From 6ff9f8b098c546dca13d28a61ca5f091d7b1beef Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Thu, 28 Jul 2022 12:07:51 +0000 Subject: [PATCH] Add support for secure boot in qemu_template.sh We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware. --- build_library/qemu_template.sh | 12 ++++++++---- build_library/vm_image_util.sh | 4 ++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh index 3118ef96c9..50c254fd46 100755 --- a/build_library/qemu_template.sh +++ b/build_library/qemu_template.sh @@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then else case "${VM_BOARD}+$(uname -m)" in amd64-usr+x86_64) + set -- -global ICH9-LPC.disable_s3=1 \ + -global driver=cfi.pflash01,property=secure,value=on \ + "$@" # Emulate the host CPU closely in both features and cores. - set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;; + set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@" + ;; amd64-usr+*) - set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;; + set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;; arm64-usr+aarch64) set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;; arm64-usr+*) @@ -215,8 +219,8 @@ fi if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then set -- \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" + -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ + -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" fi if [ -n "${IGNITION_CONFIG_FILE}" ]; then diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 3f50810243..70c4564ef3 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -821,14 +821,18 @@ _write_qemu_uefi_conf() { _write_qemu_uefi_secure_conf() { local flash_rw="$(_dst_name "_efi_vars.fd")" + local flash_ro="$(_dst_name "_efi_code.fd")" + local script="$(_dst_dir)/$(_dst_name ".sh")" _write_qemu_uefi_conf + cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}" cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl" flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl" flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl" flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl" + sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}" } _write_pxe_conf() {