From c0b58cf56b06e5762d9ebbc7ca99b048a6f8fad9 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 2 Oct 2024 17:59:29 +0100
Subject: [PATCH] Reuse Secure Boot EFI variables image prepared by Gentoo

Rather than starting with a blank image, reuse the image that already has the Microsoft certificates and the latest DBX revocation list applied. Gentoo also applies the Red Hat certificates, which we don't need, but this is okay.

Signed-off-by: James Le Cuirot
---
 build_library/vm_image_util.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 28e88099ed..1791108d0b 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -865,27 +865,30 @@ _write_qemu_uefi_secure_conf() {
     local flash_ro="$(_dst_name "_efi_code.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
     local owner="00000000-0000-0000-0000-000000000000"
+    local flash_in
 
     _write_qemu_uefi_conf
 
     case $BOARD in
         amd64-usr)
             cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2"
             ;;
         arm64-usr)
             # This firmware is not considered secure due to the lack of an SMM
             # implementation, which is needed to protect the variable store, but
             # it's only supposed to be used for testing anyway.
             cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2"
             ;;
     esac
 
     virt-fw-vars \
-        --inplace "$(_dst_dir)/${flash_rw}" \
+        --input "${flash_in}" \
+        --output "$(_dst_dir)/${flash_rw}" \
         --set-pk "${owner}" /usr/share/sb_keys/PK.crt \
         --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
-        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
-        --secure-boot --no-microsoft
+        --add-db "${owner}" /usr/share/sb_keys/DB.crt
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
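Review bot: `flash_in` is left empty when `$BOARD` matches neither `amd64-usr` nor `arm64-usr`, so the new `virt-fw-vars --input "${flash_in}"` line then runs with an empty input path instead of failing clearly; a default arm such as `*) echo "unsupported board: ${BOARD}" >&2; return 1 ;;` would stop the function before that point. Dropping `--secure-boot --no-microsoft` also changes what the resulting variable store trusts: Secure Boot enablement, the DBX contents and the Microsoft certificates now come from the prebuilt Gentoo image (presumably with Secure Boot already enabled — worth confirming), so binaries signed by the Microsoft CAs are accepted by this test VM in addition to those signed with DB.crt. A comment above the `virt-fw-vars` call recording that dependency, e.g. `# The input image already carries the Microsoft certs and DBX; only our PK/KEK/DB are added here.`, would save the next reader from re-deriving it from the commit log. The start of `_write_qemu_uefi_secure_conf` lies outside the hunk.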