
WIP: Dasharo UEFI Secure Boot support in QEMU Q35 #106

Closed
wants to merge 9 commits into from

Conversation

pietrushnic
Contributor

Extend OvmfPkgX64 DSC and FDF to support adding an externally built
ipxe.efi file in a similar way as other Dasharo supported platforms do.
This patch requires improvements in PlatformBootManagerLib to register
a bootable iPXE option. Although it does not have that yet, it is the first step
to enable iPXE support in Dasharo EDK II for QEMU Q35. In the long run it
should allow enabling other Dasharo System Features like
enabling/disabling the network stack.

Signed-off-by: Piotr Król <[email protected]>
The OvmfPkg implementation of PlatformBootManagerLib was different from the
UefiPayloadPkg implementation; because of that there were problems in
porting one-to-one the code that registers and unregisters the iPXE file as a boot
option. PlatformBootManagerLib PlatformRegisterFvBootOption gained a
BootNow parameter and a PlatformUnregisterFvBootOption function.

Signed-off-by: Piotr Król <[email protected]>
* Add ipxe.efi to the firmware volume.
* Based on the NetBootEnable UEFI variable, register or unregister iPXE as a boot
option.

Signed-off-by: Piotr Król <[email protected]>
Add support to build ipxe.efi and use it in Dasharo (UEFI) build for
QEMU Q35.

Signed-off-by: Piotr Król <[email protected]>
Provide the gUefiPayloadPkgTokenSpaceGuid.PcdiPXEOptionName PCD as a build
time option in ./github/scripts/build-qemu.sh

Signed-off-by: Piotr Król <[email protected]>
Remove the iPXE option name as a build time parameter to keep the Dasharo (UEFI)
build for QEMU Q35 as close to UefiPayloadPkg as possible.

Signed-off-by: Piotr Król <[email protected]>
@macpijan
Contributor

macpijan commented Nov 3, 2023

@pietrushnic Was anything missing in this MR?

@pietrushnic
Contributor Author

@macpijan this is not validated. I was stuck on OS installation from netboot.xyz before I could pass the next test. I would focus on merging things related to iPXE. Here there is nothing more yet and I don't know if there will be if UEFI Secure Boot will work on #101 + miczyg's new UEFI Secure Boot.

@pietrushnic pietrushnic changed the title Dasharo UEFI Secure Boot support in QEMU Q35 WIP: Dasharo UEFI Secure Boot support in QEMU Q35 Nov 3, 2023
@macpijan
Contributor

macpijan commented Nov 9, 2023

@pietrushnic So I guess we do not need this anymore? SB works for me from the main branch (except the keys are reset by default, which is different than on real HW).

@pietrushnic
Contributor Author

@pietrushnic So I guess we do not need this anymore?

@macpijan most likely yes. So far I have not introduced any EDK II modifications related to secure boot, but we didn't test it comprehensively.

except the keys are reset by default, which is different than on real HW

I don't understand that part. From what I see I can't enable secure boot if I do not reset keys, which equals provisioning the default PK, db, dbx and KEK: https://docs.dasharo.com/dasharo-menu-docs/device-manager/#custom-mode-and-key-management

@macpijan
Contributor

@pietrushnic

From what I see I can't enable secure boot if I do not reset keys

On QEMU you cannot, on the hardware you can. The initial behavior is different, in that the default keys on the HW are already provisioned after flashing.
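
As an added example that is not part of this PR or of Dasharo's code, the following Python checks the state the thread is talking about: it parses efivarfs blobs for SecureBoot, SetupMode and PK and reports whether the firmware is still in setup mode (no PK enrolled, so keys must be provisioned before Secure Boot can be enforced) or is enforcing. The sample blobs are constructed; the sysfs path and the efivarfs layout are the standard Linux ones.

```python
import struct
from pathlib import Path

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
SIGLIST_HDR = 28  # EFI_SIGNATURE_LIST: SignatureType GUID (16) + three UINT32 sizes

def parse_efivar(blob):
    """efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob shorter than its attribute header")
    return struct.unpack_from("<I", blob, 0)[0], blob[4:]

def count_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain of a PK/KEK/db/dbx payload, rejecting bad sizes."""
    count, off = 0, 0
    while off < len(data):
        if off + SIGLIST_HDR > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        list_size = struct.unpack_from("<I", data, off + 16)[0]  # SignatureListSize
        if list_size < SIGLIST_HDR or off + list_size > len(data):
            raise ValueError("malformed SignatureListSize")
        off, count = off + list_size, count + 1
    return count

def secure_boot_state(secureboot, setupmode, pk):
    """'setup-mode' (no PK, keys need provisioning), 'enforcing' or 'user-mode-disabled'."""
    sb = parse_efivar(secureboot)[1]
    setup = parse_efivar(setupmode)[1]
    pk_lists = count_signature_lists(parse_efivar(pk)[1]) if pk else 0
    if setup == b"\x01" or pk_lists == 0:
        return "setup-mode"
    return "enforcing" if sb == b"\x01" else "user-mode-disabled"

def state_from_sysfs():
    """Read the live variables; PK is absent on a firmware whose keys were reset."""
    def read(name):
        path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        return path.read_bytes() if path.exists() else None
    sb, setup, pk = read("SecureBoot"), read("SetupMode"), read("PK")
    if sb is None or setup is None:
        raise RuntimeError("SecureBoot/SetupMode not exposed: not a UEFI boot or efivarfs unmounted")
    return secure_boot_state(sb, setup, pk)

# Constructed sample blobs: 4-byte attributes, then the variable payload.
PK_SAMPLE = b"\x27\x00\x00\x00" + b"\x00" * 16 + struct.pack("<III", 36, 0, 8) + b"\xaa" * 8
SETUP_MODE_SAMPLE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01", None)
ENFORCING_SAMPLE = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00", PK_SAMPLE)
```

On a live system `state_from_sysfs()` returns the classification; the constructed samples exercise the setup-mode and enforcing paths offline.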

@macpijan
Contributor

macpijan commented Dec 6, 2023

I could pass SB tests without these changes: Dasharo/open-source-firmware-validation#118 (comment)

@macpijan macpijan closed this Dec 6, 2023
@macpijan macpijan deleted the qemu_q35_v0.1.0-rc4 branch December 6, 2023 10:14
Successfully merging this pull request may close these issues.

Secure Boot Suite shall pass under QEMU