mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-20 21:43:11 +00:00
46cad549ef
- include nix tools inside of the docker to be able to call the garbage collector prior of creating docker. - protect roots from garbage collection (WiP) - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now. - CircleCI bumped to use v0.0.9 version including this - CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now. That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there TODO: - make docker creating nicer in the Nix way. - Add canokey support under targets/qemu.mk - add canokey board version At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9) - And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
110 lines
3.9 KiB
Makefile
110 lines
3.9 KiB
Makefile
# Targets for running in qemu, including:
|
|
# * virtual TPM
|
|
# * virtual disk image (configurable size)
|
|
# * virtual USB flash drive
|
|
# * configurable guest memory size
|
|
# * forwarded USB security token
|
|
|
|
# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
|
|
# keyring in QEMU. Otherwise use the plain ROM, some things can still be tested
|
|
# that way without a GPG key.
|
|
ifneq "$(PUBKEY_ASC)" ""
|
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
|
|
else
|
|
QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
|
|
endif
|
|
|
|
ifeq "$(CONFIG_TPM2_TSS)" "y"
|
|
SWTPM_TPMVER := --tpm2
|
|
SWTPM_PRESETUP := swtpm_setup --create-config-files root skip-if-exist
|
|
else
|
|
# TPM1 is the default
|
|
SWTPM_TPMVER :=
|
|
# No pre-setup
|
|
SWTPM_PRESETUP := true
|
|
endif
|
|
|
|
#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
|
|
TPMDIR=$(build)/$(BOARD)/vtpm
|
|
$(TPMDIR)/.manufacture:
|
|
mkdir -p "$(TPMDIR)"
|
|
$(SWTPM_PRESETUP)
|
|
swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram $(SWTPM_TPMVER)
|
|
touch "$(TPMDIR)/.manufacture"
|
|
ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
|
|
# Default to 20G disk
|
|
QEMU_DISK_SIZE?=20G
|
|
$(ROOT_DISK_IMG):
|
|
qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
|
|
# Remember the amount of memory so it doesn't have to be specified every time.
|
|
# Default to 4G, most bootable OSes are not usable with less.
|
|
QEMU_MEMORY_SIZE?=4G
|
|
MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
|
|
$(MEMORY_SIZE_FILE):
|
|
@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
|
|
USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
|
|
$(USB_FD_IMG):
|
|
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
|
|
# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
|
|
# though it is meaningful to use mkfs.vfat (etc.) as non-root
|
|
MKFS_VFAT=mkfs.vfat; \
|
|
[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
|
|
"$$MKFS_VFAT" "$(USB_FD_IMG)"
|
|
# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
|
|
# of the temporary flash drive for exporting GPG keys.
|
|
ifneq "$(INSTALL_IMG)" ""
|
|
QEMU_USB_FD_IMG := $(INSTALL_IMG)
|
|
else
|
|
QEMU_USB_FD_IMG := $(USB_FD_IMG)
|
|
endif
|
|
# To forward a USB token, set USB_TOKEN to one of the following:
|
|
# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
|
|
# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
|
|
# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
|
|
# - LibremKey - forwards a Librem Key by VID:PID
|
|
# - <other> - Provide the QEMU usb-host parameters, such as
|
|
# 'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
|
|
ifeq "$(USB_TOKEN)" "NitrokeyPro"
|
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
|
|
else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
|
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
|
|
else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
|
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
|
|
else ifeq "$(USB_TOKEN)" "LibremKey"
|
|
QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
|
|
else ifneq "$(USB_TOKEN)" ""
|
|
QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
|
|
endif
|
|
|
|
run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
|
|
swtpm socket \
|
|
$(SWTPM_TPMVER) \
|
|
--tpmstate dir="$(TPMDIR)" \
|
|
--flags "startup-clear" \
|
|
--terminate \
|
|
--ctrl type=unixio,path="$(TPMDIR)/sock" &
|
|
sleep 0.5
|
|
|
|
-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
|
|
--machine q35,accel=kvm:tcg \
|
|
-rtc base=utc \
|
|
-smp 1 \
|
|
-vga std \
|
|
-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
|
|
-serial stdio \
|
|
--bios "$(QEMU_BOOT_ROM)" \
|
|
-object rng-random,filename=/dev/urandom,id=rng0 \
|
|
-device virtio-rng-pci,rng=rng0 \
|
|
-netdev user,id=u1 -device e1000,netdev=u1 \
|
|
-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
|
|
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
|
-device tpm-tis,tpmdev=tpm0 \
|
|
-device qemu-xhci,id=usb \
|
|
-device usb-tablet \
|
|
-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
|
|
-device usb-storage,bus=usb.0,drive=usb-fd-drive \
|
|
$(QEMU_USB_TOKEN_DEV) \
|
|
|
|
stty sane
|
|
@echo
|