From e6f11389499e442ec86c78e9626378818c237476 Mon Sep 17 00:00:00 2001
From: Kroese
Date: Fri, 29 Dec 2023 21:12:26 +0100
Subject: [PATCH 1/3] fix: UEFI boot
---
src/boot.sh | 48 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/src/boot.sh b/src/boot.sh
index 83d03150..375d567f 100644
--- a/src/boot.sh
+++ b/src/boot.sh
@@ -1,34 +1,56 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
-OVMF="/usr/share/OVMF"
-
 # Docker environment variables
 : ${BOOT_MODE:='legacy'} # Boot mode
 case "${BOOT_MODE,,}" in
 uefi)
- VARS="$OVMF/OVMF_VARS_4M.fd"
- [ ! -f "$VARS" ] && error "UEFI vars file ($VARS) not found!" && exit 44
- [ ! -f "$STORAGE/uefi.vars" ] && cp "$VARS" "$STORAGE/uefi.vars"
- BOOT_OPTS="-bios $OVMF/OVMF_CODE_4M.fd"
- BOOT_OPTS="$BOOT_OPTS -drive file=$STORAGE/uefi.vars,if=pflash,format=raw"
+ ROM="OVMF_CODE_4M.fd"
+ VARS="OVMF_VARS_4M.fd"
 ;;
 secure)
- VARS="$OVMF/OVMF_VARS_4M.secboot.fd"
- [ ! -f "$VARS" ] && error "UEFI vars file ($VARS) not found!" && exit 44
- [ ! -f "$STORAGE/uefi.vars" ] && cp "$VARS" "$STORAGE/uefi.vars"
- BOOT_OPTS="-bios $OVMF/OVMF_CODE_4M.secboot.fd"
- BOOT_OPTS="$BOOT_OPTS -drive file=$STORAGE/uefi.vars,if=pflash,format=raw"
+ ROM="OVMF_CODE_4M.secboot.fd"
+ VARS="OVMF_VARS_4M.secboot.fd"
+ ;;
+ windows)
+ ROM="OVMF_CODE_4M.ms.fd"
+ VARS="OVMF_VARS_4M.ms.fd"
 ;;
 legacy)
 BOOT_OPTS=""
 ;;
 *)
- info "Unknown boot mode '${BOOT_MODE}', defaulting to 'legacy'"
 BOOT_OPTS=""
+ info "Unknown boot mode '${BOOT_MODE}', defaulting to 'legacy'"
+ BOOT_MODE="legacy"
 ;;
 esac
+if [[ "${BOOT_MODE,,}" != "legacy" ]]; then
+
+ BOOT_OPTS=""
+ OVMF="/usr/share/OVMF"
+ DEST="$STORAGE/${BOOT_MODE,,}"
+
+ if [ ! -f "$DEST.rom" ]; then
+ [ ! -f "$OVMF/$ROM" ] && error "UEFI boot file ($OVMF/$ROM) not found!" && exit 44
+ cp "$OVMF/$ROM" "$DEST.rom"
+ fi
+
+ if [ ! -f "$DEST.vars" ]; then
+ [ ! -f "$OVMF/$VARS" ] && error "UEFI vars file ($OVMF/$VARS) not found!" && exit 45
+ cp "$OVMF/$VARS" "$DEST.vars"
+ fi
+
+ if [[ "${BOOT_MODE,,}" != "uefi" ]]; then
+ BOOT_OPTS="$BOOT_OPTS -global driver=cfi.pflash01,property=secure,value=on"
+ fi
+
+ BOOT_OPTS="$BOOT_OPTS -drive file=$DEST.rom,if=pflash,unit=0,format=raw,readonly=on"
+ BOOT_OPTS="$BOOT_OPTS -drive file=$DEST.vars,if=pflash,unit=1,format=raw"
+
+fi
 return 0
From 011394331f60641acab94ed720323ac7e748e84f Mon Sep 17 00:00:00 2001
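Review bot: The OVMF code image is copied into `$STORAGE/<mode>.rom` once and never refreshed (the `if [ ! -f "$DEST.rom" ]` guard), so firmware fixes shipped by later OVMF package updates inside the image never reach an existing deployment, and the copy sits in the writable storage directory even though QEMU maps it `readonly=on`. If pinning code and vars to the same OVMF build is the intent, a comment above the guard saying so would help; otherwise drop the guard and copy unconditionally, or map the package file directly: `BOOT_OPTS="$BOOT_OPTS -drive file=$OVMF/$ROM,if=pflash,unit=0,format=raw,readonly=on"`. The same once-only logic reuses any pre-existing `$DEST.vars` — for `uefi` mode that is the `$STORAGE/uefi.vars` the previous layout created, while a `secure` deployment's old `uefi.vars` is silently orphaned — without checking its size against `$OVMF/$VARS` before it is attached as pflash unit 1; a size comparison, or at least a log line on reuse, would make a mismatch diagnosable. The `[ ! -f … ] && error … && exit 44` chains only reach `exit` if `error` returns zero, so `if ! [ -f "$OVMF/$ROM" ]; then error "…"; exit 44; fi` would be both clearer and independent of the helper's return status.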
From: Kroese
Date: Fri, 29 Dec 2023 21:15:02 +0100
Subject: [PATCH 2/3] fix: Secure boot
---
src/config.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config.sh b/src/config.sh
index 5a0c8fcc..22ed6890 100644
--- a/src/config.sh
+++ b/src/config.sh
@@ -6,7 +6,7 @@ SERIAL_OPTS="-serial mon:stdio"
 MON_OPTS="-monitor telnet:localhost:7100,server,nowait,nodelay"
 RAM_OPTS=$(echo "-m $RAM_SIZE" | sed 's/MB/M/g;s/GB/G/g;s/TB/T/g')
 CPU_OPTS="-cpu $CPU_MODEL -smp $CPU_CORES,sockets=1,dies=1,cores=$CPU_CORES,threads=1"
-MAC_OPTS="-machine type=q35,graphics=off,usb=off,dump-guest-core=off,hpet=off${KVM_OPTS}"
+MAC_OPTS="-machine type=q35${SECURE},graphics=off,usb=off,dump-guest-core=off,hpet=off${KVM_OPTS}"
 DEV_OPTS="-device virtio-balloon-pci,id=balloon0,bus=pcie.0,addr=0x4"
 DEV_OPTS="$DEV_OPTS -object rng-random,id=objrng0,filename=/dev/urandom"
 DEV_OPTS="$DEV_OPTS -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pcie.0,addr=0x1c"
From 08f7f7137cea51f5f03d763a28c43bc333ea5009 Mon Sep 17 00:00:00 2001
From: Kroese
Date: Fri, 29 Dec 2023 21:18:12 +0100
Subject: [PATCH 3/3] fix: Secure boot
---
src/boot.sh | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/boot.sh b/src/boot.sh
index 375d567f..a9b5a9ce 100644
--- a/src/boot.sh
+++ b/src/boot.sh
@@ -5,6 +5,9 @@ set -Eeuo pipefail
 : ${BOOT_MODE:='legacy'} # Boot mode
+SECURE=""
+BOOT_OPTS=""
+
 case "${BOOT_MODE,,}" in
 uefi)
 ROM="OVMF_CODE_4M.fd"
@@ -22,7 +25,6 @@ case "${BOOT_MODE,,}" in
 BOOT_OPTS=""
 ;;
 *)
- BOOT_OPTS=""
 info "Unknown boot mode '${BOOT_MODE}', defaulting to 'legacy'"
 BOOT_MODE="legacy"
 ;;
@@ -45,6 +47,7 @@ if [[ "${BOOT_MODE,,}" != "legacy" ]]; then
 fi
 if [[ "${BOOT_MODE,,}" != "uefi" ]]; then
+ SECURE=",smm=on"
 BOOT_OPTS="$BOOT_OPTS -global driver=cfi.pflash01,property=secure,value=on"
 fi
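Review bot: `${SECURE}` in the new `MAC_OPTS` line is read before any commit in this series defines it — `SECURE=""` only arrives in patch 3/3 — so at this point in history the script would abort with an unbound-variable error if config.sh runs under the same `set -u` that boot.sh uses (config.sh's own `set` line is outside the hunk), which breaks bisecting. Making the expansion tolerant keeps config.sh correct on its own regardless of ordering: `MAC_OPTS="-machine type=q35${SECURE:-},graphics=off,usb=off,dump-guest-core=off,hpet=off${KVM_OPTS}"`. A short comment naming what the variable carries, e.g. `# SECURE is set by boot.sh to ",smm=on" for Secure Boot modes`, would also save the next reader a grep.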
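Review bot: `SECURE=",smm=on"` and the `property=secure,value=on` line beneath it are only meaningful together — as I read QEMU's pflash option, `secure=on` restricts access to the flash to SMM code, so without `smm=on` the Secure Boot firmware could not update its variable store — yet nothing in the block records that dependency or that `SECURE` is consumed in config.sh. A comment above the `if`, such as `# Secure Boot modes: restrict vars-flash access to SMM; needs -machine smm=on (SECURE is used by config.sh)`, would keep the two from being changed independently. Selecting the modes with `!= "uefi"` is also implicit: today only `secure` and `windows` reach this branch because the `*)` arm now falls back to `legacy`, but any new non-uefi mode added to the `case` would silently inherit SMM and the secure flash, so `case "${BOOT_MODE,,}" in secure|windows) …` would make the intent explicit. The enclosing `if [[ … != "legacy" ]]` block starts outside the hunk.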