Move mkosi folder to old image folder location

image/secure-boot/generate_nvram_vars.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
+
+# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
+if [[ -z "${LIBVIRT_SOCK}" ]]; then
+    LIBVIRT_SOCK=qemu:///system
+fi
+
+libvirt_nvram_gen () {
+    local image_path="${1}"
+    if test -f "${BASE_DIR}/image.nvram.template"; then
+        echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
+        return
+    fi
+    if ! test -f "${image_path}"; then
+        echo "Image \"${image_path}\" does not exist yet. To generate nvram, create disk image first."
+        return
+    fi
+
+    OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+    OVMF_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
+    if ! test -f "${OVMF_CODE}"; then
+        OVMF_CODE=/usr/share/OVMF/OVMF_CODE.secboot.fd
+    fi
+    if ! test -f "${OVMF_VARS}"; then
+        OVMF_VARS=/usr/share/OVMF/OVMF_VARS.secboot.fd
+    fi
+
+    echo "Using OVMF_CODE: ${OVMF_CODE}"
+    echo "Using OVMF_VARS: ${OVMF_VARS}"
+
+    # generate nvram file using libvirt
+    virt-install --name constell-nvram-gen \
+        --connect ${LIBVIRT_SOCK} \
+        --nonetworks \
+        --description 'Constellation' \
+        --ram 1024 \
+        --vcpus 1 \
+        --osinfo detect=on,require=off \
+        --disk "${image_path},format=raw" \
+        --boot "machine=q35,menu=on,loader=${OVMF_CODE},loader.readonly=yes,loader.type=pflash,nvram.template=${OVMF_VARS},nvram=${BASE_DIR}/image.nvram,loader_secure=yes" \
+        --features smm.state=on \
+        --noautoconsole
+    echo -e 'connect using'
+    echo -e '    \u001b[1mvirsh console constell-nvram-gen\u001b[0m'
+    echo -e ''
+    echo -e 'Load db cert with MokManager or enroll full PKI with firmware setup'
+    echo -e ''
+    echo -e '    \u001b[1mMokManager\u001b[0m'
+    echo -e '    For mokmanager, try to boot as usual. You will see this message:'
+    echo -e '    > "Verification failed: (0x1A) Security Violation"'
+    echo -e '    Press OK, then ENTER, then "Enroll key from disk"'
+    echo -e '    Select the following key:'
+    echo -e '    > \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
+    echo -e '    Press Continue, then choose "Yes" to the question "Enroll the key(s)?"'
+    echo -e '    Choose reboot and continue this script.'
+    echo -e ''
+    echo -e '    \u001b[1mFirmware setup\u001b[0m'
+    echo -e '    For firmware setup, press F2.'
+    echo -e '    Go to "Device Manager">"Secure Boot Configuration">"Secure Boot Mode"'
+    echo -e '    Choose "Custom Mode"'
+    echo -e '    Go to "Custom Securee Boot Options"'
+    echo -e '    Go to "PK Options">"Enroll PK", Press "Y" if queried, "Enroll PK using File"'
+    echo -e '    Select the following cert: \u001b[1m/EFI/loader/keys/auto/PK.cer\u001b[0m'
+    echo -e '    Choose "Commit Changes and Exit"'
+    echo -e '    Go to "KEK Options">"Enroll KEK", Press "Y" if queried, "Enroll KEK using File"'
+    echo -e '    Select the following cert: \u001b[1m/EFI/loader/keys/auto/KEK.cer\u001b[0m'
+    echo -e '    Choose "Commit Changes and Exit"'
+    echo -e '    Go to "DB Options">"Enroll Signature">"Enroll Signature using File"'
+    echo -e '    Select the following cert: \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
+    echo -e '    Choose "Commit Changes and Exit"'
+    echo -e '    Repeat the last step for the following certs:'
+    echo -e '    > \u001b[1m/EFI/loader/keys/auto/MicWinProPCA2011_2011-10-19.crt\u001b[0m'
+    echo -e '    > \u001b[1m/EFI/loader/keys/auto/MicCorUEFCA2011_2011-06-27.crt\u001b[0m'
+    echo -e '    Reboot and continue this script.'
+    echo -e ''
+    echo -e 'Press ENTER to continue after you followed one of the guides from above.'
+    read
+    sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
+    virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
+    virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
+    rm -f "${BASE_DIR}/image.nvram"
+
+    echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" ${BASE_DIR}/image.nvram.template)"
+}
+
+libvirt_nvram_gen $1