From: Uladzimir Bely
To: isar-users@googlegroups.com, Felix Moessbauer
Subject: Re: [PATCH 10/10] start_vm: add support for secureboot
Date: Fri, 27 Jan 2023 08:07:55 +0300

In mail from Friday, 23 December 2022 11:40:58 +03 user Felix Moessbauer wrote:
> This patch adds a new -s parameter to enable the qemu secureboot
> support. To handle the persistency across reboots of the machine, we
> create a copy of the OVMF variables and pass that into qemu.
>
> Signed-off-by: Felix Moessbauer
> ---
> scripts/start_vm | 7 +++++++
> 1 file changed, 7 insertions(+)
> > diff --git a/scripts/start_vm b/scripts/start_vm > index 3c0ba16..9cb7b9a 100755 > --- a/scripts/start_vm > +++ b/scripts/start_vm > @@ -51,6 +51,7 @@ show_help() { > echo " -o, --out FILE Route QEMU console output to" > echo " specified file." > echo " -p, --pid FILE Store QEMU pid to file." > + echo " -s, --secureboot Enable secureboot with default MS > keys." echo " --help display this message and exit." echo > echo "Exit status:" > @@ -93,6 +94,12 @@ do > EXTRA_ARGS="$EXTRA_ARGS -pidfile $2" > shift > ;; > + -s|--secureboot) > + OVMF_VARS_ORIG="/usr/share/OVMF/OVMF_VARS_4M.ms.fd" > + OVMF_VARS="$(basename "${OVMF_VARS_ORIG}")" > + cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}"

Hi.

Since I'm working on some testsuite improvements, I made an attempt to port this functionality (while it's already merged to 'next') from the shell `scripts/start_vm` (that we plan to drop or just make a compatibility wrapper) to Python's `testsuite/start_vm.py`.

But I faced the following problem:

cp: cannot stat '/usr/share/OVMF/OVMF_VARS_4M.ms.fd': No such file or directory.

I have no such file on any of my machines, on any Debian chroots I have, or in the 'kas' docker images. It is also not mentioned in the recipes.

How does it work on your side?

Additionally, we definitely need a testcase for secureboot support.

> + EXTRA_ARGS="$EXTRA_ARGS -drive > if=pflash,format=raw,unit=1,file=${OVMF_VARS}" + ;; > *) > echo "error: invalid parameter '$key', please try '--help' to get > list of supported parameters" exit $ES_BUG
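
Review bot: the new `-s, --secureboot` help line in show_help() (first hunk) says only "Enable secureboot with default MS keys." and leaves out two things a user needs to know before passing the flag: that it depends on an OVMF variable store already being present on the host, and that it writes a copy of that file into the current directory. Suggest extending the help text by one line to say both.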
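
Review bot: in the `-s|--secureboot)` branch (second hunk), `cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}"` is run against a hard-coded path with no existence check and no check of its exit status, and nothing in this hunk stops the script from going on to append `-drive if=pflash,...,file=${OVMF_VARS}` for a file that was never created. Suggest testing `[ -f "${OVMF_VARS_ORIG}" ]` before the copy and exiting with an error that names the missing file, and letting the caller override `OVMF_VARS_ORIG` instead of fixing it to `/usr/share/OVMF/OVMF_VARS_4M.ms.fd`. Separately, the destination is the bare basename in the current working directory and is overwritten every time `-s` is parsed, so the variable store is reset on each invocation of the script and two VMs started from the same directory would write to the same file; a per-image or per-run destination would avoid both.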