diff --git a/Makefile b/Makefile
index 44023aed6..70aca77b6 100644
--- a/Makefile
+++ b/Makefile
@@ -491,6 +491,8 @@ bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
 bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
 bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 bin_modules-$(CONFIG_NKSTORECLI) += nkstorecli
+bin_modules-$(CONFIG_OPENSSL) += openssl
+bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config
index 8a3fd6d28..15c01a9c3 100644
--- a/config/coreboot-qemu.config
+++ b/config/coreboot-qemu.config
@@ -1,11 +1,11 @@
 CONFIG_ANY_TOOLCHAIN=y
 # CONFIG_INCLUDE_CONFIG_FILE is not set
-CONFIG_CBFS_SIZE=0x700000
+CONFIG_CBFS_SIZE=0xF00000
 # CONFIG_POST_IO is not set
 CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 # CONFIG_POST_DEVICE is not set
 CONFIG_DRIVERS_PS2_KEYBOARD=y
-CONFIG_COREBOOT_ROMSIZE_KB_8192=y
+CONFIG_COREBOOT_ROMSIZE_KB_16384=y
 CONFIG_PCIEXP_ASPM=y
 CONFIG_PCIEXP_COMMON_CLOCK=y
 CONFIG_UART_PCI_ADDR=0
diff --git a/initrd/etc/fstab b/initrd/etc/fstab
index 43d34e012..69987bddb 100644
--- a/initrd/etc/fstab
+++ b/initrd/etc/fstab
@@ -3,3 +3,4 @@ devpts /dev/pts devpts defaults 0 0
 sysfs /sys sysfs defaults 0 0
 proc /proc proc defaults 0 0
 efivarfs /sys/firmware/efi/efivars efivarfs defaults 0 0
+securityfs /sys/kernel/security securityfs defaults 0 0
diff --git a/initrd/init b/initrd/init
index 660e4dfea..c5cda6074 100755
--- a/initrd/init
+++ b/initrd/init
@@ -16,6 +16,8 @@ mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
 mount /dev 2>/dev/ttyprintk
 mount /proc 2>/dev/ttyprintk
 mount /sys 2>/dev/ttyprintk
+mount /sys/kernel/security 2>/dev/ttyprintk
+
 if [ "$CONFIG_LINUXBOOT" = "y" ]; then
 	mount /sys/firmware/efi/efivars
 fi
diff --git a/modules/openssl b/modules/openssl
new file mode 100644
index 000000000..9084e4c5e
--- /dev/null
+++ b/modules/openssl
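Review bot: `bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools` only pulls the binary in, while the module chain it needs (tpm2-tools → tpm2-tss → openssl, per the `_depends` lines in the new module files) is gated by three independent knobs, CONFIG_TPM2_TOOLS, CONFIG_TPM2_TSS and CONFIG_OPENSSL, and nothing ties them together. If module build rules are generated only for `modules-y`, as the foreach over `bin_modules-y` here suggests, a board that sets only CONFIG_TPM2_TOOLS=y ends up depending on a `tpm2-tss` target that has no rule. Either make the board configs set all three and say so in a comment next to these two lines, or fail early at parse time: `ifeq ($(CONFIG_TPM2_TOOLS),y)` / `$(if $(and $(filter y,$(CONFIG_TPM2_TSS)),$(filter y,$(CONFIG_OPENSSL))),,$(error CONFIG_TPM2_TOOLS requires CONFIG_TPM2_TSS=y and CONFIG_OPENSSL=y))` / `endif`.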
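Review bot: The new `mount /sys/kernel/security 2>/dev/ttyprintk` line gives no hint of why securityfs is now mounted on every board, unlike the efivars mount just below it, which is guarded by CONFIG_LINUXBOOT and reads as deliberate. A one-line comment naming the consumer would help the next reader, e.g. `# securityfs: needed by the TPM2 tooling added alongside this (event log) — TODO confirm which consumer`. Note that on a kernel built without securityfs this mount fails with only a line on ttyprintk, so whatever reads from /sys/kernel/security later has to tolerate an empty directory.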
@@ -0,0 +1,36 @@
+# OpenSSL library
+modules-$(CONFIG_OPENSSL) += openssl
+
+openssl_version := 1_1_1h
+openssl_dir := openssl-$(openssl_version)
+openssl_tar := openssl-$(openssl_version).tar.gz
+openssl_url := https://github.com/openssl/openssl/archive/OpenSSL_$(openssl_version).tar.gz
+openssl_hash := d1f723c1f6b6d1eaf26655caa50d2f60d4d33f4b04977b1da63def878f386fcc
+
+# hack to provide path to libgcc
+LIBGCC_DIR := $(dir $(shell $(heads_cc) -print-libgcc-file-name))
+
+openssl_configure := \
+	$(CROSS_TOOLS) \
+	LDFLAGS="-L$(LIBGCC_DIR)" \
+	./Configure \
+	--prefix="/" \
+	linux-x86_64 \
+
+openssl_target := $(MAKE_JOBS) \
+	build_programs \
+	&& \
+	$(MAKE) \
+	-C "$(build)/$(openssl_dir)" \
+	DESTDIR="$(INSTALL)" \
+	LIBDIR="lib" \
+	install_sw \
+
+openssl_libraries := \
+	libcrypto.so.1.1 \
+	libssl.so.1.1 \
+
+openssl_output := \
+	apps/openssl \
+
+openssl_depends := $(musl_dep)
diff --git a/modules/tpm2-tools b/modules/tpm2-tools
new file mode 100644
index 000000000..2d34ce005
--- /dev/null
+++ b/modules/tpm2-tools
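Review bot: `openssl_dir := openssl-$(openssl_version)` expands to openssl-1_1_1h, but a GitHub archive tarball for tag OpenSSL_$(openssl_version) normally unpacks into a top-level directory named after the tag (openssl-OpenSSL_1_1_1h); since `-C "$(build)/$(openssl_dir)"` in openssl_target and presumably the extraction step look for that exact directory, the two names need to agree — confirm against the actual tarball. Separately, GitHub auto-generated archives are not guaranteed to stay byte-identical over time, so the pinned openssl_hash is a less durable supply-chain anchor than the hash of the release tarball published on openssl.org, which also has an upstream signature; consider `openssl_url := https://www.openssl.org/source/openssl-1.1.1h.tar.gz` with `openssl_dir`/`openssl_tar` adjusted to that naming. `LIBGCC_DIR` is a global, non-namespaced name whose `$(shell …)` runs at parse time for every board, including those with CONFIG_OPENSSL unset; `openssl_libgcc_dir` would keep it local to this module and avoid clashing with any other file that picks the same name.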
@@ -0,0 +1,28 @@
+# TPM2 tools program
+modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
+
+#tpm2-tools_version := 4.3.0
+tpm2-tools_version := 78a7681
+tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git
+
+tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version)
+tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz
+tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar)
+tpm2-tools_hash := ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc
+
+# we have ESYS 3.0, but it doesn't figure that out on its own
+tpm2-tools_configure := ./bootstrap && ./configure \
+	$(CROSS_TOOLS) \
+	--host i386-elf-linux \
+	--prefix "/" \
+	TSS2_ESYS_3_0_CFLAGS="-I$(INSTALL)/include" \
+	TSS2_ESYS_3_0_LIBS="-ltss2-esys" \
+
+tpm2-tools_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+tpm2-tools_output := tools/tpm2
+
+tpm2-tools_depends := tpm2-tss $(musl_dep)
diff --git a/modules/tpm2-tss b/modules/tpm2-tss
new file mode 100644
index 000000000..bf648ce3f
--- /dev/null
+++ b/modules/tpm2-tss
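Review bot: `tpm2-tools_version := 78a7681` is an abbreviated git commit id, yet `tpm2-tools_url` and `tpm2-tools_hash` are still derived as if it were a release tag: `releases/download/78a7681/tpm2-tools-78a7681.tar.gz` is not a release asset, and the hash presumably belongs to the commented-out 4.3.0 tarball. Whichever of `_repo` or `_url` the build framework prefers, the other set of lines is dead and misleading, and a 7-character commit is a weaker pin than a hashed tarball or a full 40-character commit id. Either restore `tpm2-tools_version := 4.3.0` with the matching release URL and hash, or keep the git checkout but pin the full commit id, drop the `_url`/`_hash` lines, and add a comment saying why a post-4.3.0 commit is needed.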
@@ -0,0 +1,39 @@
+# TPM2 TSS library
+modules-$(CONFIG_TPM2_TSS) += tpm2-tss
+
+tpm2-tss_version := 2.4.3
+tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version)
+tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz
+tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar)
+tpm2-tss_hash := e294677f8993234d0adfa191a5cbf9c5b83cc60c724c233e3d631c26712abea0
+
+tpm2-tss_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--host i386-elf-linux \
+	--prefix "/" \
+	--disable-doxygen-doc \
+	--disable-doxygen-man \
+	--disable-doxygen-rtf \
+	--disable-doxygen-html \
+	--disable-fapi \
+
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+
+tpm2-tss_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+# tpm2 binary wants to dlopen some libraries, so be sure that
+# they are available. It would be nice to statically link these.
+tpm2-tss_libraries := \
+	src/tss2-rc/.libs/libtss2-rc.so.0 \
+	src/tss2-mu/.libs/libtss2-mu.so.0 \
+	src/tss2-sys/.libs/libtss2-sys.so.0 \
+	src/tss2-esys/.libs/libtss2-esys.so.0 \
+	src/tss2-tcti/.libs/libtss2-tctildr.so.0 \
+	src/tss2-tcti/.libs/libtss2-tcti-device.so.0 \
+
+tpm2-tss_depends := openssl $(musl_dep)
diff --git a/patches/tpm2-tools.patch b/patches/tpm2-tools.patch
new file mode 100644
index 000000000..ed5233d9b
--- /dev/null
+++ b/patches/tpm2-tools.patch
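Review bot: The comment above `tpm2-tss_target` describes a two-pass build ("Run one build … then a second make to install"), but the target that follows is a single `install` invocation, so the comment no longer matches the code and reads as copied from another module. Either drop it or replace it with what the line actually does: `# Build and install in one pass straight into $(INSTALL) via DESTDIR`. The `--host i386-elf-linux` triple is consistent with the tpm2-tools module in this same change, so that part needs no comment.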
@@ -0,0 +1,21 @@
+diff --git a/Makefile.am b/Makefile.am
+index c58f0f34..a2bade09 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -93,7 +93,7 @@ tss2_tools = \
+ 
+ # Bundle all the tools into a single program similar to busybox
+ bin_PROGRAMS += tools/tpm2
+-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
++tools_tpm2_LDADD = $(LDADD)
+ tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
+ tools_tpm2_SOURCES = \
+ 	tools/tpm2_tool.c \
+@@ -127,7 +127,6 @@ tpm2_tools = \
+ 	tools/tpm2_encryptdecrypt.c \
+ 	tools/tpm2_evictcontrol.c \
+ 	tools/tpm2_flushcontext.c \
+-	tools/tpm2_getekcertificate.c \
+ 	tools/tpm2_getrandom.c \
+ 	tools/tpm2_gettime.c \
+ 	tools/tpm2_hash.c \
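Review bot: The patch carries no preamble explaining why `$(CURL_LIBS)` is dropped from `tools_tpm2_LDADD` and `tools/tpm2_getekcertificate.c` is removed from the tool list, and the patch header is where that intent normally lives. A short description above the first `diff --git` line, along the lines of `Drop tpm2_getekcertificate and with it the libcurl link dependency, which the Heads initrd does not provide`, would document it — confirm the reason before settling on the wording. Since the module runs `./bootstrap && ./configure`, this Makefile.am edit alone will not remove the dependency if upstream's configure.ac still probes for libcurl unconditionally; worth checking that the configure step succeeds without libcurl in the cross sysroot.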