drop qosb

not needed any more now that we use virt-firmware instead
This commit is contained in:
Gerd Hoffmann 2022-05-25 13:37:49 +02:00
parent 0476d891c1
commit 35498843ac
4 changed files with 1 additions and 390 deletions

View File

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2017 Patrick Uiterwijk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

View File

@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
R+SqIs/vdWGA40O3SFdzET14m2k=
-----END CERTIFICATE-----

View File

@ -14,11 +14,6 @@ ExclusiveArch: x86_64 aarch64
%define TOOLCHAIN GCC5 %define TOOLCHAIN GCC5
%define OPENSSL_VER 1.1.1k %define OPENSSL_VER 1.1.1k
%define qosb_testing 0
%ifarch x86_64
%define qosb_testing 1
%endif
%if %{defined rhel} %if %{defined rhel}
%define build_ovmf 0 %define build_ovmf 0
%define build_aarch64 0 %define build_aarch64 0
@ -52,9 +47,6 @@ URL: http://www.tianocore.org
Source0: edk2-%{GITCOMMIT}.tar.xz Source0: edk2-%{GITCOMMIT}.tar.xz
Source1: ovmf-whitepaper-c770f8c.txt Source1: ovmf-whitepaper-c770f8c.txt
Source2: openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz Source2: openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
Source3: ovmf-vars-generator
Source4: LICENSE.qosb
Source5: RedHatSecureBootPkKek1.pem
Source10: edk2-aarch64-verbose.json Source10: edk2-aarch64-verbose.json
Source11: edk2-aarch64.json Source11: edk2-aarch64.json
@ -119,13 +111,6 @@ BuildRequires: xorriso
# enrolled. # enrolled.
BuildRequires: python3-virt-firmware BuildRequires: python3-virt-firmware
%if %{qosb_testing}
# For verifying SB enablement in the above variable store template, we need a
# guest kernel that prints "Secure boot enabled".
BuildRequires: kernel-core >= 4.18.0-161
BuildRequires: rpmdevtools
%endif
# endif build_ovmf # endif build_ovmf
%endif %endif
@ -217,14 +202,6 @@ License: BSD-2-Clause-Patent and OpenSSL
EFI Development Kit II EFI Development Kit II
ARMv7 UEFI Firmware ARMv7 UEFI Firmware
%package qosb
Summary: Tool to enroll secureboot
Requires: python3
Buildarch: noarch
%description qosb
This package contains QOSB (QEMU OVMF Secure Boot), which can enroll OVMF
variable files to enforce Secure Boot.
%package tools-python %package tools-python
Summary: EFI Development Kit II Tools Summary: EFI Development Kit II Tools
Requires: python3 Requires: python3
@ -250,27 +227,13 @@ git config am.keepcr true
# -D is passed to %%setup to not delete the existing archive dir # -D is passed to %%setup to not delete the existing archive dir
%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am %autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
cp -a -- %{SOURCE1} %{SOURCE3} . cp -a -- %{SOURCE1} .
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} . cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
# Format the Red Hat-issued certificate that is to be enrolled as both Platform
# Key and first Key Exchange Key, as an SMBIOS OEM String. This means stripping
# the PEM header and footer, and prepending the textual representation of the
# GUID that identifies this particular OEM String to "EnrollDefaultKeys.efi",
# plus the separator ":". For details, see
# <https://bugzilla.tianocore.org/show_bug.cgi?id=1747> comments 2, 7, 14.
sed \
-e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
-e '/^-----END CERTIFICATE-----$/d' \
%{SOURCE5} \
> PkKek1.oemstr
# Done by %setup, but we do not use it for the auxiliary tarballs # Done by %setup, but we do not use it for the auxiliary tarballs
chmod -Rf a+rX,u+w,g-w,o-w . chmod -Rf a+rX,u+w,g-w,o-w .
# Fedora specific
cp -a -- %{SOURCE4} .
# extract softfloat into place # extract softfloat into place
tar -xf %{SOURCE50} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/ tar -xf %{SOURCE50} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/
@ -584,24 +547,15 @@ done
%py_byte_compile %{python3} %{buildroot}%{_datadir}/edk2/Python %py_byte_compile %{python3} %{buildroot}%{_datadir}/edk2/Python
%endif %endif
# edk2-qosb install
install -p ovmf-vars-generator %{buildroot}%{_bindir}
# endif defined fedora # endif defined fedora
%endif %endif
%check %check
%if %{qosb_testing}
virt-fw-vars --input Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \ virt-fw-vars --input Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
--print | grep "SecureBootEnable.*ON" --print | grep "SecureBootEnable.*ON"
# endif qosb_testing
%endif
%global common_files \ %global common_files \
%%license License.txt License.OvmfPkg.txt License-History.txt LICENSE.openssl \ %%license License.txt License.OvmfPkg.txt License-History.txt LICENSE.openssl \
%%dir %%{_datadir}/%%{name}/ \ %%dir %%{_datadir}/%%{name}/ \
@ -726,11 +680,6 @@ virt-fw-vars --input Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
%dir %{_datadir}/%{name} %dir %{_datadir}/%{name}
%{_datadir}/%{name}/Python %{_datadir}/%{name}/Python
%files qosb
%license LICENSE.qosb
%{_bindir}/ovmf-vars-generator
# endif fedora # endif fedora
%endif %endif

