[arch-releng] [PATCH] [configs/releng] Add SecureBoot support via prebootloader
Tested only under QEMU using OVMF SecureBoot enabled firmware plus lockdown-ms.
Both loader.efi (gummiboot) and vmlinuz.efi should be hashed before boot in secure mode.
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar>
---
 configs/releng/build.sh | 10 ++++++++--
 configs/releng/packages.x86_64 | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/configs/releng/build.sh b/configs/releng/build.sh
index 6e9e2f8..bec9a42 100755
--- a/configs/releng/build.sh
+++ b/configs/releng/build.sh
@@ -128,7 +128,10 @@ make_isolinux() {
 # Prepare /EFI
 make_efi() {
 mkdir -p ${work_dir}/iso/EFI/boot
- cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/bootx64.efi
+ cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/iso/EFI/boot/bootx64.efi
+ cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/iso/EFI/boot/
+
+ cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/loader.efi
 mkdir -p ${work_dir}/iso/loader/entries
 cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/iso/loader/
@@ -159,7 +162,10 @@ make_efiboot() {
 cp ${work_dir}/iso/${install_dir}/boot/x86_64/archiso.img ${work_dir}/efiboot/EFI/archiso/archiso.img
 mkdir -p ${work_dir}/efiboot/EFI/boot
- cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi
+ cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi
+ cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/efiboot/EFI/boot/
+
+ cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/loader.efi
 mkdir -p ${work_dir}/efiboot/loader/entries
 cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/efiboot/loader/
diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64
index aceb6cf..3b75077 100644
--- a/configs/releng/packages.x86_64
+++ b/configs/releng/packages.x86_64
@@ -1,3 +1,4 @@
 grub-efi-x86_64
 gummiboot
+prebootloader
 refind-efi
--
1.8.3.1
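Review bot: The four new cp lines in make_efi are repeated verbatim in make_efiboot, differing only in the destination root (`${work_dir}/iso` versus `${work_dir}/efiboot`), so a small helper taking the destination directory would keep the two boot trees from drifting apart on the next change. Nothing in either function says why bootx64.efi is now PreLoader.efi and gummiboot has moved to loader.efi, so a comment above the new cp lines would help, e.g. `# Secure Boot: PreLoader.efi is installed as bootx64.efi and loads loader.efi (gummiboot); HashTool.efi ships alongside so the user can enroll the hashes of loader.efi and vmlinuz.efi, which has to be redone whenever those binaries change since the enrolled values are hashes of the exact files.` The second hunk (make_efiboot) has the same duplication and the same missing comment. Both make_efi and make_efiboot continue outside the hunks.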
On 06/19/2013 08:41 PM, Gerardo Exequiel Pozzi wrote:
Tested only under QEMU using OVMF SecureBoot enabled firmware plus lockdown-ms.
Both loader.efi (gummiboot) and vmlinuz.efi should be hashed before boot in secure mode.
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/build.sh | 10 ++++++++-- configs/releng/packages.x86_64 | 1 + 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/configs/releng/build.sh b/configs/releng/build.sh index 6e9e2f8..bec9a42 100755 --- a/configs/releng/build.sh +++ b/configs/releng/build.sh @@ -128,7 +128,10 @@ make_isolinux() { # Prepare /EFI make_efi() { mkdir -p ${work_dir}/iso/EFI/boot - cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/iso/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/iso/EFI/boot/ + + cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/loader.efi
mkdir -p ${work_dir}/iso/loader/entries cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/iso/loader/ @@ -159,7 +162,10 @@ make_efiboot() { cp ${work_dir}/iso/${install_dir}/boot/x86_64/archiso.img ${work_dir}/efiboot/EFI/archiso/archiso.img
mkdir -p ${work_dir}/efiboot/EFI/boot - cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/efiboot/EFI/boot/ + + cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/loader.efi
mkdir -p ${work_dir}/efiboot/loader/entries cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/efiboot/loader/ diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index aceb6cf..3b75077 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -1,3 +1,4 @@ grub-efi-x86_64 gummiboot +prebootloader refind-efi
http://www.youtube.com/watch?v=jZz3D68_8bo $ qemu-system-x86_64 -enable-kvm -m 1024 -bios ~/arch/OVMF/bios.bin -drive file=fat:rw:~/arch/EFI -drive file=/tmp/releng/out/archlinux-2013.06.19-dual.iso,media=cdrom $ ls -l ~/arch/OVMF/ ~/arch/EFI/EFI/ /home/djgera/arch/EFI/EFI/: total 64 -rw-r--r-- 1 djgera djgera 65156 Jun 20 00:20 LockDown_ms.efi /home/djgera/arch/OVMF/: total 1024 -rw-r--r-- 1 djgera djgera 1048576 Jun 19 21:06 bios.bin OVMF build from: https://bitbucket.org/the_ridikulus_rat/ovmf-tianocore-edk2-pkgbuild/src PS: looks like newer versions of OVMF/QEMU works fine with kvm enabled :) -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On 06/20/2013 01:02 AM, Gerardo Exequiel Pozzi wrote:
On 06/19/2013 08:41 PM, Gerardo Exequiel Pozzi wrote:
Tested only under QEMU using OVMF SecureBoot enabled firmware plus lockdown-ms.
Both loader.efi (gummiboot) and vmlinuz.efi should be hashed before boot in secure mode.
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/build.sh | 10 ++++++++-- configs/releng/packages.x86_64 | 1 + 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/configs/releng/build.sh b/configs/releng/build.sh index 6e9e2f8..bec9a42 100755 --- a/configs/releng/build.sh +++ b/configs/releng/build.sh @@ -128,7 +128,10 @@ make_isolinux() { # Prepare /EFI make_efi() { mkdir -p ${work_dir}/iso/EFI/boot - cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/iso/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/iso/EFI/boot/ + + cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/loader.efi
mkdir -p ${work_dir}/iso/loader/entries cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/iso/loader/ @@ -159,7 +162,10 @@ make_efiboot() { cp ${work_dir}/iso/${install_dir}/boot/x86_64/archiso.img ${work_dir}/efiboot/EFI/archiso/archiso.img
mkdir -p ${work_dir}/efiboot/EFI/boot - cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi + cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/efiboot/EFI/boot/ + + cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/loader.efi
mkdir -p ${work_dir}/efiboot/loader/entries cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/efiboot/loader/ diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index aceb6cf..3b75077 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -1,3 +1,4 @@ grub-efi-x86_64 gummiboot +prebootloader refind-efi
http://www.youtube.com/watch?v=jZz3D68_8bo
$ qemu-system-x86_64 -enable-kvm -m 1024 -bios ~/arch/OVMF/bios.bin -drive file=fat:rw:~/arch/EFI -drive file=/tmp/releng/out/archlinux-2013.06.19-dual.iso,media=cdrom
$ ls -l ~/arch/OVMF/ ~/arch/EFI/EFI/ /home/djgera/arch/EFI/EFI/: total 64 -rw-r--r-- 1 djgera djgera 65156 Jun 20 00:20 LockDown_ms.efi
/home/djgera/arch/OVMF/: total 1024 -rw-r--r-- 1 djgera djgera 1048576 Jun 19 21:06 bios.bin
OVMF build from: https://bitbucket.org/the_ridikulus_rat/ovmf-tianocore-edk2-pkgbuild/src
PS: looks like newer versions of OVMF/QEMU work fine with kvm enabled :)
Perfect! I also tested on a friend's real hardware (Sony Vaio SVT13132CXS), and it works fine :) -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1