[arch-releng] [PATCH] [configs/releng] Add SecureBoot support via prebootloader

Gerardo Exequiel Pozzi vmlinuz386 at yahoo.com.ar
Thu Jun 27 23:04:40 EDT 2013


On 06/20/2013 01:02 AM, Gerardo Exequiel Pozzi wrote:
> On 06/19/2013 08:41 PM, Gerardo Exequiel Pozzi wrote:
>> Tested only under QEMU using OVMF SecureBoot enabled firmware plus lockdown-ms.
>>
>> Both loader.efi (gummiboot) and vmlinuz.efi should be hashed before boot in secure mode.
>>
>> Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386 at yahoo.com.ar>
>> ---
>>  configs/releng/build.sh        | 10 ++++++++--
>>  configs/releng/packages.x86_64 |  1 +
>>  2 files changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/configs/releng/build.sh b/configs/releng/build.sh
>> index 6e9e2f8..bec9a42 100755
>> --- a/configs/releng/build.sh
>> +++ b/configs/releng/build.sh
>> @@ -128,7 +128,10 @@ make_isolinux() {
>>  # Prepare /EFI
>>  make_efi() {
>>      mkdir -p ${work_dir}/iso/EFI/boot
>> -    cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/bootx64.efi
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/iso/EFI/boot/bootx64.efi
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/iso/EFI/boot/
>> +
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/iso/EFI/boot/loader.efi
>>  
>>      mkdir -p ${work_dir}/iso/loader/entries
>>      cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/iso/loader/
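Review bot: the three added cp lines in make_efi() carry no comment explaining why bootx64.efi is now PreLoader.efi while gummibootx64.efi is installed under the new name loader.efi. The only rationale is in the commit message, which also names vmlinuz.efi as something that must be hashed, yet nothing in this hunk touches or mentions it. Add a short comment above the block saying that PreLoader.efi takes the default boot path, that HashTool.efi is shipped beside it so hashes can be enrolled, and that loader.efi and vmlinuz.efi are the binaries to enroll, so a later cleanup does not rename or drop one of the three files.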
>> @@ -159,7 +162,10 @@ make_efiboot() {
>>      cp ${work_dir}/iso/${install_dir}/boot/x86_64/archiso.img ${work_dir}/efiboot/EFI/archiso/archiso.img
>>  
>>      mkdir -p ${work_dir}/efiboot/EFI/boot
>> -    cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/PreLoader.efi ${work_dir}/efiboot/EFI/boot/bootx64.efi
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/prebootloader/HashTool.efi ${work_dir}/efiboot/EFI/boot/
>> +
>> +    cp ${work_dir}/x86_64/root-image/usr/lib/gummiboot/gummibootx64.efi ${work_dir}/efiboot/EFI/boot/loader.efi
>>  
>>      mkdir -p ${work_dir}/efiboot/loader/entries
>>      cp ${script_path}/efiboot/loader/loader.conf ${work_dir}/efiboot/loader/
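Review bot: the three cp lines added to make_efiboot() are a copy of the ones added to make_efi(), differing only in the destination prefix (efiboot/EFI/boot versus iso/EFI/boot). If one copy is changed later and the other is not, the ISO tree and the efiboot image will disagree about which binary sits at bootx64.efi, and one of the two boot paths will stop working under Secure Boot. Consider moving the PreLoader.efi, HashTool.efi and loader.efi copies into one helper that takes the destination directory and calling it from both functions.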
>> diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64
>> index aceb6cf..3b75077 100644
>> --- a/configs/releng/packages.x86_64
>> +++ b/configs/releng/packages.x86_64
>> @@ -1,3 +1,4 @@
>>  grub-efi-x86_64
>>  gummiboot
>> +prebootloader
>>  refind-efi
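Review bot: the added prebootloader entry is the only thing that makes the root-image/usr/lib/prebootloader/ paths used in build.sh exist, but that coupling is not recorded anywhere in the patch. State in the commit message that the package is listed here as the source of PreLoader.efi and HashTool.efi for make_efi() and make_efiboot(), so it is not later removed from packages.x86_64 as unused on the live system, which would break both cp blocks.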
>>
> 
> http://www.youtube.com/watch?v=jZz3D68_8bo
> 
> $ qemu-system-x86_64 -enable-kvm -m 1024 -bios ~/arch/OVMF/bios.bin
> -drive file=fat:rw:~/arch/EFI -drive
> file=/tmp/releng/out/archlinux-2013.06.19-dual.iso,media=cdrom
> 
> $ ls -l ~/arch/OVMF/ ~/arch/EFI/EFI/
> /home/djgera/arch/EFI/EFI/:
> total 64
> -rw-r--r-- 1 djgera djgera 65156 Jun 20 00:20 LockDown_ms.efi
> 
> /home/djgera/arch/OVMF/:
> total 1024
> -rw-r--r-- 1 djgera djgera 1048576 Jun 19 21:06 bios.bin
> 
> OVMF build from:
> https://bitbucket.org/the_ridikulus_rat/ovmf-tianocore-edk2-pkgbuild/src
> 
> 
> PS: looks like newer versions of OVMF/QEMU work fine with kvm enabled :)
> 

Perfect! I also tested on a friend's real hardware (Sony Vaio
SVT13132CXS), and it works fine :)


-- 
Gerardo Exequiel Pozzi
\cos^2\alpha + \sin^2\alpha = 1
