sgi/build-test-secureboot: add build support for validating secure boot

Add support for building the fip and disk images for validating secure
boot functionality on Arm's SGI platforms. The build packages busybox
as the filesystem and places all the required signatures into the EFI
parition.

Change-Id: Ie9f82f3954cc86dc44756256908cc98a2d2d4b11
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>

1 files changed, 250 insertions, 0 deletions

diff --git a/sgi/build-test-secureboot.sh b/sgi/build-test-secureboot.sh
new file mode 100755
index 0000000..3024640
--- /dev/null
+++ b/sgi/build-test-secureboot.sh
@@ -0,0 +1,250 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# Neither the name of ARM nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+#List of supported
+declare -A sgi_platforms
+sgi_platforms[sgi575]=1
+
+__print_supported_sgi_platforms()
+{
+	echo "Supported platforms are -"
+	for plat in "${!sgi_platforms[@]}" ;
+		do
+			printf "\t $plat \n"
+	  	done
+	echo
+}
+
+__print_usage()
+{
+	echo "Usage: ./build-scripts/build-secureboot.sh -p <platform> <command>"
+	__print_supported_sgi_platforms
+	echo "Supported build commands are - clean/build/package/all"
+	echo
+	exit
+}
+
+#callback from build-all.sh to override any build configs
+__do_override_build_configs()
+{
+        echo "build-secureboot.sh: adding UEFI_EXTRA_BUILD_PARAMS build configuration"
+        export UEFI_EXTRA_BUILD_PARAMS="-D SMM_RUNTIME=TRUE -D SECURE_BOOT_ENABLE=TRUE"
+        echo $UEFI_EXTRA_BUILD_PARAMS
+}
+
+parse_params() {
+	#Parse the named parameters
+	while getopts "p:" opt; do
+		case $opt in
+			p)
+				SGI_PLATFORM="$OPTARG"
+				;;
+		esac
+	done
+
+	#The clean/build/package/all should be after the other options
+	#So grab the parameters after the named param option index
+	BUILD_CMD=${@:$OPTIND:1}
+
+	#Ensure that the platform is supported
+	if [ -z "$SGI_PLATFORM" ] ; then
+		__print_usage
+	fi
+	if [ -z "${sgi_platforms[$SGI_PLATFORM]}" ] ; then
+		echo "[ERROR] Could not deduce which platform to build."
+		__print_supported_sgi_platforms
+		exit
+	fi
+
+	#Ensure a build command is specified
+	if [ -z "$BUILD_CMD" ] ; then
+		__print_usage
+	fi
+}
+
+#parse the command line parameters
+parse_params $@
+
+#override the command line parameters for build-all.sh
+set -- "-p $SGI_PLATFORM -f busybox $BUILD_CMD"
+source ./build-scripts/build-all.sh
+
+#------------------------------------------
+# Generate the disk image for secure boot
+#------------------------------------------
+
+#variables for image generation
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+TOP_DIR=`pwd`
+PLATDIR=${TOP_DIR}/output/$SGI_PLATFORM
+OUTDIR=${PLATDIR}/components
+GRUB_FS_CONFIG_FILE=${TOP_DIR}/build-scripts/configs/$SGI_PLATFORM/grub_config/busybox.cfg
+GRUB_FS_VALIDATION_CONFIG_FILE=${TOP_DIR}/build-scripts/configs/$SGI_PLATFORM/grub_config/busybox-dhcp.cfg
+
+create_cfgfiles ()
+{
+	local fatpart_name="$1"
+
+	if [ "$VALIDATION_LVL" == 1 ]; then
+		mcopy -i  $fatpart_name -o ${GRUB_FS_CONFIG_FILE} ::/grub/grub.cfg
+	else
+		mcopy -i $fatpart_name -o ${GRUB_FS_VALIDATION_CONFIG_FILE} ::/grub/grub.cfg
+	fi
+}
+
+create_fatpart ()
+{
+	local fatpart="$1"
+
+	dd if=/dev/zero of=$fatpart bs=$BLOCK_SIZE count=$FAT_SIZE
+	mkfs.vfat $fatpart
+	mmd -i $fatpart ::/EFI
+	mmd -i $fatpart ::/EFI/BOOT
+	mmd -i $fatpart ::/grub
+	mcopy -i $fatpart bootaa64.efi ::/EFI/BOOT
+
+	#Load PK,KEK,DB and DBX into fatpart
+	mcopy -i $fatpart $TOP_DIR/tools/efitools/PK.der ::/EFI/BOOT
+	mcopy -i $fatpart $TOP_DIR/tools/efitools/KEK.der ::/EFI/BOOT
+	mcopy -i $fatpart $TOP_DIR/tools/efitools/DB.der ::/EFI/BOOT
+	mcopy -i $fatpart $TOP_DIR/tools/efitools/DBX.der ::/EFI/BOOT
+}
+
+create_imagepart ()
+{
+	local image_name="$1"
+	local image_size="$2"
+	local ext3part_name="$3"
+
+	cat fat_part >> $image_name
+	cat $ext3part_name >> $image_name
+	(echo n; echo p; echo 1; echo $PART_START; echo +$((FAT_SIZE-1)); echo t; echo 6; echo n; echo p; echo 2; echo $((PART_START+FAT_SIZE)); echo +$(($image_size-1)); echo w) | fdisk $image_name
