Re: [PATCH 10/10] start_vm: add support for secureboot

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

From: Florian Bezdeka <florian.bezdeka@siemens.com>
To: "Moessbauer, Felix" <felix.moessbauer@siemens.com>,
	"ubely@ilbers.de" <ubely@ilbers.de>,
	"isar-users@googlegroups.com" <isar-users@googlegroups.com>
Subject: Re: [PATCH 10/10] start_vm: add support for secureboot
Date: Fri, 27 Jan 2023 09:41:53 +0100	[thread overview]
Message-ID: <e883fe091f9bbede0389870dbbd845507286e0b2.camel@siemens.com> (raw)
In-Reply-To: <cde368c955cfa268b68da525e929aa2fe9719211.camel@siemens.com>

On Fri, 2023-01-27 at 08:11 +0000, Moessbauer, Felix wrote:
> On Fri, 2023-01-27 at 08:07 +0300, Uladzimir Bely wrote:
> > In mail from Friday, 23 December 2022 11:40:58 +03 user Felix
> > Moessbauer 
> > wrote:
> > > This patch adds a new -s parameter to enable the qemu secureboot
> > > support. To handle the persistency across reboots of the machine,
> > > we
> > > create a copy of the OVMF variables and pass that into qemu.
> > > 
> > > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> > > ---
> > >  scripts/start_vm | 7 +++++++
> > >  1 file changed, 7 insertions(+)
> > > 
> > > diff --git a/scripts/start_vm b/scripts/start_vm
> > > index 3c0ba16..9cb7b9a 100755
> > > --- a/scripts/start_vm
> > > +++ b/scripts/start_vm
> > > @@ -51,6 +51,7 @@ show_help() {
> > >      echo "    -o, --out FILE        Route QEMU console output to"
> > >      echo "                          specified file."
> > >      echo "    -p, --pid FILE        Store QEMU pid to file."
> > > +    echo "    -s, --secureboot      Enable secureboot with default
> > > MS
> > > keys." echo "    --help                display this message and
> > > exit." echo
> > >      echo "Exit status:"
> > > @@ -93,6 +94,12 @@ do
> > >          EXTRA_ARGS="$EXTRA_ARGS -pidfile $2"
> > >          shift
> > >          ;;
> > > +    -s|--secureboot)
> > > +        OVMF_VARS_ORIG="/usr/share/OVMF/OVMF_VARS_4M.ms.fd"

WARNING: This path seems to be distribution specific. Does at least not
exist on my Fedora installation here.

$ find /usr -name "OVMF*"
/usr/share/OVMF
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf/OVMF.amdsev.fd
/usr/share/edk2/ovmf/OVMF.inteltdx.fd
/usr/share/edk2/ovmf/OVMF_CODE.cc.fd
/usr/share/edk2/ovmf/OVMF_CODE.fd
/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf/OVMF_VARS.fd
/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf-4m/OVMF_CODE.fd
/usr/share/edk2/ovmf-4m/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf-4m/OVMF_VARS.fd
/usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd


> > > +        OVMF_VARS="$(basename "${OVMF_VARS_ORIG}")"
> > > +        cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}"
> > 
> > Hi.
> > 
> > Since I'm working on some testsuite improvements, I made an attempt
> > to port 
> > this functionality (while it's already merged to 'next') from shell
> > `scripts/
> > start_vm` (that we plan to drop or just make a compatibility wrapper)
> > to 
> > python's `testsuite/start_vm.py`. But I faced the following problem:
> > 
> > cp: cannot stat '/usr/share/OVMF/OVMF_VARS_4M.ms.fd': No such file or
> > directory.
> > 
> > I have no such file neither on my any of my machines, nor on any
> > debian 
> > chroots I have, no in 'kas' docker images. It is not also mentioned
> > in the 
> > recipes. How does it work on your side? 
> 
> This is part of the ovmf package on debian (both the vars and the code
> / firmware). For secureboot, keys have to be deployed. As this series
> implements the debian sb chain, the efi shim is signed with the
> Microsoft keys, hence the `OVMF_VARS_4M.ms.fd` file is needed.
> 
> Further details can be found here: https://wiki.debian.org/SecureBoot
> 
> > 
> > Additionally, we definitely need a testcase for secureboot support.
> 
> Yes, that would be great. The question is just what to test. Doing a
> simple EFI + kernel boot test is trivial, but does not test the MOK
> integration and also not the signing of custom modules (modules have to
> be signed using a valid key so that the debian kernel is willing to
> load them when running under SB).
> 
> To test MOK, we have to boot, then enroll our MOK, reboot into the
> mokutil, inject our keys (e.g. via the passphrase workflow), then
> reboot into debian. And that cannot be done via SSH but needs local
> access to the terminal. Another option would be to enroll our keys
> directly into the OVMF_VARS, as it is done in cip-core SB.
> 
> All that is not trivial to implement.
> 
> Felix
> 
> > 
> > > +        EXTRA_ARGS="$EXTRA_ARGS -drive
> > > if=pflash,format=raw,unit=1,file=${OVMF_VARS}" +        ;;
> > >      *)
> > >          echo "error: invalid parameter '$key', please try '--help'
> > > to get
> > > list of supported parameters" exit $ES_BUG
> > 
> > 
> > 
> > 
>

next prev parent reply	other threads:[~2023-01-27  8:41 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-23  8:40 [PATCH 00/10] Add support for secureboot using Debian boot chain Felix Moessbauer
2022-12-23  8:40 ` [PATCH 01/10] wic: add option to use debian EFI shim Felix Moessbauer
2022-12-23  8:40 ` [PATCH 02/10] add debian sb chain bootloader dependencies Felix Moessbauer
2022-12-23  8:40 ` [PATCH 03/10] add example wic file for sb debian boot chain Felix Moessbauer
2022-12-23  8:40 ` [PATCH 04/10] style: split overlong line in module.inc Felix Moessbauer
2022-12-23  8:40 ` [PATCH 05/10] add support to sign kernel modules Felix Moessbauer
2022-12-23  8:40 ` [PATCH 06/10] add example to generated and distribute MOK data Felix Moessbauer
2023-02-03  6:05   ` Jan Kiszka
2022-12-23  8:40 ` [PATCH 07/10] add signed variant of example-module Felix Moessbauer
2022-12-23  8:40 ` [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc Felix Moessbauer
2022-12-23  8:40 ` [PATCH 09/10] fix: only append kargs and extra_kargs if set Felix Moessbauer
2022-12-23  8:40 ` [PATCH 10/10] start_vm: add support for secureboot Felix Moessbauer
2023-01-27  5:07   ` Uladzimir Bely
2023-01-27  8:11     ` Moessbauer, Felix
2023-01-27  8:41       ` Florian Bezdeka [this message]
2023-01-27  9:10         ` Uladzimir Bely
2023-01-25  7:17 ` [PATCH 00/10] Add support for secureboot using Debian boot chain Uladzimir Bely

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e883fe091f9bbede0389870dbbd845507286e0b2.camel@siemens.com \
    --to=florian.bezdeka@siemens.com \
    --cc=felix.moessbauer@siemens.com \
    --cc=isar-users@googlegroups.com \
    --cc=ubely@ilbers.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox