diff --git a/CMakeLists.txt b/CMakeLists.txt index e61480738..a12c41e62 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -37,7 +37,7 @@ endif() set(USE_RUST_SM FALSE CACHE BOOL "Use Rust version of the security monitor.") set(SM_CONFIGURE_ARGS --enable-opt=2 CACHE STRING "Security Monitor configure script arguments") -set(SM_PLATFORM "default" CACHE STRING "Board name for SM hardware-specific functions") +set(SM_PLATFORM "generic" CACHE STRING "Board name for SM hardware-specific functions") set(platform ${SM_PLATFORM}) message(STATUS "platform=${platform}") @@ -98,11 +98,11 @@ set(linux_srcdir ${CMAKE_SOURCE_DIR}/linux) mkdir(linux_wrkdir ${CMAKE_BINARY_DIR}/linux.build) set(linux_symvers ${linux_wrkdir}/Modules.symvers) set(linux_image ${linux_wrkdir}/arch/riscv/boot/Image) -set(linux_vmlinux ${linux_wrkdir}/vmlinux) -set(linux_vmlinux_stripped ${linux_wrkdir}/vmlinux-stripped) set(driver_srcdir ${CMAKE_SOURCE_DIR}/linux-keystone-driver) set(driver_wrkdir ${CMAKE_BINARY_DIR}/linux-keystone-driver.build) -set(final_image ${CMAKE_BINARY_DIR}/bbl.bin) +set(fw_elf ${sm_wrkdir}/platform/${platform}/firmware/fw_payload.elf) +set(fw_bin ${sm_wrkdir}/platform/${platform}/firmware/fw_payload.bin) +set(final_image ${CMAKE_BINARY_DIR}/firmware.bin) set(initramfs_sysroot ${CMAKE_BINARY_DIR}/initramfs-sysroot) @@ -190,7 +190,7 @@ if(initramfs) execute_process(COMMAND id -g OUTPUT_VARIABLE gid) string(STRIP ${gid} gid) add_custom_command(OUTPUT ${initramfs_sysroot} COMMAND mkdir -p ${initramfs_sysroot}) - add_custom_command(OUTPUT ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image} DEPENDS ${initramfs_sysroot} ${linux_srcdir} "linux-symvers" "buildroot" ${buildroot_wrkdir}/images/rootfs.tar + add_custom_command(OUTPUT ${linux_image} DEPENDS ${initramfs_sysroot} ${linux_srcdir} "linux-symvers" "buildroot" ${buildroot_wrkdir}/images/rootfs.tar COMMAND tar -xpf ${buildroot_wrkdir}/images/rootfs.tar -C ${initramfs_sysroot} --exclude ./dev --exclude ./usr/share/locale COMMAND echo "::sysinit:/bin/mount -t devtmpfs devtmpfs /dev" >> ${initramfs_sysroot}/etc/inittab COMMAND $(MAKE) -C ${linux_srcdir} @@ -198,20 +198,11 @@ if(initramfs) CONFIG_INITRAMFS_ROOT_UID=${uid} CONFIG_INITRAMFS_ROOT_GID=${gid} CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CROSS_COMPILE=${cross_compile} ARCH=riscv - - COMMAND $(MAKE) -C ${linux_srcdir} - O=${linux_wrkdir} CONFIG_INITRAMFS_SOURCE="${confdir}/initramfs.txt ${initramfs_sysroot}" - CONFIG_INITRAMFS_ROOT_UID=${uid} CONFIG_INITRAMFS_ROOT_GID=${gid} - CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y - CROSS_COMPILE=${cross_compile} ARCH=riscv vmlinux - COMMAND ${cross_compile}strip -o ${linux_vmlinux_stripped} ${linux_vmlinux} COMMENT "Building linux (initramfs)" ) else() - add_custom_command(OUTPUT ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image} DEPENDS ${linux_srcdir} "linux-symvers" - COMMAND $(MAKE) -C ${linux_srcdir} O=${linux_wrkdir} CROSS_COMPILE=${cross_compile} ARCH=riscv vmlinux + add_custom_command(OUTPUT ${linux_image} DEPENDS ${linux_srcdir} "linux-symvers" COMMAND $(MAKE) -C ${linux_srcdir} O=${linux_wrkdir} CROSS_COMPILE=${cross_compile} ARCH=riscv - COMMAND ${cross_compile}strip -o ${linux_vmlinux_stripped} ${linux_vmlinux} COMMENT "Building linux" ) endif() @@ -221,7 +212,7 @@ add_custom_command(OUTPUT ${linux_symvers} DEPENDS ${linux_srcdir} "linux-config COMMENT "Building linux symvers" ) add_custom_target("linux-symvers" DEPENDS ${linux_symvers}) -add_custom_target("linux" ALL DEPENDS ${linux_vmlinux_stripped} ${linux_vmlinux} ${linux_image}) +add_custom_target("linux" ALL DEPENDS ${linux_image}) ############################################################################### @@ -242,8 +233,9 @@ add_custom_target("driver" ALL DEPENDS ${driver_srcdir} ${linux_srcdir} "linux-s ## COMPONENT: security monitor (sm) ############################################################################### -add_custom_target("sm" ALL DEPENDS "linux" ${sm_wrkdir_exists} WORKING_DIRECTORY ${sm_wrkdir} - COMMAND $(MAKE) -C ${sm_srcdir}/opensbi O=${sm_wrkdir} PLATFORM_DIR=${sm_srcdir}/plat/generic +add_patch("sm/opensbi" "opensbi-firmware-secure-boot.patch" ${sm_srcdir}/opensbi sm_patches) +add_custom_target("sm" ALL DEPENDS "linux" ${sm_wrkdir_exists} ${sm_patches} WORKING_DIRECTORY ${sm_wrkdir} + COMMAND $(MAKE) -C ${sm_srcdir}/opensbi O=${sm_wrkdir} PLATFORM_DIR=${sm_srcdir}/plat/${platform} CROSS_COMPILE=riscv64-unknown-elf- FW_PAYLOAD_PATH=${linux_image} FW_PAYLOAD=y COMMENT "Building sm" ) @@ -268,9 +260,9 @@ add_custom_target("image-deps" DEPENDS "tests" "driver" ${overlay_root} COMMAND find ${driver_wrkdir} -name "*.ko" -exec cp {} ${overlay_root} \\\\; ) add_custom_target("image" DEPENDS "buildroot" "sm" - COMMAND ${cross_compile}objcopy -S -O binary --change-addresses -0x80000000 ${sm_wrkdir}/bbl ${final_image} COMMENT "Generating image" ) + add_dependencies("buildroot" "image-deps") ############################################################################### @@ -310,7 +302,7 @@ add_custom_command(OUTPUT ${scripts}/run-qemu.sh DEPENDS ${scripts} -nographic \ -machine virt \ -bios ${bootrom_wrkdir}/bootrom.bin \ - -kernel ${sm_wrkdir}/platform/generic/firmware/fw_payload.elf \ + -kernel ${fw_elf} \ ${extra_qemu_options} \ -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::\$\{HOST_PORT\}-:22 \ -device virtio-net-device,netdev=net0 \ diff --git a/linux b/linux index 7111951b8..3d77e6a88 160000 --- a/linux +++ b/linux @@ -1 +1 @@ -Subproject commit 7111951b8d4973bda27ff663f2cf18b663d15b48 +Subproject commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 diff --git a/linux-keystone-driver b/linux-keystone-driver index 9c1f0f9ad..fa4bccd95 160000 --- a/linux-keystone-driver +++ b/linux-keystone-driver @@ -1 +1 @@ -Subproject commit 9c1f0f9adf584f15bb30588fb0dbe715637e91e9 +Subproject commit fa4bccd95957b7a9e5cfad5993486c659e828a77 diff --git a/patches/sm/opensbi/opensbi-firmware-secure-boot.patch b/patches/sm/opensbi/opensbi-firmware-secure-boot.patch new file mode 100644 index 000000000..8035d90b8 --- /dev/null +++ b/patches/sm/opensbi/opensbi-firmware-secure-boot.patch @@ -0,0 +1,44 @@ +diff --git firmware/fw_base.ldS firmware/fw_base.ldS +index 0ac75f2..9aa9c1a 100644 +--- firmware/fw_base.ldS ++++ firmware/fw_base.ldS +@@ -79,3 +79,39 @@ + . = ALIGN(0x1000); /* Need this to create proper sections */ + + PROVIDE(_fw_end = .); ++ ++ * # Sanctum params */ ++ /* ================ */ ++ . = 0x801ff000; /* the last page before the payload */ ++ ++ /* ## manufacturer_keys : */ ++ ++ /* 32 Bytes : manufacturer public key */ ++ PROVIDE( sanctum_m_public_key = . ); ++ . += 0x20; ++ ++ /* 32 Bytes : device public key */ ++ PROVIDE( sanctum_dev_public_key = . ); ++ . += 0x20; ++ ++ /* 64 Bytes : device secret key */ ++ PROVIDE( sanctum_dev_secret_key = . ); ++ . += 0x40; ++ ++ /* ## security_monitor_keys : */ ++ ++ /* 64 Bytes : security monitor hash */ ++ PROVIDE( sanctum_sm_hash = . ); ++ . += 0x40; ++ ++ /* 32 Bytes : security monitor public key */ ++ PROVIDE( sanctum_sm_public_key = . ); ++ . += 0x20; ++ ++ /* 64 Bytes : security monitor secret key */ ++ PROVIDE( sanctum_sm_secret_key = . ); ++ . += 0x40; ++ ++ /* 64 Bytes : security monitor's signature by device */ ++ PROVIDE( sanctum_sm_signature = . ); ++ . += 0x40; diff --git a/sdk b/sdk index 04f11b275..20232b9bd 160000 --- a/sdk +++ b/sdk @@ -1 +1 @@ -Subproject commit 04f11b275e5cfeea96af7bf1f81fe2416813d29e +Subproject commit 20232b9bdebe2fd394ccb8d014c379989403ad1c diff --git a/sm b/sm index 2d349e4c1..0dde1767d 160000 --- a/sm +++ b/sm @@ -1 +1 @@ -Subproject commit 2d349e4c14802e853f1f25da011b4eadf267f130 +Subproject commit 0dde1767dea1737d3ee94491300a8dd35af6991b