+	cp $image_name $PLATDIR
+}
+
+create_ext3part ()
+{
+	local ext3part_name="$1"
+	local ext3size=$2
+	local rootfs_file=$3
+
+	#Sign the kernel image and copy back the Signed image
+	cp $OUTDIR/linux/Image $TOP_DIR/tools/efitools/Image
+	pushd $TOP_DIR/tools/efitools
+	sbsign --key DB.key --cert DB.crt --output Image_signed Image
+	cp Image_signed $OUTDIR/linux/Image
+	popd
+
+	echo "create_ext3part: ext3part_name = $ext3part_name ext3size = $ext3size rootfs_file = $rootfs_file"
+	dd if=/dev/zero of=$ext3part_name bs=$BLOCK_SIZE count=$ext3size
+	mkdir -p mnt
+	#umount if it has been mounted
+	if [[ $(findmnt -M "mnt") ]]; then
+		fusermount -u mnt
+	fi
+	mkfs.ext3 -F $ext3part_name
+	fuse-ext2 $ext3part_name mnt -o rw+
+	cp $OUTDIR/linux/Image ./mnt
+	cp $PLATDIR/ramdisk-busybox.img ./mnt
+	sync
+	fusermount -u mnt
+	rm -rf mnt
+}
+
+prepare_disk_image ()
+{
+	pushd $TOP_DIR/$GRUB_PATH/output
+	local IMG_BB=grub-busybox.img
+	local BLOCK_SIZE=512
+	local SEC_PER_MB=$((1024*2))
+
+	#FAT Partition size of 20MB and EXT3 Partition size 200MB
+	local FAT_SIZE_MB=20
+	local EXT3_SIZE_MB=200
+	local PART_START=$((1*SEC_PER_MB))
+	local FAT_SIZE=$((FAT_SIZE_MB*SEC_PER_MB-(PART_START)))
+	local EXT3_SIZE=$((EXT3_SIZE_MB*SEC_PER_MB-(PART_START)))
+
+	#Check if PK, KEK, DB and DBX are available at "tools/efitools". If not, and if these
+        #are availble as prebuilts, then copy these from the prebuilts to "tools/efitools".
+	if [ ! -f $TOP_DIR/tools/efitools/PK.der ] ||
+	   [ ! -f $TOP_DIR/tools/efitools/KEK.der ] ||
+	   [ ! -f $TOP_DIR/tools/efitools/DB.der ] ||
+	   [ ! -f $TOP_DIR/tools/efitools/DBX.der ]; then
+		if [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/PK.der ] ||
+		   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/KEK.der ] ||
+		   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.der ] ||
+                   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.crt ] ||
+                   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.key ] ||
+                   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DBX.der ] ||
+                   [ ! -f $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/nor2_flash.img ]; then
+			echo "[ERROR] pre-built sercure keys and/or NOR flash image not found!"
+			exit 1;
+		fi
+		echo "[INFO] Using PK, KEK, DB and DBX from prebuilts..."
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/PK.der $TOP_DIR/tools/efitools/PK.der
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/KEK.der $TOP_DIR/tools/efitools/KEK.der
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.der $TOP_DIR/tools/efitools/DB.der
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.crt $TOP_DIR/tools/efitools/DB.crt
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DB.key $TOP_DIR/tools/efitools/DB.key
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/DBX.der $TOP_DIR/tools/efitools/DBX.der
+		cp $TOP_DIR/prebuilts/sgi/secure_boot/sgi_secure_keys/nor2_flash.img ${TOP_DIR}/model-scripts/sgi/configs/$SGI_PLATFORM/nor2_flash.img
+	fi
+
+	#Sign the grub image and copy back the Signed image
+	cp grubaa64.efi bootaa64.efi
+	cp bootaa64.efi $TOP_DIR/tools/efitools/bootaa64.efi
+	pushd $TOP_DIR/tools/efitools
+	sbsign --key DB.key --cert DB.crt --output bootaa64_signed.efi bootaa64.efi
+	cp bootaa64_signed.efi $TOP_DIR/$GRUB_PATH/output/bootaa64.efi
+	popd
+
+	grep -q -F 'mtools_skip_check=1' ~/.mtoolsrc || echo "mtools_skip_check=1" >> ~/.mtoolsrc
+	#Create fat partition
+	create_fatpart "fat_part"
+
+	#Package images for Busybox
+	rm -f $IMG_BB
+	dd if=/dev/zero of=$IMG_BB bs=$BLOCK_SIZE count=$PART_START
+	create_cfgfiles "fat_part" "busybox"
+	#Create ext3 partition
+	create_ext3part "ext3_part" $EXT3_SIZE ""
+	# create image and copy into output folder
+	create_imagepart $IMG_BB $EXT3_SIZE "ext3_part"
+
+	#remove intermediate files
+	rm -f fat_part
+	rm -f ext3_part
+}
+
+if [ "$CMD" == "all" ] || [ "$CMD" == "package" ]; then
+	#prepare the disk image
+	prepare_disk_image
+fi