		cmd.postsleep_max_us = 50000;
++		st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++		if (st < 0)
++			return TEE_ERROR_GENERIC;
++		cmd.postsleep_min_us = 0;
++		cmd.postsleep_max_us = 0;
++
++		/* Send result request frame */
++		memset(rsp_frm, 0, 1);
++		rsp_frm->msg_type = htons(RPMB_MSG_TYPE_REQ_RESULT_READ);
++		cmd.data_ptr = (uintptr_t)rsp_frm;
++		cmd.write_flag &= ~MMC_CMD23_ARG_REL_WR;
++		st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++		if (st < 0)
++			return TEE_ERROR_GENERIC;
++
++		/* Read response frame */
++		cmd.opcode = MMC_READ_MULTIPLE_BLOCK;
++		cmd.write_flag = 0;
++		cmd.blocks = rsp_nfrm;
++		st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++		if (st < 0)
++			return TEE_ERROR_GENERIC;
++		break;
++
++	case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++		if (rsp_nfrm != 1) {
++			printf("Expected only one response frame\n");
++			return TEE_ERROR_BAD_PARAMETERS;
++		}
++//#if __GNUC__ > 6
++		//__attribute__((fallthrough));
++//#endif
++
++	case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++		if (req_nfrm != 1) {
++			printf("Expected only one request frame\n");
++			return TEE_ERROR_BAD_PARAMETERS;
++		}
++
++		/* Send request frame */
++		st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++		if (st < 0)
++			return TEE_ERROR_GENERIC;
++
++		/* Read response frames */
++		cmd.data_ptr = (uintptr_t)rsp_frm;
++		cmd.opcode = MMC_READ_MULTIPLE_BLOCK;
++		cmd.write_flag = 0;
++		cmd.blocks = rsp_nfrm;
++		st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++		if (st < 0)
++			return TEE_ERROR_GENERIC;
++		break;
++
++	default:
++		printf("Unsupported message type: %d", msg_type);
++		return TEE_ERROR_GENERIC;
++	}
++
++	return TEE_SUCCESS;
++}
++
++static uint32_t rpmb_get_dev_info(uint16_t dev_id, struct rpmb_dev_info *info)
++{
++	int fd = 0;
++	uint32_t res = 0;
++	uint8_t ext_csd[512] = { 0 };
++
++	res = read_cid(dev_id, info->cid);
++	if (res != TEE_SUCCESS)
++		return res;
++
++	fd = mmc_fd(dev_id);
++	if (fd < 0)
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	res = read_ext_csd(fd, ext_csd);
++	if (res != TEE_SUCCESS)
++		goto err;
++
++	info->rel_wr_sec_c = ext_csd[222];
++	info->rpmb_size_mult = ext_csd[168];
++	info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK;
++
++err:
++	close_mmc_fd(fd);
++	return res;
++}
++
++
++/*
++ * req is one struct rpmb_req followed by one or more struct rpmb_data_frame
++ * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame
++ */
++uint32_t rpmb_process_request_emu(void *req, size_t req_size,
++				  void *rsp, size_t rsp_size)
++{
++	struct rpmb_req *sreq = req;
++	size_t req_nfrm = 0;
++	size_t rsp_nfrm = 0;
++	uint32_t res = 0;
++	int fd = 0;
++
++	if (req_size < sizeof(*sreq))
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	switch (sreq->cmd) {
++	case RPMB_CMD_DATA_REQ:
++		req_nfrm = (req_size - sizeof(struct rpmb_req)) / 512;
++		rsp_nfrm = rsp_size / 512;
++		fd = mmc_rpmb_fd(sreq->dev_id);
++		if (fd < 0)
++			return TEE_ERROR_BAD_PARAMETERS;
++		res = rpmb_data_req(fd, RPMB_REQ_DATA(req), req_nfrm, rsp,
++				    rsp_nfrm);
++		break;
++
++	case RPMB_CMD_GET_DEV_INFO:
++		if (req_size != sizeof(struct rpmb_req) ||
++		    rsp_size != sizeof(struct rpmb_dev_info)) {
++			printf("Invalid req/rsp size");
++			return TEE_ERROR_BAD_PARAMETERS;
++		}
++		res = rpmb_get_dev_info(sreq->dev_id,
++					(struct rpmb_dev_info *)rsp);
++		break;
++
++	default:
++		printf("Unsupported RPMB command: %d", sreq->cmd);
++		res = TEE_ERROR_BAD_PARAMETERS;
++		break;
++	}
++
++	return res;
++}
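Review bot: The write path in ioctl_emu_mem_transfer() authenticates the frames with is_hmac_valid() but never compares the request's `write_counter` with `mem->write_counter`, so a previously captured, correctly MACed write frame is accepted again and the emulation does not exercise the replay protection that RPMB exists to provide. Add a counter comparison before the memcpy and return a counter failure result (rpmb_emu.h currently defines no such code, so one would have to be added). The counter is also incremented once per frame inside the loop rather than once per authenticated write request. Two smaller points in the same file: ioctl_emu_setkey() prints the authentication key to the console through print_hex_dump_bytes(), which should be removed or put behind a debug switch even for snakeoil keys, and `memset(rsp_frm, 0, 1)` in rpmb_data_req() clears one byte where `sizeof(*rsp_frm)` looks intended.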
+diff --git a/drivers/tee/optee/rpmb_emu.h b/drivers/tee/optee/rpmb_emu.h
+new file mode 100644
+index 000000000000..3471eecf63b5
+--- /dev/null
++++ b/drivers/tee/optee/rpmb_emu.h
+@@ -0,0 +1,141 @@
++#include <linux/ioctl.h>
++
++/* mmc_ioc_cmd.opcode */
++#define MMC_SEND_EXT_CSD                 8
++#define MMC_READ_MULTIPLE_BLOCK         18
++#define MMC_WRITE_MULTIPLE_BLOCK        25
++
++#define IOCTL(fd, request, ...) ioctl_emu((fd), (request), ##__VA_ARGS__)
++#define mmc_ioc_cmd_set_data(ic, ptr) ic.data_ptr = (__u64)(unsigned long) ptr
++#define MMC_CMD23_ARG_REL_WR    (1 << 31) /* CMD23 reliable write */
++
++/* Emulated rel_wr_sec_c value (reliable write size, *256 bytes) */
++#define EMU_RPMB_REL_WR_SEC_C	1
++/* Emulated rpmb_size_mult value (RPMB size, *128 kB) */
++#define EMU_RPMB_SIZE_MULT	2
++
++#define EMU_RPMB_SIZE_BYTES	(EMU_RPMB_SIZE_MULT * 128 * 1024)
++
++struct mmc_ioc_cmd {
++	/* Implies direction of data.  true = write, false = read */
++	int write_flag;
++
++	/* Application-specific command.  true = precede with CMD55 */
++	int is_acmd;
++
++	uint32_t opcode;
++	uint32_t arg;
++	uint32_t response[4];  /* CMD response */
++	unsigned int flags;
++	unsigned int blksz;
++	unsigned int blocks;
++
++	/*
++	 * Sleep at least postsleep_min_us useconds, and at most
++	 * postsleep_max_us useconds *after* issuing command.  Needed for
++	 * some read commands for which cards have no other way of indicating
++	 * they're ready for the next command (i.e. there is no equivalent of
++	 * a "busy" indicator for read operations).
++	 */
++	unsigned int postsleep_min_us;
++	unsigned int postsleep_max_us;
++
++	/*
++	 * Override driver-computed timeouts.  Note the difference in units!
++	 */
++	unsigned int data_timeout_ns;
++	unsigned int cmd_timeout_ms;
++
++	/*
++	 * For 64-bit machines, the next member, ``__u64 data_ptr``, wants to
++	 * be 8-byte aligned.  Make sure this struct is the same size when
++	 * built for 32-bit.
++	 */
++	uint32_t __pad;
++
++	/* DAT buffer */
++	uint32_t data_ptr;
++};
++#define MMC_BLOCK_MAJOR		179
++#define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd)
++
++/* Request */
++struct rpmb_req {
++	uint16_t cmd;
++#define RPMB_CMD_DATA_REQ      0x00
++#define RPMB_CMD_GET_DEV_INFO  0x01
++	uint16_t dev_id;
++	uint16_t block_count;
++	/* Optional data frames (rpmb_data_frame) follow */
++};
++#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
++
++/* Response to device info request */
++struct rpmb_dev_info {
++	uint8_t cid[16];
++	uint8_t rpmb_size_mult;	/* EXT CSD-slice 168: RPMB Size */
++	uint8_t rel_wr_sec_c;	/* EXT CSD-slice 222: Reliable Write Sector */
++				/*                    Count */
++	uint8_t ret_code;
++#define RPMB_CMD_GET_DEV_INFO_RET_OK     0x00
++#define RPMB_CMD_GET_DEV_INFO_RET_ERROR  0x01
++};
++/* mmc_ioc_cmd.flags */
++#define MMC_RSP_PRESENT (1 << 0)
++#define MMC_RSP_136     (1 << 1)        /* 136 bit response */
++#define MMC_RSP_CRC     (1 << 2)        /* Expect valid CRC */
++#define MMC_RSP_OPCODE  (1 << 4)        /* Response contains opcode */
++
++#define MMC_RSP_R1      (MMC_RSP_PRESENT|MMC_RSP_CRC|MMC_RSP_OPCODE)
++
++#define MMC_CMD_ADTC    (1 << 5)        /* Addressed data transfer command */
++
++
++/* Emulated eMMC device state */
++struct rpmb_emu {
++	uint8_t buf[EMU_RPMB_SIZE_BYTES];
++	size_t size;
++	uint8_t key[32];
++	bool key_set;
++	uint8_t nonce[16];
++	uint32_t write_counter;
++	struct {
++		uint16_t msg_type;
++		uint16_t op_result;
++		uint16_t address;
++	} last_op;
++};
++
++/*
++ * This structure is shared with OP-TEE and the MMC ioctl layer.
++ * It is the "data frame for RPMB access" defined by JEDEC, minus the
++ * start and stop bits.
++ */
++struct rpmb_data_frame {
++	uint8_t stuff_bytes[196];
++	uint8_t key_mac[32];
++	uint8_t data[256];
++	uint8_t nonce[16];
++	uint32_t write_counter;
++	uint16_t address;
++	uint16_t block_count;
++	uint16_t op_result;
++#define RPMB_RESULT_OK				0x00
++#define RPMB_RESULT_GENERAL_FAILURE		0x01
++#define RPMB_RESULT_AUTH_FAILURE		0x02
++#define RPMB_RESULT_ADDRESS_FAILURE		0x04
++#define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED	0x07
++	uint16_t msg_type;
++#define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM		0x0001
++#define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ	0x0002
++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE		0x0003
++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ		0x0004
++#define RPMB_MSG_TYPE_REQ_RESULT_READ			0x0005
++#define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM		0x0100
++#define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ	0x0200
++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE		0x0300
++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ		0x0400
++};
++
++uint32_t rpmb_process_request_emu(void *req, size_t req_size,
++                                  void *rsp, size_t rsp_size);
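Review bot: In struct mmc_ioc_cmd the DAT buffer member is declared `uint32_t data_ptr`, while the comment directly above it talks about `__u64 data_ptr` and mmc_ioc_cmd_set_data() casts to `(__u64)`. rpmb_emu.c stores `(uintptr_t)req_frm` in this field and ioctl_emu() casts it back to a pointer, so on a 64-bit build any buffer above 4 GiB is truncated and the emulation reads or writes the wrong address. Declare the member as `uint64_t` to match the comment and the macro. The header also has no include guard (sha2.h in this patch has one), and `(1 << 31)` in MMC_CMD23_ARG_REL_WR shifts into the sign bit of an int; `(1U << 31)` avoids that.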
+diff --git a/drivers/tee/optee/sha2.c b/drivers/tee/optee/sha2.c
+new file mode 100644
+index 000000000000..a9acd7244947
+--- /dev/null
++++ b/drivers/tee/optee/sha2.c
+@@ -0,0 +1,249 @@
++/*
++ * FIPS 180-2 SHA-224/256/384/512 implementation
++ * Last update: 02/02/2007
++ * Issue date:  04/30/2005
++ *
++ * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <string.h>
++#include "sha2.h"
++
++#define SHFR(x, n)    (x >> n)
++#define ROTR(x, n)   ((x >> n) | (x << ((sizeof(x) << 3) - n)))
++#define ROTL(x, n)   ((x << n) | (x >> ((sizeof(x) << 3) - n)))
++#define CH(x, y, z)  ((x & y) ^ (~x & z))
++#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
++
++#define SHA256_F1(x) (ROTR(x,  2) ^ ROTR(x, 13) ^ ROTR(x, 22))
++#define SHA256_F2(x) (ROTR(x,  6) ^ ROTR(x, 11) ^ ROTR(x, 25))
++#define SHA256_F3(x) (ROTR(x,  7) ^ ROTR(x, 18) ^ SHFR(x,  3))
++#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
++
++#define UNPACK32(x, str)                      \
++{                                             \
++    *((str) + 3) = (uint8) ((x)      );       \
++    *((str) + 2) = (uint8) ((x) >>  8);       \
++    *((str) + 1) = (uint8) ((x) >> 16);       \
++    *((str) + 0) = (uint8) ((x) >> 24);       \
++}
++
++#define PACK32(str, x)                        \
++{                                             \
++    *(x) =   ((uint32) *((str) + 3)      )    \
++           | ((uint32) *((str) + 2) <<  8)    \
++           | ((uint32) *((str) + 1) << 16)    \
++           | ((uint32) *((str) + 0) << 24);   \
++}
++
++#define UNPACK64(x, str)                      \
++{                                             \
++    *((str) + 7) = (uint8) ((x)      );       \
++    *((str) + 6) = (uint8) ((x) >>  8);       \
++    *((str) + 5) = (uint8) ((x) >> 16);       \
++    *((str) + 4) = (uint8) ((x) >> 24);       \
++    *((str) + 3) = (uint8) ((x) >> 32);       \
++    *((str) + 2) = (uint8) ((x) >> 40);       \
++    *((str) + 1) = (uint8) ((x) >> 48);       \
++    *((str) + 0) = (uint8) ((x) >> 56);       \
++}
++
++#define PACK64(str, x)                        \
++{                                             \
++    *(x) =   ((uint64) *((str) + 7)      )    \
++           | ((uint64) *((str) + 6) <<  8)    \
++           | ((uint64) *((str) + 5) << 16)    \
++           | ((uint64) *((str) + 4) << 24)    \
++           | ((uint64) *((str) + 3) << 32)    \
++           | ((uint64) *((str) + 2) << 40)    \
++           | ((uint64) *((str) + 1) << 48)    \
++           | ((uint64) *((str) + 0) << 56);   \
++}
++
++#define SHA256_SCR(i)                         \
++{                                             \
++    w[i] =  SHA256_F4(w[i -  2]) + w[i -  7]  \
++          + SHA256_F3(w[i - 15]) + w[i - 16]; \
++}
++
++uint32 sha256_h0[8] =
++            {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
++             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
++
++uint32 sha256_k[64] =
++            {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
++             0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
++             0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
++             0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
++             0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
++             0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
++             0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
++             0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
++             0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
++             0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
++             0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
++             0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
++             0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
++             0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
++             0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
++             0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
++
++/* SHA-256 functions */
++
++static void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
++                          unsigned int block_nb)
++{
++    uint32 w[64] = { 0 };
++    uint32 wv[8] = { 0 };
++    uint32 t1 = 0;
++    uint32 t2 = 0;
++    const unsigned char *sub_block = NULL;
++    int i = 0;
++    int j = 0;
++
++    for (i = 0; i < (int) block_nb; i++) {
++        sub_block = message + (i << 6);
++
++        for (j = 0; j < 16; j++) {
++            PACK32(&sub_block[j << 2], &w[j]);
++        }
++
++        for (j = 16; j < 64; j++) {
++            SHA256_SCR(j);
++        }
++
++        for (j = 0; j < 8; j++) {
++            wv[j] = ctx->h[j];
++        }
++
++        for (j = 0; j < 64; j++) {
++            t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
++                + sha256_k[j] + w[j];
++            t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
++            wv[7] = wv[6];
++            wv[6] = wv[5];
++            wv[5] = wv[4];
++            wv[4] = wv[3] + t1;
++            wv[3] = wv[2];
++            wv[2] = wv[1];
++            wv[1] = wv[0];
++            wv[0] = t1 + t2;
++        }
++
++        for (j = 0; j < 8; j++) {
++            ctx->h[j] += wv[j];
++        }
++    }
++}
++
++void sha256(const unsigned char *message, unsigned int len,
++	    unsigned char *digest)
++{
++    sha256_ctx ctx;
++
++    memset(&ctx, 0, sizeof(ctx));
++
++    sha256_init(&ctx);
++    sha256_update_tee(&ctx, message, len);
++    sha256_final(&ctx, digest);
++}
++
++void sha256_init(sha256_ctx *ctx)
++{
++    int i = 0;
++
++    for (i = 0; i < 8; i++) {
++        ctx->h[i] = sha256_h0[i];
++    }
++
++    ctx->len = 0;
++    ctx->tot_len = 0;
++}
++
++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message,
++                   unsigned int len)
++{
++    unsigned int block_nb = 0;
++    unsigned int new_len = 0;
++    unsigned int rem_len = 0;
++    unsigned int tmp_len = 0;
++    const unsigned char *shifted_message = NULL;
++
++    tmp_len = SHA256_BLOCK_SIZE - ctx->len;
++    rem_len = len < tmp_len ? len : tmp_len;
++
++    memcpy(&ctx->block[ctx->len], message, rem_len);
++
++    if (ctx->len + len < SHA256_BLOCK_SIZE) {
++        ctx->len += len;
++        return;
++    }
++
++    new_len = len - rem_len;
++    block_nb = new_len / SHA256_BLOCK_SIZE;
++
++    shifted_message = message + rem_len;
++
++    sha256_transf(ctx, ctx->block, 1);
++    sha256_transf(ctx, shifted_message, block_nb);
++
++    rem_len = new_len % SHA256_BLOCK_SIZE;
++
++    memcpy(ctx->block, &shifted_message[block_nb << 6],
++           rem_len);
++
++    ctx->len = rem_len;
++    ctx->tot_len += (block_nb + 1) << 6;
++}
++
++void sha256_final(sha256_ctx *ctx, unsigned char *digest)
++{
++    unsigned int block_nb = 0;
++    unsigned int pm_len = 0;
++    unsigned int len_b = 0;
++    int i = 0;
++
++    block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
++                     < (ctx->len % SHA256_BLOCK_SIZE)));
++
++    len_b = (ctx->tot_len + ctx->len) << 3;
++    pm_len = block_nb << 6;
++
++    memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
++    ctx->block[ctx->len] = 0x80;
++    UNPACK32(len_b, ctx->block + pm_len - 4);
++
++    sha256_transf(ctx, ctx->block, block_nb);
++
++    for (i = 0 ; i < 8; i++) {
++        UNPACK32(ctx->h[i], &digest[i << 2]);
++    }
++}
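Review bot: `sha256_h0` and `sha256_k` are defined as writable globals with external linkage although they are constant tables used only inside this file; make them `static const` so they land in read-only data and cannot clash with or be modified by other code. The file header announces SHA-224/256/384/512, but only the SHA-256 functions are present, which leaves ROTL, PACK64 and UNPACK64 unused; trim them. The `_tee` suffix on sha256_update_tee() suggests a name collision with an existing SHA-256 implementation in the tree; if that is the case, reusing that implementation would be preferable to carrying a second copy. The file also lacks the SPDX-License-Identifier line that rpmb_emu.c carries.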
+diff --git a/drivers/tee/optee/sha2.h b/drivers/tee/optee/sha2.h
+new file mode 100644
+index 000000000000..4ce0f3cd5231
+--- /dev/null
++++ b/drivers/tee/optee/sha2.h
+@@ -0,0 +1,75 @@
++/*
++ * FIPS 180-2 SHA-224/256/384/512 implementation
++ * Last update: 02/02/2007
++ * Issue date:  04/30/2005
++ *
++ * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#ifndef SHA2_H
++#define SHA2_H
++
++#define SHA256_DIGEST_SIZE ( 256 / 8)
++#define SHA256_BLOCK_SIZE  ( 512 / 8)
++
++#ifndef SHA2_TYPES
++#define SHA2_TYPES
++typedef unsigned char uint8;
++typedef unsigned int  uint32;
++typedef unsigned long long uint64;
++#endif
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++typedef struct {
++    unsigned int tot_len;
++    unsigned int len;
++    unsigned char block[2 * SHA256_BLOCK_SIZE];
++    uint32 h[8];
++} sha256_ctx;
++
++typedef sha256_ctx sha224_ctx;
++
++void sha256_init(sha256_ctx * ctx);
++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message,
++                   unsigned int len);
++void sha256_final(sha256_ctx *ctx, unsigned char *digest);
++void sha256(const unsigned char *message, unsigned int len,
++            unsigned char *digest);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* !SHA2_H */
++
+-- 
+2.29.2
+
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 802fc50..6e7158b 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -13,6 +13,9 @@ require recipes-bsp/u-boot/u-boot-common.inc
 
 U_BOOT_BIN = "u-boot.bin"
 
+SRC_URI_append_secureboot = " \
+    file://0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch;patch=1"
+
 DEPENDS_append_secureboot = " optee-os-${MACHINE}"
 
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
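Review bot: The SRC_URI_append_secureboot line pulls in a patch whose own file name says it breaks proper hardware support, and the recipe gives no hint why that is acceptable or when it can go away. Add a comment above the append stating that this is a QEMU-only workaround for the missing virtual RPMB and that it is to be dropped once QEMU provides one, as the cover letter explains. The patch is numbered 0002 while no 0001 is added to SRC_URI in this hunk; if there is no other patch, renumber it to avoid confusion.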
-- 
2.30.2




* [isar-cip-core][PATCH 5/8] add recipe for trusted firmware a qemu arm64
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
                   ` (3 preceding siblings ...)
  2022-11-20 20:47 ` [isar-cip-core][PATCH 4/8] add u-boot patch for qemu to support RPMB sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db sven.schultschik
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

Provide a recipe to generate the needed binary to start a secure boot QEMU with integrated OP-TEE and active RPMB (replay protected memory) emulation within u-boot.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 kas/opt/ebg-secure-boot-snakeoil.yml          |  1 +
 .../trusted-firmware-a/files/rules.tmpl       | 22 +++++++
 .../trusted-firmware-a-qemu-arm64_2.7.0.bb    | 62 +++++++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100755 recipes-bsp/trusted-firmware-a/files/rules.tmpl
 create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb

diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index e92ea5e..6732095 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -26,6 +26,7 @@ local_conf_header:
 
   secure-boot: |
     IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+    IMAGER_BUILD_DEPS_append_qemu-arm64 = " trusted-firmware-a-qemu-arm64"
     IMAGER_INSTALL += "ebg-secure-boot-signer"
     # Use snakeoil keys
     PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
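Review bot: the new `IMAGER_BUILD_DEPS_append_qemu-arm64` line sits in the snakeoil key option file, so the TF-A firmware is only pulled in when the snakeoil keys are selected, while start-qemu.sh in this series expects flash.bin whenever SECURE_BOOT is set. The dependency belongs in the generic secure-boot or qemu-arm64 machine configuration rather than next to the key selection. It also lands between the two ebg-secure-boot-signer lines and would read better after them.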
diff --git a/recipes-bsp/trusted-firmware-a/files/rules.tmpl b/recipes-bsp/trusted-firmware-a/files/rules.tmpl
new file mode 100755
index 0000000..45eb00b
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/files/rules.tmpl
@@ -0,0 +1,22 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLAT=${TF_A_PLATFORM} \
+		${TF_A_EXTRA_BUILDARGS}
+
+	dd if="build/${TF_A_PLATFORM}/release/bl1.bin" of="build/${TF_A_PLATFORM}/release/flash.bin" bs=4096 conv=notrunc
+	dd if="build/${TF_A_PLATFORM}/release/fip.bin" of="build/${TF_A_PLATFORM}/release/flash.bin" seek=64 bs=4096 conv=notrunc
+
+%:
+	dh $@
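Review bot: the two `dd` calls in override_dh_auto_build place fip.bin at `seek=64` with `bs=4096`, that is at byte offset 262144, without checking that bl1.bin is smaller than that, so the tail of an oversized BL1 would be silently overwritten by the FIP. Because of `conv=notrunc`, a flash.bin left over from an earlier build is also reused rather than recreated. Suggest removing flash.bin before the first `dd`, failing the build when bl1.bin exceeds the offset, and adding a comment that names the offset. The paths hard-code `release/`, and the copyright header says 2020 for a file added in 2022.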
diff --git a/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
new file mode 100644
index 0000000..fcb2729
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
@@ -0,0 +1,62 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://www.trustedfirmware.org/projects/tf-a/"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-3-Clause"
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += " \
+            https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot/trusted-firmware-a-${PV}.tar.gz \
+            file://rules.tmpl"
+
+SRC_URI[sha256sum] = "553eeca87d4296cdf37361079d1a6446d4b36da16bc25feadd7e465537e7bd4d"
+
+S = "${WORKDIR}/trusted-firmware-a-${PV}"
+
+DEPENDS = "optee-os-${MACHINE} u-boot-qemu-arm64"
+DEBIAN_BUILD_DEPENDS   += " \
+    debhelper(>= 11~), \
+    optee-os-${MACHINE}, \
+    u-boot-qemu-arm64, \
+    libssl-dev:native, "
+
+TEMPLATE_FILES += "rules.tmpl"
+
+TEEHEADER = "/usr/lib/optee-os/${MACHINE}/tee-header_v2.bin"
+TEEPAGER = "/usr/lib/optee-os/${MACHINE}/tee-pager_v2.bin"
+TEEPAGEABLE = "/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.bin"
+BL33 = "/usr/lib/u-boot/${MACHINE}/u-boot.bin"
+
+TF_A_EXTRA_BUILDARGS = "BL32=${TEEHEADER} \
+        BL32_EXTRA1=${TEEPAGER} \
+        BL32_EXTRA2=${TEEPAGEABLE} \
+        BL33=${BL33} \
+        BL32_RAM_LOCATION=tdram SPD=opteed ${DEBUG} all fip"
+
+TF_A_PLATFORM = "qemu"
+
+TF_A_BINARIES = "release/flash.bin"
+
+do_prepare_build_append() {
+    rm -f ${S}/rules
+    cp ${WORKDIR}/rules ${S}/debian/
+}
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+    dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
+        tar xOf - "./usr/lib/trusted-firmware-a/${MACHINE}/flash.bin" \
+        > "${DEPLOY_DIR_IMAGE}/flash.bin"
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb
\ No newline at end of file
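Review bot: `${DEBUG}` in TF_A_EXTRA_BUILDARGS is not defined anywhere in this file, so unless the required .inc sets it the reference is never given a value; either give it a weak default here or drop it. Since TF_A_BINARIES and rules.tmpl both hard-code the `release/` directory, a debug build would not find its output anyway. Smaller points: DEBIAN_BUILD_DEPENDS ends in a dangling `, `, do_prepare_build_append removes `${S}/rules` but copies to `${S}/debian/`, and the file lacks a trailing newline.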
-- 
2.30.2




* [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
                   ` (4 preceding siblings ...)
  2022-11-20 20:47 ` [isar-cip-core][PATCH 5/8] add recipe for trusted firmware a qemu arm64 sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-21 10:40   ` Jan Kiszka
  2022-11-20 20:47 ` [isar-cip-core][PATCH 7/8] enhance start-qemu.sh for arm64 secure boot sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 8/8] Use of snakeoil keys for qemu use case sven.schultschik
  7 siblings, 1 reply; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

The secure boot setup with OP-TEE, u-boot and EFI works with a platform key (pk), key exchange key (kek) and signature database (db). isar-cip-core should only provide one secure boot solution and so the key structure and setup needed to be adjusted.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 .../files/sign_secure_image.sh                |   2 +-
 .../secure-boot-secrets/files/KEK.auth        | Bin 0 -> 2066 bytes
 .../secure-boot-secrets/files/KEK.crt         |  19 +++++++++
 .../secure-boot-secrets/files/KEK.esl         | Bin 0 -> 839 bytes
 .../secure-boot-secrets/files/KEK.key         |  28 +++++++++++++
 .../secure-boot-secrets/files/PK.auth         | Bin 0 -> 2064 bytes
 .../secure-boot-secrets/files/PK.crt          |  19 +++++++++
 .../secure-boot-secrets/files/PK.esl          | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/PK.key          |  28 +++++++++++++
 .../files/PkKek-1-snakeoil.key                |  27 -------------
 .../files/PkKek-1-snakeoil.pem                |  21 ----------
 .../secure-boot-secrets/files/db.auth         | Bin 0 -> 2067 bytes
 .../secure-boot-secrets/files/db.crt          |  19 +++++++++
 .../secure-boot-secrets/files/db.esl          | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/db.key          |  28 +++++++++++++
 .../secure-boot-secrets.inc                   |  37 ++++++++++++++----
 .../secure-boot-snakeoil_0.1.bb               |   5 ++-
 17 files changed, 174 insertions(+), 59 deletions(-)
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key

diff --git a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
index 0c9b898..42e5b90 100644
--- a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
+++ b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
@@ -30,4 +30,4 @@ fi
 
 keydir=/usr/share/secure-boot-secrets
 
-sbsign --key ${keydir}/secure-boot.key --cert ${keydir}/secure-boot.pem --output $signed $signee
+sbsign --key ${keydir}/db.key --cert ${keydir}/db.crt --output $signed $signee
\ No newline at end of file
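Review bot: the replaced `sbsign` line drops the file's trailing newline (see the `\ No newline at end of file` marker); please keep it. While touching the line, quote the expansions, for example `--output "$signed" "$signee"`, so that paths containing spaces are not split.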
diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.auth b/recipes-devtools/secure-boot-secrets/files/KEK.auth
new file mode 100644
index 0000000000000000000000000000000000000000..3127ddfd55edd8e07baf97df7fe3ea862b1c3d91
GIT binary patch
literal 2066

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.crt b/recipes-devtools/secure-boot-secrets/files/KEK.crt
new file mode 100644
index 0000000..9e30c92
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/KEK.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.esl b/recipes-devtools/secure-boot-secrets/files/KEK.esl
new file mode 100644
index 0000000000000000000000000000000000000000..3debd0f8c60d83fda677003b81b56f3f734371f4
GIT binary patch
literal 839

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.key b/recipes-devtools/secure-boot-secrets/files/KEK.key
new file mode 100644
index 0000000..d5e015c
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/KEK.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PK.auth b/recipes-devtools/secure-boot-secrets/files/PK.auth
new file mode 100644
index 0000000000000000000000000000000000000000..75bd8f298420452a1d8b33ae6aca6e9cf8dc7e9b
GIT binary patch
literal 2064

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/PK.crt b/recipes-devtools/secure-boot-secrets/files/PK.crt
new file mode 100644
index 0000000..b775cd9
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PK.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PK.esl b/recipes-devtools/secure-boot-secrets/files/PK.esl
new file mode 100644
index 0000000000000000000000000000000000000000..acd616b5ce5fa5fedfcd0a77334821fc834f1a88
GIT binary patch
literal 837

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/PK.key b/recipes-devtools/secure-boot-secrets/files/PK.key
new file mode 100644
index 0000000..8241b95
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PK.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
deleted file mode 100644
index 193de62..0000000
--- a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAyIuuXei5qIw+UvavLxPyyNhx0G6Ijuf9SqxVXOpKcQ+l3ZCc
-KQaCLWCH0pbPQj587zVjgMUd4SHgXdVP6awDz8b0NcLgyzF31pHBmmB3z55nv2Jb
-gI56bix9TEHLpoDs4+cWAb2WZPkW8rV/6YR+xVuE8fi9aAWJ7H4dwUhPzU7RBB1d
-Z1wF6Wv3b8nn1jJa5W8I3zOd+tpWczOsqyRnDnFhMiOulGAiFTtmIXv2VReQf7Tx
-rXdqAAs9dcS3qizzNVgY5XpABtmYu1AjyLwwqXZ+blZ2tmUUJicgw3YdCWtlTAtf
-XZDHf+ZzgCNtTvhb2DzpAVmF/H+A8w8lUJZiBQIDAQABAoIBABET/BRZNj5JOyF7
-im2a6Ej8TazvTMfGr8ZFKLvR4+b+6yQUJYhE2p8colRnrVy5z4/bXw7fOm0qol27
-RaPjlyuBiNhvMQ98tfTa0r7fyjQvDCy7JomrGHf7Z+wvijUys3mw+ynIyF7u62pd
-1HfBZb5OzeKBSTfriNRP5R7JlqooDl+O9JVlnvlJIaFe1rX2sQxZ7F8gVINKIJDv
-n7ZZ0o351uIMjKLqwmliULPTjZ2ZeeJqnkB0pFcWZzEf2wAnrrglYRdnn10oNzhB
-6cXMHJeuEOedXECLZtmynRw1dWZK9+Xku1jEAqTWAoI0OIjrfYYzntwe/kab8w/R
-T7ojFGECgYEA9rGhtmSQiim2h+3iGyXNTEQiEOFFL7E8/1ibfWi3vzDhoLARrnH1
-p45DPgnL664xLHXIUl6/wto79Ij/2qA9mp054nVJ4X4AQgq3xCT/57nL0QHfQLaa
-VdzNIoz4jJT3cO0gYcBAK4Bg+dGGQ6ZUrRRt6VkHG/W6fW0D1e7PnEkCgYEA0Bxj
-Jr4ShNXb7J4YDQ24uSwmc2E1IgX5FjHu/JMKCiyIDWQkrxtVdIL9v6+kmYecyxFJ
-S3Qyr3ZqOHqwN1svYuB/CHyKg6dHrzJyZFTj8cr8h0ZKLDu2xZNFxfBIjn5vitSX
-W9q3477oFG/30Ew12Yee4NhDQkaEuB/Ic9+yv90CgYB2y00rLrwnvDSIunXiSs7U
-xg59gG03rSrJb5rYxj+NkvVj0sWA8qGwASLCUidfo69MUJ+ZgsTnCP5MIFjMp9Ni
-jAne0ko0it+G7fBWRNbyeJb8W+FtIUGqzTv/QlFCKU4KlDW+vLxp9lU8l7gHBabK
-/gZ7kwKIZUlbss5hC7Hv+QKBgQCsQBLBKmlhkTEqs9/sTgMrISPiM/8qXg9BE6tf
-WsTgjuM9UjoaxWEBwroMQnDWsqxQV8p2rYKWQEjC3qmj59Fc4bvDZnGvbnGizPpp
-mOniY8SIouEZo4MwHSmPH8auSnBAVJ3C5VF3K7gj0lknCy03E02phNaGsJ+BVq0v
-W2Qz8QKBgEB5RKiwJhgGQA2o+NJKKUUCDM9iBsO1Yy3QwtDWioKKcdAkxdTg3xR+
-XtJdXq6MkCMWM5em3v6GHPceexn81FZTxGBbIMBYNp0Sp4qs/3lK64ln8m5Qttxe
-70HVtrp9HhG5oFJ3fUuLPcYpE2GMgPM9fIbAWh9GZ4GpTLuPRtWg
------END RSA PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
deleted file mode 100644
index dd02a82..0000000
--- a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL
-BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG
-b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY
-DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
-ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ
-boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1
-wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx
-+L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy
-I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u
-Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB
-AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW
-gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE
-sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac
-HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS
-JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M
-3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h
-pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY
------END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/db.auth b/recipes-devtools/secure-boot-secrets/files/db.auth
new file mode 100644
index 0000000000000000000000000000000000000000..a385ee08c9cc40761f9f0f52e0b4ff9d48b87770
GIT binary patch
literal 2067

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/db.crt b/recipes-devtools/secure-boot-secrets/files/db.crt
new file mode 100644
index 0000000..d8016c0
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/db.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/db.esl b/recipes-devtools/secure-boot-secrets/files/db.esl
new file mode 100644
index 0000000000000000000000000000000000000000..644357bedea2acb605e9f3abbd97423133844c0c
GIT binary patch
literal 837

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/db.key b/recipes-devtools/secure-boot-secrets/files/db.key
new file mode 100644
index 0000000..46e130e
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/db.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
index f53435a..2a30f1e 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -13,20 +13,41 @@ inherit dpkg-raw
 
 PROVIDES += "secure-boot-secrets"
 
-SB_KEY ??= ""
-SB_CERT ??= ""
+SB_PK ??= ""
+SB_KEK ??= ""
+SB_DB ??= ""
 
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".auth" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".crt" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".esl" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".key" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".auth" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".crt" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".esl" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".key" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".auth" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".crt" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".esl" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".key" if d.getVar('SB_DB') else '' }"
 
 do_install() {
-    if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then
-        bbfatal "You must set SB_KEY and SB_CERT and provide the required files as artifacts to this recipe"
+    if [ -z ${SB_PK} ] || [ -z ${SB_KEK} || [ -z ${SB_DB}]; then
+        bbfatal "You must set SB_PK, SB_KEK and SB_DB and provide the required files as artifacts to this recipe"
     fi
     TARGET=${D}/usr/share/secure-boot-secrets
     install -d -m 0700 ${TARGET}
-    install -m 0700 ${WORKDIR}/${SB_KEY} ${TARGET}/secure-boot.key
-    install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem
+    install -m 0700 ${WORKDIR}/${SB_PK}.auth ${TARGET}/PK.auth
+    install -m 0700 ${WORKDIR}/${SB_PK}.crt ${TARGET}/PK.crt
+    install -m 0700 ${WORKDIR}/${SB_PK}.esl ${TARGET}/PK.esl
+    install -m 0700 ${WORKDIR}/${SB_PK}.key ${TARGET}/PK.key
+    install -m 0700 ${WORKDIR}/${SB_KEK}.auth ${TARGET}/KEK.auth
+    install -m 0700 ${WORKDIR}/${SB_KEK}.crt ${TARGET}/KEK.crt
+    install -m 0700 ${WORKDIR}/${SB_KEK}.esl ${TARGET}/KEK.esl
+    install -m 0700 ${WORKDIR}/${SB_KEK}.key ${TARGET}/KEK.key
+    install -m 0700 ${WORKDIR}/${SB_DB}.auth ${TARGET}/db.auth
+    install -m 0700 ${WORKDIR}/${SB_DB}.crt ${TARGET}/db.crt
+    install -m 0700 ${WORKDIR}/${SB_DB}.esl ${TARGET}/db.esl
+    install -m 0700 ${WORKDIR}/${SB_DB}.key ${TARGET}/db.key
 }
 
 do_prepare_build_append() {
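Review bot: the new check in do_install is not valid shell: `[ -z ${SB_KEK} ||` is missing its closing `]`, and `${SB_DB}]` needs a space before the bracket, so the bbfatal guard cannot work as intended. Suggest `if [ -z "${SB_PK}" ] || [ -z "${SB_KEK}" ] || [ -z "${SB_DB}" ]; then`, with the variables quoted so that an empty value still yields a well-formed test. The twelve SRC_URI_append lines and twelve install lines could be generated by a loop over the three names and four suffixes. Also consider whether PK.key and KEK.key need to be installed at all, since sign_secure_image.sh only uses db.key and db.crt.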
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
index 24a5352..b78f22f 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
@@ -11,7 +11,8 @@
 
 require secure-boot-secrets.inc
 
-SB_KEY = "PkKek-1-snakeoil.key"
-SB_CERT = "PkKek-1-snakeoil.pem"
+SB_PK ??= "PK"
+SB_KEK ??= "KEK"
+SB_DB ??= "db"
 
 DEBIAN_CONFLICTS = "secure-boot-key"
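Review bot: SB_PK, SB_KEK and SB_DB switch from `=` to `??=` here, while secure-boot-secrets.inc already sets a `??=` default of the empty string for the same variables. This recipe ships fixed files named PK.*, KEK.* and db.*, so a plain `=` as before states the intent more clearly and does not depend on which weak default is parsed last.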
-- 
2.30.2




* [isar-cip-core][PATCH 7/8] enhance start-qemu.sh for arm64 secure boot
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
                   ` (5 preceding siblings ...)
  2022-11-20 20:47 ` [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  2022-11-20 20:47 ` [isar-cip-core][PATCH 8/8] Use of snakeoil keys for qemu use case sven.schultschik
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

The start-qemu shell script needs some adjustments to switch on secure in the machine statement and add the virtual random number generator if secure boot is enabled.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 start-qemu.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index dd16aed..5617a2a 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -80,13 +80,22 @@ case "${arch}" in
 		QEMU_EXTRA_ARGS=" \
 			-cpu cortex-a57 \
 			-smp 4 \
-			-machine virt \
 			-device virtio-serial-device \
 			-device virtconsole,chardev=con -chardev vc,id=con \
 			-device virtio-blk-device,drive=disk \
 			-device virtio-net-device,netdev=net"
 		KERNEL_CMDLINE=" \
 			root=/dev/vda rw"
+		if [ -n "${SECURE_BOOT}" ]; then
+			QEMU_EXTRA_ARGS=" \
+			${QEMU_EXTRA_ARGS} \
+			-machine virt,secure=on \
+			-device virtio-rng-device"
+		else
+			QEMU_EXTRA_ARGS=" \
+			${QEMU_EXTRA_ARGS} \
+			-machine virt"
+		fi
 		;;
 	arm|armhf)
 		QEMU_ARCH=arm
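Review bot: moving `-machine virt` out of the base QEMU_EXTRA_ARGS into an if/else duplicates the append in both branches. Keeping the machine option in one place, for example via a variable that gains `,secure=on` when SECURE_BOOT is set, and appending `-device virtio-rng-device` only in that case would be shorter. A comment on why the RNG device is required for secure boot would help as well.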
@@ -165,7 +174,11 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 			fi
 			;;
 		arm64|aarch64|arm|armhf)
-			u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
+			if [ -n "${SECURE_BOOT}" ]; then
+				u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/flash.bin}
+			else
+				u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
+			fi
 
 			${QEMU_PATH}${QEMU} \
 				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
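Review bot: the `SECURE_BOOT` check is added inside the shared `arm64|aarch64|arm|armhf)` branch, so a 32-bit arm run with SECURE_BOOT set now defaults to flash.bin as well, although this series only adds a TF-A recipe that deploys flash.bin for qemu-arm64. Restrict the flash.bin default to arm64, or state that secure boot on arm is unsupported. The variable is still called `u_boot_bin` although it may now hold a TF-A flash image.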
-- 
2.30.2




* [isar-cip-core][PATCH 8/8] Use of snakeoil keys for qemu use case
  2022-11-20 20:47 [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB sven.schultschik
                   ` (6 preceding siblings ...)
  2022-11-20 20:47 ` [isar-cip-core][PATCH 7/8] enhance start-qemu.sh for arm64 secure boot sven.schultschik
@ 2022-11-20 20:47 ` sven.schultschik
  7 siblings, 0 replies; 16+ messages in thread
From: sven.schultschik @ 2022-11-20 20:47 UTC (permalink / raw)
  To: cip-dev; +Cc: jan.kiszka, Sven Schultschik

From: Sven Schultschik <sven.schultschik@siemens.com>

The snakeoil keys are copied to the deploy folder if the machine is qemu-arm64. The RPMB qemu workaround is not persistent and for that the keys need to be provisioned on every boot of qemu. Therefore the keys are copied to the deploy folder, mounted into the qemu as virtual memory and the boot command automatically loads them on every boot.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |  4 ++++
 .../secure-boot-secrets.inc                   | 22 +++++++++++++++++++
 start-qemu.sh                                 |  3 ++-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 6e7158b..51dabac 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -18,6 +18,10 @@ SRC_URI_append_secureboot = " \
 
 DEPENDS_append_secureboot = " optee-os-${MACHINE}"
 
+do_prepare_build_append_secureboot() {
+    sed -i 's/CONFIG_BOOTCOMMAND="/CONFIG_BOOTCOMMAND="fatload virtio 1:1 40000000 PK\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize PK; fatload virtio 1:1 40000000 KEK\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize KEK; fatload virtio 1:1 40000000 db\.auth; setenv -e -nv -bs -rt -at -i 40000000:\$filesize db; /g' ${S}/configs/${U_BOOT_CONFIG}
+}
+
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_deploy() {
     dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
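Review bot: in the sed added by do_prepare_build_append_secureboot, each fatload is chained to its setenv with ';', so when PK.auth, KEK.auth or db.auth cannot be read from virtio 1:1 the following setenv still runs with whatever $filesize holds from an earlier load and whatever is in memory at 40000000. Chain each pair with '&&' (or test the result) so that a missing key file stops enrollment visibly instead of booting with a partly provisioned variable store. The file name u-boot-qemu-common.inc suggests it is shared by several QEMU machines, while secure-boot-secrets.inc deploys the keys only for qemu-arm64, so the override should be limited to that machine as well. The sed is also a silent no-op if CONFIG_BOOTCOMMAND=" is not present in ${U_BOOT_CONFIG}, and a short comment explaining the setenv flags would help the next reader.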
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
index 2a30f1e..0fcde72 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -53,3 +53,25 @@ do_install() {
 do_prepare_build_append() {
     echo "Provides: secure-boot-secrets" >> ${S}/debian/control
 }
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+    if [ "${MACHINE}" = "qemu-arm64" ]; then
+        DTARGET=${DEPLOY_DIR_IMAGE}/keys
+        mkdir -p ${DTARGET}
+        cp ${WORKDIR}/${SB_PK}.auth ${DTARGET}/PK.auth
+        cp ${WORKDIR}/${SB_PK}.crt ${DTARGET}/PK.crt
+        cp ${WORKDIR}/${SB_PK}.esl ${DTARGET}/PK.esl
+        cp ${WORKDIR}/${SB_PK}.key ${DTARGET}/PK.key
+        cp ${WORKDIR}/${SB_KEK}.auth ${DTARGET}/KEK.auth
+        cp ${WORKDIR}/${SB_KEK}.crt ${DTARGET}/KEK.crt
+        cp ${WORKDIR}/${SB_KEK}.esl ${DTARGET}/KEK.esl
+        cp ${WORKDIR}/${SB_KEK}.key ${DTARGET}/KEK.key
+        cp ${WORKDIR}/${SB_DB}.auth ${DTARGET}/db.auth
+        cp ${WORKDIR}/${SB_DB}.crt ${DTARGET}/db.crt
+        cp ${WORKDIR}/${SB_DB}.esl ${DTARGET}/db.esl
+        cp ${WORKDIR}/${SB_DB}.key ${DTARGET}/db.key
+    fi
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb
\ No newline at end of file
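Review bot: do_deploy copies the private keys (PK.key, KEK.key, db.key) into ${DEPLOY_DIR_IMAGE}/keys, although the boot command added in u-boot-qemu-common.inc only loads PK.auth, KEK.auth and db.auth, and start-qemu.sh exposes this directory to the guest. Even for snakeoil material the .key files should stay out of a directory that is mounted into the VM; copy only the three .auth files (a loop over PK, KEK and db would also replace the twelve cp lines). The file now ends without a trailing newline after the addtask line.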
diff --git a/start-qemu.sh b/start-qemu.sh
index 5617a2a..f29b57d 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -183,7 +183,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 			${QEMU_PATH}${QEMU} \
 				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 				-bios ${u_boot_bin} \
-				${QEMU_COMMON_OPTIONS} "$@"
+				${QEMU_COMMON_OPTIONS} "$@" \
+				-hdb fat:rw:./build/tmp/deploy/images/qemu-${QEMU_ARCH}/keys
 			;;
 		*)
 			echo "Unsupported architecture: ${arch}"
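Review bot: the added -hdb fat:rw: drive gives the guest write access to the keys directory although the boot command only reads the .auth files from it; QEMU's fat: driver is read-only without the rw: prefix, which is enough here. According to the enclosing condition in the hunk header the drive is also attached when only SWUPDATE_BOOT is set, and the path is hard-coded after "$@" so a caller cannot override it. Guard the option with SECURE_BOOT and check that the directory exists before passing it to QEMU.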
-- 
2.30.2




* Re: [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db
  2022-11-20 20:47 ` [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db sven.schultschik
@ 2022-11-21 10:40   ` Jan Kiszka
  2022-11-21 15:10     ` AW: " Schultschik, Sven
  0 siblings, 1 reply; 16+ messages in thread
From: Jan Kiszka @ 2022-11-21 10:40 UTC (permalink / raw)
  To: sven.schultschik, cip-dev

On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
> 
> The secure boot setup with OP-TEE, u-boot and EFI works with a platform key (pk), key exchange key (kek) and signature database (db). isar-cip-core should only provide one secure boot solution and so the key structure and setup needed to be adjusted.
> 

I don't understand the purpose yet, specifically as the touched keys and
the signing structure was already used for UEFI secure boot, on x86 and
ARM[64]. It rather looks to me like you are committing a lot of stuff
that can be easily generated, given the secure boot key pair.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* AW: [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db
  2022-11-21 10:40   ` Jan Kiszka
@ 2022-11-21 15:10     ` Schultschik, Sven
  2022-11-21 17:25       ` Jan Kiszka
  0 siblings, 1 reply; 16+ messages in thread
From: Schultschik, Sven @ 2022-11-21 15:10 UTC (permalink / raw)
  To: Kiszka, Jan, cip-dev


> On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
> > From: Sven Schultschik <sven.schultschik@siemens.com>
> >
> > The secure boot setup with OP-TEE, u-boot and EFI works with a platform
> > key (pk), key exchange key (kek) and signature database (db).
> > isar-cip-core should only provide one secure boot solution and so the key
> > structure and setup needed to be adjusted.
> >
>
> I don't understand the purpose yet, specifically as the touched keys and the
> signing structure was already used for UEFI secure boot, on x86 and ARM[64].
> It rather looks to me like you are committing a lot of stuff that can be
> easily generated, given the secure boot key pair.
>

It depends on the purpose you want to create.

My idea was to provide the complete PK, KEK, db structure as snakeoil and
possibility to be added to the build.

Your idea is to use the existing key and pem as "PK" and generate KEK and db
while the build is running.

- But then my question would be, why then not generate all snakeoil keys and
  certs on the fly?
- Or do you want only the PkKek-1-snakeoil key/cert to be provisioned in qemu
  as "db"?
- Or should the PkKek-1-snakeoil key/cert be used as "PK" and KEK and db
  should be generated on the fly and signed by the PkKek-1-snakeoil key/cert?

It depends on the goal you want to achieve.

For production you only need the "db" to sign the efi file, but for qemu you
would need PK and KEK as well to be provisioned to the efi environment.

The longer I think about it, the more possible solutions come to mind.

Regards

Sven


* Re: [isar-cip-core][PATCH 6/8] change ebg sb signer and secrets to pk kek db
  2022-11-21 15:10     ` AW: " Schultschik, Sven
@ 2022-11-21 17:25       ` Jan Kiszka
  0 siblings, 0 replies; 16+ messages in thread
From: Jan Kiszka @ 2022-11-21 17:25 UTC (permalink / raw)
  To: Schultschik, Sven (DI PA DCP R&D 2), cip-dev

On 21.11.22 16:10, Schultschik, Sven (DI PA DCP R&D 2) wrote:
> 
>> On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
>>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>>
>>> The secure boot setup with OP-TEE, u-boot and EFI works with a platform
>>> key (pk), key exchange key (kek) and signature database (db).
>>> isar-cip-core should only provide one secure boot solution and so the key
>>> structure and setup needed to be adjusted.
>>>
>>
>> I don't understand the purpose yet, specifically as the touched keys and the
>> signing structure was already used for UEFI secure boot, on x86 and ARM[64].
>> It rather looks to me like you are committing a lot of stuff that can be
>> easily generated, given the secure boot key pair.
>>
> 
> It depends on the purpose you want to create.
> 
> My idea was to provide the complete PK, KEK, db structure as snakeoil and
> possibility to be added to the build.
> 
> Your idea is to use the existing key and pem as "PK" and generate KEK and db
> while the build is running.
> 
> - But then my question would be, why then not generate all snakeoil keys and
>   certs on the fly?

Because we use existing provisioning for x86 OVMF.

> - Or do you want only the PkKek-1-snakeoil key/cert to be provisioned in qemu
>   as "db"?
> - Or should the PkKek-1-snakeoil key/cert be used as "PK" and KEK and db
>   should be generated on the fly and signed by the PkKek-1-snakeoil key/cert?
> 
> It depends on the goal you want to achieve.
> 
> For production you only need the "db" to sign the efi file, but for qemu you
> would need PK and KEK as well to be provisioned to the efi environment.

sbsign takes the private key and the cert to sign a binary. That cert
then has to be added into the cert DB on the target in order to validate
the signature later on. We do that during the build so far for U-Boot
and expect the x86 firmware to have been provisioned accordingly.

However, in order to model a complete UEFI device lifecycle, there
should also be the Platform Key and the Key Exchange Key involved. We
don't do anything about those yet for U-Boot, just set them to be
identical to the signing key. We can change that eventually, but I don't
see that related to adding RPMB as secure storage.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux
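
The db requirement described in the message above (the certificate given to sbsign must be present in the target's signature database), as an added example that is not part of the thread or of isar-cip-core: it parses a db.esl in the UEFI EFI_SIGNATURE_LIST layout and reports whether a given signer certificate is enrolled. The helper names, the owner GUID and the sample bytes are constructed for illustration; the "certificates" are placeholder byte strings, not real DER.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): entries of this type are DER X.509 certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header:
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HDR = struct.Struct("<16sIII")
GUID_LEN = 16


def build_esl(sig_type, owner, payload):
    """Wrap one payload in an EFI_SIGNATURE_LIST (used to construct sample input)."""
    entry = owner.bytes_le + payload
    header = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(entry), 0, len(entry))
    return header + entry


def parse_esl(blob):
    """Return [(type GUID, owner GUID, data)] for all entries of all lists.

    A db usually holds several concatenated lists, one per certificate,
    because every entry inside a single list must have the same size.
    Malformed or truncated input raises ValueError instead of being skipped.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated signature list header")
        raw_type, list_size, hdr_size, entry_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size or off + list_size > len(blob):
            raise ValueError("signature list size out of bounds")
        if entry_size <= GUID_LEN:
            raise ValueError("signature entry too small to hold an owner GUID")
        body_len = list_size - LIST_HDR.size - hdr_size
        if body_len < 0 or body_len % entry_size:
            raise ValueError("list body is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + LIST_HDR.size + hdr_size
        for _ in range(body_len // entry_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + GUID_LEN])
            entries.append((sig_type, owner, blob[pos + GUID_LEN:pos + entry_size]))
            pos += entry_size
        off += list_size
    return entries


def signer_enrolled(db_esl, signer_der):
    """True if signer_der appears as an X.509 entry in the db signature lists."""
    return any(
        sig_type == EFI_CERT_X509_GUID and data == signer_der
        for sig_type, _owner, data in parse_esl(db_esl)
    )


# Constructed sample input: placeholder bytes standing in for two DER certificates.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_SIGNER_DER = b"\x30\x82constructed-signer-certificate"
SAMPLE_OTHER_DER = b"\x30\x82constructed-other-cert"
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, SAMPLE_OTHER_DER)
    + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, SAMPLE_SIGNER_DER)
)

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(SAMPLE_DB):
        print(sig_type, owner, len(data), "bytes")
    print("signer enrolled:", signer_enrolled(SAMPLE_DB, SAMPLE_SIGNER_DER))
```

With real files, read db.esl and the DER form of the signing certificate as bytes and pass them to signer_enrolled.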




* Re: [cip-dev] [isar-cip-core][PATCH 1/8] add recipe for edk2
  2022-11-20 20:47 ` [isar-cip-core][PATCH 1/8] add recipe for edk2 sven.schultschik
@ 2023-01-09  6:42   ` Su, Bao Cheng
  2023-01-09  7:40     ` Jan Kiszka
  2023-01-11  8:37     ` Schultschik, Sven
  0 siblings, 2 replies; 16+ messages in thread
From: Su, Bao Cheng @ 2023-01-09  6:42 UTC (permalink / raw)
  To: cip-dev; +Cc: Schultschik, Sven, Kiszka, Jan

On Sun, 2022-11-20 at 21:47 +0100, Schultschik, Sven via lists.cip-project.org wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
> 
> provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependency.
> 
> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> ---
>  .../edk2/edk2-platformstandalonemmrpmb.inc    | 56 +++++++++++++++++
>  .../edk2-platformstandalonemmrpmb_202205.bb   | 12 ++++
>  recipes-bsp/edk2/files/rules.tmpl             | 61 +++++++++++++++++++
>  3 files changed, 129 insertions(+)
>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
>  create mode 100755 recipes-bsp/edk2/files/rules.tmpl
> 
> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
> new file mode 100644
> index 0000000..3277cc8
> --- /dev/null
> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
> @@ -0,0 +1,56 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +#  Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +HOMEPAGE = "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=9P%2FE9X1XBTC3KyoKEEdnFQMk75K0kWyJ27GIaNYLt8I%3D&amp;reserved=0"
> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> +LICENSE = "BSD-2-Clause-Patent"
> +
> +inherit dpkg
> +
> +SRC_URI = "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2%2Farchive%2Frefs%2Ftags%2Fedk2-stable%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=iRpR%2FuUjJ7fm14hsvfXPeWP6IlyaUzHToet79uU2e4Y%3D&amp;reserved=0{PV}.tar.gz;name=edk2 \
> +    https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fgoogle%2Fbrotli%2Farchive%2F%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=pxp4gT%2Fm7pxMANDx0oXWpjknB%2ByUWFupdtQQsZn%2B1g8%3D&amp;reserved=0{SRC_REV_brotli}.tar.gz;name=brotli \
> +    https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Farchive%2Frefs%2Ftags%2F%24&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=po8JpMAv3G51dPOvS6lDetWvdZiY6LjDruaR%2BejGESA%3D&amp;reserved=0{SRC_REV_openssl}.tar.gz;name=openssl \
> +    git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;name=edk2-platforms \
> +    file://rules.tmpl \
> +    "
> +SRC_URI[edk2.sha256sum] = "e6cf93bae78b30a10732b8afb5cc438735dc9ec976ae65d12dab041c18bb7987"
> +SRC_URI[brotli.sha256sum] = "6d6cacce05086b7debe75127415ff9c3661849f564fe2f5f3b0383d48aa4ed77"
> +SRC_URI[openssl.sha256sum] = "6b2d2440ced8c802aaa61475919f0870ec556694c466ebea460e35ea2b14839e"
> +
> +SRC_REV_brotli          = "f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
> +SRC_REV_openssl         = "OpenSSL_1_1_1n"
> +SRCREV_edk2-platforms   = "3b896d1a325686de3942723c42f286090453e37a"
> +
> +S = "${WORKDIR}/git"
> +
> +DEBIAN_BUILD_DEPENDS = "python3:native, dh-python, uuid-dev:native"
> +
> +EDK2_BINARIES ?= "Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd"
> +
> +BUILD_DEPENDS   += ""
> +
> +TEMPLATE_FILES = "rules.tmpl"
> +
> +do_prepare_build() {
> +    deb_debianize
> +
> +    mkdir -p ${S}/edk2
> +    cp -a ${WORKDIR}/edk2-edk2-stable${PV}/* "${S}/edk2/"
> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/BaseTools/Source/C/BrotliCompress/brotli"
> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli"
> +    cp -a ${WORKDIR}/openssl-${SRC_REV_openssl}/* "${S}/edk2/CryptoPkg/Library/OpensslLib/openssl"
> +
> +    rm -f ${S}/debian/edk2.install
> +    for binary in ${EDK2_BINARIES}; do
> +        echo "$binary /usr/lib/edk2/" >> \
> +            ${S}/debian/edk2-platformstandalonemmrpmb.install
> +    done
> +}
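
Review bot: in do_prepare_build, the cleanup removes ${S}/debian/edk2.install while the loop appends to ${S}/debian/edk2-platformstandalonemmrpmb.install, so the rm never touches the file that is written and a repeated do_prepare_build adds the BL32_AP_MM.fd entry again. Remove the same file the loop appends to, for example by using ${PN}.install in both places.
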
> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
> new file mode 100644
> index 0000000..84761c9
> --- /dev/null
> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb

2022.05 is a bit older version, the latest ones are 2022.08 and even
2022.11.

Not sure if any security updates between these versions, but I would
blindly use the newer version.

- Baocheng

> @@ -0,0 +1,12 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +#  Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require edk2-platformstandalonemmrpmb.inc

Sorry, after some rethinking, I find maybe it's not a good idea to have
the multiple version supportive for EDK2, since:

1. EDK2 has too many sub-components, if multi version need be supported,
somebody must have to maintain a list of these sub-components for each
version, which could be a not easy job. Also, it's hard to notice if the
wrong versions of some sub-components are selected. So it would increase
the chance of making mistake.

2. Unlike kernel, there should be no real requirement of using different
version of EDK2 stmm for different products/projects, from security
point of view, the latest security version should always be used.

3. Best practice, per my understanding, is we have an unified EDK2-stmm
version in cip-core and downstreams just use it. if new version is
required, then upstream it into cip-core.

- Baocheng

> diff --git a/recipes-bsp/edk2/files/rules.tmpl b/recipes-bsp/edk2/files/rules.tmpl
> new file mode 100755
> index 0000000..388e49a
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/rules.tmpl
> @@ -0,0 +1,61 @@
> +#!/usr/bin/make -f
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +export WORKSPACE=$(shell pwd)
> +export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
> +export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
> +
> +# https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2-platforms%2Fblob%2Fmaster%2FReadme.md%23if-cross-compiling&amp;data=05%7C01%7Cbaocheng.su%40ad011.siemens.com%7Cd8e95371c5514a59b97208dacb389eee%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638045741292237684%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=FewD9iEjYriBF2%2FwENcbaS594qR18lg%2BQZ8HgHRt6JQ%3D&amp;reserved=0
> +ifeq (arm64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'AARCH64'
> +else ifeq ((armhf,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'ARM'
> +else ifeq ((amd64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'X64'
> +else ifeq ((i386,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'IA32'
> +else
> +$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
> +endif
> +# When cross-compiling, or building with a different version of the compiler than
> +# the default `gcc`, we additionally need to inform the
> +# build command which toolchain to use. We do this by setting the environment
> +# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
> +# **GCC5_AARCH64_PREFIX**.
> +# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
> +# using export here at TOP Level does not work, because
> +# GCC5_$(TARGET_ARCH)_PREFIX gets deleted again for what reason ever
> +# Therefore it is set right before the build command
> +# export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-
> +
> +
> +export SHELL=/bin/bash
> +
> +# ENV Vars which should get set by edksetup.sh
> +export PYTHON_COMMAND=python3
> +export PYTHONHASHSEED=1
> +export CONF_PATH=$(WORKSPACE)/edk2/Conf
> +export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
> +export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> +
> +override_dh_auto_build:
> +	source edk2/edksetup.sh --reconfig
> +
> +	CFLAGS= LDFLAGS=  make -C edk2/BaseTools
> +
> +	(export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)- && \
> +		build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc))
> +
> +override_dh_auto_install:
> +
> +override_dh_auto_test:
> +
> +%:
> +	dh $@ --no-parallel
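
Review bot: the armhf, amd64 and i386 branches of the TARGET_ARCH selection are written as "else ifeq ((armhf,$(DEB_TARGET_ARCH))" with a doubled opening parenthesis, so they cannot match as intended; only the arm64 test, written with a single parenthesis, is correct. Drop the extra "(" in the three branches. The single quotes around the TARGET_ARCH values are kept literally by make, which is a likely reason the top-level export of GCC5_$(TARGET_ARCH)_PREFIX did not survive and why Linux-$(TARGET_ARCH) in PATH points at a quoted directory name; assigning the bare values (AARCH64, ARM, X64, IA32) would let the export move back to the top level.
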



* Re: [cip-dev] [isar-cip-core][PATCH 1/8] add recipe for edk2
  2023-01-09  6:42   ` [cip-dev] " Su, Bao Cheng
@ 2023-01-09  7:40     ` Jan Kiszka
  2023-01-11  8:47       ` Schultschik, Sven
  2023-01-11  8:37     ` Schultschik, Sven
  1 sibling, 1 reply; 16+ messages in thread
From: Jan Kiszka @ 2023-01-09  7:40 UTC (permalink / raw)
  To: Su, Bao Cheng (DI FA CTR IPC CN PRC4),
	cip-dev, Schultschik, Sven (DI PA DCP R&D 2)

On 09.01.23 07:42, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> On Sun, 2022-11-20 at 21:47 +0100, Schultschik, Sven via lists.cip-project.org wrote:
>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>
>> provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependency.

Should mention the StandaloneMm for RPMB, what it is and then mention
where it will be used.

Also adjust the subject - we are not building complete EDK2.

>>
>> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
>> ---
>>  .../edk2/edk2-platformstandalonemmrpmb.inc    | 56 +++++++++++++++++
>>  .../edk2-platformstandalonemmrpmb_202205.bb   | 12 ++++

Recipe name became too unreadable. "edk2-standalonemm-rpmb" maybe? By
convention, we don't use camel-cases in recipes, so this cannot help
with separating words.

>>  recipes-bsp/edk2/files/rules.tmpl             | 61 +++++++++++++++++++
>>  3 files changed, 129 insertions(+)
>>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
>>  create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
>>  create mode 100755 recipes-bsp/edk2/files/rules.tmpl
>>
>> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
>> new file mode 100644
>> index 0000000..3277cc8
>> --- /dev/null
>> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
>> @@ -0,0 +1,56 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2022
>> +#
>> +# Authors:
>> +#  Sven Schultschik <sven.schultschik@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +HOMEPAGE = "https://github.com/tianocore/edk2"
>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
>> +LICENSE = "BSD-2-Clause-Patent"

We don't track licenses this way, so better drop this line.

>> +
>> +inherit dpkg
>> +
>> +SRC_URI = "https://github.com/tianocore/edk2/archive/refs/tags/edk2-stable${PV}.tar.gz;name=edk2 \
>> +    https://github.com/google/brotli/archive/${SRC_REV_brotli}.tar.gz;name=brotli \
>> +    https://github.com/openssl/openssl/archive/refs/tags/${SRC_REV_openssl}.tar.gz;name=openssl \

Can we use the Debian sources here? Would avoid separate version
tracking (SVM, OSS license checking...).

>> +    git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;name=edk2-platforms \

Why not using an archive here as well? Even works when there is no
release tag.

>> +    file://rules.tmpl \
>> +    "
>> +SRC_URI[edk2.sha256sum] = "e6cf93bae78b30a10732b8afb5cc438735dc9ec976ae65d12dab041c18bb7987"
>> +SRC_URI[brotli.sha256sum] = "6d6cacce05086b7debe75127415ff9c3661849f564fe2f5f3b0383d48aa4ed77"
>> +SRC_URI[openssl.sha256sum] = "6b2d2440ced8c802aaa61475919f0870ec556694c466ebea460e35ea2b14839e"
>> +
>> +SRC_REV_brotli          = "f4153a09f87cbb9c826d8fc12c74642bb2d879ea"
>> +SRC_REV_openssl         = "OpenSSL_1_1_1n"
>> +SRCREV_edk2-platforms   = "3b896d1a325686de3942723c42f286090453e37a"

Would be good to clarify how these revisions were selected. Do they come
from the EDK2 build manifest?

>> +
>> +S = "${WORKDIR}/git"
>> +
>> +DEBIAN_BUILD_DEPENDS = "python3:native, dh-python, uuid-dev:native"
>> +
>> +EDK2_BINARIES ?= "Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd"
>> +
>> +BUILD_DEPENDS   += ""

Useless line.

>> +
>> +TEMPLATE_FILES = "rules.tmpl"

Which variables are you actually replacing?

>> +
>> +do_prepare_build() {
>> +    deb_debianize
>> +
>> +    mkdir -p ${S}/edk2
>> +    cp -a ${WORKDIR}/edk2-edk2-stable${PV}/* "${S}/edk2/"
>> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/BaseTools/Source/C/BrotliCompress/brotli"
>> +    cp -a ${WORKDIR}/brotli-${SRC_REV_brotli}/* "${S}/edk2/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli"
>> +    cp -a ${WORKDIR}/openssl-${SRC_REV_openssl}/* "${S}/edk2/CryptoPkg/Library/OpensslLib/openssl"
>> +
>> +    rm -f ${S}/debian/edk2.install
>> +    for binary in ${EDK2_BINARIES}; do
>> +        echo "$binary /usr/lib/edk2/" >> \
>> +            ${S}/debian/edk2-platformstandalonemmrpmb.install
>> +    done
>> +}
>> diff --git a/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
>> new file mode 100644
>> index 0000000..84761c9
>> --- /dev/null
>> +++ b/recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
> 
> 2022.05 is a bit older version, the latest ones are 2022.08 and even
> 2022.11.
> 
> Not sure if any security updates between these versions, but I would
> blindly use the newer version.

Ack.

> 
> - Baocheng
> 
>> @@ -0,0 +1,12 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2022
>> +#
>> +# Authors:
>> +#  Sven Schultschik <sven.schultschik@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +require edk2-platformstandalonemmrpmb.inc
> 
> Sorry, after some rethinking, I find maybe it's not a good idea to have
> the multiple version supportive for EDK2, since:
> 
> 1. EDK2 has too many sub-components, if multi version need be supported,
> somebody must have to maintain a list of these sub-components for each
> version, which could be a not easy job. Also, it's hard to notice if the
> wrong versions of some sub-components are selected. So it would increase
> the chance of making mistake.
> 
> 2. Unlike kernel, there should be no real requirement of using different
> version of EDK2 stmm for different products/projects, from security
> point of view, the latest security version should always be used.
> 
> 3. Best practice, per my understanding, is we have an unified EDK2-stmm
> version in cip-core and downstreams just use it. if new version is
> required, then upstream it into cip-core.
> 
> - Baocheng
> 
>> diff --git a/recipes-bsp/edk2/files/rules.tmpl b/recipes-bsp/edk2/files/rules.tmpl
>> new file mode 100755
>> index 0000000..388e49a
>> --- /dev/null
>> +++ b/recipes-bsp/edk2/files/rules.tmpl
>> @@ -0,0 +1,61 @@
>> +#!/usr/bin/make -f
>> +#
>> +# Copyright (c) Siemens AG, 2022
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>> +endif
>> +
>> +export WORKSPACE=$(shell pwd)
>> +export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
>> +export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
>> +
>> +# https://github.com/tianocore/edk2-platforms/blob/master/Readme.md#if-cross-compiling
>> +ifeq (arm64,$(DEB_TARGET_ARCH))
>> +export TARGET_ARCH = 'AARCH64'
>> +else ifeq ((armhf,$(DEB_TARGET_ARCH))
>> +export TARGET_ARCH = 'ARM'
>> +else ifeq ((amd64,$(DEB_TARGET_ARCH))
>> +export TARGET_ARCH = 'X64'
>> +else ifeq ((i386,$(DEB_TARGET_ARCH))
>> +export TARGET_ARCH = 'IA32'
>> +else
>> +$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
>> +endif

Maybe a blank line here to make things more readable.

>> +# When cross-compiling, or building with a different version of the compiler than
>> +# the default `gcc`, we additionally need to inform the
>> +# build command which toolchain to use. We do this by setting the environment
>> +# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
>> +# **GCC5_AARCH64_PREFIX**.
>> +# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
>> +# using export here at TOP Level does not work, because
>> +# GCC5_$(TARGET_ARCH)_PREFIX gets deleted again for what reason ever
>> +# Therefore it is set right before the build command
>> +# export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-

Context? This refers to something done much more below.

>> +
>> +

One blank line too much.

>> +export SHELL=/bin/bash

Needed?

>> +
>> +# ENV Vars which should get set by edksetup.sh
>> +export PYTHON_COMMAND=python3
>> +export PYTHONHASHSEED=1
>> +export CONF_PATH=$(WORKSPACE)/edk2/Conf
>> +export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
>> +export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>> +
>> +override_dh_auto_build:
>> +source edk2/edksetup.sh --reconfig
>> +
>> +CFLAGS= LDFLAGS=  make -C edk2/BaseTools
>> +
>> +(export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)- && \
>> +build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc))
>> +
>> +override_dh_auto_install:
>> +
>> +override_dh_auto_test:
>> +
>> +%:
>> +dh $@ --no-parallel

I've discussed with Baocheng to pull this in earlier. Unfortunately, the
situation for QEMU is still ugly, and I do not like that U-Boot hack
which does not allow us to truly explore EFI vars in RPMB (even more if
kernel patches will show up soon that allow using those via the normal
kernel APIs).

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* Re: [cip-dev] [isar-cip-core][PATCH 1/8] add recipe for edk2
  2023-01-09  6:42   ` [cip-dev] " Su, Bao Cheng
  2023-01-09  7:40     ` Jan Kiszka
@ 2023-01-11  8:37     ` Schultschik, Sven
  1 sibling, 0 replies; 16+ messages in thread
From: Schultschik, Sven @ 2023-01-11  8:37 UTC (permalink / raw)
  To: cip-dev, baocheng.su; +Cc: Kiszka, Jan

On Mon, 2023-01-09 at 06:42 +0000, Su, Bao Cheng (DI FA CTR IPC CN
PRC4) wrote:
> 
> 2022.05 is a bit older version, the latest ones are 2022.08 and even
> 2022.11.
> 
> Not sure if any security updates between these versions, but I would
> blindly use the newer version.
> 
> - Baocheng

Indeed the patch itself has some age now. I didn't update after the
feedback, that the patch won't be merged till qemu has a rpmb
implementation.





* Re: [cip-dev] [isar-cip-core][PATCH 1/8] add recipe for edk2
  2023-01-09  7:40     ` Jan Kiszka
@ 2023-01-11  8:47       ` Schultschik, Sven
  0 siblings, 0 replies; 16+ messages in thread
From: Schultschik, Sven @ 2023-01-11  8:47 UTC (permalink / raw)
  To: cip-dev, Kiszka, Jan, baocheng.su

On Mon, 2023-01-09 at 08:40 +0100, Jan Kiszka wrote:
> On 09.01.23 07:42, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> > On Sun, 2022-11-20 at 21:47 +0100, Schultschik, Sven via lists.cip-project.org wrote:
> > > From: Sven Schultschik <sven.schultschik@siemens.com>
> > > 
> > > provide a recipe to create the BL32_AP_MM.fd binary by edk2 which
> > > is needed for the qemu optee generation as dependency.
> 
> Should mention the StandaloneMm for RPMB, what it is and then mention
> where it will be used.
> 
> Also adjust the subject - we are not building complete EDK2.
> 
> > > 
> > > Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> > > ---
> > >  .../edk2/edk2-platformstandalonemmrpmb.inc    | 56
> > > +++++++++++++++++
> > >  .../edk2-platformstandalonemmrpmb_202205.bb   | 12 ++++
> 
> Recipe name became too unreadable. "edk2-standalonemm-rpmb" maybe? By
> convention, we don't use camel-cases in recipes, so this cannot help
> with separating words.
Made the changes yesterday, but as I can see you already did with the
other patch you sent in.
> 
> > > 
> 
> Would be good to clarify how these revisions were selected. Do they
> come
> from the EDK2 build manifest?

Those are submodules. So look into the edk2 repo on the specific
location which version they used in the submodule at the version you
want to use edk2.
> 
> > > 
> 
> > > +export SHELL=/bin/bash
> 
> Needed?

Yes. source edk2/edksetup.sh only works under bin/bash



