From 1b3ab7c5e0692eaa8e192a7dabe80c5a26c482f0 Mon Sep 17 00:00:00 2001
From: Kristian Amlie <kristian.amlie@northern.tech>
Date: Tue, 15 Mar 2022 13:04:15 +0100
Subject: [PATCH] MEN-5255: Enable and start testing Secure Boot.

This is using pre-signed binaries by Microsoft, Canonical and Debian,
no customized signing.

Changelog: None

Signed-off-by: Kristian Amlie <kristian.amlie@northern.tech>
---
 scripts/test/mender-convert-qemu              |   3 +-
 tests/mender-image-tests                      |   2 +-
 .../MicCorThiParMarRoo_2010-10-05.crt         | Bin 0 -> 1539 bytes
 tests/uefi-nvram/OVMF_VARS.fd                 | Bin 0 -> 131072 bytes
 tests/uefi-nvram/README.md                    |  71 ++++++++++++++++++
 5 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt
 create mode 100644 tests/uefi-nvram/OVMF_VARS.fd
 create mode 100644 tests/uefi-nvram/README.md

diff --git a/scripts/test/mender-convert-qemu b/scripts/test/mender-convert-qemu
index 7e8cd6c..e9956fb 100755
--- a/scripts/test/mender-convert-qemu
+++ b/scripts/test/mender-convert-qemu
@@ -20,7 +20,8 @@ qemu-system-x86_64 \
     -m 512 \
     -net user,hostfwd=tcp::8822-:22 \
     -net nic,macaddr=52:54:00$(od -txC -An -N3 /dev/urandom|tr \  :) \
-    -bios ${ovmf_file} \
+    -drive file=${ovmf_file},if=pflash,format=raw,unit=0,readonly=on \
+    -drive file=./uefi-nvram/OVMF_VARS.fd,if=pflash,format=raw,unit=1,readonly=on \
     -drive format=raw,file=${DISK_IMG} &
 
