Control: tags -1 + patch
Control: retitle -1 patch available: support of UEFI secure boot in autopkgtest-virt-qemu

With a secure boot capable OVMF installed,
I verified that the attached modification to autopkgtest-virt-qemu
starts the Linux kernel in a testbed in locked-down mode.

Specifically,
autopkgtest -B -u debci bash -- qemu /var/lib/debci/qemu/sid-amd64.img --secure-boot --debug --show-boot
shows

[    0.000000] Kernel is locked down from EFI Secure Boot; see https://wiki.debian.org/SecureBoot
[    0.000000] secureboot: Secure boot enabled

Ryutaroh
--- usr/bin/autopkgtest-virt-qemu-5.15  2020-11-10 10:08:09.037957338 +0900
+++ usr/bin/autopkgtest-virt-qemu       2020-11-10 10:31:51.402707908 +0900
@@ -94,6 +94,8 @@
                         help='Provide a read-only copy of the base image at 
/dev/baseimage')
     parser.add_argument('--efi', action='store_true', default=False,
                         help='Use OVMF or AAVMF to boot virtual machine using 
EFI (default: BIOS)')
+    parser.add_argument('--secure-boot', action='store_true', default=False,
+                        help='Enable Secure Boot implying --efi (default: 
Non-Secure Boot)')
     parser.add_argument('image', nargs='+',
                         help='disk image to add to the VM (in order)')
 
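Review bot: the help text for --secure-boot says it implies --efi, but the option is only a store_true flag and nothing sets args.efi; the implication holds solely because the second hunk tests args.secure_boot before args.efi in an if/elif, so any other code path that checks args.efi alone will treat a --secure-boot run as a BIOS boot. Either set `args.efi = True` after parse_args() when args.secure_boot is given, or reword the help to say the option selects the secure-boot OVMF firmware, and replace "(default: Non-Secure Boot)" with the "(default: ...)" phrasing used by the --efi option above it.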
@@ -583,7 +585,29 @@
             
'local,id=autopkgtest,path=%s,security_model=none,mount_tag=autopkgtest' % 
shareddir,
             '-drive', 'file=%s,cache=unsafe,if=virtio,index=0,format=qcow2' % 
overlay]
 
-    if args.efi:
+    if args.secure_boot:
+        code = None
+        data = None
+
+        if 'qemu-system-x86_64' in args.qemu_command:
+            code = '/usr/local/share/OVMF-Fedora33/OVMF_CODE.secboot.fd'
+            data = '/usr/local/share/OVMF-Fedora33/OVMF_VARS.secboot.fd'
+        elif 'qemu-system-i386' in args.qemu_command:
+            code = '/usr/share/OVMF/OVMF32_CODE.ms.fd'
+            data = '/usr/share/OVMF/OVMF32_VARS.ms.fd'
+        else:
+            VirtSubproc.bomb('Unknown architecture for Secure Boot')
+
+        shutil.copy(data, '%s/efivars.fd' % workdir)
+        argv.append('-machine')
+        argv.append('q35,smm=on')
+        argv.append('-global')
+        argv.append('driver=cfi.pflash01,property=secure,value=on')
+        argv.append('-drive')
+        argv.append('if=pflash,unit=0,format=raw,read-only=on,file=' + code)
+        argv.append('-drive')
+        argv.append('if=pflash,unit=1,format=raw,file=%s/efivars.fd' % workdir)
+    elif args.efi:
         code = None
         data = None
 
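Review bot: the qemu-system-x86_64 branch hardcodes firmware under /usr/local/share/OVMF-Fedora33/, a locally built copy that will not exist on other hosts, while the qemu-system-i386 branch uses packaged files under /usr/share/OVMF/; both branches should point at packaged firmware (the 64-bit counterpart of the OVMF32_CODE.ms.fd / OVMF32_VARS.ms.fd naming used here, to be confirmed against the ovmf package contents), and the code should check os.path.exists(code) and os.path.exists(data) before shutil.copy so a missing firmware ends in a clear VirtSubproc.bomb message rather than a traceback. The secure-boot branch also duplicates the `code = None` / `data = None` setup of the --efi branch that follows it; since the only differences are the firmware paths and the extra `-machine q35,smm=on` and `-global driver=cfi.pflash01,property=secure,value=on` arguments, folding both into one branch that selects paths and adds those two arguments when args.secure_boot is set would keep the pflash handling in one place.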
