This is a Vagrant Environment for setting up the OVMF UEFI EDK2 environment to play with UEFI Secure Boot using sbctl (Secure Boot key manager).
Install the base Ubuntu 22.04 UEFI box.
Start the environment:

```bash
# NB in my machine this takes ~30m to complete.
time vagrant up --provider=libvirt --no-destroy-on-error --no-tty
```

Start ovmf/linux/u-boot in a test vm:

```bash
cd tmp
./run.sh
```

Verify that the platform is in Setup Mode:

```bash
sbctl status
```

It must output:

```
Installed:      ✗ sbctl is not installed
Setup Mode:     ✗ Enabled
Secure Boot:    ✗ Disabled
Vendor Keys:    none
```

Create our own Platform Key (PK), Key Exchange Key (KEK), and Code Signing CAs:

```bash
sbctl create-keys
```

It should output something like:

```
Created Owner UUID 5c839e31-20eb-42a6-906b-824ab404e0dd
Creating secure boot keys...✓
Secure boot keys created!
```

In more detail, this created all these files:

```bash
# find -type f /usr/share/secureboot/keys
/usr/share/secureboot/keys/KEK/KEK.key
/usr/share/secureboot/keys/KEK/KEK.pem
/usr/share/secureboot/keys/PK/PK.key
/usr/share/secureboot/keys/PK/PK.pem
/usr/share/secureboot/keys/db/db.key
/usr/share/secureboot/keys/db/db.pem
```

Enroll the keys with the firmware:

```bash
# NB this should be equivalent of using sbkeysync to write the EFI variables as:
#       sbkeysync --pk --verbose --keystore /usr/share/secureboot/keys
#    see https://github.com/Foxboron/sbctl/blob/fda4f2c1efd801cd04fb52923afcdb34baa42369/keys.go#L114-L115
sbctl enroll-keys --yes-this-might-brick-my-machine
```

It should display something like:

```
Enrolling keys to EFI variables...✓
Enrolled keys to the EFI variables!
```

Verify that the platform is now out of Setup Mode:

```bash
sbctl status
```

It should output something like:

```
Installed:      ✓ sbctl is installed
Owner GUID:     88f1e363-3f8e-4f73-9a86-57a2dcb1a285
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
Vendor Keys:    none
```

Sign the linux efi application:
```bash
sbctl sign /boot/efi/linux
```

It should output something like:

```
✓ Signed /boot/efi/linux
```

Analyze the linux efi application:

```bash
efianalyze signed-image /boot/efi/linux
```

It should output something like:

```
Data Directory Header:
  Virtual Address: 0xa1e8a0
  Size in bytes: 2192
Certificate Type: WIN_CERT_TYPE_PKCS_SIGNED_DATA
Issuer Name: CN=Database Key,C=Database Key
Serial Number: 48816627373166678216378579258444048592
```

Reboot the system:
```bash
umount /boot/efi
shutdown -r
```

After boot, verify that the platform is now in Secure Boot mode:

```bash
sbctl status
```

It must output:

```
Installed:      ✓ sbctl is installed
Owner GUID:     88f1e363-3f8e-4f73-9a86-57a2dcb1a285
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    none
```

Test loading a kernel module:

```bash
insmod /modules/configs.ko
```

It must not return any output or error.
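`sbctl status` derives its Setup Mode / Secure Boot lines from the `SetupMode` and `SecureBoot` EFI variables, and `enroll-keys` writes the PK, KEK and db variables as chains of `EFI_SIGNATURE_LIST` structures. The following is an added example (not part of this repository and not sbctl's own code) that decodes those variables directly from their raw efivarfs form: the 4-byte attribute bitmask that efivarfs prepends to every variable, the single-byte SetupMode/SecureBoot values, and the signature lists that hold the enrolled certificates and hashes. All sample bytes are constructed in-line so it runs offline; the owner UUID reused in the sample is the one printed by `create-keys` above, and the efivarfs file names in the comments use the well-known EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE GUIDs.

```python
"""Decode Secure Boot EFI variables the way sbctl status reports them.

Added example, not part of the original repository or of sbctl.
Sample inputs are constructed in-line so the script runs offline.
"""
import struct
import uuid

# Well-known signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGNATURE_TYPE_NAMES = {
    EFI_CERT_X509_GUID: "EFI_CERT_X509",
    EFI_CERT_SHA256_GUID: "EFI_CERT_SHA256",
}


def efivar_payload(raw: bytes) -> bytes:
    """Strip the 4-byte attribute bitmask efivarfs prepends to every variable."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short")
    return raw[4:]


def boot_mode(setup_mode_raw: bytes, secure_boot_raw: bytes) -> dict:
    """Interpret SetupMode and SecureBoot (one byte each: 1 = on, 0 = off)."""
    setup = efivar_payload(setup_mode_raw)[0]
    secure = efivar_payload(secure_boot_raw)[0]
    return {"setup_mode": setup == 1, "secure_boot": secure == 1}


def parse_signature_lists(payload: bytes) -> list:
    """Walk the chain of EFI_SIGNATURE_LIST structures in a PK/KEK/db payload.

    Layout: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
            | SignatureSize (4) | header | EFI_SIGNATURE_DATA[] (owner GUID + data).
    """
    entries = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(payload):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        data_off = off + 28 + hdr_size
        data_end = off + list_size
        # All entries in one list share SignatureSize; reject anything that does not divide evenly.
        if sig_size < 16 or (data_end - data_off) % sig_size:
            raise ValueError("EFI_SIGNATURE_DATA array does not divide evenly")
        while data_off < data_end:
            owner = uuid.UUID(bytes_le=payload[data_off:data_off + 16])
            data = payload[data_off + 16:data_off + sig_size]
            entries.append({
                "type": SIGNATURE_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "data_len": len(data),
            })
            data_off += sig_size
        off += list_size
    return entries


def build_signature_list(sig_type, owner, blobs, header=b"") -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; blobs must all have the same length (sample input only)."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + b for b in blobs)
    list_size = 28 + len(header) + len(body)
    return sig_type.bytes_le + struct.pack("<III", list_size, len(header), sig_size) + header + body


# Constructed samples, shaped like the files
# /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c,
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and
# /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f.
SAMPLE_SETUP_MODE = b"\x06\x00\x00\x00\x00"   # attrs BS|RT, value 0
SAMPLE_SECURE_BOOT = b"\x06\x00\x00\x00\x01"  # attrs BS|RT, value 1
OWNER = uuid.UUID("5c839e31-20eb-42a6-906b-824ab404e0dd")  # owner UUID from create-keys above
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # attrs NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + bytes(30)])  # fake DER stub
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32), bytes(range(32))])
)

if __name__ == "__main__":
    print(boot_mode(SAMPLE_SETUP_MODE, SAMPLE_SECURE_BOOT))
    for entry in parse_signature_lists(efivar_payload(SAMPLE_DB)):
        print(entry)
```

To check the live VM instead of the samples, read the three efivarfs files named in the comments with `open(path, "rb").read()` and pass the bytes to `boot_mode` and `efivar_payload`; a db whose `EFI_CERT_X509` entry carries the `create-keys` owner UUID is the on-disk counterpart of the `Setup Mode: ✓ Disabled` line above.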
And that's pretty much how you test drive Secure Boot in OVMF.
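The `efianalyze signed-image` step above reads the PE/COFF headers of `/boot/efi/linux` to find the Authenticode certificate table (data directory index 4, whose "Virtual Address" is really a file offset) and the `WIN_CERTIFICATE` entries inside it. The following is an added example, not part of this repository and not efianalyze's own code, that reproduces that first part of the check from raw bytes, so you can confirm an image actually carries a signature before rebooting with Secure Boot enabled. It does not parse the PKCS#7 blob itself (issuer and serial need an ASN.1 decoder); the minimal PE32+ image it inspects is constructed in-line as sample input.

```python
"""Locate the Authenticode certificate table in a PE/COFF EFI image.

Added example, not part of the original repository and not efianalyze's code.
A minimal PE32+ image is constructed in-line as sample input.
"""
import struct

WIN_CERT_TYPE_NAMES = {
    0x0001: "WIN_CERT_TYPE_X509",
    0x0002: "WIN_CERT_TYPE_PKCS_SIGNED_DATA",
    0x0EF0: "WIN_CERT_TYPE_TS_STACK_SIGNED",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the certificate table


def certificate_table(image: bytes) -> dict:
    """Return the certificate table directory entry and the WIN_CERTIFICATE headers in it."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:    # PE32+: data directories start at optional header offset 112
        dirs = opt + 112
    elif magic == 0x10B:  # PE32: data directories start at offset 96
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"present": False, "certs": []}
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # For the security directory the "VirtualAddress" field is a plain file offset.
    offset, size = struct.unpack_from("<II", image, entry)
    if size == 0:
        return {"present": False, "certs": []}
    if offset + size > len(image):
        raise ValueError("certificate table extends past end of file")
    certs = []
    pos = offset
    while pos < offset + size:
        # WIN_CERTIFICATE: dwLength (4) | wRevision (2) | wCertificateType (2) | bCertificate[]
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > offset + size:
            raise ValueError("malformed WIN_CERTIFICATE")
        certs.append({
            "revision": revision,
            "type": WIN_CERT_TYPE_NAMES.get(cert_type, "0x%04x" % cert_type),
            "pkcs7_len": length - 8,
        })
        pos += (length + 7) & ~7  # successive entries are 8-byte aligned
    return {"present": True, "offset": offset, "size": size, "certs": certs}


def build_sample_pe(pkcs7: bytes) -> bytes:
    """Construct a minimal PE32+ image carrying one Authenticode entry (sample input only)."""
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    hdr_len = 0x40 + 4 + 20 + opt_size  # DOS stub + "PE\0\0" + COFF + optional header
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    win_cert += b"\0" * (-len(win_cert) % 8)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, num_dirs)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, hdr_len, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x82\x00\x10" + bytes(16))  # constructed fake DER stub
    print(certificate_table(sample))
```

Against the real file, `certificate_table(open("/boot/efi/linux", "rb").read())` should report `present: True` with one `WIN_CERT_TYPE_PKCS_SIGNED_DATA` entry after `sbctl sign`, and `present: False` on the unsigned image; a table that runs past the end of the file is rejected rather than silently trusted.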
You can see all the qemu devices status by running the following command in another shell:
```bash
cd tmp
echo info qtree | ./qmp-shell -H ./test/amd64.socket
```

- Unified Extensible Firmware Interface (UEFI).
- UEFI Forum.
- EDK II (aka edk2): UEFI Reference Implementation.
- EDK II `bcfg boot dump` source code.
- UefiToolsPkg set of UEFI tools.
  - These are useful on their own and as C source based UEFI application examples.
- sbctl (Secure Boot key manager).