On 10 February 2016 at 09:48, Bhupesh Sharma bhupesh.sharma@nxp.com wrote:
Hi Ard,
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] Sent: Tuesday, February 09, 2016 9:20 PM
On 27 January 2016 at 08:34, Bhupesh Sharma bhupesh.sharma@nxp.com wrote:
Hi,
I am trying to do some hands-on on qemu for aarch64 to boot a secure kernel image and running into the following two issues.
I would appreciate any pointers on the same.
- Not able to boot a signed kernel Image on qemu-2.5.0 built for
aarch64:
a) I am using the following OE image from Linaro for vexpress64:
vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz
b) I uncompress the same using the following command: # zcat vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz > vexpress64-oe.img
c) I mount this on /mnt: # mount -o loop,offset=32256 vexpress64-oe.img /mnt
d) # cd /mnt
e) I have downloaded the latest efitools (git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git), which has the following commit as head: commit 613cf530f09fc1b27701b1be2538730539415db4 Author: James Bottomley JBottomley@Parallels.com Date: Wed Jan 14 22:57:41 2015 -0800
flash-var: new routine for manipulating variables in flash
images
f) I make the efitools using make and copy the PK, KEK and DB to /mnt:
# cp -rf PK.auth /mnt/. ; cp -rf DB.auth /mnt/.; cp -rf
KEK.auth /mnt/. ; cp -rf PK.crt /mnt/.; cp -rf DB.crt /mnt/.
# cp -rf KEK.crt /mnt/. ; cp -rf DB.key /mnt/.
g) Now I generate the corresponding .der files:
# openssl x509 -in DB.crt -outform DER -out DB.der and so on..
h) Create a signed kernel Image using 'sbsigntools': # sbsign --key DB.key --cert DB.crt --output Image.signed Image
i) # sync; umount /mnt
j) Launch Qemu and provide the PK.der, KEK.der and DB.der files in the
"User Mode":
# qemu-system-aarch64 -m 1024 -cpu cortex-a57 -M virt -pflash
flash0.img -pflash flash1.img -serial stdio -drive if=none,file=vexpress64-oe.img,id=hd0 -device virtio-blk-device,drive=hd0
k) Now, I enter the shell and provide the signed kernel Image as an
input:
Shell> Image.signed root=/dev/vda2 console=ttyAMA0,38400n8
earlycon=pl011,0x9000000
But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR, 0x00000000,0x3F,0x21FC0)/\InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640 Unloading driver at 0x00000000000 Command Error Status: Unsupported
I am sorry, but I cannot reproduce this with the latest EDK2 build. If I enroll the .der files and sign the kernel with the corresponding key, I can boot the kernel from the shell. If I boot an unsigned kernel, I get a security violation, not 'Unsupported' It looks like you may be missing the correct crypto algorithms. Did you build the OpenSslLib etc correctly?
Thanks. Can you please share the EDK2 SHA ID you have as the HEAD.
i used snapshots from here: http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstre...
All of those are built with support for secure boot.
Also can you please share which QEMU, sbsigntool and efitool versions/git branches you are using. I will try shifting to them as well and will give a try.
$ qemu-system-aarch64 --version QEMU emulator version 2.5.50, Copyright (c) 2003-2008 Fabrice Bellard
$ sbsign --version sbsign 0.6
I did not use efitools at all, only 'openssl x509' to create the key pairs and convert to DER format
I followed the steps mentioned on LEG WIKI on build the OpenSslLib Pkg. I hope that the information on the WIKI is not too old.
No, that information should still be correct.