From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Fri, 7 Nov 2025 09:54:31 +0100
Message-ID: <20251107085441.5093-5-f.ebner@proxmox.com>
In-Reply-To: <20251107085441.5093-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.

Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default keys."). Path to the AAVMF variables image is different than in Debian's upstream.
Signed-off-by: Fiona Ebner --- debian/control | 1 + debian/edk2-vars-generator.py | 140 ---------------------------------- debian/rules | 59 +++++--------- 3 files changed, 22 insertions(+), 178 deletions(-) delete mode 100755 debian/edk2-vars-generator.py diff --git a/debian/control b/debian/control index 632cea53bd..5624a3b5a1 100644 --- a/debian/control +++ b/debian/control @@ -16,6 +16,7 @@ Build-Depends: bc, pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg), python3, python3-pexpect, + python3-virt-firmware, qemu-utils, uuid-dev, xorriso, diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py deleted file mode 100755 index 351e556211..0000000000 --- a/debian/edk2-vars-generator.py +++ /dev/null 
@@ -1,140 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright 2021 Canonical Ltd. -# Authors: -# - dann frazier -# -# This program is free software: you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 3, as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, -# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program. If not, see . -# - -import argparse -import os.path -import pexpect -import shutil -import sys -from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage -from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize -from UEFI import Qemu - -if __name__ == '__main__': - parser = argparse.ArgumentParser() - parser.add_argument( - "-f", "--flavor", help="UEFI Flavor", - choices=['AAVMF', 'OVMF', 'OVMF_4M'], - required=True, - ) - parser.add_argument( - "-e", "--enrolldefaultkeys", - help='Path to "EnrollDefaultKeys" EFI binary', - required=True, - ) - parser.add_argument( - "-s", "--shell", - help='Path to "Shell" EFI binary', - required=True, - ) - parser.add_argument( - "-C", "--certificate", - help='base64-encoded PK/KEK1 certificate', - required=True, - ) - parser.add_argument( - "-c", "--code", - help='UEFI code image', - required=True, - ) - parser.add_argument( - "--no-default", - action="store_true", - help='Do not enroll the default keys, just the PK/KEK1 certificate', - ) - parser.add_argument( - "-V", "--vars-template", - help='UEFI vars template', - required=True, - ) - parser.add_argument( - "-o", "--out-file", - help="Output file for generated vars template", - required=True, - ) - parser.add_argument("-d", "--debug", action="store_true", - help="Emit debug messages") - args = 
parser.parse_args() - - FlavorConfig = { - 'AAVMF': { - 'EfiArch': 'AA64', - 'QemuCommand': Qemu.QemuCommand( - QemuEfiMachine.AAVMF, - code_path=args.code, - vars_template_path=args.vars_template, - ), - }, - 'OVMF': { - 'EfiArch': 'X64', - 'QemuCommand': Qemu.QemuCommand( - QemuEfiMachine.OVMF_Q35, - variant=QemuEfiVariant.SECBOOT, - flash_size=QemuEfiFlashSize.SIZE_4MB, - code_path=args.code, - vars_template_path=args.vars_template, - ), - }, - 'OVMF_4M': { - 'EfiArch': 'X64', - 'QemuCommand': Qemu.QemuCommand( - QemuEfiMachine.OVMF_Q35, - variant=QemuEfiVariant.SECBOOT, - flash_size=QemuEfiFlashSize.SIZE_4MB, - code_path=args.code, - vars_template_path=args.vars_template, - ), - }, - } - - eltorito = FatFsImage(64) - eltorito.makedirs(os.path.join('EFI', 'BOOT')) - removable_media_path = os.path.join( - 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI" - ) - eltorito.insert_file(args.shell, removable_media_path) - eltorito.insert_file( - args.enrolldefaultkeys, - args.enrolldefaultkeys.split(os.path.sep)[-1] - ) - iso = EfiBootableIsoImage(eltorito) - - q = FlavorConfig[args.flavor]['QemuCommand'] - q.add_disk(iso.path) - q.add_oem_string(11, args.certificate) - - child = pexpect.spawn(' '.join(q.command)) - if args.debug: - child.logfile = sys.stdout.buffer - child.expect(['Press .* or any other key to continue'], timeout=None) - child.sendline('\x1b') - child.expect(['Shell> '], timeout=None) - child.sendline('FS0:\r') - child.expect(['FS0:\\\\> '], timeout=None) - enrollcmd = ['EnrollDefaultKeys.efi'] - if args.no_default: - enrollcmd.append("--no-default") - child.sendline(f'{" ".join(enrollcmd)}\r') - child.expect(['FS0:\\\\> '], timeout=None) - # Clear the BootOrder. See #1015759 - child.sendline('setvar BootOrder =\r') - child.expect(['FS0:\\\\> '], timeout=None) - child.sendline('reset -s\r') - child.wait() - shutil.copy(q.pflash.varfile_path, args.out_file) diff --git a/debian/rules b/debian/rules index c640833092..316a7b7727 100755 
--- a/debian/rules +++ b/debian/rules 
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem endif ln -sf `basename $<` $@ -debian/oem-string-%: debian/PkKek-1-%.pem - tr -d '\n' < $< | \ - sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@ +# Usage: $(call enroll_vendor,,,) +enroll_vendor = virt-fw-vars --input $(1) --output $(2) \ + --enroll-cert debian/PkKek-1-vendor.pem +# Usage: $(call enroll_snakeoil,,) +enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \ + --set-pk OvmfEnrollDefaultKeys \ + debian/PkKek-1-snakeoil.pem \ + --add-kek OvmfEnrollDefaultKeys \ + debian/PkKek-1-snakeoil.pem \ + --add-db OvmfEnrollDefaultKeys \ + debian/PkKek-1-snakeoil.pem -%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL) - PYTHONPATH=$(CURDIR)/debian/python \ - python3 ./debian/edk2-vars-generator.py \ - -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \ - -c $(AAVMF_CODE) -V $(AAVMF_VARS) \ - -C `< debian/oem-string-vendor` -o $@ +%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL) + $(call enroll_vendor,$(AAVMF_VARS),$@,arm64) -%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL) - PYTHONPATH=$(CURDIR)/debian/python \ - python3 ./debian/edk2-vars-generator.py \ - -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \ - -c $(AAVMF_CODE) -V $(AAVMF_VARS) \ - --no-default \ - -C `< debian/oem-string-snakeoil` -o $@ +%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL) + $(call enroll_snakeoil,$(AAVMF_VARS),$@) -%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL) - PYTHONPATH=$(CURDIR)/debian/python \ - python3 ./debian/edk2-vars-generator.py \ - -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ - -c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \ - -V 
$(OVMF_INSTALL_DIR)/OVMF_VARS.fd \ - -C `< debian/oem-string-vendor` -o $@ +%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL) + $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64) -%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL) - PYTHONPATH=$(CURDIR)/debian/python \ - python3 ./debian/edk2-vars-generator.py \ - -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ - -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \ - -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \ - -C `< debian/oem-string-vendor` -o $@ +%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL) + $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64) -%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL) - PYTHONPATH=$(CURDIR)/debian/python \ - python3 ./debian/edk2-vars-generator.py \ - -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \ - -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \ - -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \ - --no-default \ - -C `< debian/oem-string-snakeoil` -o $@ +%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL) + $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@) BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@ -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
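Review bot: in the debian/control hunk, python3-virt-firmware is added but python3-pexpect stays in Build-Depends although its only visible consumer, the deleted debian/edk2-vars-generator.py (which imports pexpect to drive the QEMU shell), is gone; unless something else in the packaging still uses it, drop `python3-pexpect` in the same change so the build dependencies match what debian/rules now runs. The same question applies to `pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg)` if it was only there to boot the key-enrollment VM.

Review bot: the deleted debian/edk2-vars-generator.py did one thing beyond key enrollment that the replacement does not: after EnrollDefaultKeys.efi it ran `setvar BootOrder =` under the comment `# Clear the BootOrder. See #1015759`, and the new virt-fw-vars macros contain no equivalent. Since virt-fw-vars edits the varstore offline rather than booting it, no BootOrder should be created, but the commit message should say so (or the variable should be removed explicitly) so that the referenced bug is visibly not reintroduced.

Review bot: in the debian/rules hunk, `enroll_vendor` is called with three arguments (`arm64`/`amd64` as `$(3)`) but the macro body only expands `$(1)` and `$(2)`, so the architecture is silently ignored; either drop the third argument or use it, and spell out the parameter names in the usage comments, which as shown read `$(call enroll_vendor,,,)` and `$(call enroll_snakeoil,,)` with empty placeholders. The rewritten `.ms.fd` and `.snakeoil.fd` targets also still list `%/AAVMF_CODE.fd`, `%/OVMF_CODE.secboot.fd`, `%/OVMF_CODE_4M.secboot.fd`, `%/OVMF_CODE_4M.fd`, `$(AAVMF_ENROLL) $(AAVMF_SHELL)` and `$(OVMF_ENROLL) $(OVMF_SHELL)` as prerequisites even though the new recipes never reference them (and the ms/snakeoil 4M targets now disagree on `.secboot.fd` vs `.fd`); those prerequisites, and the `*_ENROLL`/`*_SHELL` variables if nothing else uses them, are dead and should be removed rather than keeping the EnrollDefaultKeys and Shell EFI binaries as build inputs for nothing. Finally, the two macros are asymmetric in a security-relevant way: `enroll_snakeoil` explicitly sets PK and adds KEK and db with only the snakeoil certificate (matching the old `--no-default`), while `enroll_vendor` relies entirely on whatever `--enroll-cert` implies for PK, KEK, db and the SecureBoot enable; a one-line comment per macro stating which databases end up populated and whether secure boot mode is switched on would make the resulting varstores reviewable without reading the virt-fw-vars source.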