From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.
Date: Fri, 7 Nov 2025 09:54:31 +0100
Message-ID: <20251107085441.5093-5-f.ebner@proxmox.com>
In-Reply-To: <20251107085441.5093-1-f.ebner@proxmox.com>
Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").
Path to the AAVMF variables image is different than in Debian's
upstream.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/control | 1 +
debian/edk2-vars-generator.py | 140 ----------------------------------
debian/rules | 59 +++++---------
3 files changed, 22 insertions(+), 178 deletions(-)
delete mode 100755 debian/edk2-vars-generator.py
diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
python3,
python3-pexpect,
+ python3-virt-firmware,
qemu-utils,
uuid-dev,
xorriso,
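Review bot: python3-pexpect stays in Build-Depends next to the new python3-virt-firmware line, but the only pexpect user visible in this patch, debian/edk2-vars-generator.py, is deleted. If nothing else in the package (for example a test suite) still imports pexpect, drop it in the same commit. The new dependency is also unversioned; if the virt-fw-vars options used in debian/rules (--enroll-cert, --set-pk, --add-kek, --add-db) need a minimum release, a versioned build dependency would make the build fail early rather than at enrollment time.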
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <dann.frazier@canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser()
- parser.add_argument(
- "-f", "--flavor", help="UEFI Flavor",
- choices=['AAVMF', 'OVMF', 'OVMF_4M'],
- required=True,
- )
- parser.add_argument(
- "-e", "--enrolldefaultkeys",
- help='Path to "EnrollDefaultKeys" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-s", "--shell",
- help='Path to "Shell" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-C", "--certificate",
- help='base64-encoded PK/KEK1 certificate',
- required=True,
- )
- parser.add_argument(
- "-c", "--code",
- help='UEFI code image',
- required=True,
- )
- parser.add_argument(
- "--no-default",
- action="store_true",
- help='Do not enroll the default keys, just the PK/KEK1 certificate',
- )
- parser.add_argument(
- "-V", "--vars-template",
- help='UEFI vars template',
- required=True,
- )
- parser.add_argument(
- "-o", "--out-file",
- help="Output file for generated vars template",
- required=True,
- )
- parser.add_argument("-d", "--debug", action="store_true",
- help="Emit debug messages")
- args = parser.parse_args()
-
- FlavorConfig = {
- 'AAVMF': {
- 'EfiArch': 'AA64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.AAVMF,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF_4M': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- }
-
- eltorito = FatFsImage(64)
- eltorito.makedirs(os.path.join('EFI', 'BOOT'))
- removable_media_path = os.path.join(
- 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
- )
- eltorito.insert_file(args.shell, removable_media_path)
- eltorito.insert_file(
- args.enrolldefaultkeys,
- args.enrolldefaultkeys.split(os.path.sep)[-1]
- )
- iso = EfiBootableIsoImage(eltorito)
-
- q = FlavorConfig[args.flavor]['QemuCommand']
- q.add_disk(iso.path)
- q.add_oem_string(11, args.certificate)
-
- child = pexpect.spawn(' '.join(q.command))
- if args.debug:
- child.logfile = sys.stdout.buffer
- child.expect(['Press .* or any other key to continue'], timeout=None)
- child.sendline('\x1b')
- child.expect(['Shell> '], timeout=None)
- child.sendline('FS0:\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- enrollcmd = ['EnrollDefaultKeys.efi']
- if args.no_default:
- enrollcmd.append("--no-default")
- child.sendline(f'{" ".join(enrollcmd)}\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- # Clear the BootOrder. See #1015759
- child.sendline('setvar BootOrder =\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- child.sendline('reset -s\r')
- child.wait()
- shutil.copy(q.pflash.varfile_path, args.out_file)
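Review bot: the deleted script cleared BootOrder after enrollment (the 'setvar BootOrder =' step with its "See #1015759" comment), and the commit message does not say what becomes of that workaround. If the reasoning is that virt-fw-vars edits the vars template without booting the firmware, so BootOrder is never written in the first place, please say so in the commit message; otherwise check the generated *.fd files for a leftover BootOrder. The script was also the visible consumer of PYTHONPATH=$(CURDIR)/debian/python (UEFI.Qemu, UEFI.Filesystems); if nothing else imports that module, it can be removed as well.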
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
endif
ln -sf `basename $<` $@
-debian/oem-string-%: debian/PkKek-1-%.pem
- tr -d '\n' < $< | \
- sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor = virt-fw-vars --input $(1) --output $(2) \
+ --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+ --set-pk OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-kek OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-db OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- -C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_snakeoil,$(AAVMF_VARS),$@)
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
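Review bot: enroll_vendor documents a third parameter <uefi-arch> and every call site passes one (arm64, amd64), but the macro body only expands $(1) and $(2), so the argument is silently ignored. Either use $(3) or drop it from the usage comment and the calls. The rewritten targets also still list $(AAVMF_ENROLL) $(AAVMF_SHELL) and $(OVMF_ENROLL) $(OVMF_SHELL) as prerequisites although the recipes no longer run EnrollDefaultKeys or the UEFI shell, which keeps a build-order dependency the recipes no longer need. Finally, the .ms.fd rules now depend on OVMF_CODE.secboot.fd and OVMF_CODE_4M.secboot.fd while OVMF_VARS_4M.snakeoil.fd keeps OVMF_CODE_4M.fd; a word on whether that difference is intended would help.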
--
2.47.3