On 27 January 2016 at 08:34, Bhupesh Sharma bhupesh.sharma@nxp.com wrote:
Hi,
I am trying to do some hands-on on qemu for aarch64 to boot a secure kernel image and running into the following two issues.
I would appreciate any pointers on the same.
- Not able to boot a signed kernel Image on qemu-2.5.0 built for aarch64:
a) I am using the following OE image from Linaro for vexpress64: vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz
b) I uncompress the same using the following command: # zcat vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz > vexpress64-oe.img
c) I mount this on /mnt: # mount -o loop,offset=32256 vexpress64-oe.img /mnt
d) # cd /mnt
e) I have downloaded the latest efitools (git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git), which has the following commit as head: commit 613cf530f09fc1b27701b1be2538730539415db4 Author: James Bottomley JBottomley@Parallels.com Date: Wed Jan 14 22:57:41 2015 -0800
flash-var: new routine for manipulating variables in flash imagesf) I make the efitools using make and copy the PK, KEK and DB to /mnt:
# cp -rf PK.auth /mnt/. ; cp -rf DB.auth /mnt/.; cp -rf KEK.auth /mnt/. ; cp -rf PK.crt /mnt/.; cp -rf DB.crt /mnt/. # cp -rf KEK.crt /mnt/. ; cp -rf DB.key /mnt/.g) Now I generate the corresponding .der files:
# openssl x509 -in DB.crt -outform DER -out DB.der and so on..h) Create a signed kernel Image using 'sbsigntools': # sbsign --key DB.key --cert DB.crt --output Image.signed Image
i) # sync; umount /mnt
j) Launch Qemu and provide the PK.der, KEK.der and DB.der files in the "User Mode":
# qemu-system-aarch64 -m 1024 -cpu cortex-a57 -M virt -pflash flash0.img -pflash flash1.img -serial stdio -drive if=none,file=vexpress64-oe.img,id=hd0 -device virtio-blk-device,drive=hd0k) Now, I enter the shell and provide the signed kernel Image as an input:
Shell> Image.signed root=/dev/vda2 console=ttyAMA0,38400n8 earlycon=pl011,0x9000000But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x21FC0)/\InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640 Unloading driver at 0x00000000000 Command Error Status: Unsupported
I am sorry, but I cannot reproduce this with the latest EDK2 build. If I enroll the .der files and sign the kernel with the corresponding key, I can boot the kernel from the shell. If I boot an unsigned kernel, I get a security violation, not 'Unsupported' It looks like you may be missing the correct crypto algorithms. Did you build the OpenSslLib etc correctly?