haowqs
diff --git a/‎doc/secure_boot_guide.md
Lines changed: 80 additions & 0 deletions b/‎doc/secure_boot_guide.md
Lines changed: 80 additions & 0 deletions
diff --git a/‎td-shim-tools/Cargo.toml
Lines changed: 12 additions & 0 deletions b/‎td-shim-tools/Cargo.toml
Lines changed: 12 additions & 0 deletions
diff --git a/‎td-shim-tools/src/bin/td-shim-enroll/README.md
Lines changed: 52 additions & 0 deletions b/‎td-shim-tools/src/bin/td-shim-enroll/README.md
Lines changed: 52 additions & 0 deletions
diff --git a/‎td-shim-tools/src/bin/td-shim-enroll/main.rs
Lines changed: 177 additions & 0 deletions b/‎td-shim-tools/src/bin/td-shim-enroll/main.rs
Lines changed: 177 additions & 0 deletions
@@ -0,0 +1,80 @@
+# Secure boot guide for td-shim
+
+This guide follows the [Secure Boot Specification](secure_boot.md) for td-shim.
+
+## Build td-shim with secure boot feature enabled
+
+```
+cargo xbuild -p td-shim --features "secure-boot" --target x86_64-unknown-uefi --release
+```
+
+## Build payload
+
+Refer to [README](../README.md), using ELF as example:
+
+```
+cargo xbuild -p td-payload --target devtools/rustc-targets/x86_64-unknown-none.json --release
+```
+
+## Generate Key
+
+1. ECDSA NIST P384
+
+Run below command to generate a DER encoded PKCS8 formate EC private key file (on Linux):
+```
+openssl genpkey -algorithm EC \
+        -pkeyopt ec_paramgen_curve:P-384 \
+        -pkeyopt ec_param_enc:named_curve \
+        -outform der -out ecdsa-p384-private.der
+
+openssl pkcs8 -topk8 -nocrypt -inform der -in ecdsa-p384-private.der -outform der -out ecdsa-p384-private.pk8
+```
+
+Generate public key file with private key:
+```
+openssl ec -inform der -in ecdsa-p384-private.der -pubout -outform der -out ecdsa-p384-public.der
+```
+
+2. RSA 3072
+
+Run below command to generate a DER encoded PKCS8 formate RSA private key file (on Linux).
+```
+openssl genpkey -algorithm RSA \
+        -pkeyopt rsa_keygen_bits:3072 \
+        -pkeyopt rsa_keygen_pubexp:65537 | \
+        openssl pkcs8 -topk8 -nocrypt -outform der > rsa-3072-private.pk8
+```
+
+Generate public key file with private key:
+```
+openssl rsa -inform der -in rsa-3072-private.pk8 -pubout -outform der -out rsa-3072-public.der
+```
+
+## Sign payload with [rust-tdpayload-signing](../td-shim-sign-payload)
+Using ECDSA NIST P384 as example:
+
+Clear environment varibles CC and AR at first:
+```
+set CC_x86_64_unknown_uefi=
+set AR_x86_64_unknown_uefi=
+```
+
+Run the signing tool:
+```
+cargo run -p td-shim-tools --bin td-shim-sign-payload -- -A ECDSA_NIST_P384_SHA384 data/sample-keys/ecdsa-p384-private.pk8 target/x86_64-unknown-none/release/td-payload 1 1 
+```
+The signed payload file **td-payload-signed** is located in the same folder with input `td-payload`.
+
+## Enroll public key into CFV with [rust-tdshim-key-enroll](../td-shim-tools)
+Build final.bin:
+```
+cargo run -p td-shim-tools --bin td-shim-ld -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/rust-tdshim.efi target/x86_64-unknown-none/release/td-payload-signed -o target/x86_64-unknown-uefi/release/final.bin
+```
+
+Enroll public key:
+```
+cargo run -p td-shim-tools --bin td-shim-enroll-key -- -H SHA384 target/x86_64-unknown-uefi/release/final.bin data/sample-keys/ecdsa-p384-public.der
+```
+
+The output file **final.sb.bin** with secure boot enabled is located in the same folder with input final.bin.
