From cdc79846260165ed5455c4fec3a1e00fb53aadd1 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Thu, 28 Jul 2022 12:07:51 +0000
Subject: [PATCH] Add support for secure boot in qemu_template.sh

We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware.
---
 build_library/qemu_template.sh | 19 +++++++++++++++----
 build_library/vm_image_util.sh |  4 ++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
index 3118ef96c9..29fc148137 100755
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@@ -12,6 +12,7 @@ VM_CDROM=
 VM_PFLASH_RO=
 VM_PFLASH_RW=
 VM_NCPUS="$(getconf _NPROCESSORS_ONLN)"
+SECURE_BOOT=
 SSH_PORT=2222
 SSH_KEYS=""
 CLOUD_CONFIG_FILE=""
@@ -147,6 +148,16 @@ if [ -z "${CONFIG_IMAGE}" ]; then
             "${CONFIG_DRIVE}/openstack/latest/user_data"
     fi
 fi
+if [ -n "${SECURE_BOOT}" ]; then
+    smmarg=smm=on
+    set -- -global ICH9-LPC.disable_s3=1 \
+           -global driver=cfi.pflash01,property=secure,value=on \
+           "$@"
+
+else
+    smmarg=
+fi
+
 # Start assembling our default command line arguments
 if [ "${SAFE_ARGS}" -eq 1 ]; then
@@ -156,9 +167,9 @@ else
     case "${VM_BOARD}+$(uname -m)" in
         amd64-usr+x86_64)
             # Emulate the host CPU closely in both features and cores.
-            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+            set -- -machine q35,accel=kvm:hvf:tcg,$smmarg -cpu host -smp "${VM_NCPUS}" "$@" ;;
         amd64-usr+*)
-            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
         arm64-usr+aarch64)
             set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
         arm64-usr+*)
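Review bot: With SECURE_BOOT unset, the `smmarg=` assignment in the else branch of the new block makes the amd64-usr+x86_64 case in the following hunk expand to `-machine q35,accel=kvm:hvf:tcg,` with a trailing comma; QEMU's option parser tolerates a trailing empty element in my experience, but the line reads as if a key were missing and silently depends on that leniency. Adding the separator only when the value is present avoids it: `smmarg=on` in the secure branch, `smmarg=` in the other, and `-machine "q35,accel=kvm:hvf:tcg${smmarg:+,smm=$smmarg}"` in the case arm. The new block also deserves a why-comment, since the flags are what makes the format actually secure: `# Secure boot needs SMM: with secure=on the pflash variable store is writable only from SMM, so the guest OS cannot rewrite PK/KEK/db; S3 is disabled because OVMF does not support resume together with SMM in this setup`. If I remember correctly HVF does not implement SMM, so on macOS hosts the kvm:hvf:tcg fallback combined with smm=on may fail to start; worth confirming before relying on that accel chain with SECURE_BOOT set.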
@@ -215,8 +226,8 @@ fi
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index e7a966b75b..9c7ed0d0b6 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -825,14 +825,18 @@ _write_qemu_uefi_conf() {
 _write_qemu_uefi_secure_conf() {
     local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local script="$(_dst_dir)/$(_dst_name ".sh")"
     _write_qemu_uefi_conf
+    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
     cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 _write_pxe_conf() {
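Review bot: The new `sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"` at the end of _write_qemu_uefi_secure_conf has no check that the substitution matched; if the template's `SECURE_BOOT=` line is ever renamed or dropped, the generated script quietly runs without smm=on and without the secure pflash flag while still being shipped as the qemu_uefi_secure format. A guard right after it turns that silent downgrade into a build failure, e.g. `grep -q '^SECURE_BOOT=1$' "${script}" || die "failed to enable SECURE_BOOT in ${script}"` (assuming the file's usual error helper is `die`; use whichever it provides). The `cp` of OVMF_CODE.secboot.fd runs after `_write_qemu_uefi_conf`, which presumably already places a non-secboot code image under the same ${flash_ro} name, so the ordering is load-bearing and deserves a comment such as `# overwrite the firmware written by _write_qemu_uefi_conf with the SMM/secure-boot build`. Both new `local x="$(...)"` lines follow the existing flash_rw line in masking the substitution's exit status (ShellCheck SC2155), which is consistent with the file but means a failing _dst_dir/_dst_name would not stop the build here.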