Generate certs, feed them to a webserver & coreboot

20190203-FOSDEM-barberio-hendricks/config/kea6.conf

@@ -10,7 +10,7 @@
 
 # Next we setup the interfaces to be used by the server.
     "interfaces-config": {
-        "interfaces": [ "ens3" ]
+        "interfaces": [ "tap0" ]
     },
 
 # And we specify the type of lease database
@@ -25,13 +25,13 @@
         {
             "subnet": "2001:db8:1::/64",
             "id": 1024,
-            "interface": "ens3",
+            "interface": "tap0",
             "pools": [
                  {
-                     "pool": "2001:db8:1::10-2001:db8:1::ffff"
+                     "pool": "2001:db8:1::10-2001:db8:1::200"
                  }
              ]
-        }
+	}
     ],
 
     "option-data": [
@@ -47,7 +47,7 @@
             "code": 59,
             "csv-format": true,
             "space": "dhcp6",
-            "data": "http://[2001:db8:0:1::1]:80/nbp"
+            "data": "https://[2001:db8:1::1]:443/nbp"
         }
     ]
 # DHCPv6 configuration ends with the next line

20190203-FOSDEM-barberio-hendricks/scripts/00-fetch.sh

@@ -18,8 +18,8 @@ get_kernel() {
     if [ ! -e "linux-${KERNEL_VER}" ]
     then
         wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VER}.tar.xz
+        tar xvJf linux-${KERNEL_VER}.tar.xz
     fi
-    tar xvJf linux-${KERNEL_VER}.tar.xz
     cp ../config/linux-config linux-${KERNEL_VER}/.config
 }
 

20190203-FOSDEM-barberio-hendricks/scripts/01-build.sh

@@ -1,5 +1,7 @@
 #!/bin/bash -exu
 
+(cd webserver ; go build)
+
 # Create the u-root initramfs with systemboot tools
 rm -f /tmp/initramfs.linux_amd64.cpio
 rm -f /tmp/initramfs.linux_amd64.cpio.xz
@@ -11,6 +13,9 @@ u-root \
 
 xz --check=crc32 --lzma2=dict=512KiB /tmp/initramfs.linux_amd64.cpio
 
+# Generate some to embed in coreboot, and to be passed to a webserver for TLS
+bash ./certs.sh
+
 # build a kernel with the provided initramfs. The CONFIG_INITRAMFS parameter is hardcoded
 # in the provided linux config file to point to /tmp/initramfs.linux_amd64.cpio . Adjust
 # it if necessary.
@@ -21,15 +26,19 @@ make -j$(nproc)
 # build coreboot for qemu with the provided config file.
 cd ../coreboot/
 make
-cd ..
+pwd
+
 
 # Write VPD variables. These will be available read-only via /sys/firmware/vpd/*
 # RW_VPD partition
-vpd -f build/coreboot.rom -i RW_VPD -O
-vpd -f build/coreboot.rom -i RW_VPD -s 'LinuxBoot=IsCool'
+ vpd -f build/coreboot.rom -i RW_VPD -O
+ vpd -f build/coreboot.rom -i RW_VPD -s 'LinuxBoot=IsCool'
 # RO_VPD partition
-vpd -f build/coreboot.rom -i RO_VPD -O
-vpd -f build/coreboot.rom -i RO_VPD -s 'Boot0000={"type":"netboot","method":"dhcpv6"}'
-vpd -f build/coreboot.rom -i RO_VPD -g Boot0000
+ vpd -f build/coreboot.rom -i RO_VPD -O
+ vpd -f build/coreboot.rom -i RO_VPD -s 'Boot0000={"type":"netboot","method":"dhcpv6"}'
+ vpd -f build/coreboot.rom -i RO_VPD -g Boot0000
+ base64 < ../../rootCA.crt > rootCA.crt.base64
+ vpd -f build/coreboot.rom -i RO_VPD -S ca_certs=rootCA.crt.base64
+
 
 echo 'Image built under coreboot/build/coreboot.rom'

20190203-FOSDEM-barberio-hendricks/scripts/02-run.sh

@@ -5,18 +5,19 @@ then
     exit $?
 fi
 
+./webserver/webserver &
+echo "Webserver launched" 
+
 FIRMWARE=coreboot/build/coreboot.rom
 
-HELPER=/usr/lib/qemu/qemu-bridge-helper
 qemu-system-x86_64 \
     -M q35 \
     -bios "${FIRMWARE}" \
     -m 1024 \
     -enable-kvm \
     -nographic \
-    -hda disk.img \
-    -net bridge,br=virbr1 \
-    -net nic -net bridge,br=virbr1 \
+    -hda /home/johnlooney/debian_squeeze_i386_standard.qcow2 \
+    -netdev tap,script=/dev/shm/run.sh,downscript=no,id=net0 -device e1000,netdev=net0 \
     -object rng-random,filename=/dev/urandom,id=rng0 \
     -device virtio-rng-pci,rng=rng0 \
     $@

20190203-FOSDEM-barberio-hendricks/scripts/certs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+openssl genrsa  -out rootCA.key 4096
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=2001:db8:1::1"
+openssl genrsa -out '2001:db8:1::1'.key 2048
+
+CNF=/etc/pki/tls/openssl.cnf 
+openssl req -new -sha256 \
+	-key 2001\:db8\:1\:\:1.key \
+	-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=2001:db8:1::1" \
+	-out '2001:db8:1::1'.csr \
+	-addext "subjectAltName = 'IP:2001:db8:1:0:0:0:0:1'" -extensions  SAN -config <(printf "[SAN]\nsubjectAltName='IP:2001:db8:1:0:0:0:0:1'\n"| cat $CNF -)
+
+openssl x509 -req -in 2001\:db8\:1\:\:1.csr \
+	-CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
+	-out 2001\:db8\:1\:\:1.crt -days 500 -sha256 \
+	-extfile <(printf "subjectAltName='IP:2001:db8:1:0:0:0:0:1'\n")
+
+
+
+

20190203-FOSDEM-barberio-hendricks/scripts/run-kea.sh

@@ -16,5 +16,5 @@ fi
 
 ip6tables -P INPUT ACCEPT
 iptables -P INPUT ACCEPT
-sudo kea-dhcp6 -c kea6.conf -d
+sudo kea-dhcp6 -c config/kea6.conf -d
 

20190203-FOSDEM-barberio-hendricks/webserver/main.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+    "os"
+    "io"
+    "net/http"
+    "log"
+)
+
+
+func netbootServer(w http.ResponseWriter, req *http.Request) {
+    w.Header().Set("Content-Type", "application/octet-stream")
+    nbp, err := os.Open("linux-4.19.6/vmlinux")
+    if err != nil {
+	    log.Fatal("Couldn't open linux-4.19.6/vmlinux")
+    }
+    buf := make([]byte, 10240)
+    for {
+        n, err := nbp.Read(buf)
+        if err != nil && err != io.EOF {
+            panic(err)
+        }
+        if n == 0 {
+            break
+        }
+        if _, err := w.Write(buf[:n]); err != nil {
+            panic(err)
+        }
+    }
+}
+
+func main() {
+    http.HandleFunc("/nbp", netbootServer)
+    err := http.ListenAndServeTLS("[2001:db8:1::1]:443", "2001:db8:1::1.crt", "2001:db8:1::1.key", nil)
+    if err != nil {
+        log.Fatal("ListenAndServeTLS: ", err)
+    }
+}