Add support for secure boot in qemu_template.sh

We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware.
2025-08-07 13:06:59 +02:00 · 2022-07-28 12:07:51 +00:00 · 2022-07-28 12:07:51 +00:00 · 6ff9f8b098
commit 6ff9f8b098
parent fc28e72322
2 changed files with 12 additions and 4 deletions
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then
 else
    case "${VM_BOARD}+$(uname -m)" in
        amd64-usr+x86_64)
+            set -- -global ICH9-LPC.disable_s3=1 \
+                   -global driver=cfi.pflash01,property=secure,value=on \
+                   "$@"
            # Emulate the host CPU closely in both features and cores.
-            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+            set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@"
+            ;;
        amd64-usr+*)
-            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
        arm64-usr+aarch64)
            set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
        arm64-usr+*)
@ -215,8 +219,8 @@ fi

 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
    set -- \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi

 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@ -821,14 +821,18 @@ _write_qemu_uefi_conf() {

 _write_qemu_uefi_secure_conf() {
    local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local script="$(_dst_dir)/$(_dst_name ".sh")"

    _write_qemu_uefi_conf
+    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
    cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
    cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
    cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

 _write_pxe_conf() {