Hi,
I am trying to do some hands-on work on qemu for aarch64 to boot a secure kernel image and am running into the following two issues.
I would appreciate any pointers on the same.
1. Not able to boot a signed kernel Image on qemu-2.5.0 built for aarch64:
a) I am using the following OE image from Linaro for vexpress64: vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz
b) I uncompress the same using the following command: # zcat vexpress64-openembedded_minimal-armv8-gcc-4.9_20140823-686.img.gz > vexpress64-oe.img
c) I mount this on /mnt: # mount -o loop,offset=32256 vexpress64-oe.img /mnt
d) # cd /mnt
e) I have downloaded the latest efitools (git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git), which has the following commit as head:
commit 613cf530f09fc1b27701b1be2538730539415db4
Author: James Bottomley <JBottomley@Parallels.com>
Date: Wed Jan 14 22:57:41 2015 -0800
flash-var: new routine for manipulating variables in flash images
f) I make the efitools using make and copy the PK, KEK and DB to /mnt:
# cp -rf PK.auth /mnt/. ; cp -rf DB.auth /mnt/. ; cp -rf KEK.auth /mnt/. ; cp -rf PK.crt /mnt/. ; cp -rf DB.crt /mnt/.
# cp -rf KEK.crt /mnt/. ; cp -rf DB.key /mnt/.
g) Now I generate the corresponding .der files:
# openssl x509 -in DB.crt -outform DER -out DB.der
and so on..
h) Create a signed kernel Image using 'sbsigntools':
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
i) # sync; umount /mnt
j) Launch Qemu and provide the PK.der, KEK.der and DB.der files in the "User Mode":
# qemu-system-aarch64 -m 1024 -cpu cortex-a57 -M virt -pflash flash0.img -pflash flash1.img -serial stdio -drive if=none,file=vexpress64-oe.img,id=hd0 -device virtio-blk-device,drive=hd0
k) Now, I enter the shell and provide the signed kernel Image as an input:
Shell> Image.signed root=/dev/vda2 console=ttyAMA0,38400n8 earlycon=pl011,0x9000000
But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x21FC0)/\InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640 Unloading driver at 0x00000000000 Command Error Status: Unsupported
2. Latest sbsigntool broken?:
I have downloaded the v0.7 sbsigntool from git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git, which has the following commit as the head:
commit ed53774c2f6b39ab63b312891ba7e98492f4d7e3
Author: James Bottomley <JBottomley@Parallels.com>
Date: Fri Dec 19 16:44:54 2014 -0800
Version 0.7
Now, I see that when I use the DB.key and DB.crt to sign a kernel Image (Image) using this sbsigntool, I get an "Invalid PE header magic" error.
# which sbsign
/home/tools/sbsigntools/sbsigntools/src/sbsign
# sbsign --version
sbsign 0.7
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
Invalid PE header magic
I use the following method to compile the sbsigntool:
# ./autogen.sh
# ./configure
# make
Whereas, if I use the sbsign util (v0.6) available on my ubuntu 14.04 machine, I can get the sbsigntool to sign the Image:
# which sbsign
/usr/bin/sbsign
# sbsign --version
sbsign 0.6
# sbsign --key DB.key --cert DB.crt --output Image.signed Image
Regards, Bhupesh
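An added pre-flight check, not code from the thread or from sbsigntools: it walks the DOS/PE/COFF headers that a PE signer and the UEFI image loader both rely on and reports whether a file is a PE32+ ARM64 image at all (an arm64 Image built without the EFI stub has no MZ/PE header, so no PE signer can attach a signature to it) and whether a certificate table is already attached, which is what the firmware checks against db. The sample headers are constructed inline and are not a real kernel; the same function can be pointed at a real Image or Image.signed.

```python
"""Pre-flight checker for arm64 kernel Images before and after PE signing."""
import struct
import sys

IMAGE_FILE_MACHINE_ARM64 = 0xAA64   # COFF machine type for AArch64
PE32PLUS_MAGIC = 0x20B              # optional-header magic for 64-bit images
DIR_SECURITY = 4                    # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def inspect_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> PE32+ optional header and report
    whether a certificate table (Authenticode signature) is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        # A kernel Image built without the EFI stub has no DOS/PE header at all,
        # so a PE signer has nothing to locate and rejects it.
        return {"pe": False, "reason": "no MZ magic at offset 0"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"pe": False, "reason": "no PE signature at e_lfanew"}
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32PLUS_MAGIC or opt + opt_size > len(data):
        return {"pe": False, "reason": "optional header is not a complete PE32+ header"}
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]   # NumberOfRvaAndSizes
    cert_off = cert_len = 0
    if ndirs > DIR_SECURITY:
        # Unlike the other directories, the security entry holds a raw file offset.
        cert_off, cert_len = struct.unpack_from("<II", data, opt + 112 + 8 * DIR_SECURITY)
    result = {"pe": True, "arm64": machine == IMAGE_FILE_MACHINE_ARM64,
              "signed": cert_len > 0, "authenticode": False}
    if cert_len >= 8 and cert_off + cert_len <= len(data):
        dw_len, _rev, cert_type = struct.unpack_from("<IHH", data, cert_off)
        result["authenticode"] = (cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                                  and dw_len <= cert_len)
    return result


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+/ARM64 header (not a real kernel), with an optional
    placeholder WIN_CERTIFICATE so the signed path can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x38:0x3C] = b"ARM\x64"                 # arm64 Image magic in the EFI-stub layout
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE signature right after DOS hdr
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARM64, 1, 0, 0, 0, 240, 0x0206)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt)
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 64, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 56
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, header_len, len(cert))
    return bytes(dos) + coff + bytes(opt) + cert


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_image(signed=False)
    print(inspect_pe(data))
```

Run it against Image before signing: a result with "pe": False means the kernel was not built as an EFI-stub PE image and no signer will accept it; run it against Image.signed and "authenticode": True confirms a certificate table is in place for the firmware to verify.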
Hi Ard,
From: Bhupesh Sharma Sent: Wednesday, January 27, 2016 1:04 PM
Hi,
I am trying to do some hands-on work on qemu for aarch64 to boot a secure kernel image and am running into the following two issues.
Thanks for the patches on sbsigntool. Any pointers to the qemu issue I am seeing while trying to load a signed Image using ubuntu 14.04's sbsigntool (v0.6), as captured in point 1 below?
Regards, Bhupesh
On 29 January 2016 at 08:03, Bhupesh Sharma <bhupesh.sharma@nxp.com> wrote:
Hi Ard,
From: Bhupesh Sharma Sent: Wednesday, January 27, 2016 1:04 PM
Hi,
I am trying to do some hands-on work on qemu for aarch64 to boot a secure kernel image and am running into the following two issues.
Thanks for the patches on sbsigntool. Any pointers to the qemu issue I am seeing while trying to load a signed Image using ubuntu 14.04's sbsigntool (v0.6), as captured in point 1 below?
I will look into this next Monday
Thanks, Ard.
But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x21FC0)/\InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640 Unloading driver at 0x00000000000 Command Error Status: Unsupported
I would expect an access violation, not unsupported. Does the signed image still work if you don't enroll the certificates?
Hi Ard,
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] Sent: Friday, January 29, 2016 10:52 PM
On 29 January 2016 at 08:03, Bhupesh Sharma <bhupesh.sharma@nxp.com> wrote:
Hi Ard,
From: Bhupesh Sharma Sent: Wednesday, January 27, 2016 1:04 PM
Hi,
I am trying to do some hands-on work on qemu for aarch64 to boot a secure kernel image and am running into the following two issues.
Thanks for the patches on sbsigntool. Any pointers to the qemu issue I am seeing while trying to load a signed Image using ubuntu 14.04's sbsigntool (v0.6), as captured in point 1 below?
I will look into this next Monday
Were you able to look into this issue?
Regards, Bhupesh
On 27 January 2016 at 08:34, Bhupesh Sharma <bhupesh.sharma@nxp.com> wrote:
Hi,
I am trying to do some hands-on work on qemu for aarch64 to boot a secure kernel image and am running into the following two issues.
I would appreciate any pointers on the same.
- Not able to boot a signed kernel Image on qemu-2.5.0 built for aarch64:
But I get the following error message:
The image doesn't pass verification: VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x21FC0)/\InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7ACDD640 Unloading driver at 0x00000000000 Command Error Status: Unsupported
I am sorry, but I cannot reproduce this with the latest EDK2 build. If I enroll the .der files and sign the kernel with the corresponding key, I can boot the kernel from the shell. If I boot an unsigned kernel, I get a security violation, not 'Unsupported'. It looks like you may be missing the correct crypto algorithms. Did you build the OpenSslLib etc. correctly?
Hi Ard,
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] Sent: Tuesday, February 09, 2016 9:20 PM
I am sorry, but I cannot reproduce this with the latest EDK2 build. If I enroll the .der files and sign the kernel with the corresponding key, I can boot the kernel from the shell. If I boot an unsigned kernel, I get a security violation, not 'Unsupported'. It looks like you may be missing the correct crypto algorithms. Did you build the OpenSslLib etc. correctly?
Thanks. Can you please share the EDK2 SHA ID you have as the HEAD?
Also, can you please share which QEMU, sbsigntool and efitool versions/git branches you are using? I will try shifting to them as well and will give it a try.
I followed the steps mentioned on the LEG WIKI on building the OpenSslLib Pkg. I hope that the information on the WIKI is not too old.
Regards, Bhupesh
On 10 February 2016 at 09:48, Bhupesh Sharma <bhupesh.sharma@nxp.com> wrote:
Hi Ard,
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] Sent: Tuesday, February 09, 2016 9:20 PM
I am sorry, but I cannot reproduce this with the latest EDK2 build. If I enroll the .der files and sign the kernel with the corresponding key, I can boot the kernel from the shell. If I boot an unsigned kernel, I get a security violation, not 'Unsupported'. It looks like you may be missing the correct crypto algorithms. Did you build the OpenSslLib etc. correctly?
Thanks. Can you please share the EDK2 SHA ID you have as the HEAD?
I used snapshots from here: http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstre...
All of those are built with support for secure boot.
Also, can you please share which QEMU, sbsigntool and efitool versions/git branches you are using? I will try shifting to them as well and will give it a try.
$ qemu-system-aarch64 --version
QEMU emulator version 2.5.50, Copyright (c) 2003-2008 Fabrice Bellard
$ sbsign --version
sbsign 0.6
I did not use efitools at all, only 'openssl x509' to create the key pairs and convert to DER format
I followed the steps mentioned on the LEG WIKI on building the OpenSslLib Pkg. I hope that the information on the WIKI is not too old.
No, that information should still be correct.