From c0f3a4bb79fda146c2733f42ff625e51e25068ba Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Sun, 29 Apr 2018 19:58:44 -0700 Subject: [PATCH] Read and measure an EFI file into initrd during init --- boards/qemu-linuxboot/qemu-linuxboot.config | 2 +- initrd/bin/cbfs-init | 11 +++----- initrd/bin/key-init | 8 ++++++ initrd/bin/uefi-init | 28 +++++++++++++++++++++ initrd/init | 4 +++ modules/flashtools | 1 + modules/linuxboot | 6 +++++ 7 files changed, 52 insertions(+), 8 deletions(-) create mode 100755 initrd/bin/key-init create mode 100755 initrd/bin/uefi-init diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 2480ebd9..f7114174 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -1,6 +1,6 @@ # Configuration for emulating LinuxBoot+Heads with qemu # -CONFIG_LINUXBOOT=y +export CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_BOARD=qemu CONFIG_LINUX_CONFIG=config/linux-linuxboot.config diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init index 9c80d8bd..ee6276a8 100755 --- a/initrd/bin/cbfs-init +++ b/initrd/bin/cbfs-init @@ -3,8 +3,8 @@ set -e -o pipefail . /etc/functions # Update initrd with CBFS files -if [ -z "$CBFS_PCR" ]; then - CBFS_PCR=7 +if [ -z "$CONFIG_PCR" ]; then + CONFIG_PCR=7 fi # Load individual files @@ -22,13 +22,10 @@ for cbfsname in `echo $cbfsfiles`; do TMPFILE=/tmp/cbfs.$$ echo "$filename" > $TMPFILE cat $filename >> $TMPFILE - tpm extend -ix "$CBFS_PCR" -if $TMPFILE \ + tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \ || die "$filename: tpm extend failed" fi fi done -# TODO: copy CBFS file named "initrd.tgz" to /tmp, measure and extract - -# Post processing of keys -gpg --import /.gnupg/keys/* 2>/dev/null || true +# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract diff --git a/initrd/bin/key-init b/initrd/bin/key-init new file mode 100755 index 00000000..2d684a8d --- /dev/null +++ b/initrd/bin/key-init 
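Review bot: The `CONFIG_PCR` default-to-7 block in cbfs-init's first hunk is duplicated verbatim in the new uefi-init, so the PCR that ROM-sourced files are measured into is now defined in two scripts and a later change to one of them would silently desynchronise the other. Since both scripts already source `/etc/functions`, the default belongs there (or in the board config) with the per-script blocks reduced to a check that it is set. The rename also means any environment or config that still exports `CBFS_PCR` is silently ignored from this commit on; a one-line comment above the block, `# CONFIG_PCR (formerly CBFS_PCR) is shared with uefi-init`, would make both the rename and the coupling visible to the next reader.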
@@ -0,0 +1,8 @@ +#!/bin/ash +set -e -o pipefail +. /etc/functions + +# Post processing of keys +gpg --import /.gnupg/keys/* 2>/dev/null || true + +# TODO: split out gpg keys into multiple rings by function diff --git a/initrd/bin/uefi-init b/initrd/bin/uefi-init new file mode 100755 index 00000000..600d2072 --- /dev/null +++ b/initrd/bin/uefi-init @@ -0,0 +1,28 @@ +#!/bin/ash +set -e -o pipefail +. /etc/functions + +# Update initrd with CBFS files +if [ -z "$CONFIG_PCR" ]; then + CONFIG_PCR=7 +fi + +CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572" + +# copy EFI file named $CONFIG_GUID to /tmp, measure and extract +GUID=`uefi -l | grep "^$CONFIG_GUID"` + +if [ -n "GUID" ]; then + echo "Loading $GUID from ROM" + TMPFILE=/tmp/uefi.$$ + uefi -r $GUID | gunzip -c > $TMPFILE \ + || die "Failed to read config GUID from ROM" + + if [ "$CONFIG_TPM" = "y" ]; then + tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \ + || die "$filename: tpm extend failed" + fi + + ( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \ + || die "Failed to extract config GUID" +fi diff --git a/initrd/init b/initrd/init index 4bc5e865..d489f6ae 100755 --- a/initrd/init +++ b/initrd/init @@ -54,6 +54,10 @@ fi if [ "$CONFIG_COREBOOT" = "y" ]; then /bin/cbfs-init fi +if [ "$CONFIG_LINUXBOOT" = "y" ]; then + /bin/uefi-init +fi +/bin/key-init # Setup recovery serial shell if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then diff --git a/modules/flashtools b/modules/flashtools index fddd761e..d95c2152 100644 --- a/modules/flashtools +++ b/modules/flashtools @@ -21,6 +21,7 @@ flashtools_output := \ peek \ poke \ cbfs \ + uefi \ flashtools_libraries := \ diff --git a/modules/linuxboot b/modules/linuxboot index 7392bc2e..822b664c 100644 --- a/modules/linuxboot +++ b/modules/linuxboot 
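Review bot: `gpg --import /.gnupg/keys/* 2>/dev/null || true` in the new key-init discards both gpg's exit status and its diagnostics, so an empty `/.gnupg/keys/` (the unmatched glob is then passed literally) or a corrupt key file leaves the keyring empty with no trace in the boot log. The line was already written this way before it was moved out of cbfs-init, but as a standalone script this is the natural place to at least report the failure, e.g. `gpg --import /.gnupg/keys/* 2>/dev/null || echo "key-init: gpg key import failed" >&2`. Whether an empty keyring should be fatal depends on how later signature checks treat it, which is outside this patch.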
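Review bot: `if [ -n "GUID" ]; then` in uefi-init tests the literal string `GUID`, which is always non-empty, so the body runs even when `uefi -l | grep "^$CONFIG_GUID"` matched nothing; it should read `if [ -n "$GUID" ]; then`. In practice the typo is masked because under `set -e` a failing `grep` inside the backtick assignment already aborts the script, so a ROM without the config file makes uefi-init exit with no message rather than skip gracefully; if a missing file is meant to be non-fatal the lookup needs `|| true` (or `|| GUID=`) so the guard is actually reached. Two smaller points in the same hunk: `die "$filename: tpm extend failed"` references `$filename`, which this script never sets (it was copied from cbfs-init; `$GUID` or `$TMPFILE` is meant), and `cpio -iud < $TMPFILE 2>/dev/null` hides cpio's diagnostics for content being extracted over `/`, so a failure is reported only as the bare `die`. The extend into `$CONFIG_PCR` correctly precedes extraction, but it measures the gunzipped archive rather than the raw ROM bytes, which is worth stating in a comment next to the `tpm extend` line.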
@@ -24,10 +24,15 @@ linuxboot_configure := \ fi ; \ touch .config ; \ +ifdef CUSTOM + CUSTOMPWD=$(pwd)/$(CUSTOM) +endif + linuxboot_target := \ BOARD=$(linuxboot_board) \ KERNEL=$(build)/$(BOARD)/bzImage \ INITRD=$(build)/$(BOARD)/initrd.cpio.xz \ + CUSTOM=$(CUSTOMPWD) \ $(if $(CONFIG_LINUXBOOT_ROM), ROM=$(pwd)/$(CONFIG_LINUXBOOT_ROM)) \ all @@ -74,4 +79,5 @@ linuxboot.run: $(build)/$(BOARD)/linuxboot.rom BOARD:=$(linuxboot_board) \ KERNEL=$(build)/$(BOARD)/bzImage \ INITRD=$(build)/$(BOARD)/initrd.cpio.xz \ + CUSTOM=$(CUSTOMPWD) \ run
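Review bot: `CUSTOM=$(CUSTOMPWD)` in linuxboot_target is passed unconditionally, so when `CUSTOM` is not defined the sub-make receives an empty `CUSTOM=` argument, whereas the neighbouring `ROM=` is wrapped in `$(if $(CONFIG_LINUXBOOT_ROM), …)`; the same applies to the `run` hunk at `@@ -74,4`. Unless the linuxboot build treats an empty `CUSTOM` as unset (not visible here), guard it the same way in both places, `$(if $(CUSTOMPWD), CUSTOM=$(CUSTOMPWD)) \`. The `ifdef CUSTOM … endif` block can then collapse to a single `CUSTOMPWD := $(if $(CUSTOM),$(pwd)/$(CUSTOM))`, which also avoids placing a conditional directly after a backslash-continued definition, where a missing blank line would pull `ifdef` into the preceding value. The `linuxboot_configure` definition that precedes the new block starts outside the hunk.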