Import firmware signing keychain from coreboot at boot

2020-07-20 19:59:18 -07:00 · 2020-07-20 19:59:18 -07:00 · d35950c72f
parent 01c292c828
commit d35950c72f
6 changed files with 114 additions and 0 deletions
--- a/config/buildroot/Config.in
+++ b/config/buildroot/Config.in
@ -0,0 +1 @@
 source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"
--- a/config/buildroot/configs/airgap_x86_64_defconfig
+++ b/config/buildroot/configs/airgap_x86_64_defconfig
@ -4135,3 +4135,13 @@ BR2_LINUX_KERNEL_CUSTOM_GIT_VERSION=""
 #
 # Linux distribution for offline cryptography use cases (in /home/build/config/buildroot)
 #
 #
 # Flashtools
 #
 BR2_PACKAGE_FLASHTOOLS=y
 # BR2_PACKAGE_FLASHTOOLS_FLASHTOOL is not set
 # BR2_PACKAGE_FLASHTOOLS_PEEK is not set
 # BR2_PACKAGE_FLASHTOOLS_POKE is not set
 BR2_PACKAGE_FLASHTOOLS_CBFS=y
 # BR2_PACKAGE_FLASHTOOLS_UEFI is not set
--- a/config/buildroot/external.mk
+++ b/config/buildroot/external.mk
@ -0,0 +1 @@
 include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package/*/*.mk))
--- a/config/buildroot/package/flashtools/Config.in
+++ b/config/buildroot/package/flashtools/Config.in
@ -0,0 +1,36 @@
 menu "Flashtools"
 config BR2_PACKAGE_FLASHTOOLS
 	bool "flashtools"
 config BR2_PACKAGE_FLASHTOOLS_FLASHTOOL
 	bool "flashtool"
 	select BR2_PACKAGE_FLASHTOOLS
 	help
      Todo
 config BR2_PACKAGE_FLASHTOOLS_PEEK
 	bool "peek"
 	select BR2_PACKAGE_FLASHTOOLS
 	help
      Todo
 config BR2_PACKAGE_FLASHTOOLS_POKE
 	bool "poke"
 	select BR2_PACKAGE_FLASHTOOLS
 	help
      Todo
 config BR2_PACKAGE_FLASHTOOLS_CBFS
 	bool "cbfs"
 	select BR2_PACKAGE_FLASHTOOLS
 	help
      Todo
 config BR2_PACKAGE_FLASHTOOLS_UEFI
 	bool "uefi"
 	select BR2_PACKAGE_FLASHTOOLS
 	help
      Todo
 endmenu
--- a/config/buildroot/package/flashtools/flashtools.mk
+++ b/config/buildroot/package/flashtools/flashtools.mk
@ -0,0 +1,47 @@
 ################################################################################
 #
 # flashtools
 #
 ################################################################################
 FLASHTOOLS_VERSION = 9acce09aeb635c5bef01843e495b95e75e8da135
 FLASHTOOLS_SITE = https://github.com/osresearch/flashtools.git
 FLASHTOOLS_SITE_METHOD = git
 FLASHTOOLS_LICENSE = GPL-2.0
 FLASHTOOLS_LICENSE_FILES = LICENSE
 ifeq ($(BR2_PACKAGE_FLASHTOOLS_FLASHTOOL),y)
 	FLASHTOOLS_TARGETS += flashtool
 endif
 ifeq ($(BR2_PACKAGE_FLASHTOOLS_PEEK),y)
 	FLASHTOOLS_TARGETS += peek
 endif
 ifeq ($(BR2_PACKAGE_FLASHTOOLS_POKE),y)
 	FLASHTOOLS_TARGETS += poke
 endif
 ifeq ($(BR2_PACKAGE_FLASHTOOLS_CBFS),y)
 	FLASHTOOLS_TARGETS += cbfs
 endif
 ifeq ($(BR2_PACKAGE_FLASHTOOLS_UEFI),y)
 	FLASHTOOLS_TARGETS += uefi
 endif
 define FLASHTOOLS_BUILD_CMDS
 	$(foreach t,$(FLASHTOOLS_TARGETS),\
 		$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
 			CFLAGS="$(TARGET_CFLAGS)" -C $(@D) $(t) \
 	)
 endef
 define FLASHTOOLS_INSTALL_TARGET_CMDS
 	$(foreach t,$(FLASHTOOLS_TARGETS),\
 		$(INSTALL) -D -m 0755 $(@D)/$(t) $(TARGET_DIR)/usr/bin/$(t)$(sep) \
 	)
 endef
 $(eval $(generic-package))
--- a/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
+++ b/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
@ -0,0 +1,19 @@
 #!/bin/sh
 case "${1}" in
 	start)
 		printf 'Loading firmware signing key from Coreboot CBFS: '
 		mkdir -p /.gnupg
 		cbfs -r heads/initrd/.gnupg/pubring.kbx > /.gnupg/pubring.kbx
 		cbfs -r heads/initrd/.gnupg/trustdb.gpg > /.gnupg/trustdb.gpg
 		if [ $? -eq 0 ]; then
 			echo "OK"
 		else
 			echo "FAIL"
 		fi
 		;;
 	*)
 		echo "Usage: ${0} {start}"
 		exit 1
 		;;
 esac
		`@ -0,0 +1 @@`
							`source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"`
		`@ -0,0 +1 @@`
							`include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package//.mk))`