Add support for Secure Boot images and sign unofficial builds with test keys

Add qemu_uefi_secure target for building Secure Boot images. These are identical to qemu_uefi images with the exception that the test keys have been installed into the flash image, enabling Secure Boot by default. In addition, sign the grub binary with the test keys during build when producing unofficial images.
2025-09-24 23:21:17 +02:00 · 2015-04-13 14:15:57 -07:00 · 2015-04-13 14:15:57 -07:00 · 707803ed43
commit 707803ed43
parent a6824e7bbe
2 changed files with 28 additions and 2 deletions
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -141,8 +141,17 @@ case "${FLAGS_target}" in
    x86_64-efi)
        info "Installing default x86_64 UEFI bootloader."
        sudo mkdir -p "${ESP_DIR}/EFI/boot"
+	# Use the test keys for signing unofficial builds
+	if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            sudo sbsign --key /usr/share/sb_keys/DB.key \
+		--cert /usr/share/sb_keys/DB.crt \
+                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
+                "${ESP_DIR}/EFI/boot/bootx64.efi"
+        else
            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
                "${ESP_DIR}/EFI/boot/bootx64.efi"
+	fi
        ;;
    x86_64-xen)
        info "Installing default x86_64 Xen bootloader."
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@ -12,6 +12,7 @@ VALID_IMG_TYPES=(
    openstack
    qemu
    qemu_uefi
+    qemu_uefi_secure
    qemu_xen
    rackspace
    rackspace_onmetal
@ -115,6 +116,10 @@ IMG_qemu_uefi_DISK_FORMAT=qcow2
 IMG_qemu_uefi_DISK_LAYOUT=vm
 IMG_qemu_uefi_CONF_FORMAT=qemu_uefi

+IMG_qemu_uefi_secure_DISK_FORMAT=qcow2
+IMG_qemu_uefi_secure_DISK_LAYOUT=vm
+IMG_qemu_uefi_secure_CONF_FORMAT=qemu_uefi_secure
+
 IMG_qemu_xen_DISK_FORMAT=qcow2
 IMG_qemu_xen_DISK_LAYOUT=vm
 IMG_qemu_xen_CONF_FORMAT=qemu_xen
@ -590,6 +595,18 @@ _write_qemu_uefi_conf() {
    VM_GENERATED_FILES+=( "$(_dst_dir)/${ovmf_ro}" "$(_dst_dir)/${ovmf_rw}" )
 }

+_write_qemu_uefi_secure_conf() {
+    local ovmf_rw="$(_dst_name "_ovmf_vars.fd")"
+
+    _write_qemu_uefi_conf
+    cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
+    cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
+    cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
+    flash-var "$(_dst_dir)/${ovmf_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
+    flash-var "$(_dst_dir)/${ovmf_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
+    flash-var "$(_dst_dir)/${ovmf_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+}
+
 _write_qemu_xen_conf() {
    local script="$(_dst_dir)/$(_dst_name ".sh")"
    local dst_name=$(basename "$VM_DST_IMG")