Import firmware signing keychain from coreboot at boot

2020-07-20 19:59:18 -07:00 · 2020-07-20 19:59:18 -07:00 · d35950c72f
parent 01c292c828
commit d35950c72f
6 changed files with 114 additions and 0 deletions
--- a/config/buildroot/Config.in
+++ b/config/buildroot/Config.in
@ -0,0 +1 @@
+source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"
--- a/config/buildroot/configs/airgap_x86_64_defconfig
+++ b/config/buildroot/configs/airgap_x86_64_defconfig
@ -4135,3 +4135,13 @@ BR2_LINUX_KERNEL_CUSTOM_GIT_VERSION=""
 #
 # Linux distribution for offline cryptography use cases (in /home/build/config/buildroot)
 #
+
+#
+# Flashtools
+#
+BR2_PACKAGE_FLASHTOOLS=y
+# BR2_PACKAGE_FLASHTOOLS_FLASHTOOL is not set
+# BR2_PACKAGE_FLASHTOOLS_PEEK is not set
+# BR2_PACKAGE_FLASHTOOLS_POKE is not set
+BR2_PACKAGE_FLASHTOOLS_CBFS=y
+# BR2_PACKAGE_FLASHTOOLS_UEFI is not set
--- a/config/buildroot/external.mk
+++ b/config/buildroot/external.mk
@ -0,0 +1 @@
+include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package/*/*.mk))
--- a/config/buildroot/package/flashtools/Config.in
+++ b/config/buildroot/package/flashtools/Config.in
@ -0,0 +1,36 @@
+menu "Flashtools"
+
+config BR2_PACKAGE_FLASHTOOLS
+	bool "flashtools"
+
+config BR2_PACKAGE_FLASHTOOLS_FLASHTOOL
+	bool "flashtool"
+	select BR2_PACKAGE_FLASHTOOLS
+	help
+      Todo
+
+config BR2_PACKAGE_FLASHTOOLS_PEEK
+	bool "peek"
+	select BR2_PACKAGE_FLASHTOOLS
+	help
+      Todo
+
+config BR2_PACKAGE_FLASHTOOLS_POKE
+	bool "poke"
+	select BR2_PACKAGE_FLASHTOOLS
+	help
+      Todo
+
+config BR2_PACKAGE_FLASHTOOLS_CBFS
+	bool "cbfs"
+	select BR2_PACKAGE_FLASHTOOLS
+	help
+      Todo
+
+config BR2_PACKAGE_FLASHTOOLS_UEFI
+	bool "uefi"
+	select BR2_PACKAGE_FLASHTOOLS
+	help
+      Todo
+
+endmenu
--- a/config/buildroot/package/flashtools/flashtools.mk
+++ b/config/buildroot/package/flashtools/flashtools.mk
@ -0,0 +1,47 @@
+################################################################################
+#
+# flashtools
+#
+################################################################################
+
+FLASHTOOLS_VERSION = 9acce09aeb635c5bef01843e495b95e75e8da135
+FLASHTOOLS_SITE = https://github.com/osresearch/flashtools.git
+FLASHTOOLS_SITE_METHOD = git
+FLASHTOOLS_LICENSE = GPL-2.0
+FLASHTOOLS_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_FLASHTOOL),y)
+	FLASHTOOLS_TARGETS += flashtool
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_PEEK),y)
+	FLASHTOOLS_TARGETS += peek
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_POKE),y)
+	FLASHTOOLS_TARGETS += poke
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_CBFS),y)
+	FLASHTOOLS_TARGETS += cbfs
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_UEFI),y)
+	FLASHTOOLS_TARGETS += uefi
+endif
+
+define FLASHTOOLS_BUILD_CMDS
+	$(foreach t,$(FLASHTOOLS_TARGETS),\
+		$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
+			CFLAGS="$(TARGET_CFLAGS)" -C $(@D) $(t) \
+	)
+endef
+
+define FLASHTOOLS_INSTALL_TARGET_CMDS
+	$(foreach t,$(FLASHTOOLS_TARGETS),\
+		$(INSTALL) -D -m 0755 $(@D)/$(t) $(TARGET_DIR)/usr/bin/$(t)$(sep) \
+	)
+endef
+
+
+$(eval $(generic-package))
--- a/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
+++ b/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
@ -0,0 +1,19 @@
+#!/bin/sh
+
+case "${1}" in
+	start)
+		printf 'Loading firmware signing key from Coreboot CBFS: '
+		mkdir -p /.gnupg
+		cbfs -r heads/initrd/.gnupg/pubring.kbx > /.gnupg/pubring.kbx
+		cbfs -r heads/initrd/.gnupg/trustdb.gpg > /.gnupg/trustdb.gpg
+		if [ $? -eq 0 ]; then
+			echo "OK"
+		else
+			echo "FAIL"
+		fi
+		;;
+	*)
+		echo "Usage: ${0} {start}"
+		exit 1
+		;;
+esac
				`@ -0,0 +1 @@`
				`source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"`
				`@ -0,0 +1 @@`
				`include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package//.mk))`