runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate - linux/poky.git

diff options

author	Ricardo Neri <ricardo.neri-calderon@linux.intel.com>	2019-08-05 18:18:23 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-08-12 16:23:57 +0100
commit	9b90717e9102a31dd8b99b16d62cd644091fd57e (patch)
tree	d2ec7b9abd1542350e672e02efbc860563157614 /scripts/lnr
parent	c7fb87ee6fb9cc4c6ed8bf93978445a0794e40aa (diff)
download	poky-9b90717e9102a31dd8b99b16d62cd644091fd57e.tar.gz

runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate

The EnrollDefaultKeys.efi application (distributed in ovmf-shell-image) expects the hypervisor to provide a Platform Key and first Key Exchange Key certificate. For QEMU, this is done by adding an OEM string in the Type 11 SMBIOS table. The string contains the EnrollDefaultKeys application GUID followed by the certificate string. For now, the string is passed in the command line until QEMU understands OEM strings from regular files (please see https://bugs.launchpad.net/qemu/+bug/1826200). If runqemu detects it is given an OVMF binary with support for Secure Boot (i.e., ovmf.secboot* binaries), extract the certificate string from the OvmfPkKek1.pem certificate and modify the command-line parameters to provide the key. Such certificate is created when building OVMF with support for Secure Boot. Cc: Ross Burton <ross.burton@intel.com> Cc: Patrick Ohly <patrick.ohly@intel.com> (From OE-Core rev: 5e47316ae62f7632fb62bc3b8093ac42f9e3541c) Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Diffstat (limited to 'scripts/lnr')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: