xen: vTPM and vTPM Manager stubdoms

The vTPM stubdomain allows a virtual TPM to be created and used to provide TPM functionality to Xen guest domains. The vTPM Manager stubdomain seals the secrets of each vTPM to the physical TPM, thereby extending the chain of trust to the virtual machines in Xen. More information on Xen vTPMs found at https://xenbits.xen.org/docs/unstable/man/xen-vtpm.7.html This xen-vtpm recipe uses Xen/stubdom source tree to build the Xen vTPM and vTPM Manager binaries and MiniOS source tree to build the Xen vTPM and vTPM Manager stubdomains. This recipe provides the ability to modify how the vTPM stubdomains are created and the ability to independently patch the vTPM stubdomain source code as necessary. Signed-off-by: Kurt Bodiker <kurt.bodiker@braintrust-us.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Kurt Bodiker <kurt.bodiker@braintrust-us.com> 2018-05-01 10:05:34 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2018-05-01 23:17:29 -0400
commit: fda48193e60b22471dd962682faab33e4e721d72 (patch)
tree: 5e249a70af3de90ec54dec4e8c51d68bee71435e
parent: 230198a7d1f9d3cc7df986b4fbc4ab1cc4211640 (diff)
download: meta-virtualization-fda48193e60b22471dd962682faab33e4e721d72.tar.gz
2 files changed, 132 insertions, 0 deletions
diff --git a/recipes-extended/xen/xen-vtpm.inc b/recipes-extended/xen/xen-vtpm.inc
new file mode 100644
index 00000000..a94c7503
--- /dev/null
+++ b/recipes-extended/xen/xen-vtpm.inc
@@ -0,0 +1,111 @@
+# Copyright (C) 2017 Kurt Bodiker <kurt.bodiker@braintrust-us.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+require stubdom.inc
+DEPENDS = "\
+    newlib \
+    lwip \
+    mini-os \
+    polarssl \
+    stubdom-gmp \
+    tpm-emulator \
+"
+# These were unset by stubdom.inc to allow us to scope them per recipe
+export CC="${HOST_PREFIX}gcc --sysroot=${RECIPE_SYSROOT}"
+export CCLD="${HOST_PREFIX}gcc --sysroot=${RECIPE_SYSROOT}"
+export CXX="${HOST_PREFIX}g++ --sysroot=${RECIPE_SYSROOT}"
+export CPP="${HOST_PREFIX}gcc -E --sysroot=${RECIPE_SYSROOT}"
+export LD="${HOST_PREFIX}ld --sysroot=${RECIPE_SYSROOT}"
+export LD_LTO="${HOST_PREFIX}ld --sysroot=${RECIPE_SYSROOT}"
+export AS="${HOST_PREFIX}as"
+export AR="${HOST_PREFIX}ar"
+export NM="${HOST_PREFIX}nm"
+export RANLIB="${HOST_PREFIX}ranlib"
+export OBJDUMP="${HOST_PREFIX}objdump"
+export OBJCOPY="${HOST_PREFIX}objcopy"
+export STRIP="${HOST_PREFIX}strip"
+export STRINGS="${HOST_PREFIX}strings"
+export READELF="${HOST_PREFIX}readelf"
+# Required for some of the config stuff
+export STUBDOM_TARGETS="vtpm vtpmmgr"
+VTPM_CPPFLAGS = "\
+    -I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/build \
+    -I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/crypto \
+    -I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/tpm \
+    -I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator \
+"
+# The includes from this Xen directory are not in the MiniOS repo, although they probably should be.
+STUBDOM_CPPFLAGS += "-isystem ${B}/include/"
+do_configure() {
+    # GCC 7 fails linking header defined inlines if not declared 'static' or 'extern'
+    # This appears to be fixed in Xen 4.10.0+, so let's look at version of Xen source
+    # to determine if we need to modify inline declarations.
+    #
+    # 'echo -e' to enable interpretation of backslashes
+    # 'sort -V' to natural sort version numbers
+    # 'head -n1' to capture the first line of output from sort command
+    if [ "${PV}" = "$(echo "${PV};4.9.999" | sed 's/;/\n/' | sort -V | head -n1)" ]; then
+        sed -i "s/^inline/static inline/g" ${B}/vtpmmgr/*.h
+    fi
+    for i in AR AS NM RANLIB OBJDUMP OBJCOPY STRIP STRINGS READELF CXX LD LD_LTO CC CPP; do
+        sed -i "s/^\($i\s\s*\).*=/\1?=/" ${MINIOS_SRCDIR}/Config.mk
+    done
+    # replicate the TARGETS_MINIOS target in xen/stubdom/Makefile
+    for i in ${STUBDOM_TARGETS}; do
+        [ -d ${B}/mini-os-${XEN_TARGET_ARCH}-$i ] ||
+        for j in $(cd ${MINIOS_SRCDIR} ; find . -type d) ; do \
+                mkdir -p ${B}/mini-os-${XEN_TARGET_ARCH}-$i/$j; \
+        done
+    done
+}
+do_compile() {
+    ${MAKE} MINIOS_CONFIG="${B}/vtpm/minios.cfg" CONFIG_FILE="${B}/vtpm-minios-config.mk" DESTDIR= -C ${MINIOS_SRCDIR} config
+    CPPFLAGS="`cat ${B}/vtpm-minios-config.mk` ${STUBDOM_CPPFLAGS} ${VTPM_CPPFLAGS}" CFLAGS="${STUBDOM_CFLAGS}" ${MAKE} -C ${B}/vtpm
+    DEF_CPPFLAGS="${STUBDOM_CPPFLAGS}" \
+        DEF_CFLAGS="${STUBDOM_CFLAGS}" \
+        DEF_LDFLAGS="${STUBDOM_LDFLAGS}" \
+        MINIOS_CONFIG="${B}/vtpm/minios.cfg" \
+        ${MAKE} -C ${MINIOS_SRCDIR} \
+        OBJ_DIR=${B}/mini-os-${XEN_TARGET_ARCH}-vtpm \
+        APP_OBJS="${B}/vtpm/vtpm.a" \
+        APP_LDLIBS="-ltpm -ltpm_crypto -lgmp -lpolarssl"
+    ${MAKE} MINIOS_CONFIG="${B}/vtpmmgr/minios.cfg" CONFIG_FILE="${B}/vtpmmgr-minios-config.mk" DESTDIR= -C ${MINIOS_SRCDIR} config
+    CPPFLAGS="`cat ${B}/vtpmmgr-minios-config.mk` ${STUBDOM_CPPFLAGS}" CFLAGS="${STUBDOM_CFLAGS}" ${MAKE} -C ${B}/vtpmmgr
+    DEF_CPPFLAGS="${STUBDOM_CPPFLAGS}" \
+        DEF_CFLAGS="${STUBDOM_CFLAGS}" \
+        DEF_LDFLAGS="${STUBDOM_LDFLAGS}" \
+        MINIOS_CONFIG="${B}/vtpmmgr/minios.cfg" \
+        ${MAKE} -C ${MINIOS_SRCDIR} \
+        OBJ_DIR=${B}/mini-os-${XEN_TARGET_ARCH}-vtpmmgr \
+        APP_OBJS="${B}/vtpmmgr/vtpmmgr.a" \
+        APP_LDLIBS="-lm -lpolarssl"
+}
+PACKAGES = "\
+    ${PN}-vtpm-stubdom \
+    ${PN}-vtpmmgr-stubdom \
+"
+FILES_${PN}-vtpm-stubdom="\
+    ${libdir}/xen/boot/vtpm-stubdom.gz \
+"
+FILES_${PN}-vtpmmgr-stubdom="\
+    ${libdir}/xen/boot/vtpmmgr-stubdom.gz \
+"
+do_install() {
+    install -m 644 -D ${B}/mini-os-${XEN_TARGET_ARCH}-vtpm/mini-os.gz ${D}${libdir}/xen/boot/vtpm-stubdom.gz
+    install -m 644 -D ${B}/mini-os-${XEN_TARGET_ARCH}-vtpmmgr/mini-os.gz ${D}${libdir}/xen/boot/vtpmmgr-stubdom.gz
+}
diff --git a/recipes-extended/xen/xen-vtpm_4.9.0.bb b/recipes-extended/xen/xen-vtpm_4.9.0.bb
new file mode 100644
index 00000000..c58a02d8
--- /dev/null
+++ b/recipes-extended/xen/xen-vtpm_4.9.0.bb
@@ -0,0 +1,21 @@
+# Copyright (C) 2017 Kurt Bodiker <kurt.bodiker@braintrust-us.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+DESCRIPTION = "MiniOS-based vTPMs for Xen"
+HOMEPAGE = "https://www.xenproject.org"
+LICENSE = "GPLv2 & BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b1ceb1b03a49b202ee6f41ffd1ed0155 \
+                    file://vtpm/COPYING;md5=75a98062ab0322ded060d9026a1bda61 \
+"
+# git commit hash for Xen's RELEASE-4.9.0 tag
+SRCREV_xen = "c30bf55594a53fae8aae08aabf16fc192faad7da"
+SRC_URI = "\
+    git://xenbits.xen.org/xen.git;protocol=git;nobranch=1;name=xen;subpath=stubdom \
+    git://xenbits.xen.org/xen.git;protocol=git;nobranch=1;name=xen;destsuffix=stubdom/include;subpath=tools/xenstore/include \
+"
+S="${WORKDIR}/stubdom"
+B="${S}"
+require xen-vtpm.inc
author	Kurt Bodiker <kurt.bodiker@braintrust-us.com>	2018-05-01 10:05:34 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2018-05-01 23:17:29 -0400
commit	fda48193e60b22471dd962682faab33e4e721d72 (patch)
tree	5e249a70af3de90ec54dec4e8c51d68bee71435e
parent	230198a7d1f9d3cc7df986b4fbc4ab1cc4211640 (diff)
download	meta-virtualization-fda48193e60b22471dd962682faab33e4e721d72.tar.gz

diff --git a/recipes-extended/xen/xen-vtpm.inc b/recipes-extended/xen/xen-vtpm.inc new file mode 100644 index 00000000..a94c7503 --- /dev/null +++ b/recipes-extended/xen/xen-vtpm.inc
@@ -0,0 +1,111 @@
	1	# Copyright (C) 2017 Kurt Bodiker <kurt.bodiker@braintrust-us.com>
	2	# Released under the MIT license (see COPYING.MIT for the terms)
	3
	4	require stubdom.inc
	5
	6	DEPENDS = "\
	7	newlib \
	8	lwip \
	9	mini-os \
	10	polarssl \
	11	stubdom-gmp \
	12	tpm-emulator \
	13	"
	14	# These were unset by stubdom.inc to allow us to scope them per recipe
	15	export CC="${HOST_PREFIX}gcc --sysroot=${RECIPE_SYSROOT}"
	16	export CCLD="${HOST_PREFIX}gcc --sysroot=${RECIPE_SYSROOT}"
	17	export CXX="${HOST_PREFIX}g++ --sysroot=${RECIPE_SYSROOT}"
	18	export CPP="${HOST_PREFIX}gcc -E --sysroot=${RECIPE_SYSROOT}"
	19	export LD="${HOST_PREFIX}ld --sysroot=${RECIPE_SYSROOT}"
	20	export LD_LTO="${HOST_PREFIX}ld --sysroot=${RECIPE_SYSROOT}"
	21	export AS="${HOST_PREFIX}as"
	22	export AR="${HOST_PREFIX}ar"
	23	export NM="${HOST_PREFIX}nm"
	24	export RANLIB="${HOST_PREFIX}ranlib"
	25	export OBJDUMP="${HOST_PREFIX}objdump"
	26	export OBJCOPY="${HOST_PREFIX}objcopy"
	27	export STRIP="${HOST_PREFIX}strip"
	28	export STRINGS="${HOST_PREFIX}strings"
	29	export READELF="${HOST_PREFIX}readelf"
	30
	31
	32	# Required for some of the config stuff
	33	export STUBDOM_TARGETS="vtpm vtpmmgr"
	34
	35	VTPM_CPPFLAGS = "\
	36	-I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/build \
	37	-I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/crypto \
	38	-I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator/tpm \
	39	-I${RECIPE_SYSROOT}/cross-root-${GNU_TARGET_ARCH}/${GNU_TARGET_ARCH}-xen-elf/include/tpm-emulator \
	40	"
	41
	42	# The includes from this Xen directory are not in the MiniOS repo, although they probably should be.
	43	STUBDOM_CPPFLAGS += "-isystem ${B}/include/"
	44
	45	do_configure() {
	46
	47	# GCC 7 fails linking header defined inlines if not declared 'static' or 'extern'
	48	# This appears to be fixed in Xen 4.10.0+, so let's look at version of Xen source
	49	# to determine if we need to modify inline declarations.