 qemu_pid=$!
diff --git a/tests/mender-image-tests b/tests/mender-image-tests
index 626c9f4..7c081c0 160000
--- a/tests/mender-image-tests
+++ b/tests/mender-image-tests
@@ -1 +1 @@
-Subproject commit 626c9f43f615531d4ec45c2e388b8829d91e087c
+Subproject commit 7c081c042f0024e87e9e15144b18d991fb378bcd
diff --git a/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt b/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt
new file mode 100644
index 0000000000000000000000000000000000000000..d6a50b817ab7263155aa5f49f293d87a4e696fa2
GIT binary patch
literal 1539
zcmXqLV*PK>#Qb~#GZP~dlYsHmIg$Y$g%h1D?iXL)GRxM0myJ`a&7<u*FC!y2D}zDf
zL_=-^PB!LH7B*p~&|pJh13?gnLzpW(u{a|$FTEr`&rraC4<yJg%pR1QlAE8GVkl=I
z0}|m97WK_cF3K;?Pb*Py&Mzv+FG?)Q1nRIhums673majTR|v_-EJ{%bNGvL;RPaqK
z%1$jQ$Vp62RS3$@FENl4=QT7iG%zqVGBPkSvWODrH8zEEEsc$%2Bn*un3Rx%mXVc#
zxrvFN!JvtWi>Zl;k>SJIxF!cy-3*n;)AzVuw4CwSX)U{<J4lsJNaToss8!3p#s{U(
zcJcj4e4H(NZm!(@`5MM%x0;PkEL`|D((6%A0#8=c##x+;VwChO-%k40$XNA%V#b8l
z#dEr*Hx~*`$uqhxs{SmUyZ&hv)9(rYKX@`ooj2gA{{PZ%1>0XGL$Ta@p1IRjO;i(O
zcAPCH@@~eCXz$A(^>5c1{Ha`)A>`FoZu91;@!|Wg8bc-5a>S)xzPEmFT#2w+^PF=L
zVIB{<mS;|STXZ|U>CiI^zw`0h3#>06?w&PETqrbTSxWJgAHiXtWFPLnd2Z4p_2}9o
zVRK%G|KXkYWKmV*%)QD-QgbHca%_rgm&#jy@xv=tqt*(x0MBVNIyJ(wc{M9d(|07z
zUwr<3Yx0kMVt3w7VX4VY<eyz(BG=?|S4*Zpw_)4eDpvWHw>Lts3%+ijEIxmhFP}!q
zsx_Scd>s4#Mea{~_vmw=jCh}&U39%l#bTK+rw(0{{QKhdTmLCb<4umtc@(nCqq#f9
z<+78tXx1^V3;`7_rF!oTmDlb)eJn0HVFsJk>&V7seqW|3+b`-pQ+7hqZ*NAZ&5ghP
zEiRUwz5<C;rC!WAv;L#6#kwY$WSRXLuUr?IZR^Nl(aAoYcICJuC-2(N8@9|4D$Z2z
zOL)fi=3Q65!PD5=VIMwd2iYvQ){?3_@SpkUn+KZrnV1<F7#9Z`_#1EoGlncb3kxuR
zwi)n)IKqsK|5;cKn1PgmEJ%QlMT|wnH7&^bVO@ma{%d~oltVeJt(3A>7znU&YO^u2
zFgBTsGJ;HCKu&bP{0vNVj12md!e>_9J-H;|k=asrM<ITPmW3WXb^=SjZJm5xODkoH
zquU!fm9HnFuar%fa^3pmYT$|6u`?a~Y@WKWJi4$g)>ty<V&6yZuV+ejDCEs|_d2mD
zAh|HOZ7Xm3NonbD?wN|$Pt4Vu^x8Jcp>kLIw*A6idm9&gbKITMwf)hJebOd>tqKI6
zulT*|XR*sEE8l&Oi&pVTE;HP1QdfVdruK4P^KGu#hrK8F--~{4knfgec1^Q+MbwT2
zo+mbZn_LQHYGSkvOA0OGcb#1!^UJkslKjO~fugA|{0%hrJo@IISZgh3rmDp&=5}&@
zw7`Od^#xO(F~@&la@us}|Ejk8Y9}n(b{zPh>!Wn^vB{G(&I?gbqIFg$pLkm+W^&s{
z=2ww}w2^sZn$q!=(f0SBGE6xl_)WT-b3^k9=}y;u^VhT0xBvB=#cuHN%c17EyH2vi
zHCqNpGricg>AG@h{L0F28WXRrFixJa(m1cd>Dwt&iJ%QysmW?RFS`9RCV1U`(&84K
z(6WE;o%vJcYCNRdo30nfKD6zRP}&sqM225guHdXy$dqL>PR!iTBg}a9hO6sDPgAd$
zO|dig*?a$1`Etu-?RH1s13xxMc(Lkv|M+!&qm#rc!AgHVukS}Rrs#3?l*~0^nPs}W
pF+=^=!e8yV8*eV>d4KM}x;(Qt2l_wzDg0gb_*-tGv8T#8JpkSSbU*+A

