From d35950c72f00afa39600698d7d7931d0fbdac2a1 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 20 Jul 2020 19:59:18 -0700
Subject: [PATCH] Import firmware signing keychain from coreboot at boot
---
 config/buildroot/Config.in | 1 +
 .../buildroot/configs/airgap_x86_64_defconfig | 10 ++++
 config/buildroot/external.mk | 1 +
 config/buildroot/package/flashtools/Config.in | 36 ++++++++++++++
 .../package/flashtools/flashtools.mk | 47 +++++++++++++++++++
 .../etc/init.d/S04cbfs-key-import | 19 ++++++++
 6 files changed, 114 insertions(+)
 create mode 100644 config/buildroot/package/flashtools/Config.in
 create mode 100644 config/buildroot/package/flashtools/flashtools.mk
 create mode 100755 config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
diff --git a/config/buildroot/Config.in b/config/buildroot/Config.in
index e69de29..d176493 100644
--- a/config/buildroot/Config.in
+++ b/config/buildroot/Config.in
@@ -0,0 +1 @@
+source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"
diff --git a/config/buildroot/configs/airgap_x86_64_defconfig b/config/buildroot/configs/airgap_x86_64_defconfig
index df9d2a2..9481fc2 100644
--- a/config/buildroot/configs/airgap_x86_64_defconfig
+++ b/config/buildroot/configs/airgap_x86_64_defconfig
@@ -4135,3 +4135,13 @@ BR2_LINUX_KERNEL_CUSTOM_GIT_VERSION=""
 #
 # Linux distribution for offline cryptography use cases (in /home/build/config/buildroot)
 #
+
+#
+# Flashtools
+#
+BR2_PACKAGE_FLASHTOOLS=y
+# BR2_PACKAGE_FLASHTOOLS_FLASHTOOL is not set
+# BR2_PACKAGE_FLASHTOOLS_PEEK is not set
+# BR2_PACKAGE_FLASHTOOLS_POKE is not set
+BR2_PACKAGE_FLASHTOOLS_CBFS=y
+# BR2_PACKAGE_FLASHTOOLS_UEFI is not set
diff --git a/config/buildroot/external.mk b/config/buildroot/external.mk
index e69de29..bde98c8 100644
--- a/config/buildroot/external.mk
+++ b/config/buildroot/external.mk
@@ -0,0 +1 @@
+include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package/*/*.mk))
diff --git a/config/buildroot/package/flashtools/Config.in b/config/buildroot/package/flashtools/Config.in
new file mode 100644
index 0000000..3f1fc09
--- /dev/null
+++ b/config/buildroot/package/flashtools/Config.in
@@ -0,0 +1,36 @@
+menu "Flashtools"
+
+config BR2_PACKAGE_FLASHTOOLS
+ bool "flashtools"
+
+config BR2_PACKAGE_FLASHTOOLS_FLASHTOOL
+ bool "flashtool"
+ select BR2_PACKAGE_FLASHTOOLS
+ help
+ Todo
+
+config BR2_PACKAGE_FLASHTOOLS_PEEK
+ bool "peek"
+ select BR2_PACKAGE_FLASHTOOLS
+ help
+ Todo
+
+config BR2_PACKAGE_FLASHTOOLS_POKE
+ bool "poke"
+ select BR2_PACKAGE_FLASHTOOLS
+ help
+ Todo
+
+config BR2_PACKAGE_FLASHTOOLS_CBFS
+ bool "cbfs"
+ select BR2_PACKAGE_FLASHTOOLS
+ help
+ Todo
+
+config BR2_PACKAGE_FLASHTOOLS_UEFI
+ bool "uefi"
+ select BR2_PACKAGE_FLASHTOOLS
+ help
+ Todo
+
+endmenu
diff --git a/config/buildroot/package/flashtools/flashtools.mk b/config/buildroot/package/flashtools/flashtools.mk
new file mode 100644
index 0000000..a4eb8b7
--- /dev/null
+++ b/config/buildroot/package/flashtools/flashtools.mk
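Review bot: Every `help` block in this new Config.in is the placeholder `Todo`, and the top-level `BR2_PACKAGE_FLASHTOOLS` bool has no help at all, so menuconfig users get no indication of what each of flashtool, peek, poke, cbfs and uefi does or why they would enable it. Buildroot convention is a short description of the tool followed by a blank line and the upstream URL, which for this package would be the `FLASHTOOLS_SITE` value used in flashtools.mk, `https://github.com/osresearch/flashtools`. At minimum the `cbfs` option, the only one enabled in the defconfig, should state that it is what the `S04cbfs-key-import` init script relies on to read the signing keyring from CBFS at boot, so the dependency is visible to anyone disabling it.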
@@ -0,0 +1,47 @@
+################################################################################
+#
+# flashtools
+#
+################################################################################
+
+FLASHTOOLS_VERSION = 9acce09aeb635c5bef01843e495b95e75e8da135
+FLASHTOOLS_SITE = https://github.com/osresearch/flashtools.git
+FLASHTOOLS_SITE_METHOD = git
+FLASHTOOLS_LICENSE = GPL-2.0
+FLASHTOOLS_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_FLASHTOOL),y)
+ FLASHTOOLS_TARGETS += flashtool
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_PEEK),y)
+ FLASHTOOLS_TARGETS += peek
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_POKE),y)
+ FLASHTOOLS_TARGETS += poke
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_CBFS),y)
+ FLASHTOOLS_TARGETS += cbfs
+endif
+
+ifeq ($(BR2_PACKAGE_FLASHTOOLS_UEFI),y)
+ FLASHTOOLS_TARGETS += uefi
+endif
+
+define FLASHTOOLS_BUILD_CMDS
+ $(foreach t,$(FLASHTOOLS_TARGETS),\
+ $(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
+ CFLAGS="$(TARGET_CFLAGS)" -C $(@D) $(t) \
+ )
+endef
+
+define FLASHTOOLS_INSTALL_TARGET_CMDS
+ $(foreach t,$(FLASHTOOLS_TARGETS),\
+ $(INSTALL) -D -m 0755 $(@D)/$(t) $(TARGET_DIR)/usr/bin/$(t)$(sep) \
+ )
+endef
+
+
+$(eval $(generic-package))
diff --git a/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import b/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
new file mode 100755
index 0000000..3fdef50
--- /dev/null
+++ b/config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+case "${1}" in
+ start)
+ printf 'Loading firmware signing key from Coreboot CBFS: '
+ mkdir -p /.gnupg
+ cbfs -r heads/initrd/.gnupg/pubring.kbx > /.gnupg/pubring.kbx
+ cbfs -r heads/initrd/.gnupg/trustdb.gpg > /.gnupg/trustdb.gpg
+ if [ $? -eq 0 ]; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ ;;
+ *)
+ echo "Usage: ${0} {start}"
+ exit 1
+ ;;
+esac
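Review bot: The `$(foreach …)` in `FLASHTOOLS_BUILD_CMDS` has no `$(sep)` between iterations, unlike the one in `FLASHTOOLS_INSTALL_TARGET_CMDS` just below it, so with two or more tools enabled every per-target make invocation is concatenated onto a single recipe line and the second iteration's `$(TARGET_MAKE_ENV)` assignments and `$(MAKE)` path are passed as extra arguments to the first call. The defconfig in this patch enables only cbfs, which is why this does not show up yet; the fix is to end the inner line with the separator, `CFLAGS="$(TARGET_CFLAGS)" -C $(@D) $(t)$(sep) \`. Pinning `FLASHTOOLS_VERSION` to a full commit hash is the right choice for an offline-crypto image; since the tool produced here is what installs the firmware signing keyring at boot, a companion hash file for the download, which Buildroot can enforce, would be worth adding so the source is checked independently of the git transport.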
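Review bot: The `[ $? -eq 0 ]` test after the two `cbfs -r` lines only reflects the second command, so a failed read of `heads/initrd/.gnupg/pubring.kbx` still prints OK, and because the `>` redirection opens the target before `cbfs` runs, a failed read leaves an empty `pubring.kbx` or `trustdb.gpg` in `/.gnupg` that GnuPG will then happily use as its keyring and trust database. The `start` branch also exits 0 on FAIL, so init cannot distinguish the two outcomes, and the directory is created without the 700 mode GnuPG expects for its home. The rewrite below chains every step with `&&`, writes to `.tmp` files and only moves them into place once both reads succeeded, removes the partial files on failure, and exits non-zero.
```shell
	start)
		printf 'Loading firmware signing key from Coreboot CBFS: '
		mkdir -p /.gnupg && chmod 700 /.gnupg \
		&& cbfs -r heads/initrd/.gnupg/pubring.kbx > /.gnupg/pubring.kbx.tmp \
		&& cbfs -r heads/initrd/.gnupg/trustdb.gpg > /.gnupg/trustdb.gpg.tmp \
		&& mv -f /.gnupg/pubring.kbx.tmp /.gnupg/pubring.kbx \
		&& mv -f /.gnupg/trustdb.gpg.tmp /.gnupg/trustdb.gpg
		if [ $? -eq 0 ]; then
			echo "OK"
		else
			rm -f /.gnupg/pubring.kbx.tmp /.gnupg/trustdb.gpg.tmp
			echo "FAIL"
			exit 1
		fi
		;;
	# … unchanged: usage branch …
```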