From 4115aca5ba37c253ab5cebe0e120edf6cd89e3dd Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Thu, 31 Oct 2024 23:20:16 +0100 Subject: [PATCH 1/4] support minimal (Linux) and full (Linux + Xen) imgs at the same time Should fix: https://github.com/3mdeb/meta-trenchboot/issues/44 Renamed the images to better match their content/usage to name than before. Updated documentation to reflect the actual content of the layer. For development, it's recommended to use the -full image. The -minimal image might still be useful later on, for demonstration purposes, or perhaps for Linux upstreaming process as well. xen recipes must be moved to dynamic-layers, to allow for building without meta-virtualization enabled.
Signed-off-by: Maciej Pijanowski --- README.md | 78 +++++++++---------- conf/distro/include/tb-distro-common.conf | 2 +- conf/distro/tb-distro.conf | 1 + conf/distro/tb-xen-distro.conf | 2 + .../meta-virtualization}/xen/xen-tb.inc | 0 .../meta-virtualization}/xen/xen-tools_tb.bb | 0 .../meta-virtualization}/xen/xen_tb.bb | 0 kas-xen-tb.yml => kas-tb-full.yml | 2 +- kas-generic-tb.yml => kas-tb-minimal.yml | 0 .../{tb-xen-image.bb => tb-full-image.bb} | 0 scripts/tb.sh | 16 ++-- wic/{grub.cfg => grub-full.cfg} | 4 +- wic/grub-minimal.cfg | 33 ++++++++ ... => trenchboot-image-efipluslegacy.wks.in} | 2 +- 14 files changed, 84 insertions(+), 56 deletions(-) rename {recipes-extended => dynamic-layers/meta-virtualization}/xen/xen-tb.inc (100%) rename {recipes-extended => dynamic-layers/meta-virtualization}/xen/xen-tools_tb.bb (100%) rename {recipes-extended => dynamic-layers/meta-virtualization}/xen/xen_tb.bb (100%) rename kas-xen-tb.yml => kas-tb-full.yml (93%) rename kas-generic-tb.yml => kas-tb-minimal.yml (100%) rename recipes-extended/images/{tb-xen-image.bb => tb-full-image.bb} (100%) rename wic/{grub.cfg => grub-full.cfg} (97%) create mode 100644 wic/grub-minimal.cfg rename wic/{trenchboot-image-efipluslegacy.wks => trenchboot-image-efipluslegacy.wks.in} (87%) diff --git a/README.md b/README.md index 4671b03..6a53298 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,7 @@ # meta-trenchboot -[![pipeline status](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/badges/master/pipeline.svg)](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/commits/master) - -Meta layer for the Trenchboot purposes - ---- - -## WARNING - -This is WIP repo and it is under development. Use it at your own risk. -If you have use-cases for such thing to be developed, please submit -an issue or PR with description of your needs / fixes. +Meta layer used for testing and demonstration of the +[TrenchBoot](https://trenchboot.org/) project. --- 
@@ -51,9 +42,16 @@ an issue or PR with description of your needs / fixes. * From `yocto` directory run: ```shell - kas-container build meta-trenchboot/kas-generic-tb.yml + kas-container build meta-trenchboot/.yml ``` +Available targets are: + - `kas-tb-minimal.yml` - will produce minimal TrenchBoot demonstration image, + supporting only Linux boot path (both legacy and UEFI) + - `kas-tb-full.yml` - will produce full TrenchBoot demonstration image, + supporting both Linux and Xen boot paths at the same time (selectable via + GRUB boot menu entries) + * Image build takes time, so be patient and after build's finish you should see something similar to (the exact tasks numbers may differ): @@ -64,7 +62,10 @@ something similar to (the exact tasks numbers may differ): NOTE: Tasks Summary: Attempted 4774 tasks of which 4749 didn't need to be rerun and all succeeded. ``` -Thanks to publishing the build cache on cache.dasharo.com the time needed to +> Note: the cache might not be always up to date currently due to +> [this issue](https://github.com/3mdeb/meta-trenchboot/issues/47). + +Thanks to publishing the build cache on `cache.dasharo.com`, the time needed to finish the process should be significantly decreased. Using the cache is enabled in `kas/cache.yml` file and can be disabled by removing reference to this file in `kas/common.yml`: 
@@ -122,15 +123,19 @@ To flash resulting image: ## Booting -To run TrenchBoot connect drive with flashed image to target platform and boot -from it. In GRUB menu you can choose normal `boot` or `slaunch-boot`. +To run TrenchBoot, connect drive with flashed image to target platform and boot +from it. In GRUB menu you can select one of the boot paths. + +> Note: the `minimal` image will contain only the Linux entries. ```text GNU GRUB version 2.06 +----------------------------------------------------------------------------+ - |*boot | - | slaunch-boot | + |*Boot Linux normally | + | Boot Linux with TrenchBoot | + | Boot Xen normally | + | Boot Xen with TrenchBoot | | | | | | | @@ -140,30 +145,13 @@ from it. In GRUB menu you can choose normal `boot` or `slaunch-boot`. Press enter to boot the selected OS, `e' to edit the commands ``` -After a while you should see login prompt. +After a while you should see a login prompt. ```text -early console in extract_kernel -input_data: 0x0000000006801548 -input_len: 0x000000000121e953 -output: 0x0000000004600000 -output_len: 0x00000000033caee8 -kernel_total_size: 0x0000000003030000 -needed_size: 0x0000000003400000 -trampoline_32bit: 0x0000000000000000 -Physical KASLR using RDRAND RDTSC... -Virtual KASLR using RDRAND RDTSC... - -Decompressing Linux... Parsing ELF... Performing relocations... done. -Booting the kernel (entry_offset: 0x0000000000000000). - - -Reference Yocto distro for PC Engines hardware 0.2.0 tb ttyS0 - tb login: ``` -To login use `root` account without password. +To login use `root` username, with no password. ## Running in QEMU 
@@ -185,9 +173,14 @@ qemu-system-x86_64 -serial stdio -enable-kvm \ Below is list of main recipes/components of this layer, path to main recipe file and short description of component +* tb-full-image + - Recipe: recipes-extended/images/tb-full-image.bb + - Content: Recipe to build image containing TrenchBoot components for both + Linux and Xen boot paths * tb-minimal-image - Recipe: recipes-extended/images/tb-minimal-image.bb - - Content: Recipe to build image containing all TB components + - Content: Recipe to build image containing TrenchBoot components for Linux + boot path * intel-sinit-acm - Recipe: recipes-support/intel-sinit-acm/intel-sinit-acm_630744.bb - Content: Download and deploy Intel ACM `*.bin` files. @@ -196,14 +189,13 @@ and short description of component - Content: Secure Kernel Loader * linux-tb - Recipe: recipes-kernel/linux/linux-tb_6.6.bb - - Content: Linux kernel + - Content: Linux kernel with TrenchBoot patches +* xen_tb + - Recipe: recipes-extended/xen/xen_tb.bb + - Content: Xen with TrenchBoot patches * grub - Recipe: recipes-bsp/grub/grub_%.bbappend -* grub-efi - - Recipe: recipes-bsp/grub/grub-efi_%.bbappend -* grub & grub-efi - - Recipe: recipes-bsp/grub/grub-tb-common.inc - - Content: Common config for both recipes + - Content: GRUB with TrenchBoot patches ### Source revision diff --git a/conf/distro/include/tb-distro-common.conf b/conf/distro/include/tb-distro-common.conf index d5c633d..bbf59a3 100644 --- a/conf/distro/include/tb-distro-common.conf +++ b/conf/distro/include/tb-distro-common.conf @@ -33,7 +33,7 @@ INITRAMFS_IMAGE = "core-image-initramfs-boot" INITRAMFS_IMAGE_BUNDLE = "1" # wks related variables -WKS_FILES = "trenchboot-image-efipluslegacy.wks" +WKS_FILES = "trenchboot-image-efipluslegacy.wks.in" WKS_FILE_DEPENDS:append = " grub-native" # explicitly use systemd and disable sysvinit completely diff --git a/conf/distro/tb-distro.conf b/conf/distro/tb-distro.conf index 9c4e06c..98d9d4a 100644 
--- a/conf/distro/tb-distro.conf +++ b/conf/distro/tb-distro.conf @@ -1,3 +1,4 @@ require conf/distro/include/tb-distro-common.conf DISTRO = "tb-distro" +TB_GRUB_CFG_FILE = "grub-minimal.cfg" diff --git a/conf/distro/tb-xen-distro.conf b/conf/distro/tb-xen-distro.conf index 13b250b..17fb625 100644 --- a/conf/distro/tb-xen-distro.conf +++ b/conf/distro/tb-xen-distro.conf @@ -11,3 +11,5 @@ PREFERRED_VERSION_xen = "4.17+tb" # TODO: for some reason, building tools from TB fork does not build all of the # tools - many basic binaries are missing PREFERRED_VERSION_xen-tools = "4.17+stable" + +TB_GRUB_CFG_FILE = "grub-full.cfg" diff --git a/recipes-extended/xen/xen-tb.inc b/dynamic-layers/meta-virtualization/xen/xen-tb.inc similarity index 100% rename from recipes-extended/xen/xen-tb.inc rename to dynamic-layers/meta-virtualization/xen/xen-tb.inc diff --git a/recipes-extended/xen/xen-tools_tb.bb b/dynamic-layers/meta-virtualization/xen/xen-tools_tb.bb similarity index 100% rename from recipes-extended/xen/xen-tools_tb.bb rename to dynamic-layers/meta-virtualization/xen/xen-tools_tb.bb diff --git a/recipes-extended/xen/xen_tb.bb b/dynamic-layers/meta-virtualization/xen/xen_tb.bb similarity index 100% rename from recipes-extended/xen/xen_tb.bb rename to dynamic-layers/meta-virtualization/xen/xen_tb.bb diff --git a/kas-xen-tb.yml b/kas-tb-full.yml similarity index 93% rename from kas-xen-tb.yml rename to kas-tb-full.yml index c2216d4..729d6a5 100644 --- a/kas-xen-tb.yml +++ b/kas-tb-full.yml @@ -12,4 +12,4 @@ repos: distro: tb-xen-distro machine: genericx86-64 target: - - tb-xen-image + - tb-full-image diff --git a/kas-generic-tb.yml b/kas-tb-minimal.yml similarity index 100% rename from kas-generic-tb.yml rename to kas-tb-minimal.yml diff --git a/recipes-extended/images/tb-xen-image.bb b/recipes-extended/images/tb-full-image.bb similarity index 100% rename from recipes-extended/images/tb-xen-image.bb rename to recipes-extended/images/tb-full-image.bb 
diff --git a/scripts/tb.sh b/scripts/tb.sh index b108d9f..fc95847 100755 --- a/scripts/tb.sh +++ b/scripts/tb.sh @@ -27,7 +27,7 @@ Usage: linux-tb - Linux kernel grub - GRUB legacy grub-efi - GRUB EFI - tb-minimal-image - Complete image with all components. Can only + tb-full-image - Complete image with all components. Can only be build or deployed destination: @@ -122,7 +122,7 @@ parse_args() { esac case $RECIPE_ARG in - skl|grub|grub-efi|linux-tb|tb-minimal-image) + skl|grub|grub-efi|linux-tb|tb-full-image) ;; *) usage_error "Wrong recipe" @@ -158,7 +158,7 @@ reset_recipe() { } build_recipe() { - if [ "$RECIPE_ARG" == "tb-minimal-image" ]; then + if [ "$RECIPE_ARG" == "tb-full-image" ]; then rm -rf "build/workspace/sources/grub/gnulib" 2&>/dev/null || true rm -rf "build/workspace/sources/grub-efi/gnulib" 2&>/dev/null || true kas-container shell "$KAS_YAML" \ @@ -216,7 +216,7 @@ update_grub() { fi kas-container --runtime-args \ "--device=$disk_device:$disk_device -v $DESTINATION_ARG:/mnt" \ - shell meta-trenchboot/kas-generic-tb.yml -c " \ + shell meta-trenchboot/kas-tb-full.yml -c " \ $verbose && cd /build/tmp/sysroots-components/x86_64/grub-native/usr && sudo ./bin/grub-mkimage -p '(hd0,msdos1)/grub' -d $grub_dir/i386-pc \ @@ -241,7 +241,7 @@ deploy_recipe() { local genericx86_path="$work_dir/genericx86_64-tb-linux" recipe_version=$( - kas-container shell meta-trenchboot/kas-generic-tb.yml \ + kas-container shell meta-trenchboot/kas-tb-full.yml \ -c "devtool latest-version $RECIPE_ARG" 2>&1 | sed -n 's/INFO: Current version: //p' ) 
@@ -277,11 +277,11 @@ deploy_recipe() { ${SUDO} rsync -chrtvP --inplace \ "$kernel_path/deploy-linux-tb/bzImage-initramfs-genericx86-64.bin" "$DESTINATION_ARG/boot/bzImage" ;; - tb-minimal-image) + tb-full-image) tmp_dir=$(mktemp -d) mkdir "$tmp_dir/boot" mkdir "$tmp_dir/rootfs" - device_path=$(sudo losetup --show -Prf "$deploy_dir/tb-minimal-image-genericx86-64.rootfs.wic") + device_path=$(sudo losetup --show -Prf "$deploy_dir/tb-full-image-genericx86-64.rootfs.wic") # shellcheck disable=SC2064 trap "set +e ; sudo umount ${device_path}p* ; \ sudo losetup -d $device_path ; set -e ; cleanup" EXIT @@ -305,7 +305,7 @@ trap cleanup EXIT SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) LAYER_DIR="$(dirname "$SCRIPT_DIR")" WORK_DIR="$(dirname "$LAYER_DIR")" -KAS_YAML="$LAYER_DIR/kas-generic-tb.yml" +KAS_YAML="$LAYER_DIR/kas-tb-full.yml" pushd "$WORK_DIR" &>/dev/null || exit 1 parse_args "$@" diff --git a/wic/grub.cfg b/wic/grub-full.cfg similarity index 97% rename from wic/grub.cfg rename to wic/grub-full.cfg index dbf9167..5feac8b 100644 --- a/wic/grub.cfg +++ b/wic/grub-full.cfg @@ -13,7 +13,7 @@ menuentry 'Boot Linux normally'{ linux /bzImage-initramfs-genericx86-64.bin rootwait root=LABEL=root rootfstype=ext4 console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 } -menuentry 'Boot Linux with DRTM'{ +menuentry 'Boot Linux with TrenchBoot'{ echo 'Enabling slaunch ...' slaunch echo 'Loading ACMs ...' @@ -39,7 +39,7 @@ menuentry 'Boot Xen normally' { module2 /bzImage rootwait root=LABEL=root rootfstype=ext4 console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 } -menuentry 'Boot Xen with DRTM' { +menuentry 'Boot Xen with TrenchBoot' { echo 'Enabling slaunch ...' slaunch echo 'Loading ACMs ...' diff --git a/wic/grub-minimal.cfg b/wic/grub-minimal.cfg new file mode 100644 index 0000000..73a526d --- /dev/null +++ b/wic/grub-minimal.cfg 
@@ -0,0 +1,33 @@ +serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 +set debug=linux,relocator,multiboot,multiboot_loader,slaunch +terminal_output console serial +terminal_input console serial +default=boot +timeout=5 + +insmod multiboot2 +insmod slaunch + +menuentry 'Boot Linux normally'{ + echo 'Loading Linux ...' + linux /bzImage-initramfs-genericx86-64.bin rootwait root=LABEL=root rootfstype=ext4 console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 +} + +menuentry 'Boot Linux with TrenchBoot'{ + echo 'Enabling slaunch ...' + slaunch + echo 'Loading ACMs ...' + slaunch_module /skl.bin + slaunch_module /acm/ADL_SINIT_v1_18_16_20230427_REL_NT_O1.PW_signed.bin + slaunch_module /acm/BDW_SINIT_20190708_1.3.2_PW.bin + slaunch_module /acm/CFL_SINIT_20221220_PRODUCTION_REL_NT_O1_1.10.1_signed.bin + slaunch_module /acm/CML_RKL_S_SINIT_v1.13.33_REL_NT_O1.PW_signed.bin + slaunch_module /acm/CML_S_SINIT_1_13_33_REL_NT_O1.PW_signed.bin + slaunch_module /acm/CMLSTGP_SINIT_v1_14_46_20220819_REL_NT_O1.PW_signed.bin + slaunch_module /acm/RKLS_SINIT_v1_14_46_20220819_REL_NT_O1.PW_signed.bin + slaunch_module /acm/SKL_KBL_AML_SINIT_20211019_PRODUCTION_REL_NT_O1_1.10.0.bin + slaunch_module /acm/SNB_IVB_SINIT_20190708_PW.bin + slaunch_module /acm/TGL_SINIT_v1_14_46_20220819_REL_NT_O1.PW_signed.bin + echo 'Loading Linux ...' + linux /bzImage-initramfs-genericx86-64.bin rootwait root=LABEL=root rootfstype=ext4 console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 +} diff --git a/wic/trenchboot-image-efipluslegacy.wks b/wic/trenchboot-image-efipluslegacy.wks.in similarity index 87% rename from wic/trenchboot-image-efipluslegacy.wks rename to wic/trenchboot-image-efipluslegacy.wks.in index af6e8a2..841c626 100644 --- a/wic/trenchboot-image-efipluslegacy.wks +++ b/wic/trenchboot-image-efipluslegacy.wks.in 
@@ -1,4 +1,4 @@ -bootloader --configfile="grub.cfg" +bootloader --configfile="${TB_GRUB_CFG_FILE}" part /boot --source bootimg-biosplusefi --sourceparams="loader=grub-efi,loader-pcbios=grub" --ondisk sda --label boot --align 1024 --use-uuid --active --system-id 0xef part / --source rootfs --fstype=ext4 --ondisk sda --label root --align 1024 --use-uuid --fixed-size 1024 From 543a022c05a6bd3f56c3ef769a3132dd814e4849 Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Mon, 4 Nov 2024 12:49:25 +0100 Subject: [PATCH 2/4] bsp: grup-efi: extend modules to match legacy config Builtin modules used in legacy build: https://github.com/zarhus/poky/blob/wic-plugin-pcbios-grub/scripts/lib/wic/plugins/source/bootimg-pcbios.py#L39 Modules: vga, biosdisk have not been present in the EFI build and could not be included. Signed-off-by: Maciej Pijanowski --- recipes-bsp/grub/grub-efi_%.bbappend | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/recipes-bsp/grub/grub-efi_%.bbappend b/recipes-bsp/grub/grub-efi_%.bbappend index 3c2fee1..88aa330 100644 --- a/recipes-bsp/grub/grub-efi_%.bbappend +++ b/recipes-bsp/grub/grub-efi_%.bbappend @@ -7,5 +7,6 @@ SRC_URI += "file://cfg" GRUB_BUILDIN = " \ boot linux ext2 fat serial part_msdos part_gpt normal \ efi_gop iso9660 configfile search loadenv test linux16 \ - slaunch search_label multiboot2 \ + slaunch search_label multiboot2 echo ls reboot chain \ + at_keyboard \ " From f7f80ea48adef60b02541f40a43abc2f56ef6bd0 Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Wed, 6 Nov 2024 19:46:48 +0100 Subject: [PATCH 3/4] README.md: inform that legacy and UEFI are supported by all imgs Signed-off-by: Maciej Pijanowski --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6a53298..0ecbce0 100644 --- a/README.md +++ b/README.md 
@@ -45,9 +45,9 @@ Meta layer used for testing and demonstration of the kas-container build meta-trenchboot/.yml ``` -Available targets are: +Available targets are (all image support both legacy and UEFI): - `kas-tb-minimal.yml` - will produce minimal TrenchBoot demonstration image, - supporting only Linux boot path (both legacy and UEFI) + supporting only Linux boot path - `kas-tb-full.yml` - will produce full TrenchBoot demonstration image, supporting both Linux and Xen boot paths at the same time (selectable via GRUB boot menu entries) From d384869a14ea623ff0b09068d1bfc92cc1c19177 Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Wed, 6 Nov 2024 19:48:33 +0100 Subject: [PATCH 4/4] README.md: use tb-full-image as a default one Signed-off-by: Maciej Pijanowski --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0ecbce0..85a122b 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ To flash resulting image: ```shell cd build/tmp/deploy/images/genericx86-64/ sudo umount /dev/sdx* - sudo bmaptool copy tb-minimal-image-genericx86-64.rootfs.wic.gz /dev/sdx + sudo bmaptool copy tb-full-image-genericx86-64.rootfs.wic.gz /dev/sdx ``` and you should see output similar to this (the exact size number may differ): @@ -115,7 +115,7 @@ To flash resulting image: ```shell bmaptool: info: block map format version 2.0 bmaptool: info: 275200 blocks of size 4096 (1.0 GiB), mapped 73240 blocks (286.1 MiB or 26.6%) - bmaptool: info: copying image 'tb-minimal-image-genericx86-64.rootfs.wic.gz' to block device '/dev/sdx' using bmap file 'tb-minimal-image-genericx86-64.rootfs.wic.bmap' + bmaptool: info: copying image 'tb-full-image-genericx86-64.rootfs.wic.gz' to block device '/dev/sdx' using bmap file 'tb-full-image-genericx86-64.rootfs.wic.bmap' bmaptool: info: 100% copied bmaptool: info: synchronizing '/dev/sdx' bmaptool: info: copying time: 19.3s, copying speed 14.9 MiB/sec 
@@ -163,7 +163,7 @@ To start QEMU: ```shell cd build/tmp/deploy/images/genericx86-64/ qemu-system-x86_64 -serial stdio -enable-kvm \ - -drive file=tb-minimal-image-genericx86-64.rootfs.wic,if=virtio + -drive file=tb-full-image-genericx86-64.rootfs.wic,if=virtio ``` ## Development @@ -220,7 +220,7 @@ INFO: Recipe skl now set up to build from /build/workspace/sources/ All recipes' sources you wish to modify will be in `../build/workspace/sources`. After modifications, you can try to a build recipe by using -`./scripts/tb.sh build ` or `./scripts/tb.sh build tb-minimal-image` to +`./scripts/tb.sh build ` or `./scripts/tb.sh build tb-full-image` to build whole image containing modified recipes. After building the image, you can [install](#flash) and [boot](#booting) it or run it in [QEMU](#running-in-qemu).
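Review bot: in the README build-instructions hunk of PATCH 1/4 (`@@ -51,9 +42,16 @@`), the replacement command reads `kas-container build meta-trenchboot/.yml` with nothing between `meta-trenchboot/` and `.yml`, so the reader is left with a command that cannot be run as written. Either name the placeholder explicitly, or show the concrete default the series settles on in PATCH 4/4 (`kas-container build meta-trenchboot/kas-tb-full.yml`) and point at the "Available targets" list for the minimal variant.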
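Review bot: the README "Booting" hunk of PATCH 1/4 (`@@ -140,30 +145,13 @@`) changes the sign-in sentence to `To login use `root` username, with no password.`, which is still ungrammatical; suggest `To log in, use the `root` user, which has no password.` Dropping the early-console kernel log from the example output is fine, since the login prompt is the only line a reader needs to recognise.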
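Review bot: the README components hunk of PATCH 1/4 (`@@ -196,14 +189,13 @@`) documents the new entry as `- Recipe: recipes-extended/xen/xen_tb.bb`, but the same patch renames that file to `dynamic-layers/meta-virtualization/xen/xen_tb.bb`, so the path is wrong the moment the patch lands; please use the dynamic-layers path and mention that the recipe is only built when meta-virtualization is present, as the commit message says. The same hunk also deletes the `grub-efi` entry (`recipes-bsp/grub/grub-efi_%.bbappend`) although that bbappend still exists and PATCH 2/4 edits it; keep an entry for it, or fold both bbappends into the remaining `grub` entry.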
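Review bot: the `conf/distro/include/tb-distro-common.conf` hunk switches `WKS_FILES` to the `.wks.in` template, but `TB_GRUB_CFG_FILE`, which that template now expands via `--configfile="${TB_GRUB_CFG_FILE}"`, is only assigned in the two leaf distro files. A distro that includes the common file without setting the variable ends up with an empty `--configfile` and a boot medium with no GRUB menu; suggest adding a weak default next to `WKS_FILES`, e.g. `TB_GRUB_CFG_FILE ?= "grub-minimal.cfg"`, and keeping the `=` assignments in `tb-distro.conf` and `tb-xen-distro.conf` as overrides.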
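Review bot: the `scripts/tb.sh` usage and `parse_args()` hunks (`@@ -27,7 +27,7 @@`, `@@ -122,7 +122,7 @@`) replace `tb-minimal-image` with `tb-full-image` in the accepted recipe list, so the script can no longer build or deploy the minimal image that the README in this same series still advertises. Suggest accepting both names in the `case $RECIPE_ARG in` pattern (`skl|grub|grub-efi|linux-tb|tb-minimal-image|tb-full-image)`) and choosing the kas file from the image name. Minor: the usage text still says `Can only be build or deployed`; it should read `built`.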
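Review bot: in the `build_recipe()` hunk of `scripts/tb.sh` (`@@ -158,7 +158,7 @@`) the two context lines `rm -rf "build/workspace/sources/grub/gnulib" 2&>/dev/null || true` use `2&>`, which bash parses as the word `2` followed by the `&>` operator, so `rm -rf` receives an extra argument `2` and would remove a file of that name in the working directory while the intended stderr suppression is only incidental. Since the hunk is already being touched, change both lines to `>/dev/null 2>&1`.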
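Review bot: the `update_grub()` and `deploy_recipe()` hunks of `scripts/tb.sh` (`@@ -216,7 +216,7 @@`, `@@ -241,7 +241,7 @@`) hard-code `meta-trenchboot/kas-tb-full.yml` even though the last hunk of the same file now sets `KAS_YAML="$LAYER_DIR/kas-tb-full.yml"` and `build_recipe()` already passes `"$KAS_YAML"`. Use `"$KAS_YAML"` in all three places so the kas file is selected once, otherwise the next rename of the yml, or a future minimal/full switch, has to be chased through the script again.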
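Review bot: in the new `wic/grub-minimal.cfg`, `default=boot` no longer matches anything: the two entries are titled `'Boot Linux normally'` and `'Boot Linux with TrenchBoot'` and neither carries `--id boot`, so GRUB silently falls back to the first entry. Either set `default=0` or declare the intended entry as `menuentry 'Boot Linux normally' --id boot {`. Two smaller points: `set debug=linux,relocator,multiboot,multiboot_loader,slaunch` leaves verbose debug output enabled in a file described as a demonstration config, and `insmod multiboot2` is unused in a Linux-only menu. The Linux entries also duplicate the corresponding block of `grub-full.cfg` byte for byte; if the two files are meant to stay in sync, a comment in each pointing at the other would help the next editor.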
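Review bot: the `recipes-bsp/grub/grub-efi_%.bbappend` hunk of PATCH 2/4 extends `GRUB_BUILDIN` with `echo ls reboot chain at_keyboard` to mirror the legacy list, but the reasoning lives only in the commit message (whose subject also misspells the recipe as `grup-efi`). Record it in the file itself, e.g. a comment above `GRUB_BUILDIN` citing the `bootimg-pcbios.py` module list the message links to and noting that `vga` and `biosdisk` are intentionally absent from the EFI build, so a later reader can tell which differences between the two lists are deliberate.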
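Review bot: in the README hunk of PATCH 3/4 (`@@ -45,9 +45,9 @@`) the added line `Available targets are (all image support both legacy and UEFI):` should read `all images support`.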