linuxboot · osresearch · Nov 4, 2020 · Nov 5, 2020 · Nov 5, 2020
diff --git a/Makefile b/Makefile
@@ -491,6 +491,8 @@ bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
 bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
 bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 bin_modules-$(CONFIG_NKSTORECLI) += nkstorecli
+bin_modules-$(CONFIG_OPENSSL) += openssl
+bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \

diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config
@@ -1,11 +1,11 @@
 CONFIG_ANY_TOOLCHAIN=y
 # CONFIG_INCLUDE_CONFIG_FILE is not set
-CONFIG_CBFS_SIZE=0x700000
+CONFIG_CBFS_SIZE=0xF00000
 # CONFIG_POST_IO is not set
 CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 # CONFIG_POST_DEVICE is not set
 CONFIG_DRIVERS_PS2_KEYBOARD=y
-CONFIG_COREBOOT_ROMSIZE_KB_8192=y
+CONFIG_COREBOOT_ROMSIZE_KB_16384=y
 CONFIG_PCIEXP_ASPM=y
 CONFIG_PCIEXP_COMMON_CLOCK=y
 CONFIG_UART_PCI_ADDR=0

diff --git a/initrd/etc/fstab b/initrd/etc/fstab
@@ -3,3 +3,4 @@ devpts		/dev/pts	devpts		defaults	0 0
 sysfs		/sys		sysfs		defaults	0 0
 proc		/proc		proc		defaults	0 0
 efivarfs	/sys/firmware/efi/efivars efivarfs defaults	0 0
+securityfs	/sys/kernel/security securityfs defaults        0 0
diff --git a/initrd/init b/initrd/init
@@ -16,6 +16,8 @@ mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
 mount /dev 2>/dev/ttyprintk
 mount /proc 2>/dev/ttyprintk
 mount /sys 2>/dev/ttyprintk
+mount /sys/kernel/security 2>/dev/ttyprintk
+
 if [ "$CONFIG_LINUXBOOT" = "y" ]; then
 	mount /sys/firmware/efi/efivars
 fi

diff --git a/modules/openssl b/modules/openssl
@@ -0,0 +1,36 @@
+# OpenSSL library
+modules-$(CONFIG_OPENSSL) += openssl
+
+openssl_version := 1_1_1h
+openssl_dir := openssl-$(openssl_version)
+openssl_tar := openssl-$(openssl_version).tar.gz
+openssl_url := https://github.com/openssl/openssl/archive/OpenSSL_$(openssl_version).tar.gz
+openssl_hash := d1f723c1f6b6d1eaf26655caa50d2f60d4d33f4b04977b1da63def878f386fcc
+
+# hack to provide path to libgcc
+LIBGCC_DIR := $(dir $(shell $(heads_cc) -print-libgcc-file-name))
+
+openssl_configure := \
+	$(CROSS_TOOLS) \
+	LDFLAGS="-L$(LIBGCC_DIR)" \
+	./Configure \
+		--prefix="/" \
+		linux-x86_64 \
+
+openssl_target := $(MAKE_JOBS) \
+	build_programs \
+	&& \
+	$(MAKE) \
+		-C "$(build)/$(openssl_dir)" \
+		DESTDIR="$(INSTALL)" \
+		LIBDIR="lib" \
+		install_sw \
+
+openssl_libraries := \
+	libcrypto.so.1.1 \
+	libssl.so.1.1 \
+
+openssl_output := \
+	apps/openssl \
+
+openssl_depends := $(musl_dep)
diff --git a/modules/tpm2-tools b/modules/tpm2-tools
@@ -0,0 +1,28 @@
+# TPM2 tools program
+modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
+
+#tpm2-tools_version := 4.3.0
+tpm2-tools_version := 78a7681
+tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git
+
+tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version)
+tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz
+tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar)
+tpm2-tools_hash := ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc
+
+# we have ESYS 3.0, but it doesn't figure that out on its own
+tpm2-tools_configure := ./bootstrap && ./configure \
+	$(CROSS_TOOLS) \
+	--host i386-elf-linux \
+	--prefix "/" \
+	TSS2_ESYS_3_0_CFLAGS="-I$(INSTALL)/include" \
+	TSS2_ESYS_3_0_LIBS="-ltss2-esys" \
+
+tpm2-tools_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+tpm2-tools_output := tools/tpm2
+
+tpm2-tools_depends := tpm2-tss $(musl_dep)
diff --git a/modules/tpm2-tss b/modules/tpm2-tss
@@ -0,0 +1,39 @@
+# TPM2 TSS library
+modules-$(CONFIG_TPM2_TSS) += tpm2-tss
+
+tpm2-tss_version := 2.4.3
+tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version)
+tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz
+tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar)
+tpm2-tss_hash := e294677f8993234d0adfa191a5cbf9c5b83cc60c724c233e3d631c26712abea0
+
+tpm2-tss_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--host i386-elf-linux \
+	--prefix "/" \
+	--disable-doxygen-doc \
+	--disable-doxygen-man \
+	--disable-doxygen-rtf \
+	--disable-doxygen-html \
+	--disable-fapi \
+
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+
+tpm2-tss_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+# tpm2 binary wants to dlopen some libraries, so be sure that
+# they are available.  It would be nice to statically link these.
+tpm2-tss_libraries := \
+	src/tss2-rc/.libs/libtss2-rc.so.0 \
+	src/tss2-mu/.libs/libtss2-mu.so.0 \
+	src/tss2-sys/.libs/libtss2-sys.so.0 \
+	src/tss2-esys/.libs/libtss2-esys.so.0 \
+	src/tss2-tcti/.libs/libtss2-tctildr.so.0 \
+	src/tss2-tcti/.libs/libtss2-tcti-device.so.0 \
+
+tpm2-tss_depends := openssl $(musl_dep)
diff --git a/patches/tpm2-tools.patch b/patches/tpm2-tools.patch
@@ -0,0 +1,21 @@
+diff --git a/Makefile.am b/Makefile.am
+index c58f0f34..a2bade09 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -93,7 +93,7 @@ tss2_tools = \
+
+ # Bundle all the tools into a single program similar to busybox
+ bin_PROGRAMS += tools/tpm2
+-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
++tools_tpm2_LDADD = $(LDADD)
+ tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
+ tools_tpm2_SOURCES = \
+ 	tools/tpm2_tool.c \
+@@ -127,7 +127,6 @@ tpm2_tools = \
+     tools/tpm2_encryptdecrypt.c \
+     tools/tpm2_evictcontrol.c \
+     tools/tpm2_flushcontext.c \
+-    tools/tpm2_getekcertificate.c \
+     tools/tpm2_getrandom.c \
+     tools/tpm2_gettime.c \
+     tools/tpm2_hash.c \