all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.
Date: Thu,  6 Nov 2025 16:42:55 +0100	[thread overview]
Message-ID: <20251106154314.772317-5-f.ebner@proxmox.com> (raw)
In-Reply-To: <20251106154314.772317-1-f.ebner@proxmox.com>

Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").

Path to the AAVMF variables image is different than in Debian's
upstream.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/control                |   1 +
 debian/edk2-vars-generator.py | 140 ----------------------------------
 debian/rules                  |  59 +++++---------
 3 files changed, 22 insertions(+), 178 deletions(-)
 delete mode 100755 debian/edk2-vars-generator.py

diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
                pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
                python3,
                python3-pexpect,
+               python3-virt-firmware,
                qemu-utils,
                uuid-dev,
                xorriso,
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <dann.frazier@canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser()
-    parser.add_argument(
-        "-f", "--flavor", help="UEFI Flavor",
-        choices=['AAVMF', 'OVMF', 'OVMF_4M'],
-        required=True,
-    )
-    parser.add_argument(
-        "-e", "--enrolldefaultkeys",
-        help='Path to "EnrollDefaultKeys" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-s", "--shell",
-        help='Path to "Shell" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-C", "--certificate",
-        help='base64-encoded PK/KEK1 certificate',
-        required=True,
-    )
-    parser.add_argument(
-        "-c", "--code",
-        help='UEFI code image',
-        required=True,
-    )
-    parser.add_argument(
-        "--no-default",
-        action="store_true",
-        help='Do not enroll the default keys, just the PK/KEK1 certificate',
-    )
-    parser.add_argument(
-        "-V", "--vars-template",
-        help='UEFI vars template',
-        required=True,
-    )
-    parser.add_argument(
-        "-o", "--out-file",
-        help="Output file for generated vars template",
-        required=True,
-    )
-    parser.add_argument("-d", "--debug", action="store_true",
-                        help="Emit debug messages")
-    args = parser.parse_args()
-
-    FlavorConfig = {
-        'AAVMF': {
-            'EfiArch': 'AA64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.AAVMF,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF_4M': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-    }
-
-    eltorito = FatFsImage(64)
-    eltorito.makedirs(os.path.join('EFI', 'BOOT'))
-    removable_media_path = os.path.join(
-        'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
-    )
-    eltorito.insert_file(args.shell, removable_media_path)
-    eltorito.insert_file(
-        args.enrolldefaultkeys,
-        args.enrolldefaultkeys.split(os.path.sep)[-1]
-    )
-    iso = EfiBootableIsoImage(eltorito)
-
-    q = FlavorConfig[args.flavor]['QemuCommand']
-    q.add_disk(iso.path)
-    q.add_oem_string(11, args.certificate)
-
-    child = pexpect.spawn(' '.join(q.command))
-    if args.debug:
-        child.logfile = sys.stdout.buffer
-    child.expect(['Press .* or any other key to continue'], timeout=None)
-    child.sendline('\x1b')
-    child.expect(['Shell> '], timeout=None)
-    child.sendline('FS0:\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    enrollcmd = ['EnrollDefaultKeys.efi']
-    if args.no_default:
-        enrollcmd.append("--no-default")
-    child.sendline(f'{" ".join(enrollcmd)}\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    # Clear the BootOrder. See #1015759
-    child.sendline('setvar BootOrder =\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    child.sendline('reset -s\r')
-    child.wait()
-    shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
 endif
 	ln -sf `basename $<` $@
 
-debian/oem-string-%: debian/PkKek-1-%.pem
-	tr -d '\n' < $< | \
-		sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor   = virt-fw-vars --input $(1) --output $(2) \
+                    --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+                    --set-pk OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-kek OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-db OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem
 
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		-C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
 
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_snakeoil,$(AAVMF_VARS),$@)
 
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
 
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
 
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
 
 BaseTools/Bin/GccLto/liblto-aarch64.a:	BaseTools/Bin/GccLto/liblto-aarch64.s
 	$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2025-11-06 15:43 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1 Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian Fiona Ebner
2025-11-06 15:42 ` Fiona Ebner [this message]
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251106154314.772317-5-f.ebner@proxmox.com \
    --to=f.ebner@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal