From 35510c658d533a926f9f76a430195dfddfbf2064 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Thu, 28 Jul 2022 12:07:51 +0000
Subject: [PATCH] Add support for secure boot in qemu_template.sh

We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware.
---
 build_library/qemu_template.sh | 19 +++++++++++++++----
 build_library/vm_image_util.sh | 4 ++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
index 3118ef96c9..29fc148137 100755
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@@ -12,6 +12,7 @@ VM_CDROM=
 VM_PFLASH_RO=
 VM_PFLASH_RW=
 VM_NCPUS="$(getconf _NPROCESSORS_ONLN)"
+SECURE_BOOT=
 SSH_PORT=2222
 SSH_KEYS=""
 CLOUD_CONFIG_FILE=""
@@ -147,6 +148,16 @@ if [ -z "${CONFIG_IMAGE}" ]; then
 "${CONFIG_DRIVE}/openstack/latest/user_data"
 fi
 fi
+if [ -n "${SECURE_BOOT}" ]; then
+ smmarg=smm=on
+ set -- -global ICH9-LPC.disable_s3=1 \
+ -global driver=cfi.pflash01,property=secure,value=on \
+ "$@"
+
+else
+ smmarg=
+fi
+
 
 # Start assembling our default command line arguments
 if [ "${SAFE_ARGS}" -eq 1 ]; then
@@ -156,9 +167,9 @@ else
 case "${VM_BOARD}+$(uname -m)" in
 amd64-usr+x86_64)
 # Emulate the host CPU closely in both features and cores.
- set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+ set -- -machine q35,accel=kvm:hvf:tcg,$smmarg -cpu host -smp "${VM_NCPUS}" "$@" ;;
 amd64-usr+*)
- set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+ set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
 arm64-usr+aarch64)
 set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
 arm64-usr+*)
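Review bot: The `amd64-usr+*` arm of the `case` in the next hunk (`@@ -156,9`) does not append `$smmarg`, so with SECURE_BOOT set on a non-x86 host the `-global driver=cfi.pflash01,property=secure,value=on` added in this block is applied to a q35 machine whose SMM state is left to QEMU's default rather than the explicit `smm=on`; if that is intended, say so in a comment, otherwise use `$smmarg` on that arm as well. The blank line between `"$@"` and `else` in the new block looks stray and should be dropped. Since SECURE_BOOT is only populated by the `sed` that vm_image_util.sh runs in this same commit, a comment above the block such as `# Non-empty for the qemu_uefi_secure format (set by vm_image_util.sh): enables SMM so the OVMF variable store is write-protected` would tell a reader where the value comes from and why S3 is disabled.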
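Review bot: `-machine q35,accel=kvm:hvf:tcg,$smmarg` produces a trailing comma whenever SECURE_BOOT is unset, because `smmarg` is then empty; QEMU's option parser appears to tolerate that today, but the command line is relying on it, and `$smmarg` is also the only unquoted expansion on the line. Prefer `set -- -machine "q35,accel=kvm:hvf:tcg${smmarg:+,${smmarg}}" -cpu host -smp "${VM_NCPUS}" "$@" ;;`, which only emits the separator when there is something to separate. The enclosing `case` continues past the end of the hunk.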
@@ -215,8 +226,8 @@ fi if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then set -- \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" + -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ + -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" fi if [ -n "${IGNITION_CONFIG_FILE}" ]; then diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 76159bf090..12481f6183 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -831,14 +831,18 @@ _write_qemu_uefi_conf() { _write_qemu_uefi_secure_conf() { local flash_rw="$(_dst_name "_efi_vars.fd")" + local flash_ro="$(_dst_name "_efi_code.fd")" + local script="$(_dst_dir)/$(_dst_name ".sh")" _write_qemu_uefi_conf + cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}" cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl" flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl" flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl" flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl" + sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}" } _write_pxe_conf() {
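Review bot: `sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"` at the end of `_write_qemu_uefi_secure_conf` exits 0 even when no line matches, so if the `SECURE_BOOT=` placeholder ever disappears from the template the qemu_uefi_secure image would be built with secure boot silently disabled in its launcher script. Follow it with a check that the substitution landed, e.g. `grep -q '^SECURE_BOOT=1$' "${script}" || return 1` (or the file's usual error helper, if it has one). The `cp` of OVMF_CODE.secboot.fd presumably replaces the code image that `_write_qemu_uefi_conf` writes under the same name; a one-line comment saying so would make the ordering of those two lines clearly deliberate.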