qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements) - Addition of missing boards to cover all use cases - All TPM1 boards rely on common config/coreboot-qemu-tpm1.config - boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized - all other boards are softlinked to the above for usage
parent
395de880db
commit
080d439758
@ -1,5 +1,5 @@
|
|||||||
# Configuration for building a coreboot ROM that works in
|
# Configuration for building a coreboot ROM that works in
|
||||||
# the qemu emulator in GUI mode thanks to FBWhiptail
|
# the qemu emulator in console mode thanks to Whiptail
|
||||||
#
|
#
|
||||||
# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or
|
# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or
|
||||||
# Nitrokey Pro can also be used by forwarding the USB device from the host to
|
# Nitrokey Pro can also be used by forwarding the USB device from the host to
|
||||||
@ -8,7 +8,7 @@ export CONFIG_COREBOOT=y
|
|||||||
export CONFIG_COREBOOT_VERSION=4.13
|
export CONFIG_COREBOOT_VERSION=4.13
|
||||||
export CONFIG_LINUX_VERSION=5.10.5
|
export CONFIG_LINUX_VERSION=5.10.5
|
||||||
|
|
||||||
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail-tpm1-hotp.config
|
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
|
||||||
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
||||||
|
|
||||||
ifeq "$(CONFIG_UROOT)" "y"
|
ifeq "$(CONFIG_UROOT)" "y"
|
||||||
@ -77,7 +77,7 @@ $(TPMDIR)/.manufacture:
|
|||||||
mkdir -p "$(TPMDIR)"
|
mkdir -p "$(TPMDIR)"
|
||||||
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
||||||
touch "$(TPMDIR)/.manufacture"
|
touch "$(TPMDIR)/.manufacture"
|
||||||
ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
|
ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
|
||||||
# Default to 20G disk
|
# Default to 20G disk
|
||||||
QEMU_DISK_SIZE?=20G
|
QEMU_DISK_SIZE?=20G
|
||||||
$(ROOT_DISK_IMG):
|
$(ROOT_DISK_IMG):
|
||||||
|
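Review bot: Changing `ROOT_DISK_IMG=` to `ROOT_DISK_IMG:=` in the third hunk does not by itself make the path user-supplied: a `make ROOT_DISK_IMG=… run` assignment already overrides a file assignment of either flavour (unless the top-level Makefile, not visible here, uses `override`). What the commit message describes is a default, and this file already spells that idiom two lines later with `QEMU_DISK_SIZE?=20G`; `ROOT_DISK_IMG?=$(build)/$(BOARD)/root.qcow2` states the intent and keeps the late expansion of `$(build)`/`$(BOARD)` that `=` had, whereas `:=` now relies on both being set before this board file is included. The same change appears in the last hunk of the edited whiptail-tpm1-hotp board near the bottom of the page and as `ROOT_DISK_IMG:=` in both new board files.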
@ -1,8 +1,8 @@
|
|||||||
qemu-coreboot-fbwhiptal-tpm1-hotp
|
qemu-coreboot-(fb)whiptal-tpm1-(hotp) board
|
||||||
===
|
===
|
||||||
|
|
||||||
The `qemu-coreboot-fbwhiptail-tpm1-hotp` configuration permits testing of most features of Heads. It
|
The `qemu-coreboot-fbwhiptail-tpm1-hotp` configuration (and their variants) permits testing of most features of Heads.
|
||||||
requires a supported USB token (which will be reset for use with the VM, do not use a token needed for a
|
It requires a supported USB token (which will be reset for use with the VM, do not use a token needed for a
|
||||||
real machine). With KVM acceleration, speed is comparable to a real machine. If KVM is unavailable,
|
real machine). With KVM acceleration, speed is comparable to a real machine. If KVM is unavailable,
|
||||||
lightweight desktops are still usable.
|
lightweight desktops are still usable.
|
||||||
|
|
||||||
@ -10,7 +10,7 @@ Heads is currently unable to reflash firmware within qemu, which means that OEM
|
|||||||
cannot be fully performed within the VM. Instead, a GPG key can be injected in the Heads image from the
|
cannot be fully performed within the VM. Instead, a GPG key can be injected in the Heads image from the
|
||||||
host during the build.
|
host during the build.
|
||||||
|
|
||||||
The TPM and disks for this configuration are persisted in the build/qemu-coreboot-fbwhiptail-tpm1-hotp/ directory.
|
The TPM and disks for this configuration are persisted in the build/qemu-coreboot-fbwhiptail-tpm1-hotp/ directory by default.
|
||||||
|
|
||||||
Bootstrapping a working system
|
Bootstrapping a working system
|
||||||
===
|
===
|
||||||
@ -49,6 +49,16 @@ Bootstrapping a working system
|
|||||||
7. Initialize the TPM - select "Reset the TPM" at the TOTP error prompt and follow prompts
|
7. Initialize the TPM - select "Reset the TPM" at the TOTP error prompt and follow prompts
|
||||||
8. Select "Default boot" and follow prompts to sign /boot for the first time and set a default boot option
|
8. Select "Default boot" and follow prompts to sign /boot for the first time and set a default boot option
|
||||||
|
|
||||||
|
You can reuse an already created ROOT_DISK_IMG by passing its path at runtime.
|
||||||
|
Ex: `make BOARD=qemu-coreboot-fbwhiptail-tpm1 PUBKEY_ASC=~/pub_key_counterpart_of_usb_dongle.asc USB_TOKEN=NitrokeyStorage ROOT_DISK_IMG=~/heads/build/x86/qemu-coreboot-fbwhiptail-tpm1-hotp/root.qcow2 run`
|
||||||
|
|
||||||
|
On a daily development cycle, usage looks like:
|
||||||
|
1. `make BOARD=qemu-coreboot-fbwhiptail-tpm1 PUBKEY_ASC=~/pub_key_counterpart_of_usb_dongle.asc USB_TOKEN=NitrokeyStorage ROOT_DISK_IMG=~/heads/build/x86/qemu-coreboot-fbwhiptail-tpm1-hotp/root.qcow2 inject_gpg`
|
||||||
|
2. `make BOARD=qemu-coreboot-fbwhiptail-tpm1 PUBKEY_ASC=~/pub_key_counterpart_of_usb_dongle.asc USB_TOKEN=NitrokeyStorage ROOT_DISK_IMG=~/heads/build/x86/qemu-coreboot-fbwhiptail-tpm1-hotp/root.qcow2 run`
|
||||||
|
|
||||||
|
The first command builds latest uncommited/unsigned changes and injects the public key inside of the rom to be ran by the second command.
|
||||||
|
To test across all qemu variants, one only has to change BOARD name and run the two previous commands, adapting `QEMU_MEMORY_SIZE=1G` or modifying the file directly under build dir to adapt to host resources.
|
||||||
|
|
||||||
swtpm on Debian Bullseye
|
swtpm on Debian Bullseye
|
||||||
===
|
===
|
||||||
|
|
||||||
|
@ -0,0 +1,151 @@
|
|||||||
|
# Configuration for building a coreboot ROM that works in
|
||||||
|
# the qemu emulator in console mode thanks to Whiptail
|
||||||
|
#
|
||||||
|
# TPM can be used with a qemu software TPM (TIS, 1.2).
|
||||||
|
export CONFIG_COREBOOT=y
|
||||||
|
export CONFIG_COREBOOT_VERSION=4.13
|
||||||
|
export CONFIG_LINUX_VERSION=5.10.5
|
||||||
|
|
||||||
|
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
|
||||||
|
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
||||||
|
|
||||||
|
ifeq "$(CONFIG_UROOT)" "y"
|
||||||
|
CONFIG_BUSYBOX=n
|
||||||
|
else
|
||||||
|
CONFIG_KEXEC=y
|
||||||
|
CONFIG_QRENCODE=y
|
||||||
|
CONFIG_TPMTOTP=y
|
||||||
|
CONFIG_POPT=y
|
||||||
|
CONFIG_FLASHTOOLS=y
|
||||||
|
CONFIG_FLASHROM=y
|
||||||
|
CONFIG_PCIUTILS=y
|
||||||
|
CONFIG_UTIL_LINUX=y
|
||||||
|
CONFIG_CRYPTSETUP2=y
|
||||||
|
CONFIG_GPG2=y
|
||||||
|
CONFIG_LVM2=y
|
||||||
|
CONFIG_MBEDTLS=y
|
||||||
|
CONFIG_DROPBEAR=y
|
||||||
|
CONFIG_MSRTOOLS=y
|
||||||
|
#CONFIG_HOTPKEY=y
|
||||||
|
|
||||||
|
#Uncomment only one of the following block
|
||||||
|
#Required for graphical gui-init (FBWhiptail)
|
||||||
|
CONFIG_CAIRO=y
|
||||||
|
CONFIG_FBWHIPTAIL=y
|
||||||
|
#
|
||||||
|
#text-based init (generic-init and gui-init)
|
||||||
|
#CONFIG_NEWT=y
|
||||||
|
#CONFIG_SLANG=y
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
||||||
|
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
|
||||||
|
CONFIG_LINUX_USB=y
|
||||||
|
CONFIG_LINUX_E1000=y
|
||||||
|
|
||||||
|
#Uncomment only one BOOTSCRIPT:
|
||||||
|
#Whiptail-based init (text-based or FBWhiptail)
|
||||||
|
export CONFIG_BOOTSCRIPT=/bin/gui-init
|
||||||
|
#
|
||||||
|
#text-based original init:
|
||||||
|
#export CONFIG_BOOTSCRIPT=/bin/generic-init
|
||||||
|
export CONFIG_BOOT_REQ_HASH=n
|
||||||
|
export CONFIG_BOOT_REQ_ROLLBACK=n
|
||||||
|
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
|
||||||
|
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
|
||||||
|
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
|
||||||
|
|
||||||
|
export CONFIG_TPM=y
|
||||||
|
|
||||||
|
export CONFIG_BOOT_DEV="/dev/vda1"
|
||||||
|
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1"
|
||||||
|
|
||||||
|
# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
|
||||||
|
# keyring in QEMU. Otherwise use the plain ROM, some things can still be tested
|
||||||
|
# that way without a GPG key.
|
||||||
|
ifneq "$(PUBKEY_ASC)" ""
|
||||||
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
|
||||||
|
else
|
||||||
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
|
||||||
|
endif
|
||||||
|
|
||||||
|
#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
|
||||||
|
TPMDIR=$(build)/$(BOARD)/vtpm
|
||||||
|
$(TPMDIR)/.manufacture:
|
||||||
|
mkdir -p "$(TPMDIR)"
|
||||||
|
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
||||||
|
touch "$(TPMDIR)/.manufacture"
|
||||||
|
ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
|
||||||
|
# Default to 20G disk
|
||||||
|
QEMU_DISK_SIZE?=20G
|
||||||
|
$(ROOT_DISK_IMG):
|
||||||
|
qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
|
||||||
|
# Remember the amount of memory so it doesn't have to be specified every time.
|
||||||
|
# Default to 4G, most bootable OSes are not usable with less.
|
||||||
|
QEMU_MEMORY_SIZE?=4G
|
||||||
|
MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
|
||||||
|
$(MEMORY_SIZE_FILE):
|
||||||
|
@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
|
||||||
|
USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
|
||||||
|
$(USB_FD_IMG):
|
||||||
|
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128
|
||||||
|
# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
|
||||||
|
# though it is meaningful to use mkfs.vfat (etc.) as non-root
|
||||||
|
MKFS_VFAT=mkfs.vfat; \
|
||||||
|
[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
|
||||||
|
"$$MKFS_VFAT" "$(USB_FD_IMG)"
|
||||||
|
# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
|
||||||
|
# of the temporary flash drive for exporting GPG keys.
|
||||||
|
ifneq "$(INSTALL_IMG)" ""
|
||||||
|
QEMU_USB_FD_IMG := $(INSTALL_IMG)
|
||||||
|
else
|
||||||
|
QEMU_USB_FD_IMG := $(USB_FD_IMG)
|
||||||
|
endif
|
||||||
|
# To forward a USB token, set USB_TOKEN to one of the following:
|
||||||
|
# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
|
||||||
|
# - LibremKey - forwards a Librem Key by VID:PID
|
||||||
|
# - <other> - Provide the QEMU usb-host parameters, such as
|
||||||
|
# 'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
|
||||||
|
ifeq "$(USB_TOKEN)" "NitrokeyPro"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
|
||||||
|
else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
|
||||||
|
else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
|
||||||
|
else ifeq "$(USB_TOKEN)" "LibremKey"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
|
||||||
|
else ifneq "$(USB_TOKEN)" ""
|
||||||
|
QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
|
||||||
|
endif
|
||||||
|
|
||||||
|
run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
|
||||||
|
swtpm socket \
|
||||||
|
--tpmstate dir="$(TPMDIR)" \
|
||||||
|
--flags "startup-clear" \
|
||||||
|
--terminate \
|
||||||
|
--ctrl type=unixio,path="$(TPMDIR)/sock" &
|
||||||
|
sleep 0.5
|
||||||
|
|
||||||
|
-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
|
||||||
|
--machine q35,accel=kvm:tcg \
|
||||||
|
-rtc base=utc \
|
||||||
|
-smp "$$(nproc)" \
|
||||||
|
-vga virtio \
|
||||||
|
-full-screen \
|
||||||
|
-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
|
||||||
|
-serial stdio \
|
||||||
|
--bios "$(QEMU_BOOT_ROM)" \
|
||||||
|
-object rng-random,filename=/dev/urandom,id=rng0 \
|
||||||
|
-device virtio-rng-pci,rng=rng0 \
|
||||||
|
-netdev user,id=u1 -device e1000,netdev=u1 \
|
||||||
|
-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
|
||||||
|
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
||||||
|
-device tpm-tis,tpmdev=tpm0 \
|
||||||
|
-device qemu-xhci,id=usb \
|
||||||
|
-device usb-tablet \
|
||||||
|
-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
|
||||||
|
-device usb-storage,bus=usb.0,drive=usb-fd-drive \
|
||||||
|
$(QEMU_USB_TOKEN_DEV) \
|
||||||
|
|
||||||
|
stty sane
|
||||||
|
@echo
|
@ -0,0 +1 @@
|
|||||||
|
../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md
|
@ -0,0 +1,153 @@
|
|||||||
|
# Configuration for building a coreboot ROM that works in
|
||||||
|
# the qemu emulator in console mode thanks to Whiptail
|
||||||
|
#
|
||||||
|
# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or
|
||||||
|
# Nitrokey Pro can also be used by forwarding the USB device from the host to
|
||||||
|
# the VM.
|
||||||
|
export CONFIG_COREBOOT=y
|
||||||
|
export CONFIG_COREBOOT_VERSION=4.13
|
||||||
|
export CONFIG_LINUX_VERSION=5.10.5
|
||||||
|
|
||||||
|
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
|
||||||
|
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
||||||
|
|
||||||
|
ifeq "$(CONFIG_UROOT)" "y"
|
||||||
|
CONFIG_BUSYBOX=n
|
||||||
|
else
|
||||||
|
CONFIG_KEXEC=y
|
||||||
|
CONFIG_QRENCODE=y
|
||||||
|
CONFIG_TPMTOTP=y
|
||||||
|
CONFIG_POPT=y
|
||||||
|
CONFIG_FLASHTOOLS=y
|
||||||
|
CONFIG_FLASHROM=y
|
||||||
|
CONFIG_PCIUTILS=y
|
||||||
|
CONFIG_UTIL_LINUX=y
|
||||||
|
CONFIG_CRYPTSETUP2=y
|
||||||
|
CONFIG_GPG2=y
|
||||||
|
CONFIG_LVM2=y
|
||||||
|
CONFIG_MBEDTLS=y
|
||||||
|
CONFIG_DROPBEAR=y
|
||||||
|
CONFIG_MSRTOOLS=y
|
||||||
|
CONFIG_HOTPKEY=y
|
||||||
|
|
||||||
|
#Uncomment only one of the following block
|
||||||
|
#Required for graphical gui-init (FBWhiptail)
|
||||||
|
#CONFIG_CAIRO=y
|
||||||
|
#CONFIG_FBWHIPTAIL=y
|
||||||
|
#
|
||||||
|
#text-based init (generic-init and gui-init)
|
||||||
|
CONFIG_NEWT=y
|
||||||
|
CONFIG_SLANG=y
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
||||||
|
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
|
||||||
|
CONFIG_LINUX_USB=y
|
||||||
|
CONFIG_LINUX_E1000=y
|
||||||
|
|
||||||
|
#Uncomment only one BOOTSCRIPT:
|
||||||
|
#Whiptail-based init (text-based or FBWhiptail)
|
||||||
|
export CONFIG_BOOTSCRIPT=/bin/gui-init
|
||||||
|
#
|
||||||
|
#text-based original init:
|
||||||
|
#export CONFIG_BOOTSCRIPT=/bin/generic-init
|
||||||
|
export CONFIG_BOOT_REQ_HASH=n
|
||||||
|
export CONFIG_BOOT_REQ_ROLLBACK=n
|
||||||
|
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
|
||||||
|
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
|
||||||
|
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
|
||||||
|
|
||||||
|
export CONFIG_TPM=y
|
||||||
|
|
||||||
|
export CONFIG_BOOT_DEV="/dev/vda1"
|
||||||
|
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1-hotp"
|
||||||
|
|
||||||
|
# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
|
||||||
|
# keyring in QEMU. Otherwise use the plain ROM, some things can still be tested
|
||||||
|
# that way without a GPG key.
|
||||||
|
ifneq "$(PUBKEY_ASC)" ""
|
||||||
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
|
||||||
|
else
|
||||||
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
|
||||||
|
endif
|
||||||
|
|
||||||
|
#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
|
||||||
|
TPMDIR=$(build)/$(BOARD)/vtpm
|
||||||
|
$(TPMDIR)/.manufacture:
|
||||||
|
mkdir -p "$(TPMDIR)"
|
||||||
|
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
||||||
|
touch "$(TPMDIR)/.manufacture"
|
||||||
|
ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
|
||||||
|
# Default to 20G disk
|
||||||
|
QEMU_DISK_SIZE?=20G
|
||||||
|
$(ROOT_DISK_IMG):
|
||||||
|
qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
|
||||||
|
# Remember the amount of memory so it doesn't have to be specified every time.
|
||||||
|
# Default to 4G, most bootable OSes are not usable with less.
|
||||||
|
QEMU_MEMORY_SIZE?=4G
|
||||||
|
MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
|
||||||
|
$(MEMORY_SIZE_FILE):
|
||||||
|
@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
|
||||||
|
USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
|
||||||
|
$(USB_FD_IMG):
|
||||||
|
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128
|
||||||
|
# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
|
||||||
|
# though it is meaningful to use mkfs.vfat (etc.) as non-root
|
||||||
|
MKFS_VFAT=mkfs.vfat; \
|
||||||
|
[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
|
||||||
|
"$$MKFS_VFAT" "$(USB_FD_IMG)"
|
||||||
|
# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
|
||||||
|
# of the temporary flash drive for exporting GPG keys.
|
||||||
|
ifneq "$(INSTALL_IMG)" ""
|
||||||
|
QEMU_USB_FD_IMG := $(INSTALL_IMG)
|
||||||
|
else
|
||||||
|
QEMU_USB_FD_IMG := $(USB_FD_IMG)
|
||||||
|
endif
|
||||||
|
# To forward a USB token, set USB_TOKEN to one of the following:
|
||||||
|
# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
|
||||||
|
# - LibremKey - forwards a Librem Key by VID:PID
|
||||||
|
# - <other> - Provide the QEMU usb-host parameters, such as
|
||||||
|
# 'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
|
||||||
|
ifeq "$(USB_TOKEN)" "NitrokeyPro"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
|
||||||
|
else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
|
||||||
|
else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
|
||||||
|
else ifeq "$(USB_TOKEN)" "LibremKey"
|
||||||
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
|
||||||
|
else ifneq "$(USB_TOKEN)" ""
|
||||||
|
QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
|
||||||
|
endif
|
||||||
|
|
||||||
|
run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
|
||||||
|
swtpm socket \
|
||||||
|
--tpmstate dir="$(TPMDIR)" \
|
||||||
|
--flags "startup-clear" \
|
||||||
|
--terminate \
|
||||||
|
--ctrl type=unixio,path="$(TPMDIR)/sock" &
|
||||||
|
sleep 0.5
|
||||||
|
|
||||||
|
-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
|
||||||
|
--machine q35,accel=kvm:tcg \
|
||||||
|
-rtc base=utc \
|
||||||
|
-smp "$$(nproc)" \
|
||||||
|
-vga virtio \
|
||||||
|
-full-screen \
|
||||||
|
-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
|
||||||
|
-serial stdio \
|
||||||
|
--bios "$(QEMU_BOOT_ROM)" \
|
||||||
|
-object rng-random,filename=/dev/urandom,id=rng0 \
|
||||||
|
-device virtio-rng-pci,rng=rng0 \
|
||||||
|
-netdev user,id=u1 -device e1000,netdev=u1 \
|
||||||
|
-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
|
||||||
|
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
||||||
|
-device tpm-tis,tpmdev=tpm0 \
|
||||||
|
-device qemu-xhci,id=usb \
|
||||||
|
-device usb-tablet \
|
||||||
|
-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
|
||||||
|
-device usb-storage,bus=usb.0,drive=usb-fd-drive \
|
||||||
|
$(QEMU_USB_TOKEN_DEV) \
|
||||||
|
|
||||||
|
stty sane
|
||||||
|
@echo
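Review bot: The vTPM state stays under `TPMDIR=$(build)/$(BOARD)/vtpm` while `ROOT_DISK_IMG` may now point at a disk provisioned under a different board's build directory, as the updated documentation's example does, so a reused disk presumably meets a freshly manufactured TPM whose sealed state does not match it; a comment next to the `ROOT_DISK_IMG:=` line would spare users the surprise, e.g. `# TPM state is per board (TPMDIR): a disk reused from another board will need its TPM reset and /boot re-signed.` Also, `dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128` passes `bs=1M` twice; one is enough. Both points apply equally to the other new board file on this page.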
|
@ -0,0 +1 @@
|
|||||||
|
../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md
|
@ -6,7 +6,7 @@ export CONFIG_COREBOOT=y
|
|||||||
export CONFIG_COREBOOT_VERSION=4.13
|
export CONFIG_COREBOOT_VERSION=4.13
|
||||||
export CONFIG_LINUX_VERSION=5.10.5
|
export CONFIG_LINUX_VERSION=5.10.5
|
||||||
|
|
||||||
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-whiptail-tpm1.config
|
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
|
||||||
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
CONFIG_LINUX_CONFIG=config/linux-qemu.config
|
||||||
|
|
||||||
ifeq "$(CONFIG_UROOT)" "y"
|
ifeq "$(CONFIG_UROOT)" "y"
|
||||||
@ -75,7 +75,7 @@ $(TPMDIR)/.manufacture:
|
|||||||
mkdir -p "$(TPMDIR)"
|
mkdir -p "$(TPMDIR)"
|
||||||
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
|
||||||
touch "$(TPMDIR)/.manufacture"
|
touch "$(TPMDIR)/.manufacture"
|
||||||
ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
|
ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
|
||||||
# Default to 20G disk
|
# Default to 20G disk
|
||||||
QEMU_DISK_SIZE?=20G
|
QEMU_DISK_SIZE?=20G
|
||||||
$(ROOT_DISK_IMG):
|
$(ROOT_DISK_IMG):
|
||||||
|
@ -0,0 +1 @@
|
|||||||
|
../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md
|