From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7180261367669063680
X-Received: by 2002:a17:907:9008:b0:86d:dd96:bdcb with SMTP id ay8-20020a170907900800b0086ddd96bdcbmr5997392ejc.127.1674808916464;
        Fri, 27 Jan 2023 00:41:56 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a17:907:9625:b0:879:6abc:3bea with SMTP id
 gb37-20020a170907962500b008796abc3beals1327769ejc.6.-pod-prod-gmail; Fri, 27
 Jan 2023 00:41:55 -0800 (PST)
X-Google-Smtp-Source: AK7set8rTjko5kd0lEWqVRQR2D0E5UnVMAfDJ284AiLseSyOx+r1L5oWh15BBFZvIW5T7yLqtbuU
X-Received: by 2002:a17:906:4ad7:b0:87b:da74:d272 with SMTP id u23-20020a1709064ad700b0087bda74d272mr597295ejt.45.1674808915113;
        Fri, 27 Jan 2023 00:41:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1674808915; cv=none;
        d=google.com; s=arc-20160816;
        b=M1hbLln142rk/FGS+fUOdnwjqIfVGvZHPBlIWewKya2uNFwwGR4KC4Ioh19rpCVVRM
         jwvkEfJiKfGBi8PoMki+bxQqBGqKCt7nOZCNd2LRZkFKT+1Q3MFpaFhJHiBMxwc0WK0V
         n2KNPwEU+MUJ1DShL3JSBnUpSslk6PaeWdzTJEDNPkB5ZlWAT/IdHvvTnCNJFaLQbzc9
         oSqn3aRSmIBk8ZPlEVyKxHVzFsk1tmZ1tWl7asDJZ67zc0gu9n5z9T+Z1IC08l50fYnG
         GbKiVVACsNKjph8RkYsed+ug5nEaRrT21tfiQdeRwq4MejiGvCcxFnmAS899EiKE+Kf+
         Zc0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=feedback-id:mime-version:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:dkim-signature;
        bh=E9h2Ae1RjEXp8i5rRBAwTfdb0HPSuYYb+eIA4Ub5/QQ=;
        b=xF4DARvWhf33E8tOx+QHVxfYfwsGAbPZA3YoXfPt7n5n28HukzEJDbtyWKog1Auh4W
         uzIMfWhhxFdbc5kH5iLC1MXjcOrVMNsPmaarY4LN+Tj4Ow5oxwkF0TlcBsH4T6gEVZUv
         r9O/E8uI/PgT5NmF6mSEjcXi+uCC1pEHFkKeErKmBqwSx3gfp0KyZJV/KdQ2GS4PaQcj
         g/YfyJ/I3e5rBx3bg3FIHYFKp/EU7A9qJEedqaL6SxL3xy+xSy/ARhd+8e3M0T2ili0r
         p+CkAoAETzKmE/Vr5jwJfSsIU9rseA0HL+LzE0LTzAWfCpsHiGGdc5Ku72MQm+YoBgC5
         /N4g==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm1 header.b=G+5pmOiD;
       spf=pass (google.com: domain of fm-68982-202301270841542fa2cbd11bc9174b0c-sqklj_@rts-flowmailer.siemens.com designates 185.136.65.226 as permitted sender) smtp.mailfrom=fm-68982-202301270841542fa2cbd11bc9174b0c-sQklj_@rts-flowmailer.siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Return-Path: <fm-68982-202301270841542fa2cbd11bc9174b0c-sQklj_@rts-flowmailer.siemens.com>
Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net. [185.136.65.226])
        by gmr-mx.google.com with ESMTPS id d2-20020a170906174200b008778ede684dsi201454eje.1.2023.01.27.00.41.55
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 27 Jan 2023 00:41:55 -0800 (PST)
Received-SPF: pass (google.com: domain of fm-68982-202301270841542fa2cbd11bc9174b0c-sqklj_@rts-flowmailer.siemens.com designates 185.136.65.226 as permitted sender) client-ip=185.136.65.226;
Authentication-Results: gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm1 header.b=G+5pmOiD;
       spf=pass (google.com: domain of fm-68982-202301270841542fa2cbd11bc9174b0c-sqklj_@rts-flowmailer.siemens.com designates 185.136.65.226 as permitted sender) smtp.mailfrom=fm-68982-202301270841542fa2cbd11bc9174b0c-sQklj_@rts-flowmailer.siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 202301270841542fa2cbd11bc9174b0c
        for <isar-users@googlegroups.com>;
        Fri, 27 Jan 2023 09:41:54 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=florian.bezdeka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=E9h2Ae1RjEXp8i5rRBAwTfdb0HPSuYYb+eIA4Ub5/QQ=;
 b=G+5pmOiD76LsOR5q771xikv4Svpui2twwqA/Ai3OlTdTbIxtSDv3nHWILqDp5BFkS+0Ztb
 GAWvEqcuL7ORPwq2Kj14wdBDFIKSM39tvV2rbgBcpaIwCFI46Tft8HkfLK1VK0tKAYsABofg
 GHsoGMAwPvlhpVvaQL4QVXzVMII9c=;
Message-ID: <e883fe091f9bbede0389870dbbd845507286e0b2.camel@siemens.com>
Subject: Re: [PATCH 10/10] start_vm: add support for secureboot
From: Florian Bezdeka <florian.bezdeka@siemens.com>
To: "Moessbauer, Felix" <felix.moessbauer@siemens.com>, "ubely@ilbers.de"
 <ubely@ilbers.de>, "isar-users@googlegroups.com"
 <isar-users@googlegroups.com>
Date: Fri, 27 Jan 2023 09:41:53 +0100
In-Reply-To: <cde368c955cfa268b68da525e929aa2fe9719211.camel@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
	 <20221223084058.1899957-11-felix.moessbauer@siemens.com>
	 <2210927.vFx2qVVIhK@hp>
	 <cde368c955cfa268b68da525e929aa2fe9719211.camel@siemens.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-68982:519-21489:flowmailer
X-TUID: uKCvjQVicgJ+

