Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

- Supplying the "--oem-string" (containing an X.509 certificate in
  base64-encoded form) as an input is mandatory, otherwise the default
  invocation fails with:

    $> ./ovmf-vars-generator output_VARS.fd
    INFO:root:Starting enrollment
    INFO:root:Performing enrollment
    INFO:root:Finished enrollment
    INFO:root:Grabbing test kernel
    INFO:root:Starting verification
    INFO:root:Performing verification
    Traceback (most recent call last):
      File "./ovmf-vars-generator", line 298, in <module>
        main()
      File "./ovmf-vars-generator", line 286, in main
        test_keys(args)
      File "./ovmf-vars-generator", line 167, in test_keys
        raise Exception('Secure Boot was disabled')
    Exception: Secure Boot was disabled

  So add a section on how to use the OEM String.

- Update the examples.  And some minor tweaks along the way.

- Also address Laszlo's feedback
  (#32 (comment))

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
4da81a4

Git stats

Files

Permalink
Failed to load latest commit information.

README.md

QEMU, OVMF and Secure Boot

Description

ovmf-vars-generator is a script to generate OVMF variables ("VARS") file with default Secure Boot keys enrolled in it. And validate that it works correctly.

Prerequisite

To successfully generate a VARS file, we first need an X.509 certificate from a given Linux distribution vendor, so that we can supply it as an SMBIOS "OEM String" to QEMU (via ovmf-vars-generator). Each Linux distribution should provide an X.509 certificate, to be enrolled as Secure Boot Platform Key in OVMF virtual machines.

For the sake of demonstration, let's create a self-signed CA (as described here https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c2):

$> openssl req
-x509
-newkey rsa:2048
-outform PEM
-keyout PkKek1.private.key
-out PkKek1.pem

Fill out the details. Then, "strip the header, footer; prepend the application prefix" (borrowed from the same bug as above) from the base64-encoded PkKek1.pem file:

$> sed \
    -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
    -e '/^-----END CERTIFICATE-----$/d' \
    ./PkKek1.pem > PkKek1.oemstr

Now we're ready use the PkKek1.oemstr as an OEM Sting input for ovmf-vars-generator.

Invocation

The minimal invocation expects you to supply the OEM String and the name of the output file:

$> ./ovmf-vars-generator --oem-string "$(< PkKek1.oemstr)" \
    1_SB_VARS.fd
INFO:root:Starting enrollment
INFO:root:Performing enrollment
INFO:root:Finished enrollment
INFO:root:Grabbing test kernel
INFO:root:Starting verification
INFO:root:Performing verification
INFO:root:Confirmed: Secure Boot is enabled
INFO:root:Finished verification
INFO:root:Created and verified output1_VARS.fd

Now the output1_VARS.fd file can be used, in combination with OVMF_CODE.secboot.fd, to launch a QEMU/KVM guest with Secure Boot.

A longer command-line variant allows you to specify more details:

$> ./ovmf-vars-generator \
    --ovmf-binary /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd \
    --uefi-shell-iso /usr/share/edk2/ovmf/UefiShell.iso \
    --ovmf-template-vars /usr/share/edk2/ovmf/OVMF_VARS.fd \
    --fedora-version 33 \
    --kernel-path /tmp/qosb.kernel \
    --oem-string "$(< PkKek1.oemstr)" \
    --enable-kvm \
    2_SB_VARS.fd
[...]

It is doing the following, in that order:

(1) Launches a QEMU guest with the UefiShell.iso as a CD-ROM.

(2) Automatically enrolls the cryptographic keys in the UEFI shell.

(3) Finally, downloads a Fedora kernel and 'initrd' file and boots into it, and confirms Secure Boot is really in effect.

Alternatively: You can also verify that Secure Boot is enabled properly in a full virtual machine by explicitly running dmesg, and grepping for the "secure" string. On a recent Fedora (e.g. Fedora 33) QEMU/KVM virtual machine, it looks as follows:

(fedora-vm)$ dmesg | grep -i secure
      [    0.000000] secureboot: Secure boot enabled
      [    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7

What certificates and keys are enrolled?

The following certificates and keys are enrolled by the tool:

  • As Platform Key, and as one of the two Key Exchange Keys that we set up, the EnrollDefaultKeys.efi binary on both Fedora and RHEL, uses the same digital certificate called Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com, and Red Hat's Product Security team has the private key for it.

  • The certificate that is enrolled as the second Key Exchange Key is called Microsoft Corporation KEK CA 2011. Updates to the authenticated dbx (basically, "blacklist") variable, periodically released at http://www.uefi.org/revocationlistfile , are signed such that the signature chain ends in this certificate. The update can be installed in the guest Linux OS with the dbxtool utility.

  • Then, the authenticated db variable gets the following two cetificates: Microsoft Windows Production PCA 2011 (for accepting Windows 8, Windows Server 2012 R2, etc boot loaders), and Microsoft Corporation UEFI CA 2011 (for verifying the shim binary, and PCI expansion ROMs).

References

About

Script to generate an OVMF vars file with default secure boot key enrolled.

Resources

License

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •