diff --git a/config/buildroot-cca.yaml b/config/buildroot-cca.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e230bab2ed5e50d7fecee8e43cf64b468a379e64
--- /dev/null
+++ b/config/buildroot-cca.yaml
@@ -0,0 +1,113 @@
+# Copyright (c) 2024, Linaro Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ Integrate tools for CCA into the buildroot image:
+ - cca-workload-attestation to display an attestation token or send it to a
+ verifier.
+ https://git.codelinaro.org/linaro/dcap/cca-demos/cca-workload-attestation-poc
+ - keybroker-demo to demonstrate remote attestation for downloading secrets.
+ https://github.com/veraison/keybroker-demo/
+ - cca-realm-measurements to generate a DTB and run a VMM.
+ https://github.com/veraison/cca-realm-measurements
+ - kvmtool and QEMU to run Realm VMs.
+ - Automatically mount the shared 9p folder to /mnt, mount configfs for
+ attestation, and create a tap interface.
+
+ Use it with:
+
+ .. code-block:: shell
+ $ shrinkwrap build cca-3world.yaml --overlay buildroot-cca.yaml
+ $ shrinkwrap run cca-3world.yaml
+
+ In the host, launch a VM with:
+
+ .. code-block:: shell
+ $ gen-run-vmm.sh [--kvmtool]
+
+ In the guest, you can obtain an attestation token, and send it to a verifier:
+
+ .. code-block:: shell
+ $ cca-workload-attestation report
+ {
+ "cca-platform-token": {
+ ...
+ $ cca-workload-attestation passport
+ {
+ "ear.verifier-id": {
+ "build": "N/A",
+ "developer": "Veraison Project"
+ },
+ ...
+
+ You can also obtain a key from a keybroker running locally that performs
+ attestation. Run the keybroker-server on the build machine, using the
+ external IP of the build machine to be accessible from the keybroker-app (in
+ this case 192.168.0.10 on a local network):
+
+ .. code-block:: shell
+ $ keybroker-server -e http://192.168.0.10 -v -a 0.0.0.0
+
+ In the guest, connect to the server
+
+ .. code-block:: shell
+ $ keybroker-app -v -e http://192.168.0.10:8088 skywalker
+
+layers:
+ - buildroot.yaml
+
+build:
+ linux:
+ prebuild:
+ # We extend buildroot with an initscript that creates a macvtap interface,
+ # so enable it in the kernel
+ - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_MACVLAN --enable CONFIG_MACVTAP
+
+ buildroot-external-cca:
+ repo:
+ remote: https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git
+ revision: main
+
+ artifacts:
+ BUILDROOT_EXTERNAL_CCA:
+ path: ${param:sourcedir}
+ export: false
+
+ buildroot:
+ repo:
+ remote: https://github.com/buildroot/buildroot.git
+ revision: 2024.08.2
+
+ prebuild:
+ - make BR2_JLEVEL=${param:jobs} O=${param:builddir} BR2_EXTERNAL=${artifact:BUILDROOT_EXTERNAL_CCA} cca_defconfig
+
+ # gen-vmm-run.sh configuration for the shrinkwrap package/ layout
+ - cat < ${param:builddir}/gen-run-vmm.cfg
+ - KERNEL=/mnt/Image
+ - INITRD=/mnt/rootfs.cpio
+ - EDK2_DIR=/mnt/
+ - RUN_DISK=/mnt/guest-disk.img
+ - EOF
+
+ - sed -i '\@BR2_PACKAGE_CCA_REALM_MEASUREMENTS_CFG@s@=.*@="\${param:builddir}/gen-run-vmm.cfg"@' ${param:builddir}/.config
+
+ artifacts:
+ GUEST_INITRD: ${param:builddir}/images/rootfs.cpio
+
+buildex:
+ btvars:
+ GUEST_ROOTFS:
+ type: path
+ value: ${artifact:BUILDROOT}
+
+run:
+ rtvars:
+ ROOTFS:
+ type: path
+ value: ${artifact:BUILDROOT}
+
+ SHARE:
+ type: path
+ value: ${param:packagedir}
diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index bcca35b8580ecaeb5b6b0952caba5628c812ef19..9898e130c1f71729bbcde4f2445533ae25a55ff5 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
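Review bot: `buildroot-external-cca` is fetched at `revision: main` while every other repository in this file and in cca-3world.yaml is pinned (`buildroot` at `2024.08.2`, the kernel at `cca-host/v7`, kvmtool at `cca/v5`), so the image content depends on whatever that branch holds at build time and cannot be reproduced or audited afterwards; pin it, e.g. `revision: <tag-or-commit-placeholder>`, and bump it deliberately like the others. The config-generation step reads as `- cat < ${param:builddir}/gen-run-vmm.cfg` followed by `- KERNEL=/mnt/Image` … `- EOF`, which as rendered would read the file rather than write it; this looks like a `<<EOF >` lost in rendering, but it also only works if shrinkwrap joins the prebuild list into one shell script, which a comment such as `# prebuild entries run as one shell script, so the heredoc spans several list items` would make explicit for the next reader. The description's `keybroker-server ... -a 0.0.0.0` example listens on every interface of the build machine; the text could say that the bind address is a lab convenience and should be narrowed to the network the guest actually uses.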
@@ -112,7 +112,13 @@ build:
 linux:
 repo:
 remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
- revision: cca-full/v5+v7
+ revision: cca-host/v7
+ prebuild:
+ # Use source dir modification time as timestamp (for locally reproducible build)
+ - export KBUILD_BUILD_TIMESTAMP="@$$(stat -c '%Y' ${param:sourcedir})"
+ - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST
+ # Reduce the number of timer exits from the guest
+ - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_HZ_250 --enable CONFIG_HZ_100
 kvmtool:
 repo:
@@ -120,7 +126,7 @@ build:
 revision: v1.6.1
 kvmtool:
 remote: https://gitlab.arm.com/linux-arm/kvmtool-cca
- revision: cca/v3
+ revision: cca/v5
 edk2-cca-guest:
 repo:
diff --git a/documentation/userguide/configmodel.rst b/documentation/userguide/configmodel.rst
index 827b5c83e795e119206c4765166a1065a9a7341b..93331eee0adc03c258b2bcfb2893ebf4b10c2823 100644
--- a/documentation/userguide/configmodel.rst
+++ b/documentation/userguide/configmodel.rst
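Review bot: The new `- export KBUILD_BUILD_TIMESTAMP="@$$(stat -c '%Y' ${param:sourcedir})"` entry in `linux.prebuild` only reaches the kernel build if shrinkwrap runs the prebuild entries and the build step in the same shell; if each entry is a separate invocation (this hunk does not show which), the variable is dropped and the reproducible-timestamp intent fails silently with no error. The comment above it could state that dependency, e.g. `# Use source dir modification time as timestamp (for locally reproducible build); relies on prebuild and build sharing one shell`, or the variable could be passed on the make command line where the build step is defined. The directory mtime also changes on every checkout or file addition, so reproducibility holds only for an unchanged tree, which is worth saying in the same comment. The second hunk is a plain kvmtool revision bump and needs nothing.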
@@ -133,6 +133,8 @@ macro scope
 ``${param:join_equal}`` build..{prebuild, build, postbuild} String containing all of the component's parameters (from its params dictionary), concatenated as ``key=value`` pairs.
 ``${param:join_space}`` build..{prebuild, build, postbuild} String containing all of the component's parameters (from its params dictionary), concatenated as ``key value`` pairs.
 ``${artifact:}`` build..{params, prebuild, build, postbuild, artifacts}, build.btvars Build path of an artifact declared by another component. Usage of these macros determine the component build dependency graph.
+``${param:packagedir}`` run.rtvars
+ Root directory containing all component artifacts.
 ``${artifact:}`` run.rtvars Package path of an artifact.
 ``${rtvar:}`` run.params Run-time variables. The variable names, along with default values are declared in run.rtvars, and the user may override the value on the command line.
 ======================= ===================================================================================================================== ====
diff --git a/shrinkwrap/utils/config.py b/shrinkwrap/utils/config.py
index 2f77d8dd5e9d9f83b8f7d1b89a2df7c8f37865ff..372b0c2cc5415d6a3e70f9722d6e45d31e6cf0e4 100644
--- a/shrinkwrap/utils/config.py
+++ b/shrinkwrap/utils/config.py
@@ -676,6 +676,7 @@ def resolver(config, rtvars={}, clivars={}):
 # values for.
 lut = {
 'param': {
+ 'packagedir': os.path.join(workspace.package, config['name']),
 **dict(clivars),
 },
 'artifact': {k: v['dst']
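Review bot: `'packagedir'` is placed before `**dict(clivars)` in the `param` table, so any command-line variable named `packagedir` silently replaces the computed path rather than the other way round; if that override is not intended, move the entry after the spread or reject the key collision explicitly. The value is built with `os.path.join(workspace.package, config['name'])`, so a config name containing a path separator or `..` would resolve outside the package root; if `config['name']` can come from user-supplied file names, it deserves a check here or a comment stating where it is validated. The documentation hunk lists `${param:packagedir}` under scope `run.rtvars` only, whereas this table is the generic `param` lookup in `resolver`, whose other callers I cannot see; a one-line comment on the new entry, e.g. `# run-time package root for this config, exposed to rtvars as ${param:packagedir}`, would tie the two together. The enclosing `resolver` body starts and continues outside the hunk.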