From eca06f519f79acbd0bcf372b855ad89620ac8031 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Fri, 20 Nov 2020 10:42:58 -0500
Subject: [PATCH] safeboot: add encrypted rootfs

---
 boards/safeboot/safeboot.config | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/boards/safeboot/safeboot.config b/boards/safeboot/safeboot.config
index f3a87427..f225d130 100644
--- a/boards/safeboot/safeboot.config
+++ b/boards/safeboot/safeboot.config
@@ -1,6 +1,6 @@
-# Configuration for building a coreboot ROM that works in the.
-# the qemu emulator. Note that the TPM does not work, so this
-# will just drop into the recovery shell.
+# Configuration for building a safeboot loader that works with
+# the qemu emulator using either coreboot or the ovmf (UEFI) firmware.
+# This will also launch the swtpm emulator for testing out attestation.
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.8.1
 export CONFIG_LINUX_VERSION=5.4.69
@@ -8,6 +8,9 @@ export CONFIG_LINUX_VERSION=5.4.69
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
 CONFIG_LINUX_CONFIG=config/linux-safeboot.config
 
+CONFIG_KEYFILE=$(build)/$(BOARD)/key.bin
+CONFIG_ROOTFS=$(HOME)/debian/safeboot-recovery/root.squashfs
+
 ifeq "$(CONFIG_UROOT)" "y"
 CONFIG_BUSYBOX=n
 else
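Review bot: `CONFIG_ROOTFS` is pinned with `=` to a path under `$(HOME)` that nothing in this config builds, so the squashfs must already exist at exactly that location and the only way to point the build elsewhere is to edit the file; `CONFIG_ROOTFS ?= $(HOME)/debian/safeboot-recovery/root.squashfs` (and likewise for `CONFIG_KEYFILE`) would let a caller override it on the command line, assuming the surrounding build does not already export these from the environment. A one-line comment above it naming what produces that file would save the next reader a search. The `ifeq` block this hunk ends in continues outside the hunk.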
@@ -102,10 +105,28 @@ $(build)/$(BOARD)/hda1.bin: $(build)/$(BOARD)/unified.efi
 	"$(build)/$(BOARD)/hda1.bin" \
 	"$(build)/$(BOARD)/hda1/boot"
 
-$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin
+$(CONFIG_KEYFILE):
+	echo -n "abcd1234" > "$@"
+$(build)/$(BOARD)/hda2.bin: $(CONFIG_KEYFILE) $(CONFIG_ROOTFS)
+	fallocate -l 512M "$@.tmp"
+	cryptsetup \
+	-y luksFormat \
+	--pbkdf pbkdf2 \
+	"$@.tmp" \
+	"$(CONFIG_KEYFILE)"
+	cryptsetup luksOpen \
+	--key-file "$(CONFIG_KEYFILE)" \
+	"$@.tmp" \
+	test-luks
+	#mkfs.ext4 /dev/mapper/test-luks
+	cat "$(CONFIG_ROOTFS)" > /dev/mapper/test-luks
+	cryptsetup luksClose test-luks
+	mv "$@.tmp" "$@"
+
+$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin $(build)/$(BOARD)/hda2.bin
 	$(build)/$(safeboot_dir)/sbin/mkgpt \
 	"$@" \
-	"$<"
+	$^
 
 run-ovmf: $(build)/$(BOARD)/hda.bin
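Review bot: The `luksOpen` in the new hda2.bin recipe maps the volume under the fixed name `test-luks` and only runs `luksClose` on the success path, so if the `cat` fails (for example a rootfs larger than the 512M image) the mapping and `$@.tmp` are left behind, the next run's `luksOpen` fails because the name is already taken, and two boards building in parallel would race on the same mapper node. The key file written by `echo -n "abcd1234" > "$@"` is created under the default umask, so the LUKS key sits world-readable in the build tree; `umask 077 && echo -n "abcd1234" > "$@"` plus a comment such as `# fixed test-only secret for the qemu image, not for real hardware` would make the intent explicit. Separately, cryptsetup ignores `-y` when the passphrase comes from a file, and the `#mkfs.ext4` line is a dead shell comment inside the recipe that should be dropped. The sketch below derives the mapping name from `$(BOARD)` and closes it on failure; the cleanup idiom may want to match how the rest of the tree handles temporaries.
```make
$(CONFIG_KEYFILE):
	umask 077 && echo -n "abcd1234" > "$@"
$(build)/$(BOARD)/hda2.bin: $(CONFIG_KEYFILE) $(CONFIG_ROOTFS)
	fallocate -l 512M "$@.tmp"
	# … unchanged: cryptsetup luksFormat of "$@.tmp" …
	cryptsetup luksOpen \
		--key-file "$(CONFIG_KEYFILE)" \
		"$@.tmp" \
		"safeboot-$(BOARD)-hda2"
	cat "$(CONFIG_ROOTFS)" > "/dev/mapper/safeboot-$(BOARD)-hda2" \
		|| { cryptsetup luksClose "safeboot-$(BOARD)-hda2"; rm -f "$@.tmp"; exit 1; }
	cryptsetup luksClose "safeboot-$(BOARD)-hda2"
	mv "$@.tmp" "$@"
```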