Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").

Path to the AAVMF variables image is different than in Debian's upstream.

Signed-off-by: Fiona Ebner <[email protected]>
---
debian/control | 1 +
debian/edk2-vars-generator.py | 140 ----------------------------------
debian/rules | 59 +++++---------
3 files changed, 22 insertions(+), 178 deletions(-)
delete mode 100755 debian/edk2-vars-generator.py
diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
 pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
 python3,
 python3-pexpect,
+ python3-virt-firmware,
 qemu-utils,
 uuid-dev,
 xorriso,
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
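Review bot: `python3-pexpect` stays in Build-Depends although its only visible consumer, the `import pexpect` in debian/edk2-vars-generator.py, is deleted by this same patch; if nothing else under debian/ uses pexpect, drop it in the same hunk, `- python3-pexpect,`. The new `python3-virt-firmware` dependency is unversioned while debian/rules relies on the `--enroll-cert`, `--set-pk`, `--add-kek` and `--add-db` options of virt-fw-vars; a versioned build-dependency such as `python3-virt-firmware (>= <first-version-with-these-options>)` would make that requirement explicit for backports.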
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <[email protected]>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser()
- parser.add_argument(
- "-f", "--flavor", help="UEFI Flavor",
- choices=['AAVMF', 'OVMF', 'OVMF_4M'],
- required=True,
- )
- parser.add_argument(
- "-e", "--enrolldefaultkeys",
- help='Path to "EnrollDefaultKeys" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-s", "--shell",
- help='Path to "Shell" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-C", "--certificate",
- help='base64-encoded PK/KEK1 certificate',
- required=True,
- )
- parser.add_argument(
- "-c", "--code",
- help='UEFI code image',
- required=True,
- )
- parser.add_argument(
- "--no-default",
- action="store_true",
- help='Do not enroll the default keys, just the PK/KEK1 certificate',
- )
- parser.add_argument(
- "-V", "--vars-template",
- help='UEFI vars template',
- required=True,
- )
- parser.add_argument(
- "-o", "--out-file",
- help="Output file for generated vars template",
- required=True,
- )
- parser.add_argument("-d", "--debug", action="store_true",
- help="Emit debug messages")
- args = parser.parse_args()
-
- FlavorConfig = {
- 'AAVMF': {
- 'EfiArch': 'AA64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.AAVMF,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF_4M': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- }
-
- eltorito = FatFsImage(64)
- eltorito.makedirs(os.path.join('EFI', 'BOOT'))
- removable_media_path = os.path.join(
- 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
- )
- eltorito.insert_file(args.shell, removable_media_path)
- eltorito.insert_file(
- args.enrolldefaultkeys,
- args.enrolldefaultkeys.split(os.path.sep)[-1]
- )
- iso = EfiBootableIsoImage(eltorito)
-
- q = FlavorConfig[args.flavor]['QemuCommand']
- q.add_disk(iso.path)
- q.add_oem_string(11, args.certificate)
-
- child = pexpect.spawn(' '.join(q.command))
- if args.debug:
- child.logfile = sys.stdout.buffer
- child.expect(['Press .* or any other key to continue'], timeout=None)
- child.sendline('\x1b')
- child.expect(['Shell> '], timeout=None)
- child.sendline('FS0:\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- enrollcmd = ['EnrollDefaultKeys.efi']
- if args.no_default:
- enrollcmd.append("--no-default")
- child.sendline(f'{" ".join(enrollcmd)}\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- # Clear the BootOrder. See #1015759
- child.sendline('setvar BootOrder =\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- child.sendline('reset -s\r')
- child.wait()
- shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
 endif
 ln -sf `basename $<` $@
-debian/oem-string-%: debian/PkKek-1-%.pem
- tr -d '\n' < $< | \
- sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor = virt-fw-vars --input $(1) --output $(2) \
+ --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+ --set-pk OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-kek OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-db OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- -C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_snakeoil,$(AAVMF_VARS),$@)
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
 BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
 $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
-- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
