runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate

author Ricardo Neri <ricardo.neri-calderon@linux.intel.com>

Mon, 5 Aug 2019 22:18:23 +0000 (18:18 -0400)

committer Richard Purdie <richard.purdie@linuxfoundation.org>

Thu, 8 Aug 2019 09:26:40 +0000 (10:26 +0100)
author Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Mon, 5 Aug 2019 22:18:23 +0000 (18:18 -0400)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 8 Aug 2019 09:26:40 +0000 (10:26 +0100)
diff --git a/scripts/runqemu b/scripts/runqemu

index 9d6a2e86d44fd73cedfb2f600039d8a36d1ab158..df3c8aad0844c1b3f3fc853b1548a699eb54d8d4 100755 (executable)
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -148,6 +148,10 @@ class BaseConfig(object):
          # Setting one also adds "-vga std" because that is all that
          # OVMF supports.
          self.ovmf_bios = []
+        # When enrolling default Secure Boot keys, the hypervisor
+        # must provide the Platform Key and the first Key Exchange Key
+        # certificate in the Type 11 SMBIOS table.
+        self.ovmf_secboot_pkkek1 = ''
          self.qemuboot = ''
          self.qbconfload = False
          self.kernel = ''
@@ -638,6 +642,23 @@ class BaseConfig(object):
          if not os.path.exists(self.rootfs):
              raise RunQemuError("Can't find rootfs: %s" % self.rootfs)
  
+    def setup_pkkek1(self):
+        """
+        Extract from PEM certificate the Platform Key and first Key
+        Exchange Key certificate string. The hypervisor needs to provide
+        it in the Type 11 SMBIOS table
+        """
+        pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
+        try:
+            with open(pemcert, 'r') as pemfile:
+                key = pemfile.read().replace('\n', ''). \
+                      replace('-----BEGIN CERTIFICATE-----', ''). \
+                      replace('-----END CERTIFICATE-----', '')
+                self.ovmf_secboot_pkkek1 = key
+
+        except FileNotFoundError:
+            raise RunQemuError("Can't open PEM certificate %s " % pemcert)
+
      def check_ovmf(self):
          """Check and set full path for OVMF firmware and variable file(s)."""
  
@@ -648,6 +669,8 @@ class BaseConfig(object):
                  path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
                  if os.path.exists(path):
                      self.ovmf_bios[index] = path
+                    if ovmf.endswith('secboot'):
+                        self.setup_pkkek1()
                      break
              else:
                  raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)
@@ -914,6 +937,8 @@ class BaseConfig(object):
              print('ROOTFS: [%s]' % self.rootfs)
          if self.ovmf_bios:
              print('OVMF: %s' % self.ovmf_bios)
+        if (self.ovmf_secboot_pkkek1):
+            print('SECBOOT PKKEK1: [%s...]' % self.ovmf_secboot_pkkek1[0:100])
          print('CONFFILE: [%s]' % self.qemuboot)
          print('')
  
@@ -1262,6 +1287,13 @@ class BaseConfig(object):
  
          self.qemu_opt += ' ' + self.qemu_opt_script
  
+        if self.ovmf_secboot_pkkek1:
+                       # Provide the Platform Key and first Key Exchange Key certificate as an
+                       # OEM string in the SMBIOS Type 11 table. Prepend the certificate string
+                       # with "application prefix" of the EnrollDefaultKeys.efi application
+            self.qemu_opt += ' -smbios type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:' \
+                             + self.ovmf_secboot_pkkek1
+
          # Append qemuparams to override previous settings
          if self.qemuparams:
              self.qemu_opt += ' ' + self.qemuparams
author	Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
	Mon, 5 Aug 2019 22:18:23 +0000 (18:18 -0400)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Thu, 8 Aug 2019 09:26:40 +0000 (10:26 +0100)