Finalizing OpenSBI

keystone-enclave · Jan 26, 2021 · ae9b498 · ae9b498
1 parent 2653f1b
commit ae9b498
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 24 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -37,7 +37,7 @@ endif()
 
 set(USE_RUST_SM FALSE CACHE BOOL "Use Rust version of the security monitor.")
 set(SM_CONFIGURE_ARGS --enable-opt=2 CACHE STRING "Security Monitor configure script arguments")
-set(SM_PLATFORM "default" CACHE STRING "Board name for SM hardware-specific functions")
+set(SM_PLATFORM "generic" CACHE STRING "Board name for SM hardware-specific functions")
 set(platform ${SM_PLATFORM})
 message(STATUS "platform=${platform}")
 
@@ -98,11 +98,11 @@ set(linux_srcdir ${CMAKE_SOURCE_DIR}/linux)
 mkdir(linux_wrkdir ${CMAKE_BINARY_DIR}/linux.build)
 set(linux_symvers ${linux_wrkdir}/Modules.symvers)
 set(linux_image ${linux_wrkdir}/arch/riscv/boot/Image)
-set(linux_vmlinux ${linux_wrkdir}/vmlinux)
-set(linux_vmlinux_stripped ${linux_wrkdir}/vmlinux-stripped)
 set(driver_srcdir ${CMAKE_SOURCE_DIR}/linux-keystone-driver)
 set(driver_wrkdir ${CMAKE_BINARY_DIR}/linux-keystone-driver.build)
-set(final_image ${CMAKE_BINARY_DIR}/bbl.bin)
+set(fw_elf ${sm_wrkdir}/platform/${platform}/firmware/fw_payload.elf)
+set(fw_bin ${sm_wrkdir}/platform/${platform}/firmware/fw_payload.bin)
+set(final_image ${CMAKE_BINARY_DIR}/firmware.bin)
 set(initramfs_sysroot ${CMAKE_BINARY_DIR}/initramfs-sysroot)
 
 
@@ -190,28 +190,19 @@ if(initramfs)
   execute_process(COMMAND id -g OUTPUT_VARIABLE gid)
   string(STRIP ${gid} gid)
   add_custom_command(OUTPUT ${initramfs_sysroot} COMMAND mkdir -p ${initramfs_sysroot})
-  add_custom_command(OUTPUT ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image} DEPENDS ${initramfs_sysroot} ${linux_srcdir} "linux-symvers" "buildroot" ${buildroot_wrkdir}/images/rootfs.tar
+  add_custom_command(OUTPUT ${linux_image} DEPENDS ${initramfs_sysroot} ${linux_srcdir} "linux-symvers" "buildroot" ${buildroot_wrkdir}/images/rootfs.tar
     COMMAND tar -xpf ${buildroot_wrkdir}/images/rootfs.tar -C ${initramfs_sysroot} --exclude ./dev --exclude ./usr/share/locale
     COMMAND echo "::sysinit:/bin/mount -t devtmpfs devtmpfs /dev" >> ${initramfs_sysroot}/etc/inittab
     COMMAND $(MAKE) -C ${linux_srcdir}
       O=${linux_wrkdir} CONFIG_INITRAMFS_SOURCE="${confdir}/initramfs.txt ${initramfs_sysroot}"
       CONFIG_INITRAMFS_ROOT_UID=${uid} CONFIG_INITRAMFS_ROOT_GID=${gid}
       CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y
       CROSS_COMPILE=${cross_compile} ARCH=riscv
-
-    COMMAND $(MAKE) -C ${linux_srcdir}
-      O=${linux_wrkdir} CONFIG_INITRAMFS_SOURCE="${confdir}/initramfs.txt ${initramfs_sysroot}"
-      CONFIG_INITRAMFS_ROOT_UID=${uid} CONFIG_INITRAMFS_ROOT_GID=${gid}
-      CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y
-      CROSS_COMPILE=${cross_compile} ARCH=riscv vmlinux
-    COMMAND ${cross_compile}strip -o ${linux_vmlinux_stripped} ${linux_vmlinux}
     COMMENT "Building linux (initramfs)"
   )
 else()
-  add_custom_command(OUTPUT ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image} DEPENDS ${linux_srcdir} "linux-symvers"
-    COMMAND $(MAKE) -C ${linux_srcdir} O=${linux_wrkdir} CROSS_COMPILE=${cross_compile} ARCH=riscv vmlinux
+  add_custom_command(OUTPUT ${linux_image} DEPENDS ${linux_srcdir} "linux-symvers"
     COMMAND $(MAKE) -C ${linux_srcdir} O=${linux_wrkdir} CROSS_COMPILE=${cross_compile} ARCH=riscv
-    COMMAND ${cross_compile}strip -o ${linux_vmlinux_stripped} ${linux_vmlinux}
     COMMENT "Building linux"
   )
 endif()
@@ -221,7 +212,7 @@ add_custom_command(OUTPUT ${linux_symvers} DEPENDS ${linux_srcdir} "linux-config
   COMMENT "Building linux symvers"
 )
 add_custom_target("linux-symvers" DEPENDS ${linux_symvers})
-add_custom_target("linux" ALL DEPENDS ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image})
+add_custom_target("linux" ALL DEPENDS ${linux_image})
 
