From: Uladzimir Bely
To: "Moessbauer, Felix" , "isar-users@googlegroups.com" , Florian Bezdeka
Subject: Re: [PATCH 10/10] start_vm: add support for secureboot
Date: Fri, 27 Jan 2023 12:10:45 +0300
Message-ID: <3477660.dWV9SEqChM@hp>
In-Reply-To:
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

In mail from Friday, 27 January 2023 11:41:53 +03 user Florian Bezdeka wrote:
> On Fri, 2023-01-27 at 08:11 +0000, Moessbauer, Felix wrote:
> > On Fri, 2023-01-27 at 08:07 +0300, Uladzimir Bely wrote:
> > > In mail from Friday, 23 December 2022 11:40:58 +03 user Felix Moessbauer wrote:
> > > > This patch adds a new -s parameter to enable the qemu secureboot
> > > > support. To handle the persistency across reboots of the machine, we
> > > > create a copy of the OVMF variables and pass that into qemu.
> > > > > > > > Signed-off-by: Felix Moessbauer > > > > --- > > > > scripts/start_vm | 7 +++++++ > > > > 1 file changed, 7 insertions(+) > > > > > > > > diff --git a/scripts/start_vm b/scripts/start_vm > > > > index 3c0ba16..9cb7b9a 100755 > > > > --- a/scripts/start_vm > > > > +++ b/scripts/start_vm > > > > @@ -51,6 +51,7 @@ show_help() { > > > > echo " -o, --out FILE Route QEMU console output to" > > > > echo " specified file." > > > > echo " -p, --pid FILE Store QEMU pid to file." > > > > + echo " -s, --secureboot Enable secureboot with default > > > > MS > > > > keys." echo " --help display this message and > > > > exit." echo > > > > echo "Exit status:" 
> > > > @@ -93,6 +94,12 @@ do > > > > EXTRA_ARGS="$EXTRA_ARGS -pidfile $2" > > > > shift > > > > ;; > > > > + -s|--secureboot) > > > > + OVMF_VARS_ORIG="/usr/share/OVMF/OVMF_VARS_4M.ms.fd" > > WARNING: This path seems to be distribution specific. Does at least not > exist on my Fedora installation here. Yes, that's why I was a bit confused. I didn't see it in my Gentoo system, didn't find it in buster (which we still use for CI). Kas image (bullseye- based) also don't include it, but it's at least installable. > > $ find /usr -name "OVMF*" > /usr/share/OVMF > /usr/share/OVMF/OVMF_CODE.fd > /usr/share/OVMF/OVMF_CODE.secboot.fd > /usr/share/OVMF/OVMF_VARS.fd > /usr/share/OVMF/OVMF_VARS.secboot.fd > /usr/share/edk2/ovmf/OVMF.amdsev.fd > /usr/share/edk2/ovmf/OVMF.inteltdx.fd > /usr/share/edk2/ovmf/OVMF_CODE.cc.fd > /usr/share/edk2/ovmf/OVMF_CODE.fd > /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd > /usr/share/edk2/ovmf/OVMF_VARS.fd > /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd > /usr/share/edk2/ovmf-4m/OVMF_CODE.fd > /usr/share/edk2/ovmf-4m/OVMF_CODE.secboot.fd > /usr/share/edk2/ovmf-4m/OVMF_VARS.fd > /usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd > > > > > + OVMF_VARS="$(basename "${OVMF_VARS_ORIG}")" > > > > + cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}" > > > > > > Hi. > > > > > > Since I'm working on some testsuite improvements, I made an attempt > > > to port > > > this functionality (while it's already merged to 'next') from shell > > > `scripts/ > > > start_vm` (that we plan to drop or just make a compatibility wrapper) > > > to > > > python's `testsuite/start_vm.py`. But I faced the following problem: > > > > > > cp: cannot stat '/usr/share/OVMF/OVMF_VARS_4M.ms.fd': No such file or > > > directory. > > > > > > I have no such file neither on my any of my machines, nor on any > > > debian > > > chroots I have, no in 'kas' docker images. It is not also mentioned > > > in the > > > recipes. How does it work on your side? 
> > > > This is part of the ovmf package on debian (both the vars and the code > > / firmware). For secureboot, keys have to be deployed. As this series > > implements the debian sb chain, the efi shim is signed with the > > Microsoft keys, hence the `OVMF_VARS_4M.ms.fd` file is needed. > > > > Further details can be found here: https://wiki.debian.org/SecureBoot > > > > > Additionally, we definitely need a testcase for secureboot support. > > > > Yes, that would be great. The question is just what to test. Doing a > > simple EFI + kernel boot test is trivial, but does not test the MOK > > integration and also not the signing of custom modules (modules have to > > be signed using a valid key so that the debian kernel is willing to > > load them when running under SB). > > > > To test MOK, we have to boot, then enroll our MOK, reboot into the > > mokutil, inject our keys (e.g. via the passphrase workflow), then > > reboot into debian. And that cannot be done via SSH but needs local > > access to the terminal. Another option would be to enroll our keys > > directly into the OVMF_VARS, as it is done in cip-core SB. > > > > All that is not trivial to implement. > > > > Felix > > > > > > + EXTRA_ARGS="$EXTRA_ARGS -drive > > > > if=pflash,format=raw,unit=1,file=${OVMF_VARS}" + ;; > > > > *) > > > > echo "error: invalid parameter '$key', please try '--help' > > > > to get > > > > list of supported parameters" exit $ES_BUG
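Review bot: the new `-s, --secureboot` help line in the show_help() hunk does not say that the option depends on a pre-enrolled OVMF variable store, yet the option handler hard-codes `/usr/share/OVMF/OVMF_VARS_4M.ms.fd` from Debian's ovmf package, and this thread already shows the file missing on Fedora, Gentoo, buster and the kas images. Name the dependency in the help text (or the script header) so a user can tell why `-s` fails, e.g. `echo "      -s, --secureboot       Enable secureboot with default MS keys (needs ovmf's OVMF_VARS_4M.ms.fd)."`.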
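Review bot: in the option-parsing hunk the `-s|--secureboot)` branch copies `OVMF_VARS_ORIG` unconditionally, with no check that the source exists and no handling of a failed `cp`, so on a system without the Debian-specific file the script carries on and hands QEMU `-drive if=pflash,format=raw,unit=1,file=${OVMF_VARS}` pointing at a file that was never created (the `cp: cannot stat` error quoted above is exactly this case). Suggest guarding the copy, e.g. `[ -r "${OVMF_VARS_ORIG}" ] || { echo "error: ${OVMF_VARS_ORIG} not found, install ovmf or set OVMF_VARS_ORIG" >&2; exit $ES_BUG; }`, and letting an environment variable override the path. Two further points on the same lines: `basename` places the copy in whatever directory the script is run from, and every invocation overwrites it, so any keys a guest enrolled into the store (the MOK workflow discussed in this thread) are discarded on the next start; either document that reset behaviour or copy only when the local file does not yet exist.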
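As an added example (not code from the isar project or from anyone in this thread), a shell helper for the distribution-specific path problem raised above: it searches a list of candidate variable stores instead of hard-coding one, fails with an actionable message when none is readable, and keeps an already-prepared per-VM copy so variables the guest enrolled survive a restart. The Debian path is the one from the patch; the Fedora `/usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd` path is taken from the `find` output quoted above, and that it is pre-enrolled with the Microsoft keys is an assumption to verify for your distribution.

```shell
#!/bin/sh
# Added example, not part of isar's scripts/start_vm.
# Default candidates: the Debian path used by the patch, then the Fedora
# edk2 layout from the thread (assumption: its *.secboot.fd store is
# pre-enrolled with the Microsoft keys; verify for your distribution).
# OVMF_VARS_ORIG, if set in the environment, is tried first.
OVMF_VARS_CANDIDATES="/usr/share/OVMF/OVMF_VARS_4M.ms.fd \
/usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd"

# find_ovmf_vars [FILE...]: print the first readable candidate on stdout.
# With no arguments the environment override and the default list are used.
# Returns 1 with an actionable message on stderr if nothing is found.
find_ovmf_vars() {
    # shellcheck disable=SC2086  # word splitting of the list is intended
    [ $# -gt 0 ] || set -- ${OVMF_VARS_ORIG:-} $OVMF_VARS_CANDIDATES
    for cand in "$@"; do
        if [ -r "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "error: no pre-enrolled OVMF variable store found; install the" \
         "ovmf/edk2 package or set OVMF_VARS_ORIG" >&2
    return 1
}

# prepare_ovmf_vars SRC DEST: create the writable per-VM store DEST from SRC.
# An existing DEST is left alone so that variables written by the guest
# (e.g. MOK enrolment) persist across invocations; remove DEST to reset.
prepare_ovmf_vars() {
    src=$1
    dest=$2
    if [ -e "$dest" ]; then
        return 0
    fi
    cp -- "$src" "$dest" || {
        echo "error: cannot copy '$src' to '$dest'" >&2
        return 1
    }
    chmod 0600 "$dest"   # the store is VM state, not a shared file
}

# Typical use inside a -s/--secureboot option handler:
#   vars=$(find_ovmf_vars) || exit 1
#   prepare_ovmf_vars "$vars" "./$(basename "$vars")" || exit 1
#   EXTRA_ARGS="$EXTRA_ARGS -drive if=pflash,format=raw,unit=1,file=./$(basename "$vars")"
```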