Add meta-trenchboot image to Xen - for testing requirements

[artur-rs]

Is your feature request related to a problem? Please describe.

TrenchBoot testing infrastructure should support validation in Xen and Linux.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

Describe the solution you'd like

• Add meta-trenchboot image to Xen
• Collect all existing tests: e.g. PCR validation; event log;
  • there is also a package (suite?), which requires QubesOS (but we can change the QubesOS condition, omit it)
• Prepare test-suite/cases:
  • Xen test-cases - TBD test scenarios
  • Get utility script from TB - TBD test scenarios. Note: The script should be then integrated by Zarhus Team (where?).
  • Xen with dom0 and the latest Grub
• Run the tests on the target platform - for example, PC Engines apu2

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

Let's start with the discussion about implementation plan for test-cases.

Relevant documentation you've consulted A list of links to any relevant documentation you have consulted.

[macpijan]

TrenchBoot can work with either Linux or Xen boot paths. We already have the first one, and the goal here would be to bring back the other one.

We've had some Xen image in this layer in the past: https://github.com/3mdeb/meta-trenchboot/blob/4404f91d727dc0ee61c9449c023a31e300012992/dynamic-layers/virtualization-layer/recipes-extended/images/xen-tb-dom0-image.bb

Another reference can be found e.g. here: https://github.com/Dasharo/meta-dasharo/blob/wip-firewall-xen/meta-dasharo-firewall/recipes-dasharo/images/dasharo-firewall-xen-image.bb

We should take a look at meta-virtualization for current state of Xen recipes.

This image should also use GRUB, and ideally, it is hybrid BIOS/UEFI as we have for the Linux right now.

We are going to use both of these images for testing of the future TrenchBoto changes to make sure we still support these both boot flows.

The test would be basically the same as we have for Linux right now. We simply check if we can boot and check the TPM.

Note: Linux used here does not need to be from TrenchBoot fork - the Xen will need to be, but we can use generic Linux kernel. It might be just easier to use the same Linux kernel in the Xen boo flow as well, I suppose. Kernel will need some Xen-related configs, though, to work as a dom0 kernel. That should be handled by the .cfg files in meta-virtualuzation if we use linux-yocto, not sure how it will be handled if we would use custom linux-tb recipe. We might need to port these config changes to our layer, or simply use linux-yocto, which should be compatible with meta-virtualization.

[macpijan]

Get utility script from TB

@krystian-hebel Can you point us to the utility you have mentioned, we could extract from TB/AEM repo and integrate here for some testing?

[krystian-hebel]

I can't remember what it was about, I know that the previous point is about https://github.com/TrenchBoot/qubes-antievilmaid/blob/main/sbin/anti-evil-maid-dump-evt-log with its two parsers, https://github.com/TrenchBoot/qubes-antievilmaid/blob/main/sbin/txt-tpm1-evt-log-parser.awk and https://github.com/TrenchBoot/qubes-antievilmaid/blob/main/sbin/tpm2-evt-log-parser.awk, and common https://github.com/TrenchBoot/qubes-antievilmaid/blob/main/sbin/tpm-evt-log-utils.awk used by parsers.

https://github.com/TrenchBoot/qubes-antievilmaid/blob/main/sbin/anti-evil-maid-lib should NOT be added, it is used only as a way of getting TPM family from /sys/class/tpm/tpm0/tpm_version_major, which can be done in the main script instead.

There is also https://github.com/TrenchBoot/secure-kernel-loader/blob/master/extend_multiboot.sh, but I don't think it would be useful here, as it was designed as an offline tool.

[EduKav1813]

Results of tests (the bootlog and the PCR registers content):

bootlog_xen.txt pcr_registers_xen.txt