This closes an old gap in system integration testing for the very complex ARM firmware stacks by adding fairly advanced Replay Protected Memory Block (RPMB) emulation to the eMMC device model. Key programming and message authentication are working, so is the write counter. Known users are happy with the result. What is missing, but not only for RPMB- related registers, is state persistence across QEMU restarts. This is OK at this stage for most test scenarios, though, and could still be added later on.
What can already be done with it is demonstrated in the WIP branch of isar-cip-core at [1]: TF-A + OP-TEE + StandaloneMM TA + fTPM TA, used by U-Boot and Linux for UEFI variable storage and TPM scenarios. If you want to try: build qemu-arm64 target for trixie with 6.12-cip *head* kernel, enable secure boot and disk encryption, then run $ QEMU_PATH=/path/to/qemu-build/ ./start-qemu.sh Deploy snakeoil keys into PK, KEK and db after first boot to enable secure booting: root@demo:~# cert-to-efi-sig-list PkKek-1-snakeoil.pem PK.esl root@demo:~# sign-efi-sig-list -k PkKek-1-snakeoil.key -c PkKek-1-snakeoil.pem PK PK.esl PK.auth root@demo:~# efi-updatevar -f PK.auth db root@demo:~# efi-updatevar -f PK.auth KEK root@demo:~# efi-updatevar -f PK.auth PK Note that emulation is a bit slow in general, and specifically the partition encryption on first boot is taking 20 min. - we should probably reduce its size or understand if there is still something to optimize. Jan [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commits/wip/qemu-rpmb Cc: "Daniel P. Berrangé" <berra...@redhat.com> Jan Kiszka (8): hw/sd/sdcard: Fix size check for backing block image hw/sd/sdcard: Add validation for boot-partition-size hw/sd/sdcard: Allow user-instantiated eMMC hw/sd/sdcard: Refactor sd_bootpart_offset hw/sd/sdcard: Add basic support for RPMB partition crypto/hmac: Allow to build hmac over multiple qcrypto_gnutls_hmac_bytes[v] calls hw/sd/sdcard: Handle RPMB MAC field scripts: Add helper script to generate eMMC block device images crypto/hmac-gcrypt.c | 4 +- crypto/hmac-glib.c | 4 +- crypto/hmac-gnutls.c | 4 +- crypto/hmac-nettle.c | 4 +- hw/sd/sd.c | 314 ++++++++++++++++++++++++++++++++++++++--- hw/sd/sdmmc-internal.h | 24 +++- hw/sd/trace-events | 2 + include/crypto/hmac.h | 12 ++ scripts/mkemmc.sh | 185 ++++++++++++++++++++++++ 9 files changed, 530 insertions(+), 23 deletions(-) create mode 100755 scripts/mkemmc.sh -- 2.43.0
