[pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.

Fiona Ebner f.ebner at proxmox.com
Thu Nov 6 16:42:55 CET 2025


Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").

The path to the AAVMF variables image differs from the one used in Debian's
upstream packaging.

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 debian/control                |   1 +
 debian/edk2-vars-generator.py | 140 ----------------------------------
 debian/rules                  |  59 +++++---------
 3 files changed, 22 insertions(+), 178 deletions(-)
 delete mode 100755 debian/edk2-vars-generator.py

diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
                pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
                python3,
                python3-pexpect,
+               python3-virt-firmware,
                qemu-utils,
                uuid-dev,
                xorriso,
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <dann.frazier at canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser()
-    parser.add_argument(
-        "-f", "--flavor", help="UEFI Flavor",
-        choices=['AAVMF', 'OVMF', 'OVMF_4M'],
-        required=True,
-    )
-    parser.add_argument(
-        "-e", "--enrolldefaultkeys",
-        help='Path to "EnrollDefaultKeys" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-s", "--shell",
-        help='Path to "Shell" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-C", "--certificate",
-        help='base64-encoded PK/KEK1 certificate',
-        required=True,
-    )
-    parser.add_argument(
-        "-c", "--code",
-        help='UEFI code image',
-        required=True,
-    )
-    parser.add_argument(
-        "--no-default",
-        action="store_true",
-        help='Do not enroll the default keys, just the PK/KEK1 certificate',
-    )
-    parser.add_argument(
-        "-V", "--vars-template",
-        help='UEFI vars template',
-        required=True,
-    )
-    parser.add_argument(
-        "-o", "--out-file",
-        help="Output file for generated vars template",
-        required=True,
-    )
-    parser.add_argument("-d", "--debug", action="store_true",
-                        help="Emit debug messages")
-    args = parser.parse_args()
-
-    FlavorConfig = {
-        'AAVMF': {
-            'EfiArch': 'AA64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.AAVMF,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF_4M': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-    }
-
-    eltorito = FatFsImage(64)
-    eltorito.makedirs(os.path.join('EFI', 'BOOT'))
-    removable_media_path = os.path.join(
-        'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
-    )
-    eltorito.insert_file(args.shell, removable_media_path)
-    eltorito.insert_file(
-        args.enrolldefaultkeys,
-        args.enrolldefaultkeys.split(os.path.sep)[-1]
-    )
-    iso = EfiBootableIsoImage(eltorito)
-
-    q = FlavorConfig[args.flavor]['QemuCommand']
-    q.add_disk(iso.path)
-    q.add_oem_string(11, args.certificate)
-
-    child = pexpect.spawn(' '.join(q.command))
-    if args.debug:
-        child.logfile = sys.stdout.buffer
-    child.expect(['Press .* or any other key to continue'], timeout=None)
-    child.sendline('\x1b')
-    child.expect(['Shell> '], timeout=None)
-    child.sendline('FS0:\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    enrollcmd = ['EnrollDefaultKeys.efi']
-    if args.no_default:
-        enrollcmd.append("--no-default")
-    child.sendline(f'{" ".join(enrollcmd)}\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    # Clear the BootOrder. See #1015759
-    child.sendline('setvar BootOrder =\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    child.sendline('reset -s\r')
-    child.wait()
-    shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
 endif
 	ln -sf `basename $<` $@
 
-debian/oem-string-%: debian/PkKek-1-%.pem
-	tr -d '\n' < $< | \
-		sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor   = virt-fw-vars --input $(1) --output $(2) \
+                    --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+                    --set-pk OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-kek OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-db OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem
 
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		-C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
 
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_snakeoil,$(AAVMF_VARS),$@)
 
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
 
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
 
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
 
 BaseTools/Bin/GccLto/liblto-aarch64.a:	BaseTools/Bin/GccLto/liblto-aarch64.s
 	$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
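Review bot: The `enroll_vendor` macro advertises a third `<uefi-arch>` argument in its usage comment and every call site passes one (`arm64` on the AAVMF rule, `amd64` on the two OVMF rules), but `$(3)` never appears in the macro body, so the architecture is silently ignored; either drop it (`# Usage: $(call enroll_vendor,<var-template>,<output-file>)` and remove the trailing argument from the three calls) or, if an arch-specific step was intended, wire `$(3)` into the recipe so the mismatch is not papered over. Separately, the new recipes no longer boot the firmware under QEMU, yet `$(AAVMF_ENROLL) $(AAVMF_SHELL)` / `$(OVMF_ENROLL) $(OVMF_SHELL)` and the `*_CODE*.fd` images remain prerequisites of every vars target; if nothing outside this hunk still consumes the EnrollDefaultKeys and Shell binaries, those dependencies (and the builds behind them) look stale and should be pruned rather than kept as leftovers of the pexpect flow. Since the enrolled PK/KEK/db content now comes straight from `virt-fw-vars` with no interactive confirmation, consider adding a post-generation check that dumps the resulting store (for example `virt-fw-vars --input $@ --print`, if that option is available in the packaged version) so a wrong certificate or an empty db fails the build instead of shipping silently. The enclosing rules file continues on both sides of the hunk.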
-- 
2.47.3




