Hi Ard,
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] Sent: Friday, January 29, 2016 10:52 PM
On 29 January 2016 at 08:03, Bhupesh Sharma bhupesh.sharma@nxp.com wrote:
Hi Ard,
From: Bhupesh Sharma Sent: Wednesday, January 27, 2016 1:04 PM
Hi,
I am trying to do some hands-on on qemu for aarch64 to boot a secure kernel image and running into the following two issues.
Thanks for the patches on sbsigntool. Any pointers to the qemu issue I am seeing while trying to load a signed Image using ubuntu 14.04's sbsigntool (v0.6), as captured in point 1 below?
I will look into this next Monday.
Were you able to look into this issue?
Regards, Bhupesh
I would appreciate any pointers on the same.
- Not able to boot a signed kernel Image on qemu-2.5.0 built for aarch64:
a) I am using the following OE image from Linaro for vexpress64:
vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz
b) I uncompress the same using the following command:
# zcat vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz > vexpress64-oe.img
c) I mount this on /mnt:
# mount -o loop,offset=32256 vexpress64-oe.img /mnt
d) # cd /mnt
e) I have downloaded the latest efitools (git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git), which has the following commit as head:
commit 613cf530f09fc1b27701b1be2538730539415db4
Author: James Bottomley JBottomley@Parallels.com
Date: Wed Jan 14 22:57:41 2015 -0800
flash-var: new routine for manipulating variables in flash images
f) I make the efitools using make and copy the PK, KEK and DB to /mnt:
# cp -rf PK.auth /mnt/. ; cp -rf DB.auth /mnt/. ; cp -rf KEK.auth /mnt/. ; cp -rf PK.crt /mnt/. ; cp -rf DB.crt /mnt/.
# cp -rf KEK.crt /mnt/. ; cp -rf DB.key /mnt/.
g) Now I generate the corresponding .der files:
# openssl x509 -in DB.crt -outform DER -out DB.der
and so on...
h) Create a signed kernel Image using 'sbsigntools':
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
i) # sync; umount /mnt
j) Launch Qemu and provide the PK.der, KEK.der and DB.der files in the "User Mode":
# qemu-system-aarch64 -m 1024 -cpu cortex-a57 -M virt -pflash flash0.img -pflash flash1.img -serial stdio -drive if=none,file=vexpress64-oe.img,id=hd0 -device virtio-blk-device,drive=hd0
k) Now, I enter the shell and provide the signed kernel Image as an input:
Shell> Image.signed root=/dev/vda2 console=ttyAMA0,38400n8 earlycon=pl011,0x9000000
But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x21FC0)/\Ins tall ProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640
Unloading driver at 0x00000000000
Command Error Status: Unsupported
I would expect an access violation, not unsupported. Does the signed image still work if you don't enroll the certificates?
- Latest sbsigntool broken?:
I have downloaded the v0.7 sbsigntool from git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git, which has the following commit as the head:
commit ed53774c2f6b39ab63b312891ba7e98492f4d7e3
Author: James Bottomley JBottomley@Parallels.com
Date: Fri Dec 19 16:44:54 2014 -0800
Version 0.7
Now, I see that when I use the DB.key and DB.crt to sign a kernel Image (Image) using this sbsigntool, I get an "Invalid PE header magic" error.
# which sbsign
/home/tools/sbsigntools/sbsigntools/src/sbsign
# sbsign --version
sbsign 0.7
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
Invalid PE header magic
I use the following method to compile the sbsigntool:
# ./autogen.sh
# ./configure
# make
Whereas, if I use the sbsign util (v0.6) available on my ubuntu 14.04 machine I can get the sbsigntool to sign the Image:
# which sbsign
/usr/bin/sbsign
# sbsign --version
sbsign 0.6
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
Regards, Bhupesh
_______________________________________________
Linaro-uefi mailing list
Linaro-uefi@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/linaro-uefi
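Both problems in the thread come down to what the PE/COFF headers of the arm64 Image actually contain: an Authenticode signer and the UEFI loader both start from the "MZ" magic, the "PE\0\0" signature at e_lfanew and the security data directory that holds the appended certificate. The following inspector is an added example, not code from the thread, sbsigntools or efitools; it parses those headers so you can check, before signing, that the Image is a PE file at all (the arm64 Image only carries an MZ/PE header when the EFI stub is built in) and, after signing, that sbsign really recorded a certificate table. build_test_image is a constructed stand-in header, not a real kernel.

```python
import struct

PE32PLUS_MAGIC, PE32_MAGIC = 0x20B, 0x10B
MACHINE_ARM64 = 0xAA64
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def inspect_pe(data: bytes) -> dict:
    """Parse the PE/COFF headers a signer relies on; raise ValueError with the reason if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ magic at offset 0: not a PE/COFF file (arm64 Image needs the EFI stub)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE\\0\\0 signature at e_lfanew=0x%x" % e_lfanew)
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # first COFF header field
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    opt_magic = struct.unpack_from("<H", data, opt)[0]
    if opt_magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112  # NumberOfRvaAndSizes / DataDirectory in PE32+
    elif opt_magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96    # same fields in a PE32 optional header
    else:
        raise ValueError("unknown optional header magic 0x%x" % opt_magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_off = cert_len = 0
    if ndirs > SECURITY_DIR:
        # For the security directory the "VirtualAddress" field is a raw file offset.
        cert_off, cert_len = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR)
    return {"machine": machine, "pe32plus": opt_magic == PE32PLUS_MAGIC,
            "cert_offset": cert_off, "cert_size": cert_len, "signed": cert_len > 0}

def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ arm64 header (not a real kernel Image) to exercise inspect_pe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", MACHINE_ARM64, 0, 0, 0, 0, 240, 0x0002)
    opt = bytearray(240)  # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)
    image_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        cert = b"\0" * 64  # stand-in for the WIN_CERTIFICATE blob a signer appends
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, image_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    import sys
    print(inspect_pe(open(sys.argv[1], "rb").read()))  # e.g. Image or Image.signed
```

Run it on Image before signing and on Image.signed afterwards: the first should parse with signed=False, the second should report a non-zero cert_size.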