[isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB

From: sven.schultschik@siemens.com
To: cip-dev@lists.cip-project.org
Cc: jan.kiszka@siemens.com, Sven Schultschik <sven.schultschik@siemens.com>
Subject: [isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPMB
Date: Sun, 20 Nov 2022 21:47:03 +0100	[thread overview]
Message-ID: <20221120204711.5826-1-sven.schultschik@siemens.com> (raw)

From: Sven Schultschik <sven.schultschik@siemens.com>

This series of patches will add recipes to build a QEMU setup
which uses OP-TEE to use RPMB (Replay protected memory) of
an EMMC for a secure storage. Which is used within Secureboot
on ARM64. 
This secure boot solution works with a platform key (pk),
a key exchange key (kek) and a signature database (db).
Therefore the ebg signer, secret boot secrets and snakeoil
keys are change to this setup.
QEMU itself does not have an implementation of a
virtual RPMB. Therefore a patch for u-boot is needed which
adds this feature to u-boot, but breaks hardware
compatibility within u-boot. The virtiual RPMB workaround
is not persistent as well. Therfore a method to copy the keys
to the deploy folder, mount them into the qemu and provision
them on every boot is implemented.
As soon as QEMU has a native persistent RPMB support included,
the u-boot patch and the mounted keys can be removed.

Sven Schultschik (8):
  add recipe for edk2
  add recipe for optee qemu arm64
  Include optee into u-boot
  add u-boot patch for qemu to support RPMB
  add recipe for trusted firmware a qemu arm64
  change ebg sb signer and secrets to pk kek db
  enhance start-qemu.sh for arm64 secure boot
  Use of snakeoil keys for qemu use case

 kas/opt/ebg-secure-boot-snakeoil.yml          |    1 +
 .../edk2/edk2-platformstandalonemmrpmb.inc    |   56 +
 .../edk2-platformstandalonemmrpmb_202205.bb   |   12 +
 recipes-bsp/edk2/files/rules.tmpl             |   61 +
 .../op-tee/optee-os-qemu-arm64_3.17.0.bb      |   54 +
 .../trusted-firmware-a/files/rules.tmpl       |   22 +
 .../trusted-firmware-a-qemu-arm64_2.7.0.bb    |   62 +
 ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |    9 +-
 recipes-bsp/u-boot/u-boot-qemu-common.inc     |    9 +
 .../files/sign_secure_image.sh                |    2 +-
 .../secure-boot-secrets/files/KEK.auth        |  Bin 0 -> 2066 bytes
 .../secure-boot-secrets/files/KEK.crt         |   19 +
 .../secure-boot-secrets/files/KEK.esl         |  Bin 0 -> 839 bytes
 .../secure-boot-secrets/files/KEK.key         |   28 +
 .../secure-boot-secrets/files/PK.auth         |  Bin 0 -> 2064 bytes
 .../secure-boot-secrets/files/PK.crt          |   19 +
 .../secure-boot-secrets/files/PK.esl          |  Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/PK.key          |   28 +
 .../files/PkKek-1-snakeoil.key                |   27 -
 .../files/PkKek-1-snakeoil.pem                |   21 -
 .../secure-boot-secrets/files/db.auth         |  Bin 0 -> 2067 bytes
 .../secure-boot-secrets/files/db.crt          |   19 +
 .../secure-boot-secrets/files/db.esl          |  Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/db.key          |   28 +
 .../secure-boot-secrets.inc                   |   59 +-
 .../secure-boot-snakeoil_0.1.bb               |    5 +-
 start-qemu.sh                                 |   20 +-
 28 files changed, 1873 insertions(+), 63 deletions(-)
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb.inc
 create mode 100644 recipes-bsp/edk2/edk2-platformstandalonemmrpmb_202205.bb
 create mode 100755 recipes-bsp/edk2/files/rules.tmpl
 create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
 create mode 100755 recipes-bsp/trusted-firmware-a/files/rules.tmpl
 create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
 create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key

-- 
2.30.2