+
@@ -7,6 +7,18 @@ homepage = "https://github.com/confidential-containers"
 license = "BSD-2-Clause-Patent"
 edition = "2018"
 
+[[bin]]
+name = "td-shim-enroll"
+required-features = ["enroller"]
+
+[[bin]]
+name = "td-shim-ld"
+required-features = ["linker"]
+
+[[bin]]
+name = "td-shim-sign-payload"
+required-features = ["signer"]
+
 [dependencies]
 r-efi = "3.2.0"
 scroll = { version = "0.10", default-features = false, features = ["derive"]}
 
@@ -0,0 +1,52 @@
+## Public key enrollment
+
+This tool accepts **DER encoded** public key file as input and enrolls the **public key hash** into CFV.
+Public keys are a SubjectPublicKeyInfo as specified in [IETF RFC 3280](https://datatracker.ietf.org/doc/html/rfc3280).
+
+### Configuration Firmware Volume (CFV)
+
+Quotation from [Intel TDX Virtual Firmware Design Guide](https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf),
+section 3.2:
+```
+TDVF/TD-SHIM may also include a configuration firmware volume (CFV) that is seperated from the boot firmware volume (BFV).
+The reason to do so is because the CFV is measured in the `RTMR`, while the BFV is measured in `TDMR`.
+
+Configuration Firmware Volume includes all the provisoned data and this region is read-only. One possible usage is to
+provide UEFI Secure Boot Variable content in this region, such as PK, KEK, db, dbx.
+
+The filesystem GUID must be `EFI_SYSTEM_NV_DATA_FV_GUID`, defined in 
+[https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Include/Guid/SystemNvDataGuid.h](https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Include/Guid/SystemNvDataGuid.h)
+```
+
+### Generate public key
+
+1. ECDSA NIST P384
+
+Generate DER encoded public key from DER encoded EC private key file. 
+```
+openssl ec -inform der -in ecdsa-p384-private.der -pubout -outform der -out ecdsa-p384-public.der
+```
+
+2. RSA 3072
+
+Generate DER encoded public key from DER encoded pkcs8 formated private key:
+```
+openssl rsa -inform der -in rsa-3072-private.pk8 -pubout -outform der -out rsa-3072-public.der
+```
+
+### Enrollment
+
+Run the tool:
+```
+cargo run -p td-shim-tools --bin td-shim-enroll -- [-H {hash_algorithm}] [-o {output_file}] [-k {public_key_file}] [-f {Firmware_file}] {tdshim_file} 
+```
+
+For example:
+```
+cargo run -p td-shim-tools --bin td-shim-enroll -- -H SHA384 -o final.sb.bin target/x86_64-unknown-uefi/release/final.bin -k data/sample-keys/ecdsa-p384-public.der
+```
+
+To enroll raw files into CFV:
+```
+cargo run -p td-shim-tools --bin td-shim-enroll -- -o final.sb.bin target/x86_64-unknown-uefi/release/final.bin -f AB122746-2735-4013-A5C4-90F739CA29BD data/sample-keys/ecdsa-p384-public.der 4EF32D2C-7DD1-44BD-A4C9-E0F8FCC5372A data/sample-keys/rsa-3072-public.der
+```
@@ -0,0 +1,177 @@
+// Copyright (c) 2021 Intel Corporation
+// Copyright (c) 2022 Alibaba Cloud
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+#[macro_use]
+extern crate clap;
+use log::{error, LevelFilter};
+use std::path::PathBuf;
+use std::str::FromStr;
+use std::vec::Vec;
+use std::{env, io, path::Path};
+use td_shim_tools::enroller::{create_key_file, enroll_files, FirmwareRawFile};
+use td_shim_tools::InputData;
+use td_uefi_pi::pi::guid;
+const TDSHIM_SB_NAME: &str = "final.sb.bin";
+
+struct Config {
+    // Input file path to be read
+    pub input: String,
+    // Output file path to be written
+    pub output: PathBuf,
+    // Public key file path
+    pub key: Option<String>,
+    // Hash algorithm "SHA384" by default
+    pub hash_alg: String,
+    // Firmware file information to be enrolled into CFV,
+    // consists of (Guid, FilePath)
+    pub firmware_files: Vec<(guid::Guid, String)>,
+    // Log level "SHA384" by default
+    pub log_level: String,
+}
+
+#[derive(Debug)]
+pub enum ConfigParseError {
+    InvlidGuid,
+    InvalidLogLevel,
+    InvalidInputFilePath,
+}
+
+impl Config {
+    pub fn new() -> Result<Self, ConfigParseError> {
+        let matches = command!()
+            .arg(
+                arg!([tdshim] "shim binary file")
+                    .required(true)
+                    .allow_invalid_utf8(false),
+            )
+            .arg(
+                arg!(-k --key "public key file for enrollment")
+                    .required(false)
+                    .takes_value(true)
+                    .allow_invalid_utf8(false),
+            )
+            .arg(
+                arg!(-H --hash "hash algorithm to compute digest")
+                    .required(false)
+                    .takes_value(true)
+                    .default_value("SHA384"),
+            )
+            .arg(
+                arg!(-f --file "<Guid> <FilePath> Firmware file to be enrolled into CFV")
+                    .required(false)
+                    .multiple_values(true)
+                    .multiple_occurrences(true)
+                    .takes_value(true)
+                    .allow_invalid_utf8(false),
+            )
+            .arg(
+                arg!(-l --"log-level" "logging level: [off, error, warn, info, debug, trace]")
+                    .required(false)
+                    .default_value("info"),
+            )
+            .arg(
+                arg!(-o --output "output of the enrolled shim binary file")
+                    .required(false)
+                    .takes_value(true)
+                    .allow_invalid_utf8(false),
+            )
+            .get_matches();
+
+        // Safe to unwrap() because they are mandatory or have default values.
+        //
+        // rust-td binary file
+        let input = matches.value_of("tdshim").unwrap().to_string();
+        let output = match matches.value_of("output") {
+            Some(v) => Path::new(v).to_path_buf(),
+            None => {
+                let p = Path::new(input.as_str())
+                    .canonicalize()
+                    .map_err(|_| ConfigParseError::InvalidInputFilePath)?;
+                p.parent().unwrap_or(Path::new("/")).join(TDSHIM_SB_NAME)
+            }
+        };
+        let hash_alg = String::from_str(matches.value_of("hash").unwrap()).unwrap();
+        let key = match matches.value_of("key") {
+            Some(v) => Some(v.to_string()),
+            None => None,
+        };
+
+        let firmware_files = match matches.values_of("file") {
+            Some(inputs) => {
+                let inputs = inputs.collect::<Vec<&str>>();
+                let mut firmware_files: Vec<(guid::Guid, String)> = Vec::new();
+                for i in 0..(inputs.len() / 2) {
+                    firmware_files.push((
+                        // Guid
+                        guid::Guid::from_str(inputs[i * 2])
+                            .map_err(|_| ConfigParseError::InvlidGuid)?,
+                        // File path
+                        inputs[i * 2 + 1].to_string(),
+                    ));
+                }
+                firmware_files
+            }
+            None => Vec::new(),
+        };
+
+        // Safe to unwrap() because they are mandatory or have default values.
+        let log_level = String::from_str(matches.value_of("log-level").unwrap())
+            .map_err(|_| ConfigParseError::InvalidLogLevel)?;
+
+        Ok(Self {
+            input,
+            output,
+            hash_alg,
+            key,
+            firmware_files,
+            log_level,
+        })
+    }
+}
+
+fn main() -> io::Result<()> {
+    use env_logger::Env;
+    let env = Env::default()
+        .filter_or("MY_LOG_LEVEL", "info")
+        .write_style_or("MY_LOG_STYLE", "always");
+    env_logger::init_from_env(env);
+    let config = Config::new().map_err(|e| {
+        error!("Parse command line error: {:?}", e);
+        io::Error::new(io::ErrorKind::Other, "Invalid command line parameter")
+    })?;
+
+    if let Ok(lvl) = LevelFilter::from_str(config.log_level.as_str()) {
+        log::set_max_level(lvl);
+    }
+
+    // Convert input files as firmware file format
+    let ffs = create_firmware_files(&config)?;
+    // Enroll the files into CFV
+    enroll_files(config.input.as_str(), config.output, ffs)?;
+
+    Ok(())
+}
+
+// Build firmware files according to command line input
+// 0 / 1 public key file to be enrolled
+// 0 ~ n raw file read from system path to be enrolled
+fn create_firmware_files(config: &Config) -> io::Result<Vec<FirmwareRawFile>> {
+    let mut files: Vec<FirmwareRawFile> = Vec::new();
+
+    if let Some(key) = &config.key {
+        let ff_sb = create_key_file(key.as_str(), config.hash_alg.as_str())?;
+        files.push(ff_sb);
+    }
+
+    for (guid, path) in &config.firmware_files {
+        // Create a firmware file
+        let mut f = FirmwareRawFile::new(guid.as_bytes());
+        let data = InputData::new(path, 1..=1024 * 1024, "firmware file")?;
+        f.append(data.as_bytes());
+        files.push(f)
+    }
+
+    Ok(files)
+}