literal 0
HcmV?d00001

diff --git a/tests/uefi-nvram/OVMF_VARS.fd b/tests/uefi-nvram/OVMF_VARS.fd
new file mode 100644
index 0000000000000000000000000000000000000000..fbb72b7206521efb08fc387c00ec2869e8fdd699
GIT binary patch
literal 131072
zcmeI&2V7J~9tZH*0@8~hiXb6aKqO|VDxiXbQlyB03N}JlSa3ljMxzuViWRYd1xsus
zis96F8quh^pfQ%1SYo0E(RhmOG{l%7_n%$KsoBNN$C}G;_`KbHZ)fMtd}rRwym>J8
zXqeUIR^!6)g#$KBv+ds^IwX`ap*+IKevy8S_r=VQng2ougx3715r0vH2@bc*-zhHb
zyK-t*)8Kt?7i~YsSk!&RcjXbDOw<%n#k(0D7tp3xH-3*@dP(0Eva#2P`4pD*W#d=|
z%VcRRl?Bmj9E;~EG?qv7X14rOGr@qq6VoQWSatflai{&aoZRa2x?$|ZSV}`iX~wa)
z9>i#*^gLPnX42wcwWW>c@qBH@+`3WHz!K2_8_!OLo{^NElu}EhR0HXA7UejYjpwoD
z`D{U-nhRR=CC{g^SNc_<>2c%PZ?hE#l4Tx2ES&YF<NTaFe@{xsl;ZK)iaA$XcyRt#
z#^w6#{9;j;nSCf{X;j`2${+WWQ5+&vD{n0+W-r=Qr72;GKgP5vn+`03B{Of9PJdLU
z7N+dLuI-bq-gOBnztXF=BHnDJSksifUhdG(biBwnS2|<corLy|QyRrozTQtPA8&5T
z$`?-OOr>(AQCrERIO>*-*C%h6kC!c!rLY)EDM4PNscZo4Nm(MrjF%FdT5dWNo7d^%
zX+NA+qMCKk)b1`%`G<H@y{_M`Z@QhHIbwQwB;`xSd}))(bJ|ayZ=O#@dwx=T(W96)
zO7hs3Qj;=&+Q?g=$Buf7cyX9Oph+(ej>s=)UUTZ5i(iZWv_0;jI9JGnnp1T)fd)Un
z$iRfZF}9aq5sYaG1R@<%HmLun=c|7C%D7aI&9&|QX^=cq>Rd0p{9|ZSo+q`+FA%E~
zdOmqp<)~-{FUOJRsYs>cv&~bp;JjJ<iAJJs8`+|=Y%jKryy&v4s@Lby)?P;0Hmj`H
zSG3J4LlO!_G=C5XrmEi;^M3EP%Ci4O+cen-#HMUXR8;=(?F0JfMZ_Pg$_uRdy*r@t
zJ_t`WX7Fp`25rj6jK5^Nc?NRo&jF4pv3sTalV_l#?%bBQt;gGy;(p?PvuujuHSpx3
zGP+ZukLt}u`Mmi_X**IJ3J=n5O&`^-)3p@)@q9mzd0q3}-_uu=I`zaI`3(EzmsdXZ
zmfyFkGtVzqndcYY-#=|Pt=9e5Uv+N(o|1ZcPW|HxsRw?&D7)`_9%bTJ1iyymx2AMn
zRe|46^R<#=QlDtu3*{jNZQa7_R*#zM%AA-hbCIuTIMQcl`s~WwD5iU;fEK$dD)=3}
z;@(r;{*j+Y**bvoH5q|g>mYnhCX}|v`=F*Y6{7|3(Rp5NXidhK^`ly_rq>j@x96)f
zS@eynyKOPu<}=3UlffTqWgC|b4Vq?9(>BauXr+2%0xvU9LRJ1AU566TnvQzo7%z8t
zGwCYI?L;w}E4MY(Y;$GjzkRy0^YuLS%Pvy8&PO+suA=PD6ocpA>Y+LxNVOkC`_{~d
zMbh>L3!|05Ale^DuT3)xXWIXx3N5e*wB#u&6H({>nYRVLc=TsH6l+RPUJvB$A*GqL
z6=idw7^+SDXtgqoRD9_A7(}bLkE%E}qe96(Wjo<x)Sq+FP`j<nY9?)kiz~(8E*=lH
zl~6W>TFZFq_pF&6wGMAue|D!nP<g-DnST9;K13wa?a0EySxc8l`dUR0C~Hn?&1HCd
zQZ|=u>ihoKw}`0!)u8@J{XS+BokLZ<DD3!{!0n<Qvh$<9DV+M{7oaE7v!IhJ4Wc$;
zrL9t(xh=Ql_X?`YuG+SR+U;^kGwCaAyHN~o>+t)i#b>CQ^5+&(TJcVywmFC;(SC~j
z>R0uYA$N^<Qm^HfAsge*hb0}|a*Q`QMH_h1{J??E?nPUf*nB`Y@8dyBjS3g7@7-`O
zh|ZZRUun;xn$Dt8G@g15>F>`8_%nlK`P#Xn&$FjAv}xnx0T1nI<Kv<&6^}1yucM9U
z#f&Bhe2$RTiZMfa=YjXFPs*nm#p6=yJu_20i?Zd3KM0pvhzxZ*+coXV-+BJtq?gCr
zKq&Q%jIA8HXH9MKx`2YMAG8|Q<))0s<iSMAFC;k{jglPEk1Iq%flz4VykMz$sNdLm
zeY&5^IKHK{r$k><+dkhf|7U%HKv#oFvgbMKO0+da5n@dfVZ<Ou6Nxe3(K68)9Fvih
zEKSTzlR6qn4EVtoCN09^<5JV4agJ6JOMXPhq*YLItSl`fEg{poZ<;JUO%{`xOuz7u
z^x)r%Oq`T{ZylbLEQ_-ajge($SqH_)#>8i)r^Lj@TZg5kWlF4C>pMyuB@$OBCyA3&
