2022-10-19 07:10:15 -04:00
|
|
|
#!/usr/bin/env bash
|
2022-10-11 05:34:57 -04:00
|
|
|
# Copyright (c) Edgeless Systems GmbH
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
2022-10-19 07:10:15 -04:00
|
|
|
|
|
|
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
|
|
|
BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
|
|
|
|
|
|
|
|
# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
|
|
|
|
if [[ -z "${LIBVIRT_SOCK}" ]]; then
|
|
|
|
LIBVIRT_SOCK=qemu:///system
|
|
|
|
fi
|
|
|
|
|
|
|
|
libvirt_nvram_gen () {
|
|
|
|
local image_path="${1}"
|
|
|
|
if test -f "${BASE_DIR}/image.nvram.template"; then
|
|
|
|
echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
if ! test -f "${image_path}"; then
|
|
|
|
echo "Image \"${image_path}\" does not exist yet. To generate nvram, create disk image first."
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
|
|
|
|
OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
|
|
|
|
OVMF_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
|
|
|
|
if ! test -f "${OVMF_CODE}"; then
|
|
|
|
OVMF_CODE=/usr/share/OVMF/OVMF_CODE.secboot.fd
|
|
|
|
fi
|
|
|
|
if ! test -f "${OVMF_VARS}"; then
|
|
|
|
OVMF_VARS=/usr/share/OVMF/OVMF_VARS.secboot.fd
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "Using OVMF_CODE: ${OVMF_CODE}"
|
|
|
|
echo "Using OVMF_VARS: ${OVMF_VARS}"
|
|
|
|
|
|
|
|
# generate nvram file using libvirt
|
|
|
|
virt-install --name constell-nvram-gen \
|
|
|
|
--connect ${LIBVIRT_SOCK} \
|
|
|
|
--nonetworks \
|
|
|
|
--description 'Constellation' \
|
|
|
|
--ram 1024 \
|
|
|
|
--vcpus 1 \
|
|
|
|
--osinfo detect=on,require=off \
|
|
|
|
--disk "${image_path},format=raw" \
|
|
|
|
--boot "machine=q35,menu=on,loader=${OVMF_CODE},loader.readonly=yes,loader.type=pflash,nvram.template=${OVMF_VARS},nvram=${BASE_DIR}/image.nvram,loader_secure=yes" \
|
|
|
|
--features smm.state=on \
|
|
|
|
--noautoconsole
|
|
|
|
echo -e 'connect using'
|
|
|
|
echo -e ' \u001b[1mvirsh console constell-nvram-gen\u001b[0m'
|
|
|
|
echo -e ''
|
|
|
|
echo -e 'Load db cert with MokManager or enroll full PKI with firmware setup'
|
|
|
|
echo -e ''
|
|
|
|
echo -e ' \u001b[1mMokManager\u001b[0m'
|
|
|
|
echo -e ' For mokmanager, try to boot as usual. You will see this message:'
|
|
|
|
echo -e ' > "Verification failed: (0x1A) Security Violation"'
|
|
|
|
echo -e ' Press OK, then ENTER, then "Enroll key from disk"'
|
|
|
|
echo -e ' Select the following key:'
|
|
|
|
echo -e ' > \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
|
|
|
|
echo -e ' Press Continue, then choose "Yes" to the question "Enroll the key(s)?"'
|
|
|
|
echo -e ' Choose reboot and continue this script.'
|
|
|
|
echo -e ''
|
|
|
|
echo -e ' \u001b[1mFirmware setup\u001b[0m'
|
|
|
|
echo -e ' For firmware setup, press F2.'
|
|
|
|
echo -e ' Go to "Device Manager">"Secure Boot Configuration">"Secure Boot Mode"'
|
|
|
|
echo -e ' Choose "Custom Mode"'
|
|
|
|
echo -e ' Go to "Custom Securee Boot Options"'
|
|
|
|
echo -e ' Go to "PK Options">"Enroll PK", Press "Y" if queried, "Enroll PK using File"'
|
|
|
|
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/PK.cer\u001b[0m'
|
|
|
|
echo -e ' Choose "Commit Changes and Exit"'
|
|
|
|
echo -e ' Go to "KEK Options">"Enroll KEK", Press "Y" if queried, "Enroll KEK using File"'
|
|
|
|
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/KEK.cer\u001b[0m'
|
|
|
|
echo -e ' Choose "Commit Changes and Exit"'
|
|
|
|
echo -e ' Go to "DB Options">"Enroll Signature">"Enroll Signature using File"'
|
|
|
|
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
|
|
|
|
echo -e ' Choose "Commit Changes and Exit"'
|
|
|
|
echo -e ' Repeat the last step for the following certs:'
|
|
|
|
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicWinProPCA2011_2011-10-19.crt\u001b[0m'
|
|
|
|
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicCorUEFCA2011_2011-06-27.crt\u001b[0m'
|
|
|
|
echo -e ' Reboot and continue this script.'
|
|
|
|
echo -e ''
|
|
|
|
echo -e 'Press ENTER to continue after you followed one of the guides from above.'
|
|
|
|
read
|
|
|
|
sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
|
|
|
|
virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
|
|
|
|
virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
|
|
|
|
rm -f "${BASE_DIR}/image.nvram"
|
|
|
|
|
|
|
|
echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
|
|
|
|
}
|
|
|
|
|
|
|
|
libvirt_nvram_gen $1
|