diff --git a/scripts/test/mender-convert-qemu b/scripts/test/mender-convert-qemu index 7e8cd6c..e9956fb 100755 --- a/scripts/test/mender-convert-qemu +++ b/scripts/test/mender-convert-qemu @@ -20,7 +20,8 @@ qemu-system-x86_64 \ -m 512 \ -net user,hostfwd=tcp::8822-:22 \ -net nic,macaddr=52:54:00$(od -txC -An -N3 /dev/urandom|tr \ :) \ - -bios ${ovmf_file} \ + -drive file=${ovmf_file},if=pflash,format=raw,unit=0,readonly=on \ + -drive file=./uefi-nvram/OVMF_VARS.fd,if=pflash,format=raw,unit=1,readonly=on \ -drive format=raw,file=${DISK_IMG} & qemu_pid=$! diff --git a/tests/mender-image-tests b/tests/mender-image-tests index 626c9f4..7c081c0 160000 --- a/tests/mender-image-tests +++ b/tests/mender-image-tests @@ -1 +1 @@ -Subproject commit 626c9f43f615531d4ec45c2e388b8829d91e087c +Subproject commit 7c081c042f0024e87e9e15144b18d991fb378bcd diff --git a/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt b/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt new file mode 100644 index 0000000..d6a50b8 Binary files /dev/null and b/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt differ diff --git a/tests/uefi-nvram/OVMF_VARS.fd b/tests/uefi-nvram/OVMF_VARS.fd new file mode 100644 index 0000000..fbb72b7 Binary files /dev/null and b/tests/uefi-nvram/OVMF_VARS.fd differ diff --git a/tests/uefi-nvram/README.md b/tests/uefi-nvram/README.md new file mode 100644 index 0000000..3c9cdd4 --- /dev/null +++ b/tests/uefi-nvram/README.md 
@@ -0,0 +1,71 @@ +UEFI NVRAM +========== + +This directory holds the NVRAM file which is used as the firmware memory of the UEFI software which +runs under QEMU. It's main purpose is to start the UEFI software with certificates pre-loaded into +the firmware memory, and Secure Boot enabled. + +How to recreate the `OVMF_VARS.fd` file +-------------------------------- + +1. Create the `OVMF_VARS.fd` file: + ```bash + cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd + ``` + +2. Create a filesystem which contains the UEFI certificates: + ```bash + dd if=/dev/zero of=/tmp/cert-filesystem.fs bs=1M count=10; \ + mkfs.vfat /tmp/cert-filesystem.fs; \ + mkdir cert-filesystem; \ + sudo mount /tmp/cert-filesystem.fs cert-filesystem -o loop,uid=$UID; \ + cp *.crt cert-filesystem; \ + sudo umount cert-filesystem; \ + rmdir cert-filesystem + ``` + + Tip: If you ever need to re-fetch the certificate files, run `mokutil --db` on your own + computer. This lists your installed certificates, and they come with URLs which say where you can + download them. Make sure you download the `.crt`, not the `.crl`. + +3. Launch QEMU with the NVRAM and the filesystem containing the certificates. *Make sure to press F2 + quickly after the window appears to enter the firmware menu*: + ```bash + qemu-system-x86_64 \ + -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \ + -drive file=./OVMF_VARS.fd,if=pflash,format=raw,unit=1 \ + -drive file=/tmp/cert-filesystem.fs,if=ide,format=raw + ``` + +4. After having entered the firmware menu, perform the following steps: + + 1. Enter "Device Manager". + + 2. Enter "Secure Boot Configuration". + + 3. Switch "Secure Boot Mode" to "Custom Mode". + + 4. Enter "Custom Secure Boot Options". + + 5. Enter "PK Options". + + 6. Enter "Enroll OK". + + 7. Enter "Enroll PK Using File". + + 8. Locate the certificate file in the filesystem that you created in main step 2, and add it. + + 9. Make sure to select "Commit Changes". + + 10. 
Repeat the same process starting from sub step 5, except for "DB Options" instead. + + 11. Go back to the "Secure Boot Configuration" screen. "Attempt Secure Boot" should now have + been auto-selected. If it's not, enable it and save the change. + + 12. Go back to the main manu and select "Reset". After the setup has been exited, you can kill + QEMU. + +5. Clean up: + ```bash + rm -f /tmp/cert-filesystem.fs + ```
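Review bot: in the `scripts/test/mender-convert-qemu` hunk, `./uefi-nvram/OVMF_VARS.fd` is resolved against the current working directory while the file is added under `tests/uefi-nvram/`, so the script only finds it when run from `tests/`; resolve the path against the script's own location or pass it in the same way as `${ovmf_file}`. The switch from `-bios` to `if=pflash,unit=0` also changes what `${ovmf_file}` must contain: `-bios` took the combined `OVMF.fd`, whereas the pflash split expects the code-only `OVMF_CODE.fd` paired with the separate variable store on `unit=1`, so check that `${ovmf_file}` now points at the code-only image. Finally, `readonly=on` on the variable store is a reasonable way to keep the committed `OVMF_VARS.fd` pristine across runs, but it means the firmware cannot persist any variable writes (BootOrder, MOK enrollment, dbx updates); a one-line comment saying this is deliberate would save the next reader from debugging "lost" settings.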
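Review bot: the `tests/mender-image-tests` submodule bump from 626c9f4 to 7c081c0 has no accompanying explanation in this diff; state which test changes it pulls in (presumably the ones that expect the Secure Boot state baked into the new NVRAM) so the submodule update and the firmware changes can be reviewed as one unit.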
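Review bot: `tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt` is a binary blob that cannot be reviewed inline, and the README only says to re-fetch it via the URLs that `mokutil --db` prints. Record the certificate's SHA-256 fingerprint (or the exact download URL) in the README so a reviewer can confirm it is the genuine Microsoft Corporation Third Party Marketplace Root rather than a substituted certificate, since whatever key is enrolled here decides which binaries the test firmware will boot under Secure Boot.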
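Review bot: `tests/uefi-nvram/OVMF_VARS.fd` is an opaque variable store, so the README should state what it contains. From the enrollment steps, the same certificate is enrolled as PK (sub steps 5 to 9) and in db (sub step 10), no KEK is enrolled and dbx is never populated; the test firmware therefore trusts anything signed under that CA with no revocation list, which is fine for a boot smoke test but will not catch an image shipping a revoked shim. The README should also record which OVMF package version the file was copied from in step 1, because the variable store layout has to match the `OVMF_CODE.fd` used at runtime and a mismatch fails silently with the store ignored.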
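Review bot: the new `tests/uefi-nvram/README.md` has a few wording slips: "It's main purpose" should be "Its main purpose", sub step 6 "Enroll OK" is presumably "Enroll PK" given that sub step 7 is "Enroll PK Using File", and "main manu" in sub step 12 should be "main menu". Step 2's `cp *.crt cert-filesystem` assumes the shell is already in `tests/uefi-nvram/`; say so, since steps 1 and 5 use absolute or `/tmp` paths and give no hint about the working directory. It is also worth noting in the README that step 3 deliberately mounts `OVMF_VARS.fd` writable (the enrollment has to persist) whereas the test script mounts the committed file with `readonly=on`.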