MEN-5255: Enable and start testing Secure Boot.

This is using pre-signed binaries by Microsoft, Canonical and Debian, no customized signing. Changelog: None Signed-off-by: Kristian Amlie <kristian.amlie@northern.tech>
3 years ago · 1b3ab7c5e0
5 changed files with 74 additions and 2 deletions
--- a/scripts/test/mender-convert-qemu
+++ b/scripts/test/mender-convert-qemu
@ -20,7 +20,8 @@ qemu-system-x86_64 \
    -m 512 \
    -net user,hostfwd=tcp::8822-:22 \
    -net nic,macaddr=52:54:00$(od -txC -An -N3 /dev/urandom|tr \  :) \
-    -bios ${ovmf_file} \
+    -drive file=${ovmf_file},if=pflash,format=raw,unit=0,readonly=on \
+    -drive file=./uefi-nvram/OVMF_VARS.fd,if=pflash,format=raw,unit=1,readonly=on \
    -drive format=raw,file=${DISK_IMG} &

 qemu_pid=$!
--- a/tests/mender-image-tests
+++ b/tests/mender-image-tests
@ -1 +1 @@
-Subproject commit 626c9f43f615531d4ec45c2e388b8829d91e087c
+Subproject commit 7c081c042f0024e87e9e15144b18d991fb378bcd
--- a/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt
+++ b/tests/uefi-nvram/MicCorThiParMarRoo_2010-10-05.crt
--- a/tests/uefi-nvram/OVMF_VARS.fd
+++ b/tests/uefi-nvram/OVMF_VARS.fd
--- a/tests/uefi-nvram/README.md
+++ b/tests/uefi-nvram/README.md
@ -0,0 +1,71 @@
+UEFI NVRAM
+==========
+
+This directory holds the NVRAM file which is used as the firmware memory of the UEFI software which
+runs under QEMU. It's main purpose is to start the UEFI software with certificates pre-loaded into
+the firmware memory, and Secure Boot enabled.
+
+How to recreate the `OVMF_VARS.fd` file
+--------------------------------
+
+1. Create the `OVMF_VARS.fd` file:
+   ```bash
+   cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd
+   ```
+
+2. Create a filesystem which contains the UEFI certificates:
+   ```bash
+   dd if=/dev/zero of=/tmp/cert-filesystem.fs bs=1M count=10; \
+   mkfs.vfat /tmp/cert-filesystem.fs; \
+   mkdir cert-filesystem; \
+   sudo mount /tmp/cert-filesystem.fs cert-filesystem -o loop,uid=$UID; \
+   cp *.crt cert-filesystem; \
+   sudo umount cert-filesystem; \
+   rmdir cert-filesystem
+   ```
+
+   Tip: If you ever need to re-fetch the certificate files, run `mokutil --db` on your own
+   computer. This lists your installed certificates, and they come with URLs which say where you can
+   download them. Make sure you download the `.crt`, not the `.crl`.
+
+3. Launch QEMU with the NVRAM and the filesystem containing the certificates. *Make sure to press F2
+   quickly after the window appears to enter the firmware menu*:
+   ```bash
+   qemu-system-x86_64 \
+       -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \
+       -drive file=./OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
+       -drive file=/tmp/cert-filesystem.fs,if=ide,format=raw
+   ```
+
+4. After having entered the firmware menu, perform the following steps:
+
+    1. Enter "Device Manager".
+
+    2. Enter "Secure Boot Configuration".
+
+    3. Switch "Secure Boot Mode" to "Custom Mode".
+
+    4. Enter "Custom Secure Boot Options".
+
+    5. Enter "PK Options".
+
+    6. Enter "Enroll OK".
+
+    7. Enter "Enroll PK Using File".
+
+    8. Locate the certificate file in the filesystem that you created in main step 2, and add it.
+
+    9. Make sure to select "Commit Changes".
+
+    10. Repeat the same process starting from sub step 5, except for "DB Options" instead.
+
+    11. Go back to the "Secure Boot Configuration" screen. "Attempt Secure Boot" should now have
+        been auto-selected. If it's not, enable it and save the change.
+
+    12. Go back to the main manu and select "Reset". After the setup has been exited, you can kill
+        QEMU.
+
+5. Clean up:
+   ```bash
+   rm -f /tmp/cert-filesystem.fs
+   ```