genode/repos/dde_linux/run/wg_qemu_tap_preamble.inc
Martin Stein a845dffa63 dde_linux: port of WireGuard kernel module
A userland component that ports the Linux WireGuard kernel module (originally
from kernel version 5.14.21) and integrates it via a NIC session (public
network side) and an Uplink session (private network side). The
WireGuard-specific device configuration is done through the component
configuration. The port is done using lx_emul, lx_kit and the virt_linux
targets. The commit also adds 4 corresponding run scripts, 3 of which are fully
automated, and 1 of those is added to the autopilot.

:Warning:

Although functioning in principle, the WireGuard port has not been exposed to a
sufficient amount of real-world testing so far. Therefore, we strongly
recommend not to use it in any security-critical scenarios! There is no
guarantee that the port meets any of the security goals pursued by the
WireGuard protocol or other WireGuard implementations!

Ref 
2022-05-25 12:23:03 +02:00


#
# Preamble for WireGuard tests that run in Qemu and use a Qemu netdev TAP
# device to create a tunnel between the WireGuard device in the guest system
# and a Wireguard device in the host system. This script checks that the
# target platform is supported, installs the correct Qemu arguments, sets up
# the host WireGuard device, and ensures that the host WireGuard setup is
# undone whenever the test terminates.
#
# Supported targets are arm_64 on the virt_qemu board and x86_64; everything
# else (and any non-Qemu run) is skipped gracefully instead of failing. At
# this point 'exit' is still the run tool's plain exit - the cleanup wrapper
# further below has not been installed yet and no host state exists.
if {![have_spec arm_64] && ![have_spec x86_64]} {
	puts "Run script is not supported on this platform."
	exit 0
}
if {[have_spec arm_64] && ![have_board virt_qemu]} {
	puts "Run script is not supported on this platform."
	exit 0
}
if {![have_include power_on/qemu]} {
	puts "Test requires Qemu."
	exit 0
}

# Qemu arguments shared by all boards. Every piece is padded with a space on
# both sides so the pieces can simply be concatenated. The TAP netdev is the
# public side of the tunnel; it is attached to tap0 on the host, which
# set_up_host_wg creates.
append wg_board_qemu_args \
	" -m 512 " \
	" -nographic " \
	" -netdev tap,id=net0,ifname=tap0,script=no,downscript=no " \
	" -smp 4 "

# Board-specific machine and NIC model, attached to the netdev above.
if {[have_board virt_qemu]} {
	append wg_board_qemu_args \
		" -global virtio-mmio.force-legacy=false " \
		" -device virtio-net-device,bus=virtio-mmio-bus.0,netdev=net0 " \
		" -M virt,virtualization=true,gic-version=3 " \
		" -cpu cortex-a53 "
} elseif {[have_spec x86_64]} {
	append wg_board_qemu_args \
		" -machine q35 " \
		" -net nic,model=e1000,netdev=net0 "
} else {
	puts "Run script is not supported on this platform."
	exit 0
}
#
# Hand the Qemu arguments assembled by this preamble to the run tool
#
# The run tool calls this procedure when it builds the Qemu command line;
# the value is the global 'wg_board_qemu_args' string filled in above.
#
proc board_qemu_args { } {
	return $::wg_board_qemu_args
}
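#
# Create the host side of the tunnel: tap0 with a DHCP server for the guest,
# and a WireGuard device wg0 peered with the guest's WireGuard device
#
# All network operations go through sudo (presumably passwordless sudo is
# expected for them). The files udhcpd.conf, udhcpd.leases, udhcpd.pid and
# wg_private_key are created in the current working directory and removed
# again by undo_host_wg_setup.
#
proc set_up_host_wg {} {
	puts "Set up host WireGuard"

	# Remove leftovers of a previous, possibly aborted run. The udhcpd files
	# may be root-owned (udhcpd runs via sudo), hence sudo for rm as well.
	# NOTE(review): 'ip tuntap del' appears to succeed even when tap0 does
	# not exist, so no catch is used here - verify on the target host.
	exec sudo rm -f udhcpd.conf udhcpd.leases
	exec sudo ip tuntap del dev tap0 mode tap

	# DHCP server for the guest on tap0. The lease range starts at 10.0.2.3,
	# which the peer endpoint below relies on for the guest's address.
	set fd [open udhcpd.conf w]
	puts $fd "interface tap0"
	puts $fd "start 10.0.2.3"
	puts $fd "end 10.0.2.4"
	puts $fd "max_leases 2"
	puts $fd "lease_file udhcpd.leases"
	puts $fd "pidfile udhcpd.pid"
	puts $fd "option dns 10.0.2.1 10.0.2.2"
	puts $fd "option subnet 255.255.255.0"
	puts $fd "option router 10.0.2.1"
	close $fd

	# udhcpd expects the lease file to exist.
	set fd [open udhcpd.leases w]
	close $fd

	# tap0 is owned by the current user so Qemu can open it without root.
	exec sudo ip tuntap add dev tap0 mode tap user $::tcl_platform(user)
	exec sudo ip address flush dev tap0
	exec sudo ip address add 10.0.2.1/24 dev tap0
	exec sudo ip link set tap0 up
	exec sudo udhcpd udhcpd.conf

	# Host private key. The file is created with mode 0600 from the start
	# rather than being created with the default umask and chmod-ed
	# afterwards, so it is never readable by other users, not even briefly.
	# This is a fixed test-only key: the guest-side configuration pairs with
	# its public counterpart (see the peer's public key below), so it is
	# deliberately not generated at runtime and must not be reused elsewhere.
	set fd [open wg_private_key {WRONLY CREAT TRUNC} 0600]
	puts $fd "0CtU34qsl97IGiYKSO4tMaF/SJvy04zzeQkhZEbZSk0="
	close $fd
	# A pre-existing file keeps its old mode despite the 0600 above.
	file attributes wg_private_key -permissions 0600

	# wg0 on the private side; the peer is the guest's WireGuard device,
	# reachable at the first DHCP address over tap0.
	exec sudo ip link add wg0 type wireguard
	exec sudo ip addr add 10.0.9.1/24 dev wg0
	exec sudo wg set wg0 private-key wg_private_key listen-port 49001
	exec sudo ip link set wg0 up
	exec sudo wg set wg0 peer "GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E=" allowed-ips 10.0.9.2/32 endpoint 10.0.2.3:49002
}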
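#
# Tear down everything set_up_host_wg created on the host
#
# Every step is best-effort: when the setup was aborted half-way (or this
# procedure runs twice), some of the resources do not exist and the
# corresponding command fails. With plain 'exec' such a failure raises a
# Tcl error and aborts the remaining steps, leaving e.g. tap0 or wg0 behind.
# Failures are therefore reported on stderr and the teardown continues.
#
proc undo_host_wg_setup {} {
	puts "Undo host WireGuard setup"

	foreach cmd {
		{sudo pkill -F udhcpd.pid}
		{sudo ip link set wg0 down}
		{sudo ip link delete dev wg0}
		{sudo ip link set tap0 down}
		{sudo ip address flush dev tap0}
		{sudo ip link delete tap0}
		{sudo rm -f wg_private_key udhcpd.conf udhcpd.leases udhcpd.pid}
	} {
		# 'eval' expands the command word list; 'rm -f' replaces the
		# original 'rm -rf' since only regular files are involved.
		if {[catch {eval exec $cmd} err]} {
			puts stderr "undo_host_wg_setup: '$cmd' failed: $err"
		}
	}
}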
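#
# Make every exit of the run script - including the ones the run tool
# triggers itself on timeouts or failed checks - undo the host setup first
#
rename exit run_tool_exit
proc exit {{status 0}} {
	# A failing teardown must not turn the exit into an unhandled Tcl
	# error: report the problem and still leave with the requested status.
	if {[catch {undo_host_wg_setup} err]} {
		puts stderr "exit: undoing the host WireGuard setup failed: $err"
	}
	run_tool_exit $status
}

# The cleanup wrapper is in place, so host state created from here on is
# always removed again.
set_up_host_wg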