How do you test heads with QEMU? #516
Comments
|
Is this what your looking for https://github.com/osresearch/heads-wiki/blob/master/Emulating-Heads.md |
|
@itay-grudev : I think Emulating Heads needs to be updated. Heads doesn't include Xen anymore since kexec got fixed. |
|
I'm compiling the |
|
if anyone knows how to play around qemu in docker, that would be aweome to share. |
|
Another Heads issue directs to bypass coreboot booting and instruct to boot kernel and initrd, which unfortunately misses the point of measuring coreboot. |
|
@itay-grudev how were your tests? :) |
|
|
|
On 02/15/19 11:52, Itay Grudev wrote:
`make run` fails with:
```
❯ make run
qemu-system-x86_64 \
--machine q35 \
--serial /dev/tty \
--bios /home/ito/Projects/heads/build/qemu-coreboot/coreboot.rom \
; stty sane
qemu-system-x86_64: Initialization of device e1000e failed: failed to find romfile "efi-e1000e.rom"
```
As a workaround, please add `-nic none` to that call, and
check, if it fixes the issue. Otherwise, you need to find
the option ROM somewhere.
|
|
Thanks. I was able to get it working with: diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config
index 9427a2a..a0520fe 100644
--- a/boards/qemu-coreboot/qemu-coreboot.config
+++ b/boards/qemu-coreboot/qemu-coreboot.config
@@ -42,4 +42,5 @@ run:
--machine q35 \
--serial /dev/tty \
--bios $(build)/$(BOARD)/coreboot.rom \
+ -nic none \
; stty sane |
|
Do you know how can I get the GUI working? I am currently getting: It's probably some QEMU option, I just can't find it. |
|
FYI: debian-9 can install qemu tools in a TemplateVM, fedora-29 can't for the moment. It will be fixed in QubesOS 4.1. I gave up a long time ago trying to build Heads in debian templates, and CI based on ubuntu are currently failing @osresearch. |
@itay-grudev : https://github.com/flammit/heads/tree/qemu-gui-init |
add "-nic none" to fix #516 (comment)
|
@itay-grudev @paulmenzel Are you able to access a block device under qemu-coreboot build? Drive option hda standard support: ide-drive: AHCI There is no /dev/sda under Heads (debian-9 QubesOS template with qemu deployed, so no kvm). Only /sys/block/loop* and /sys/block/ram* devices. Was wondering if I was doing something wrong or if there is a concept i'm missing? |
|
@flammit used: |
|
Trying to find my way with qemu without KVM since QubesOS doesn't support nested virtualization. Works on QubesOS debian-9 template based qube, on which qemu was installed on parent template. Didn't found a way to pass devices yet, which is problematic, but I can at least test script changes without having to flash real hardware internally for everything. gui-init requires an existing /boot. My testing requires a functional /media where oem-provisioning is found. Create disks and required content to be tested: Note: unfortunately, minimal size for LUKS container is 1049600 bytes, and adding a 500Mb + disk image into rom is not desirable. Wish I could find a way to test this by providing qemu-image disks to qemu without hacking my way like this, but it really seems kvm is required for this, even when "if=none" is passed, which from my understanding doesn't depend on virtio internals. Ho well. Make those disks mounted by /initrd/init which feeds /etc/fstab correctly: build and test run: |
|
It also seems that from Gentoo documentation that it would be possible to pass host random stream by adding: |
|
As pointed in #700 (comment) by @orangecms : Should be fixed in qemu-coreboot |
|
So qemu-coreboot TPM support, which would rely on swtpm support which depends on libtpms support seems possible as dependencies of the qemu-coreboot board, but would be linked to a totally different build path depending if on fedora build system or debian (debian not providing libtpms packages for some reason, requiring to build everything from source) @orangecms: any success that path? |
|
A lot of documentation lies in this ticket for PR propositions. Reopening. |
@tlaurion I'm not sure what |
|
@pietrushnic : qemu-coreboot in Heads term is just the board config So one can build Heads for qemu calling Any advice welcome, since building those qemu board configs without them being linked to a software TPM (swtpm), not having functional USB passthrough (to be able to sign /boot components and remotely attest through HOTP) nor assigned prepared block devices/images attached (installed OS or at least a /dev/sda1 to be recognized by Heads as boot partition which is a requirement, sign /boot config with passed USB device) is pretty useless but to show that heads produces a valid ROM only. qemu-coreboot boards have TPM deactivated, and as reported by issue #688, since no valid block devices are passed to qemu, the board is a diskless machine without proper changes on board configs themselves doing some more magic for the end user calling @orangecms helped here. Maybe he could share some more light on the subject? |
So the coreboot.rom or linuxboot.rom built by heads when I calling 'make BOARD=qemu-linuxboot run' is not able to boot the real kernel and root filesystem, since there is no disk can be mounted. Is it possible to build the necessary components separately and then combine them into the linuxboot.rom, and subsequently run it on QEMU with the real kernel and root filesystem? Because I found QEMU can directly run the real kernel and root filesystem without linuxboot.rom, but when I added it, it would be stuck in the recovery shell, just as same as ‘make BOARD=qemu-linuxboot run’. Or, do you have some other good way to solve this problem? Sincerely thanks a lot. |
|
@ReLIFE9527 : I was successful applying some hacks here while some help would be required to pass disks (or img) from the host to qemu so that the original mappings would be valid without hacking Heads board configurations but by having a make run statement that works out of the box successfully: mapping usb devices (HOTP tests) with a swtpm being setuped correctly in a precedent step, with its required dependencies. I am on unknown territories here. Edit:
|
|
Interesting USB usage tests were done here |
|
@ReLIFE9527 @itay-grudev @pietrushnic : important breakthrough in code on the safeboot side for swtpm+qemu communication and board adjustments. Reimplementing dependencies on qemu boards, Makefile and modules will lead to be able to test heads with TPM (and some additional tinkering would make USB pass-through of USB Security dongle work) |
|
@tlaurion thanks. We discussed that architecture and potential use cases extensively during QubesOS minisummit SRTM talk. Slides are here |
|
That was implemented as draft into #893 (doesn't build correctly as of now) |
|
For USB support (HOTP support) https://qemu.readthedocs.io/en/latest/system/devices/usb.html |
Kyle Ranking told me that when playing with heads one option to test is to simulate it with QEMU and some of you are using it. That will be much more convenient than re-flashing every time, but when I tried setting it up I couldn't.
Do you have a script or can you provide the qemu command with all the args and options you use?
The text was updated successfully, but these errors were encountered: