2 changes: 1 addition & 1 deletion component_versions/version_map.yml
@@ -1,6 +1,6 @@
firmware:
qemu: 9.2.0
libvirt: 10.9.0
edk2: stable202411
edk2: stable202502
package:
swtpm: 0.10.0
162 changes: 129 additions & 33 deletions images/edk2/build.sh
Expand Up @@ -28,6 +28,13 @@ EOF
exit 0
}

echo_dbg() {
local str=$1
echo ""
echo "===$str==="
echo ""
}

parse_args() {
while [[ $# -gt 0 ]]; do
case "$1" in
Expand Down Expand Up @@ -81,22 +88,13 @@ fi
EDK2_DIR="/${gitRepoName}-${edk2Branch}"
FIRMWARE="/FIRMWARE"

mv -f Logo.bmp $EDK2_DIR/MdeModulePkg/Logo/
mv -f /Logo.bmp $EDK2_DIR/MdeModulePkg/Logo/
echo "=== cd $EDK2_DIR ==="
cd $EDK2_DIR

echo "= pwd ="
pwd
cd $EDK2_DIR

mkdir -p ${FIRMWARE}

echo_dbg() {
local str=$1
echo ""
echo "===$str==="
echo ""
}

# compiler
CC_FLAGS="-t GCC5"
CC_FLAGS="${CC_FLAGS} -b RELEASE"
Expand All @@ -109,18 +107,18 @@ CC_FLAGS="${CC_FLAGS} -D TPM1_ENABLE=FALSE"
CC_FLAGS="${CC_FLAGS} -D CAVIUM_ERRATUM_27456=TRUE"

# ovmf features
OVMF_2M_FLAGS="${CC_FLAGS} -D FD_SIZE_2MB=TRUE -D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ISCSI_ENABLE=FALSE"
OVMF_4M_FLAGS="${CC_FLAGS} -D FD_SIZE_4MB=TRUE -D NETWORK_TLS_ENABLE=TRUE -D NETWORK_ISCSI_ENABLE=TRUE"

# secure boot features
OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SECURE_BOOT_ENABLE=TRUE"
OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SMM_REQUIRE=TRUE"
OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D EXCLUDE_SHELL_FROM_FD=TRUE -D BUILD_SHELL=FALSE"

# unset MAKEFLAGS
echo "run source edksetup.sh"
source ./edksetup.sh BaseTools
source ./edksetup.sh
if ! command -v build 2>&1 >/dev/null
then
echo "build could not be found"
exit 1
fi

build_iso() {
dir="$1"
Expand Down Expand Up @@ -156,66 +154,164 @@ build_iso() {
-o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE"
}

prep() {
build -a X64 -p MdeModulePkg/MdeModulePkg.dsc -t GCC5 -b RELEASE
}

# Build with SB and SMM; exclude UEFI shell.

build_ovmf() {
echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc
cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.fd
cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.fd
# echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
build -a X64 \
-t GCC5 \
-p OvmfPkg/OvmfPkgX64.dsc \
-DCC_MEASUREMENT_ENABLE=TRUE -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_IP6_ENABLE=TRUE -DNETWORK_TLS_ENABLE --pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" --pcd PcdFirmwareVersionString=L"2025.02-1\\0" --pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0" -DTPM2_ENABLE=TRUE -DFD_SIZE_4MB -b RELEASE
cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.fd
cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.fd
rm -rf Build/OvmfX64
# build ${OVMF_4M_FLAGS} \
# -a X64 -p OvmfPkg/OvmfPkgX64.dsc \
# -DCC_MEASUREMENT_ENABLE=TRUE \
# --pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" \
# --pcd PcdFirmwareVersionString=L"2025.02-1\\0" \
# --pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0"

# cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.fd
# cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.fd
}

# Build with SB and SMM with secure boot; exclude UEFI shell.
build_ovmf_secboot() {
echo_dbg "build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc
cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.secboot.fd
# echo_dbg "build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc"
build -a X64 \
-t GCC5 \
-b RELEASE \
-p OvmfPkg/OvmfPkgX64.dsc \
-DCC_MEASUREMENT_ENABLE=TRUE \
-DNETWORK_HTTP_BOOT_ENABLE=TRUE \
-DNETWORK_IP6_ENABLE=TRUE \
-DNETWORK_TLS_ENABLE \
-DTPM_ENABLE=TRUE \
-DTPM2_ENABLE=TRUE \
-DFD_SIZE_4MB \
-DBUILD_SHELL=FALSE \
-DSECURE_BOOT_ENABLE=TRUE \
-DSMM_REQUIRE=TRUE \
--pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" \
--pcd PcdFirmwareVersionString=L"2025.02-1\\0" \
--pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0"

cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.secboot.fd
cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.secboot.fd
rm -rf Build/OvmfX64
# cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
# cp -p Build/OvmfX64/*/X64/Shell.efi $FIRMWARE/
# build ${OVMF_4M_FLAGS} ${OVMF_SB_FLAGS} \
# -a X64 -p OvmfPkg/OvmfPkgX64.dsc \
# --pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" \
# --pcd PcdFirmwareVersionString=L"2025.02-1\\0" \
# --pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0"

# cp -p Build/OvmfX64/*/FV/OVMF_CODE.fd $FIRMWARE/OVMF_CODE.secboot.fd
# cp -p Build/OvmfX64/*/FV/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.secboot.fd
# cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
# cp -p Build/OvmfX64/*/X64/Shell.efi $FIRMWARE/
}

# Build AmdSev and IntelTdx variants
build_ovmf_amdsev() {
touch OvmfPkg/AmdSev/Grub/grub.efi

echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc"
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc \
--pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" \
--pcd PcdFirmwareVersionString=L"2025.02-1\\0" \
--pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0"

cp -p Build/AmdSev/*/FV/OVMF.fd $FIRMWARE/OVMF.amdsev.fd
}

echo_dbg "build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/IntelTdx/IntelTdxX64.dsc"
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/IntelTdx/IntelTdxX64.dsc
build_ovmf_inteltdx() {
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/IntelTdx/IntelTdxX64.dsc \
--pcd PcdFirmwareVendor=L"DVP distribution of EDK II\\0" \
--pcd PcdFirmwareVersionString=L"2025.02-1\\0" \
--pcd PcdFirmwareReleaseDateString=L"03/02/2025\\0"
cp -p Build/IntelTdx/*/FV/OVMF.fd $FIRMWARE/OVMF.inteltdx.fd
rm -rf Build/IntelTdx
}

build_EnrollDefaultKeys() {
build ${OVMF_4M_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc -D ENROLL_DEFAULT_KEYS
cp Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
rm -rf Build/OvmfX64
}
# Build ovmf (x64) shell iso with EnrollDefaultKeys
build_shell() {
echo_dbg "build shell"
build ${OVMF_4M_FLAGS} -a X64 -p ShellPkg/ShellPkg.dsc
build ${OVMF_4M_FLAGS} -a IA32 -p ShellPkg/ShellPkg.dsc

cp Build/Shell/*/X64/Shell.efi $$FIRMWARE/
rm -rf Build/Shell
# build ${OVMF_4M_FLAGS} -a IA32 -p ShellPkg/ShellPkg.dsc

cp -p Build/Shell/*/X64/ShellPkg/Application/Shell/Shell/OUTPUT/Shell.efi $FIRMWARE/
cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
# cp -p Build/Shell/*/X64/ShellPkg/Application/Shell/Shell/OUTPUT/Shell.efi $FIRMWARE/
# cp -p Build/OvmfX64/*/X64/EnrollDefaultKeys.efi $FIRMWARE/
}


enroll() {
virt-fw-vars --input $FIRMWARE/OVMF_VARS.fd \
--output $FIRMWARE/OVMF_VARS.secboot.fd \
--set-dbx $FIRMWARE/DBXUpdate-20230509.x64.bin \
--secure-boot
--secure-boot \
--enroll-altlinux
# --enroll-generate dvp.deckhouse.io

virt-fw-vars --input $FIRMWARE/OVMF.inteltdx.fd \
--output $FIRMWARE/OVMF.inteltdx.secboot.fd \
--set-dbx $FIRMWARE/DBXUpdate-20230509.x64.bin \
--secure-boot
--secure-boot \
--enroll-altlinux
# --enroll-generate dvp.deckhouse.io
}

# no sec boot but makes json happy
no_enroll() {
cp -p $FIRMWARE/OVMF_VARS.fd $FIRMWARE/OVMF_VARS.secboot.fd
cp -p $FIRMWARE/OVMF.inteltdx.fd $FIRMWARE/OVMF.inteltdx.secboot.fd
}


echo_dbg "prep"
prep 2>&1 > /dev/null

echo_dbg "build_ovmf"
build_ovmf 2>&1 > /dev/null

echo_dbg "build_ovmf_secboot"
build_ovmf_secboot 2>&1 > /dev/null

echo_dbg "build_ovmf_amdsev"
build_ovmf_amdsev 2>&1 > /dev/null

echo_dbg "build_ovmf_inteltdx"
build_ovmf_inteltdx 2>&1 > /dev/null

echo_dbg "build_EnrollDefaultKeys"
build_EnrollDefaultKeys 2>&1 > /dev/null

echo_dbg "build_shell"
build_shell 2>&1 > /dev/null

build_iso $FIRMWARE
no_enroll
enroll

ls -la $FIRMWARE

# no_enroll

# echo_dbg "run edk2-vars-generator.py"
# /edk2-vars-generator.py -d \
# -f OVMF_4M -e $FIRMWARE/EnrollDefaultKeys.efi -s $FIRMWARE/Shell.efi \
# -c $FIRMWARE/OVMF_CODE.secboot.fd \
# -V $FIRMWARE/OVMF_VARS.fd \
# -C `< debian/oem-string-vendor` -o $FIRMWARE/OVMF_VARS.ms.fd
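Review bot: `cp Build/Shell/*/X64/Shell.efi $$FIRMWARE/` in build_shell expands `$$` to the shell's PID, so Shell.efi is copied to a relative `<pid>FIRMWARE/` path (or the cp fails) rather than into $FIRMWARE; it should read `cp -p Build/Shell/*/X64/Shell.efi "$FIRMWARE"/`. Since every step is invoked as `build_shell 2>&1 > /dev/null` and no `set -e` is visible in this hunk, a failing cp or build only prints to stderr and the script carries on. The same silent-failure pattern applies to the final `no_enroll` then `enroll` sequence: no_enroll first writes the unenrolled OVMF_VARS.fd as OVMF_VARS.secboot.fd, so if virt-fw-vars fails the artifact named secboot ships without PK/KEK/db/dbx and the firmware would presumably boot in setup mode with nothing enforced; guard it with `enroll || { echo "enroll failed" >&2; exit 1; }` or drop the no_enroll fallback. This hunk begins inside build_iso, whose start is outside it.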
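--- a/images/edk2/edk2-vars-generator.py
+++ b/images/edk2/edk2-vars-generator.py
@@ -0,0 +1,142 @@
+#!/usr/bin/env python3
+
+# Copyright 2024 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Copyright 2021 Canonical Ltd.
+# Authors:
+# - dann frazier <dann.frazier@canonical.com>
+
+
+import argparse
+import os.path
+import pexpect
+import shutil
+import sys
+from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
+from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
+from UEFI import Qemu
+
+if __name__ == '__main__':
+parser = argparse.ArgumentParser()
+parser.add_argument(
+"-f", "--flavor", help="UEFI Flavor",
+choices=['AAVMF', 'OVMF', 'OVMF_4M'],
+required=True,
+)
+parser.add_argument(
+"-e", "--enrolldefaultkeys",
+help='Path to "EnrollDefaultKeys" EFI binary',
+required=True,
+)
+parser.add_argument(
+"-s", "--shell",
+help='Path to "Shell" EFI binary',
+required=True,
+)
+parser.add_argument(
+"-C", "--certificate",
+help='base64-encoded PK/KEK1 certificate',
+required=True,
+)
+parser.add_argument(
+"-c", "--code",
+help='UEFI code image',
+required=True,
+)
+parser.add_argument(
+"--no-default",
+action="store_true",
+help='Do not enroll the default keys, just the PK/KEK1 certificate',
+)
+parser.add_argument(
+"-V", "--vars-template",
+help='UEFI vars template',
+required=True,
+)
+parser.add_argument(
+"-o", "--out-file",
+help="Output file for generated vars template",
+required=True,
+)
+parser.add_argument("-d", "--debug", action="store_true",
+help="Emit debug messages")
+args = parser.parse_args()
+
+FlavorConfig = {
+'AAVMF': {
+'EfiArch': 'AA64',
+'QemuCommand': Qemu.QemuCommand(
+QemuEfiMachine.AAVMF,
+code_path=args.code,
+vars_template_path=args.vars_template,
+),
+},
+'OVMF': {
+'EfiArch': 'X64',
+'QemuCommand': Qemu.QemuCommand(
+QemuEfiMachine.OVMF_Q35,
+variant=QemuEfiVariant.SECBOOT,
+flash_size=QemuEfiFlashSize.SIZE_4MB,
+code_path=args.code,
+vars_template_path=args.vars_template,
+),
+},
+'OVMF_4M': {
+'EfiArch': 'X64',
+'QemuCommand': Qemu.QemuCommand(
+QemuEfiMachine.OVMF_Q35,
+variant=QemuEfiVariant.SECBOOT,
+flash_size=QemuEfiFlashSize.SIZE_4MB,
+code_path=args.code,
+vars_template_path=args.vars_template,
+),
+},
+}
+
+eltorito = FatFsImage(64)
+eltorito.makedirs(os.path.join('EFI', 'BOOT'))
+removable_media_path = os.path.join(
+'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
+)
+eltorito.insert_file(args.shell, removable_media_path)
+eltorito.insert_file(
+args.enrolldefaultkeys,
+args.enrolldefaultkeys.split(os.path.sep)[-1]
+)
+iso = EfiBootableIsoImage(eltorito)
+
+q = FlavorConfig[args.flavor]['QemuCommand']
+q.add_disk(iso.path)
+q.add_oem_string(11, args.certificate)
+
+child = pexpect.spawn(' '.join(q.command))
+if args.debug:
+child.logfile = sys.stdout.buffer
+child.expect(['Press .* or any other key to continue'], timeout=None)
+child.sendline('\x1b')
+child.expect(['Shell> '], timeout=None)
+child.sendline('FS0:\r')
+child.expect(['FS0:\\\\> '], timeout=None)
+enrollcmd = ['EnrollDefaultKeys.efi']
+if args.no_default:
+enrollcmd.append("--no-default")
+child.sendline(f'{" ".join(enrollcmd)}\r')
+child.expect(['FS0:\\\\> '], timeout=None)
+# Clear the BootOrder. See #1015759
+child.sendline('setvar BootOrder =\r')
+child.expect(['FS0:\\\\> '], timeout=None)
+child.sendline('reset -s\r')
+child.wait()
+shutil.copy(q.pflash.varfile_path, args.out_file)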
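Review bot: Every `child.expect(...)` in the pexpect session passes `timeout=None`, so a firmware image that never reaches the `Press ... to continue` or `Shell> ` prompt blocks the build indefinitely instead of failing; a bounded value such as `timeout=300` turns the hang into a pexpect.TIMEOUT the caller can report. After `child.wait()` the vars file is copied with `shutil.copy(q.pflash.varfile_path, args.out_file)` regardless of QEMU's exit status or of whether EnrollDefaultKeys.efi succeeded, so a failed enrollment silently produces an output template with no keys enrolled; at minimum check `child.exitstatus` before the copy and, if EnrollDefaultKeys prints a recognisable failure line, expect on it after the enroll command. `pexpect.spawn(' '.join(q.command))` joins the argv list and lets pexpect re-split it on whitespace, so a code or vars path containing a space breaks; `pexpect.spawn(q.command[0], q.command[1:])` passes the list through unchanged. The file also lacks a module docstring; a short one stating that it boots the given code image and vars template under QEMU with the supplied certificate as OEM string 11, runs EnrollDefaultKeys from an El Torito image, clears BootOrder and writes the resulting vars file to --out-file would orient the next maintainer.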