z_o&wT&aMx3dpJ8sy^?v(5!yUVOHUz0IYL7w$r0)ZbA$qRbK{5{FO4^nIt=~dtj^`U
zLw^7CXt%jAtfN6o)BQ%R-1Dlk&yTyb!{Bbrg)!|8FS9yVX6NkoZLU-G%9YoK2Gq<P
zr8hd~qf+fv!)&_txK>o3EtuFiFKO<y)k|kA${pLXSn71LmF=ZO-6<C*3V)s3c+;P?
zJtEP2r}5vx>opr}9L-YC`ll`|pV!Gu<h{hq^!noM(SgTry?N$c$!}R}lUfGkzwKFf
z(RtswE7=j|8?{EnA3s~MYec3=r`)B7heZ0FpRq2v=$h<IV$R-6-Gh&e?6Sh+_`br@
z($*~_!q>)S6yF^b`JZ+_>^yzAsKz#W^8U!BR|o&5zr1$U#Gxg-+V77~nVYIrIijGg
zbltI=S2UcaP0$SWU$}U>UE~=3&RMRB+utf%edNZp*t=C`-(4#fPfCq3Tr$DMDrdm=
z_Lg%}r*8XxqQ+}^*G@&8G`?Cezjaw@kbzxh`G?ve23ouC58a(`z2^2n%ht1d^@^U-
zVZv(5I|uikFmJeg^;$^rnvpL1m)3;u@XIZX^Euwfqt)nt=_DC-u(z2KxH;>@*^3ui
zo6lXW>3(%+_S)b(3)}ZzHS5s$YV+V-NfDl>8s_Br^q3xG6tkf1<)w!zZUuGUlw%od
zxjX5K?<%)#?~N8ajQJwr>(9Nl^*7$$yk&9AjAYx{qb_OIU7wLAxj6hx<jtF1!aUb`
z*tdOmPowCwy7QgS2}J@XSUpe@BGIJ_qn)8xOxI_=#E|cp2n3B{4T*@}B<=VC1F@Od
z)Hfll?+@<|G2VS5czOE>Ef05_(d#8fn%Z471!6%?w^jn40(-d8(e+G?PQczQ8eB5*
z`vdQfs&QM>-@B!uSKdlLy<SG|*KeJF#NIxx*t=hyRfnIdqrV=%sIBkT+HVF{pBY}_
z73_Jj|Ax<2<_~u^PdPUGmhMl7GPhex%lZdYSBA!p9hARSKk<Nt#bDi%*H2b2>soZR
zXOvggj)HBwO@5k{y`tWGXWWdBYfe>JxHPz@8~?ce*B!rP_#AW(s=6R6H!xr8xYOm`
zDSIbPJ}%8YqqAgR;QTpfqi;yk`X#uX=$yMgYWpa?T2F&YpLEMf!@4+Tj_p2j$Cv9Z
z@A=LsdhJ-ek!-=`5Q*I<HTC^tCVN=9b+p$v>vy0c+Gxe7iu47SL?iDA`&1rkEYCmJ
zsk(dq_C1ZM18hFK;8L5QeKe{z+TnxP>T6@oT+R%zyeIRraO#$wVDtHg=-%fpvf};5
z^%jNNn{%rzru$ZvRcKBrXz(v>A-Q#DZ|<@k2gD<Cdkl&eUfxl8vi-P`8?x%{=ABsY
z9J_dfvvg{o`h%`*!ZzE-$99@|xiBPYZorw^ynfN6@^<g~u55wTBtMISoRb;Df9N@9
zh)rc!t)*c{tMo73!;9B0t}fZFXCnCKl&|kRf7gIvmBUM_dI$d6;m)@%8$b3A+H-ev
zn*fcjfp_m6`KV8ua^tKJgMgp++ZA`!nVGrFNnGl>Gds!l-pYFgsUMwQr+4G<o=sA>
zx;=Al2U|C+y-=ST<LuwzaMuUV%K5n0Txfc}t^WU2sCS>wpKbH;@pIkPH?=AveM|N;
zBkcq3K7(l7j-@BgGJ0>CH~P{z9z*{Rl0wJmSMs^&vmJkVo?p<IZr|w<Zazr!k@|~D
z^ONp97y7RL<lCbLiScQQ|9@$2On)R9+QFFqQsyBT(=n!FOvjl13XSQ{dTgYr0s;ge
z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz
z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<
z0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb
z2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##
zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|
zfB*y_@HZ3a(s{`8q)C(gR~(LK4P_P!94Z{*?vufJLnaS@GY%9N0uX=z1Rwwb2tWV=
z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf
zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_
z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz
z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<
z0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb
z2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##
zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P-n{t-yZ)?w7#p