 
 ###############################################################################
@@ -242,8 +233,9 @@ add_custom_target("driver" ALL DEPENDS ${driver_srcdir} ${linux_srcdir} "linux-s
 ## COMPONENT: security monitor (sm)
 ###############################################################################
 
-add_custom_target("sm" ALL DEPENDS "linux" ${sm_wrkdir_exists} WORKING_DIRECTORY ${sm_wrkdir}
-  COMMAND $(MAKE) -C ${sm_srcdir}/opensbi O=${sm_wrkdir} PLATFORM_DIR=${sm_srcdir}/plat/generic
+add_patch("sm/opensbi" "opensbi-firmware-secure-boot.patch" ${sm_srcdir}/opensbi sm_patches)
+add_custom_target("sm" ALL DEPENDS "linux" ${sm_wrkdir_exists} ${sm_patches} WORKING_DIRECTORY ${sm_wrkdir}
+  COMMAND $(MAKE) -C ${sm_srcdir}/opensbi O=${sm_wrkdir} PLATFORM_DIR=${sm_srcdir}/plat/${platform}
     CROSS_COMPILE=riscv64-unknown-elf- FW_PAYLOAD_PATH=${linux_image} FW_PAYLOAD=y
   COMMENT "Building sm"
 )
@@ -268,9 +260,9 @@ add_custom_target("image-deps" DEPENDS "tests" "driver" ${overlay_root}
   COMMAND find ${driver_wrkdir} -name "*.ko" -exec cp {} ${overlay_root} \\\\;
 )
 add_custom_target("image" DEPENDS "buildroot" "sm"
-  COMMAND ${cross_compile}objcopy -S -O binary --change-addresses -0x80000000 ${sm_wrkdir}/bbl ${final_image}
   COMMENT "Generating image"
 )
+
 add_dependencies("buildroot" "image-deps")
 
 ###############################################################################
@@ -310,7 +302,7 @@ add_custom_command(OUTPUT ${scripts}/run-qemu.sh DEPENDS ${scripts}
       -nographic \
       -machine virt \
       -bios ${bootrom_wrkdir}/bootrom.bin \
-      -kernel ${sm_wrkdir}/platform/generic/firmware/fw_payload.elf \
+      -kernel ${fw_elf} \
       ${extra_qemu_options} \
       -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::\$\{HOST_PORT\}-:22 \
       -device virtio-net-device,netdev=net0 \

diff --git a/linux b/linux
diff --git a/linux-keystone-driver b/linux-keystone-driver
diff --git a/patches/sm/opensbi/opensbi-firmware-secure-boot.patch b/patches/sm/opensbi/opensbi-firmware-secure-boot.patch
@@ -0,0 +1,44 @@
+diff --git firmware/fw_base.ldS firmware/fw_base.ldS
+index 0ac75f2..9aa9c1a 100644
+--- firmware/fw_base.ldS
++++ firmware/fw_base.ldS
+@@ -79,3 +79,39 @@
+ 	. = ALIGN(0x1000); /* Need this to create proper sections */
+
+ 	PROVIDE(_fw_end = .);
++
++  * # Sanctum params */
++  /* ================ */
++  . = 0x801ff000; /* the last page before the payload */
++
++  /* ## manufacturer_keys : */
++
++  /* 32 Bytes : manufacturer public key */
++  PROVIDE( sanctum_m_public_key = . );
++  . += 0x20;
++
++  /* 32 Bytes : device public key */
++  PROVIDE( sanctum_dev_public_key = . );
++  . += 0x20;
++
++  /* 64 Bytes : device secret key */
++  PROVIDE( sanctum_dev_secret_key = . );
++  . += 0x40;
++
++  /* ## security_monitor_keys : */
++
++  /* 64 Bytes : security monitor hash */
++  PROVIDE( sanctum_sm_hash = . );
++  . += 0x40;
++
++  /* 32 Bytes : security monitor public key */
++  PROVIDE( sanctum_sm_public_key = . );
++  . += 0x20;
++
++  /* 64 Bytes : security monitor secret key */
++  PROVIDE( sanctum_sm_secret_key = . );
++  . += 0x40;
++
++  /* 64 Bytes : security monitor's signature by device */
++  PROVIDE( sanctum_sm_signature = . );
++  . += 0x40;
diff --git a/sdk b/sdk
diff --git a/sm b/sm
+6 −1		examples/tests/CMakeLists.txt
+1 −0		examples/tests/attestation/retval
+1 −0		examples/tests/data-sealing/retval
+1 −0		examples/tests/fibonacci/retval
+1 −0		examples/tests/long-nop/retval
+1 −0		examples/tests/loop/retval
+1 −0		examples/tests/malloc/retval
+1 −0		examples/tests/stack/retval
+13 −4		examples/tests/test-runner.cpp
+1 −0		examples/tests/untrusted/retval