rm: security: add UEFI provisioning with QEMU section
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
ldts committed Sep 6, 2024
1 parent 9298a86 commit 0e7bd89
Showing 2 changed files with 38 additions and 0 deletions.
38 changes: 38 additions & 0 deletions source/reference-manual/security/secure-boot-uefi.rst
Expand Up @@ -144,6 +144,44 @@ LmP provides access to the application through a systemd-boot menu. Simply selec
:alt: UEFI Secure Boot Provisioning


Testing UEFI Secure Boot Provisioning With QEMU
-----------------------------------------------

The ``LockDown.efi`` application can be tested in a virtual environment using QEMU.

An easy way to do this, as QEMU includes a PXE server, is to run the application standalone in the UEFI environment.

In the following code snippet, we have copied both ``LockDown.efi`` and ``ovmf.secboot.qcow2`` to the ``tmp`` directory and configured QEMU to act as a PXE server, allowing it to fetch the ``LockDown.efi`` file.

.. prompt::

qemu-system-x86_64 \
-device virtio-net-pci,netdev=net0,mac=52:54:00:12:35:02 \
-netdev user,id=net0,tftp=/tmp/,bootfile=/LockDown.efi \
-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \
-drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 --no-reboot\
-nographic -m 4096 \
-boot nc

You can also boot a WIC image in QEMU and select the Secure Boot Provisioning menu using the following command:

.. prompt::

qemu-system-x86_64 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:35:02 \
-netdev user,id=net0,hostfwd=tcp::5522-:22 \
-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \
-drive if=none,id=hd,file=/tmp/lmp-mini-image-intel-corei7-64.wic,format=raw \
-drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 -no-reboot \
-drive if=pflash,format=qcow2,file=/tmp/ovmf.vars.qcow2

After selecting the menu, you can expect the following output, after which the system will reset.

.. figure:: secure-boot-uefi/uefi-lockdown-wic-qemu-trace.png
:alt: UEFI Secure Boot Provisioning Image QEMU trace.

Running the command again will boot the system with Secure Boot enabled, just as it would do on real hardware.


Backup Current UEFI Secure Boot Certificates
--------------------------------------------
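Review bot: the first QEMU command line is broken by the missing space before the continuation backslash on `--no-reboot\`: the shell strips the backslash-newline pair, so `--no-reboot` and `-nographic` are joined into one unrecognised option, `--no-reboot-nographic`, and QEMU will refuse to start. Change that line to `-drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 -no-reboot \`, which also matches the single-dash `-no-reboot` spelling used in the second command. In the second command, `-drive if=none,id=hd,file=/tmp/lmp-mini-image-intel-corei7-64.wic,format=raw` defines the WIC image but no `-device` references `drive=hd`, so as written the image is never attached to the guest and the Secure Boot Provisioning menu cannot be reached from it; if a line such as `-device virtio-blk-pci,drive=hd` was dropped, please restore it. The vale warnings on this hunk are also worth acting on: define PXE (Preboot Execution Environment) and WIC on first use, and split the long sentence introducing the first snippet.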