View File

@ -1,295 +0,0 @@
#!/bin/python3
# Copyright (C) 2017 Red Hat
# Authors:
# - Patrick Uiterwijk <puiterwijk@redhat.com>
# - Kashyap Chamarthy <kchamart@redhat.com>
#
# Licensed under MIT License, for full text see LICENSE
#
# Purpose: Launch a QEMU guest and enroll ithe UEFI keys into an OVMF
# variables ("VARS") file. Then boot a Linux kernel with QEMU.
# Finally, perform a check to verify if Secure Boot
# is enabled.
from __future__ import print_function
import argparse
import os
import logging
import tempfile
import shutil
import string
import subprocess
def strip_special(line):
return ''.join([c for c in str(line) if c in string.printable])
def generate_qemu_cmd(args, readonly, *extra_args):
if args.disable_smm:
machinetype = 'pc'
else:
machinetype = 'q35,smm=on'
machinetype += ',accel=%s' % ('kvm' if args.enable_kvm else 'tcg')
if args.oem_string is None:
oemstrings = []
else:
oemstring_values = [
",value=" + s.replace(",", ",,") for s in args.oem_string ]
oemstrings = [
'-smbios',
"type=11" + ''.join(oemstring_values) ]
return [
args.qemu_binary,
'-machine', machinetype,
'-display', 'none',
'-no-user-config',
'-nodefaults',
'-m', '768',
'-smp', '2,sockets=2,cores=1,threads=1',
'-chardev', 'pty,id=charserial1',
'-device', 'isa-serial,chardev=charserial1,id=serial1',
'-global', 'driver=cfi.pflash01,property=secure,value=%s' % (
'off' if args.disable_smm else 'on'),
'-drive',
'file=%s,if=pflash,format=raw,unit=0,readonly=on' % (
args.ovmf_binary),
'-drive',
'file=%s,if=pflash,format=raw,unit=1,readonly=%s' % (
args.out_temp, 'on' if readonly else 'off'),
'-serial', 'stdio'] + oemstrings + list(extra_args)
def download(url, target, suffix, no_download):
istemp = False
if target and os.path.exists(target):
return target, istemp
if not target:
temped = tempfile.mkstemp(prefix='qosb.', suffix='.%s' % suffix)
os.close(temped[0])
target = temped[1]
istemp = True
if no_download:
raise Exception('%s did not exist, but downloading was disabled' %
target)
import requests
logging.debug('Downloading %s to %s', url, target)
r = requests.get(url, stream=True)
with open(target, 'wb') as f:
for chunk in r.iter_content(chunk_size=1024):
if chunk:
f.write(chunk)
return target, istemp
def enroll_keys(args):
shutil.copy(args.ovmf_template_vars, args.out_temp)
logging.info('Starting enrollment')
cmd = generate_qemu_cmd(
args,
False,
'-drive',
'file=%s,format=raw,if=none,media=cdrom,id=drive-cd1,'
'readonly=on' % args.uefi_shell_iso,
'-device',
'ide-cd,drive=drive-cd1,id=cd1,'
'bootindex=1')
p = subprocess.Popen(cmd,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
logging.info('Performing enrollment')
# Wait until the UEFI shell starts (first line is printed)
read = p.stdout.readline()
if b'char device redirected' in read:
read = p.stdout.readline()
# Skip passed QEMU warnings, like the following one we see in Ubuntu:
# qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
while b'qemu-system-x86_64: warning:' in read:
read = p.stdout.readline()
if args.print_output:
print(strip_special(read), end='')
print()
# Send the escape char to enter the UEFI shell early
p.stdin.write(b'\x1b')
p.stdin.flush()
# And then run the following three commands from the UEFI shell:
# change into the first file system device; install the default
# keys and certificates, and reboot
p.stdin.write(b'fs0:\r\n')
p.stdin.write(b'EnrollDefaultKeys.efi\r\n')
p.stdin.write(b'reset -s\r\n')
p.stdin.flush()
while True:
read = p.stdout.readline()
if args.print_output:
print('OUT: %s' % strip_special(read), end='')
print()
if b'info: success' in read:
break
p.wait()
if args.print_output:
print(strip_special(p.stdout.read()), end='')
logging.info('Finished enrollment')
def test_keys(args):
logging.info('Grabbing test kernel')
kernel, kerneltemp = download(args.kernel_url, args.kernel_path,
'kernel', args.no_download)
logging.info('Starting verification')
try:
cmd = generate_qemu_cmd(
args,
True,
'-append', 'console=tty0 console=ttyS0,115200n8',
'-kernel', kernel)
p = subprocess.Popen(cmd,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
logging.info('Performing verification')
while True:
read = p.stdout.readline()
if args.print_output:
print('OUT: %s' % strip_special(read), end='')
print()
if b'Secure boot disabled' in read:
raise Exception('Secure Boot was disabled')
elif b'Secure boot enabled' in read:
logging.info('Confirmed: Secure Boot is enabled')
break
elif b'Kernel is locked down from EFI secure boot' in read:
logging.info('Confirmed: Secure Boot is enabled')
break
p.kill()
if args.print_output:
print(strip_special(p.stdout.read()), end='')
logging.info('Finished verification')
finally:
if kerneltemp:
os.remove(kernel)
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument('output', help='Filename for output vars file')
parser.add_argument('--out-temp', help=argparse.SUPPRESS)
parser.add_argument('--force', help='Overwrite existing output file',
action='store_true')
parser.add_argument('--print-output', help='Print the QEMU guest output',
action='store_true')
parser.add_argument('--verbose', '-v', help='Increase verbosity',
action='count')
parser.add_argument('--quiet', '-q', help='Decrease verbosity',
action='count')
parser.add_argument('--qemu-binary', help='QEMU binary path',
default='/usr/bin/qemu-system-x86_64')
parser.add_argument('--enable-kvm', help='Enable KVM acceleration',
action='store_true')
parser.add_argument('--ovmf-binary', help='OVMF secureboot code file',
default='/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd')
parser.add_argument('--ovmf-template-vars', help='OVMF empty vars file',
default='/usr/share/edk2/ovmf/OVMF_VARS.fd')
parser.add_argument('--uefi-shell-iso', help='Path to uefi shell iso',
default='/usr/share/edk2/ovmf/UefiShell.iso')
parser.add_argument('--skip-enrollment',
help='Skip enrollment, only test', action='store_true')
parser.add_argument('--skip-testing',
help='Skip testing generated "VARS" file',
action='store_true')
parser.add_argument('--kernel-path',
help='Specify a consistent path for kernel')
parser.add_argument('--no-download', action='store_true',
help='Never download a kernel')
parser.add_argument('--fedora-version',
help='Fedora version to get kernel for checking',
default='27')
parser.add_argument('--kernel-url', help='Kernel URL',
default='https://download.fedoraproject.org/pub/fedora'
'/linux/releases/%(version)s/Everything/x86_64'
'/os/images/pxeboot/vmlinuz')
parser.add_argument('--disable-smm',
help=('Don\'t restrict varstore pflash writes to '
'guest code that executes in SMM. Use this '
'option only if your OVMF binary doesn\'t have '
'the edk2 SMM driver stack built into it '
'(possibly because your QEMU binary lacks SMM '
'emulation). Note that without restricting '
'varstore pflash writes to guest code that '
'executes in SMM, a malicious guest kernel, '
'used for testing, could undermine Secure '
'Boot.'),
action='store_true')
parser.add_argument('--oem-string',
help=('Pass the argument to the guest as a string in '
'the SMBIOS Type 11 (OEM Strings) table. '
'Multiple occurrences of this option are '
'collected into a single SMBIOS Type 11 table. '
'A pure ASCII string argument is strongly '
'suggested.'),
action='append')
args = parser.parse_args()
args.kernel_url = args.kernel_url % {'version': args.fedora_version}
validate_args(args)
return args
def validate_args(args):
if (os.path.exists(args.output)
and not args.force
and not args.skip_enrollment):
raise Exception('%s already exists' % args.output)
if args.skip_enrollment and not os.path.exists(args.output):
raise Exception('%s does not yet exist' % args.output)
verbosity = (args.verbose or 1) - (args.quiet or 0)
if verbosity >= 2:
logging.basicConfig(level=logging.DEBUG)
elif verbosity == 1:
logging.basicConfig(level=logging.INFO)
elif verbosity < 0:
logging.basicConfig(level=logging.ERROR)
else:
logging.basicConfig(level=logging.WARN)
if args.skip_enrollment:
args.out_temp = args.output
else:
temped = tempfile.mkstemp(prefix='qosb.', suffix='.vars')
os.close(temped[0])
args.out_temp = temped[1]
logging.debug('Temp output: %s', args.out_temp)
def move_to_dest(args):
shutil.copy(args.out_temp, args.output)
os.remove(args.out_temp)
def main():
args = parse_args()
if not args.skip_enrollment:
enroll_keys(args)
if not args.skip_testing:
test_keys(args)
if not args.skip_enrollment:
move_to_dest(args)
if args.skip_testing:
logging.info('Created %s' % args.output)
else:
logging.info('Created and verified %s' % args.output)
else:
logging.info('Verified %s', args.output)
if __name__ == '__main__':
main()