From a9e737fbfe60bd0b8a25cbdfa6f6c96ef50b88fc Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 2 Oct 2024 17:59:29 +0100
Subject: [PATCH] Reuse Secure Boot EFI variables image prepared by Gentoo

Rather than starting with a blank image, reuse the image that already has the Microsoft certificates and the latest DBX revocation list applied. Gentoo also applies the Red Hat certificates, which we don't need, but this is okay.

Signed-off-by: James Le Cuirot
---
 build_library/vm_image_util.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 6cf937036b..deec4c5497 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -856,24 +856,27 @@ _write_qemu_uefi_secure_conf() {
 local flash_ro="$(_dst_name "_efi_code.qcow2")"
 local script="$(_dst_dir)/$(_dst_name ".sh")"
 local owner="00000000-0000-0000-0000-000000000000"
+ local flash_in
 _write_qemu_uefi_conf
 case $BOARD in
 amd64-usr)
 cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+ flash_in="/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2"
 ;;
 arm64-usr)
 cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}"
+ flash_in="/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2"
 ;;
 esac
 virt-fw-vars \
- --inplace "$(_dst_dir)/${flash_rw}" \
+ --input "${flash_in}" \
+ --output "$(_dst_dir)/${flash_rw}" \
 --set-pk "${owner}" /usr/share/sb_keys/PK.crt \
 --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
- --add-db "${owner}" /usr/share/sb_keys/DB.crt \
- --secure-boot --no-microsoft
+ --add-db "${owner}" /usr/share/sb_keys/DB.crt
 sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
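Review bot: `flash_in` is only assigned in the `amd64-usr` and `arm64-usr` arms, so for any other `$BOARD` the `case` falls through silently and `virt-fw-vars --input ""` runs with an empty path, failing with a tool error rather than a clear message; a default arm such as `*) die "unsupported board for secure boot: ${BOARD}" ;;` (using whatever error helper this file already has) would make that explicit, and the pre-existing `cp` arms share the same gap. Dropping `--secure-boot` also means enforcement now depends on the Gentoo-prepared `.secboot` variables image already carrying the enabled-state setting; if it does not, the output store would hold the enrolled PK/KEK/DB without Secure Boot being switched on, so this is worth confirming against the input image (for example with `virt-fw-vars --input "${flash_in}" --print`) and stating in a comment next to the `virt-fw-vars` call. On arm64 the reused variables image keeps Gentoo's `_INSECURE` designation, which neither the code nor the commit message explains; a one-line comment on why that image is acceptable for this use would help readers. The enclosing function `_write_qemu_uefi_secure_conf` starts before the hunk, so the `flash_rw` definition it relies on is outside this view.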