	50	#
	51	# 'echo -e' to enable interpretation of backslashes
	52	# 'sort -V' to natural sort version numbers
	53	# 'head -n1' to capture the first line of output from sort command
	54
	55	if [ "${PV}" = "$(echo "${PV};4.9.999" \| sed 's/;/\n/' \| sort -V \| head -n1)" ]; then
	56	sed -i "s/^inline/static inline/g" ${B}/vtpmmgr/*.h
	57	fi
	58
	59	for i in AR AS NM RANLIB OBJDUMP OBJCOPY STRIP STRINGS READELF CXX LD LD_LTO CC CPP; do
	60	sed -i "s/^\($i\s\s\).=/\1?=/" ${MINIOS_SRCDIR}/Config.mk
	61	done
	62
	63	# replicate the TARGETS_MINIOS target in xen/stubdom/Makefile
	64	for i in ${STUBDOM_TARGETS}; do
	65	[ -d ${B}/mini-os-${XEN_TARGET_ARCH}-$i ] \|\|
	66	for j in $(cd ${MINIOS_SRCDIR} ; find . -type d) ; do \
	67	mkdir -p ${B}/mini-os-${XEN_TARGET_ARCH}-$i/$j; \
	68	done
	69	done
	70	}
	71
	72	do_compile() {
	73	${MAKE} MINIOS_CONFIG="${B}/vtpm/minios.cfg" CONFIG_FILE="${B}/vtpm-minios-config.mk" DESTDIR= -C ${MINIOS_SRCDIR} config
	74	CPPFLAGS="`cat ${B}/vtpm-minios-config.mk` ${STUBDOM_CPPFLAGS} ${VTPM_CPPFLAGS}" CFLAGS="${STUBDOM_CFLAGS}" ${MAKE} -C ${B}/vtpm
	75	DEF_CPPFLAGS="${STUBDOM_CPPFLAGS}" \
	76	DEF_CFLAGS="${STUBDOM_CFLAGS}" \
	77	DEF_LDFLAGS="${STUBDOM_LDFLAGS}" \
	78	MINIOS_CONFIG="${B}/vtpm/minios.cfg" \
	79	${MAKE} -C ${MINIOS_SRCDIR} \
	80	OBJ_DIR=${B}/mini-os-${XEN_TARGET_ARCH}-vtpm \
	81	APP_OBJS="${B}/vtpm/vtpm.a" \
	82	APP_LDLIBS="-ltpm -ltpm_crypto -lgmp -lpolarssl"
	83
	84	${MAKE} MINIOS_CONFIG="${B}/vtpmmgr/minios.cfg" CONFIG_FILE="${B}/vtpmmgr-minios-config.mk" DESTDIR= -C ${MINIOS_SRCDIR} config
	85	CPPFLAGS="`cat ${B}/vtpmmgr-minios-config.mk` ${STUBDOM_CPPFLAGS}" CFLAGS="${STUBDOM_CFLAGS}" ${MAKE} -C ${B}/vtpmmgr
	86	DEF_CPPFLAGS="${STUBDOM_CPPFLAGS}" \
	87	DEF_CFLAGS="${STUBDOM_CFLAGS}" \
	88	DEF_LDFLAGS="${STUBDOM_LDFLAGS}" \
	89	MINIOS_CONFIG="${B}/vtpmmgr/minios.cfg" \
	90	${MAKE} -C ${MINIOS_SRCDIR} \
	91	OBJ_DIR=${B}/mini-os-${XEN_TARGET_ARCH}-vtpmmgr \
	92	APP_OBJS="${B}/vtpmmgr/vtpmmgr.a" \
	93	APP_LDLIBS="-lm -lpolarssl"
	94	}
	95
	96	PACKAGES = "\
	97	${PN}-vtpm-stubdom \
	98	${PN}-vtpmmgr-stubdom \
	99	"
	100	FILES_${PN}-vtpm-stubdom="\
	101	${libdir}/xen/boot/vtpm-stubdom.gz \
	102	"
	103
	104	FILES_${PN}-vtpmmgr-stubdom="\
	105	${libdir}/xen/boot/vtpmmgr-stubdom.gz \
	106	"
	107
	108	do_install() {
	109	install -m 644 -D ${B}/mini-os-${XEN_TARGET_ARCH}-vtpm/mini-os.gz ${D}${libdir}/xen/boot/vtpm-stubdom.gz
	110	install -m 644 -D ${B}/mini-os-${XEN_TARGET_ARCH}-vtpmmgr/mini-os.gz ${D}${libdir}/xen/boot/vtpmmgr-stubdom.gz
	111	}


diff --git a/recipes-extended/xen/xen-vtpm_4.9.0.bb b/recipes-extended/xen/xen-vtpm_4.9.0.bb new file mode 100644 index 00000000..c58a02d8 --- /dev/null +++ b/recipes-extended/xen/xen-vtpm_4.9.0.bb
@@ -0,0 +1,21 @@
	1	# Copyright (C) 2017 Kurt Bodiker <kurt.bodiker@braintrust-us.com>
	2	# Released under the MIT license (see COPYING.MIT for the terms)
	3
	4	DESCRIPTION = "MiniOS-based vTPMs for Xen"
	5	HOMEPAGE = "https://www.xenproject.org"
	6	LICENSE = "GPLv2 & BSD-3-Clause"
	7	LIC_FILES_CHKSUM = "file://COPYING;md5=b1ceb1b03a49b202ee6f41ffd1ed0155 \
	8	file://vtpm/COPYING;md5=75a98062ab0322ded060d9026a1bda61 \
	9	"
	10
	11	# git commit hash for Xen's RELEASE-4.9.0 tag
	12	SRCREV_xen = "c30bf55594a53fae8aae08aabf16fc192faad7da"
	13	SRC_URI = "\
	14	git://xenbits.xen.org/xen.git;protocol=git;nobranch=1;name=xen;subpath=stubdom \
	15	git://xenbits.xen.org/xen.git;protocol=git;nobranch=1;name=xen;destsuffix=stubdom/include;subpath=tools/xenstore/include \
	16	"
	17
	18	S="${WORKDIR}/stubdom"
	19	B="${S}"
	20
	21	require xen-vtpm.inc