safeboot: add encrypted rootfs

boards/safeboot/safeboot.config

@@ -1,6 +1,6 @@
-# Configuration for building a coreboot ROM that works in the.
-# the qemu emulator.  Note that the TPM does not work, so this
-# will just drop into the recovery shell.
+# Configuration for building a safeboot loader that works with
+# the qemu emulator using either coreboot or the ovmf (UEFI) firmware.
+# This will also launch the swtpm emulator for testing out attestation.
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.8.1
 export CONFIG_LINUX_VERSION=5.4.69
@@ -8,6 +8,9 @@ export CONFIG_LINUX_VERSION=5.4.69
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
 CONFIG_LINUX_CONFIG=config/linux-safeboot.config
 
+CONFIG_KEYFILE=$(build)/$(BOARD)/key.bin
+CONFIG_ROOTFS=$(HOME)/debian/safeboot-recovery/root.squashfs
+
 ifeq "$(CONFIG_UROOT)" "y"
 CONFIG_BUSYBOX=n
 else
@@ -102,10 +105,28 @@ $(build)/$(BOARD)/hda1.bin: $(build)/$(BOARD)/unified.efi
 		"$(build)/$(BOARD)/hda1.bin" \
 		"$(build)/$(BOARD)/hda1/boot"
 
-$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin
+$(CONFIG_KEYFILE):
+	echo -n "abcd1234" > "$@"
+$(build)/$(BOARD)/hda2.bin: $(CONFIG_KEYFILE) $(CONFIG_ROOTFS)
+	fallocate -l 512M "$@.tmp"
+	cryptsetup \
+		-y luksFormat \
+		--pbkdf pbkdf2 \
+		"$@.tmp" \
+		"$(CONFIG_KEYFILE)"
+	cryptsetup luksOpen \
+		--key-file "$(CONFIG_KEYFILE)" \
+		"$@.tmp" \
+		test-luks
+	#mkfs.ext4 /dev/mapper/test-luks
+	cat "$(CONFIG_ROOTFS)" > /dev/mapper/test-luks
+	cryptsetup luksClose test-luks
+	mv "$@.tmp" "$@"
+
+$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin $(build)/$(BOARD)/hda2.bin
 	$(build)/$(safeboot_dir)/sbin/mkgpt \
 		"$@" \
-		"$<"
+		$^
 
 
 run-ovmf: $(build)/$(BOARD)/hda.bin