Add support for secure boot in qemu_template.sh

We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware.
2026-03-03 20:41:16 +01:00 · 2022-07-28 12:07:51 +00:00 · 2022-07-28 12:07:51 +00:00 · cdc7984626
commit cdc7984626
parent e8a298533e
2 changed files with 19 additions and 4 deletions
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@ -12,6 +12,7 @@ VM_CDROM=
 VM_PFLASH_RO=
 VM_PFLASH_RW=
 VM_NCPUS="$(getconf _NPROCESSORS_ONLN)"
+SECURE_BOOT=
 SSH_PORT=2222
 SSH_KEYS=""
 CLOUD_CONFIG_FILE=""
@ -147,6 +148,16 @@ if [ -z "${CONFIG_IMAGE}" ]; then
            "${CONFIG_DRIVE}/openstack/latest/user_data"
    fi
 fi
+if [ -n "${SECURE_BOOT}" ]; then
+    smmarg=smm=on
+    set -- -global ICH9-LPC.disable_s3=1 \
+           -global driver=cfi.pflash01,property=secure,value=on \
+           "$@"
+
+else
+    smmarg=
+fi
+

 # Start assembling our default command line arguments
 if [ "${SAFE_ARGS}" -eq 1 ]; then
@ -156,9 +167,9 @@ else
    case "${VM_BOARD}+$(uname -m)" in
        amd64-usr+x86_64)
            # Emulate the host CPU closely in both features and cores.
-            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+            set -- -machine q35,accel=kvm:hvf:tcg,$smmarg -cpu host -smp "${VM_NCPUS}" "$@" ;;
        amd64-usr+*)
-            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
        arm64-usr+aarch64)
            set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
        arm64-usr+*)
@ -215,8 +226,8 @@ fi

 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
    set -- \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi

 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@ -825,14 +825,18 @@ _write_qemu_uefi_conf() {

 _write_qemu_uefi_secure_conf() {
    local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local script="$(_dst_dir)/$(_dst_name ".sh")"

    _write_qemu_uefi_conf
+    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
    cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
    cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
    cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
    flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

 _write_pxe_conf() {