literal 0
HcmV?d00001

diff --git a/tests/uefi-nvram/README.md b/tests/uefi-nvram/README.md
new file mode 100644
index 0000000..3c9cdd4
--- /dev/null
+++ b/tests/uefi-nvram/README.md
@@ -0,0 +1,71 @@
+UEFI NVRAM
+==========
+
+This directory holds the NVRAM file which is used as the firmware memory of the UEFI software which
+runs under QEMU. It's main purpose is to start the UEFI software with certificates pre-loaded into
+the firmware memory, and Secure Boot enabled.
+
+How to recreate the `OVMF_VARS.fd` file
+--------------------------------
+
+1. Create the `OVMF_VARS.fd` file:
+   ```bash
+   cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd
+   ```
+
+2. Create a filesystem which contains the UEFI certificates:
+   ```bash
+   dd if=/dev/zero of=/tmp/cert-filesystem.fs bs=1M count=10; \
+   mkfs.vfat /tmp/cert-filesystem.fs; \
+   mkdir cert-filesystem; \
+   sudo mount /tmp/cert-filesystem.fs cert-filesystem -o loop,uid=$UID; \
+   cp *.crt cert-filesystem; \
+   sudo umount cert-filesystem; \
+   rmdir cert-filesystem
+   ```
+
+   Tip: If you ever need to re-fetch the certificate files, run `mokutil --db` on your own
+   computer. This lists your installed certificates, and they come with URLs which say where you can
+   download them. Make sure you download the `.crt`, not the `.crl`.
+
+3. Launch QEMU with the NVRAM and the filesystem containing the certificates. *Make sure to press F2
+   quickly after the window appears to enter the firmware menu*:
+   ```bash
+   qemu-system-x86_64 \
+       -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \
+       -drive file=./OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
+       -drive file=/tmp/cert-filesystem.fs,if=ide,format=raw
+   ```
+
+4. After having entered the firmware menu, perform the following steps:
+
+    1. Enter "Device Manager".
+
+    2. Enter "Secure Boot Configuration".
+
+    3. Switch "Secure Boot Mode" to "Custom Mode".
+
+    4. Enter "Custom Secure Boot Options".
+
+    5. Enter "PK Options".
+
+    6. Enter "Enroll OK".
+
+    7. Enter "Enroll PK Using File".
+
+    8. Locate the certificate file in the filesystem that you created in main step 2, and add it.
+
+    9. Make sure to select "Commit Changes".
+
+    10. Repeat the same process starting from sub step 5, except for "DB Options" instead.
+
+    11. Go back to the "Secure Boot Configuration" screen. "Attempt Secure Boot" should now have
+        been auto-selected. If it's not, enable it and save the change.
+
+    12. Go back to the main manu and select "Reset". After the setup has been exited, you can kill
+        QEMU.
+
+5. Clean up:
+   ```bash
+   rm -f /tmp/cert-filesystem.fs
+   ```