On Fri, 2023-01-27 at 08:11 +0000, Moessbauer, Felix wrote:
> On Fri, 2023-01-27 at 08:07 +0300, Uladzimir Bely wrote:
> > In mail from Friday, 23 December 2022 11:40:58 +03 user Felix
> > Moessbauer=20
> > wrote:
> > > This patch adds a new -s parameter to enable the qemu secureboot
> > > support. To handle the persistency across reboots of the machine,
> > > we
> > > create a copy of the OVMF variables and pass that into qemu.
> > >=20
> > > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> > > ---
> > > =C2=A0scripts/start_vm | 7 +++++++
> > > =C2=A01 file changed, 7 insertions(+)
> > >=20
> > > diff --git a/scripts/start_vm b/scripts/start_vm
> > > index 3c0ba16..9cb7b9a 100755
> > > --- a/scripts/start_vm
> > > +++ b/scripts/start_vm
> > > @@ -51,6 +51,7 @@ show_help() {
> > > =C2=A0=C2=A0=C2=A0=C2=A0 echo "=C2=A0=C2=A0=C2=A0 -o, --out FILE=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Route QEMU console output to"
> > > =C2=A0=C2=A0=C2=A0=C2=A0 echo "=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 specified file."
> > > =C2=A0=C2=A0=C2=A0=C2=A0 echo "=C2=A0=C2=A0=C2=A0 -p, --pid FILE=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Store QEMU pid to file."
> > > +=C2=A0=C2=A0=C2=A0 echo "=C2=A0=C2=A0=C2=A0 -s, --secureboot=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 Enable secureboot with default
> > > MS
> > > keys." echo "=C2=A0=C2=A0=C2=A0 --help=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 display this m=
essage and
> > > exit." echo
> > > =C2=A0=C2=A0=C2=A0=C2=A0 echo "Exit status:"
> > > @@ -93,6 +94,12 @@ do
> > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 EXTRA_ARGS=3D"$EXTRA=
_ARGS -pidfile $2"
> > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 shift
> > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ;;
> > > +=C2=A0=C2=A0=C2=A0 -s|--secureboot)
> > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 OVMF_VARS_ORIG=3D"/usr/sh=
are/OVMF/OVMF_VARS_4M.ms.fd"

WARNING: This path seems to be distribution specific. Does at least not
exist on my Fedora installation here.

$ find /usr -name "OVMF*"
/usr/share/OVMF
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf/OVMF.amdsev.fd
/usr/share/edk2/ovmf/OVMF.inteltdx.fd
/usr/share/edk2/ovmf/OVMF_CODE.cc.fd
/usr/share/edk2/ovmf/OVMF_CODE.fd
/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf/OVMF_VARS.fd
/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf-4m/OVMF_CODE.fd
/usr/share/edk2/ovmf-4m/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf-4m/OVMF_VARS.fd
/usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd


> > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 OVMF_VARS=3D"$(basename "=
${OVMF_VARS_ORIG}")"
> > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 cp "${OVMF_VARS_ORIG}" "$=
{OVMF_VARS}"
> >=20
> > Hi.
> >=20
> > Since I'm working on some testsuite improvements, I made an attempt
> > to port=20
> > this functionality (while it's already merged to 'next') from shell
> > `scripts/
> > start_vm` (that we plan to drop or just make a compatibility wrapper)
> > to=20
> > python's `testsuite/start_vm.py`. But I faced the following problem:
> >=20
> > cp: cannot stat '/usr/share/OVMF/OVMF_VARS_4M.ms.fd': No such file or
> > directory.
> >=20
> > I have no such file neither on my any of my machines, nor on any
> > debian=20
> > chroots I have, no in 'kas' docker images. It is not also mentioned
> > in the=20
> > recipes. How does it work on your side?=20
>=20
> This is part of the ovmf package on debian (both the vars and the code
> / firmware). For secureboot, keys have to be deployed. As this series
> implements the debian sb chain, the efi shim is signed with the
> Microsoft keys, hence the `OVMF_VARS_4M.ms.fd` file is needed.
>=20
> Further details can be found here: https://wiki.debian.org/SecureBoot
>=20
> >=20
> > Additionally, we definitely need a testcase for secureboot support.
>=20
> Yes, that would be great. The question is just what to test. Doing a
> simple EFI + kernel boot test is trivial, but does not test the MOK
> integration and also not the signing of custom modules (modules have to
> be signed using a valid key so that the debian kernel is willing to
> load them when running under SB).
>=20
> To test MOK, we have to boot, then enroll our MOK, reboot into the
> mokutil, inject our keys (e.g. via the passphrase workflow), then
> reboot into debian. And that cannot be done via SSH but needs local
> access to the terminal. Another option would be to enroll our keys
> directly into the OVMF_VARS, as it is done in cip-core SB.
>=20
> All that is not trivial to implement.
>=20
> Felix
>=20
> >=20
> > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 EXTRA_ARGS=3D"$EXTRA_ARGS=
 -drive
> > > if=3Dpflash,format=3Draw,unit=3D1,file=3D${OVMF_VARS}" +=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ;;
> > > =C2=A0=C2=A0=C2=A0=C2=A0 *)
> > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 echo "error: invalid=
 parameter '$key', please try '--help'
> > > to get
> > > list of supported parameters" exit $ES_BUG
> >=20
> >=20
> >=20
> >=20
>=20