author: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> 2019-08-05 18:18:23 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-08-12 16:23:57 +0100
commit: 9b90717e9102a31dd8b99b16d62cd644091fd57e
tree: d2ec7b9abd1542350e672e02efbc860563157614 /scripts/lnr
parent: c7fb87ee6fb9cc4c6ed8bf93978445a0794e40aa
runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate
The EnrollDefaultKeys.efi application (distributed in ovmf-shell-image) expects the hypervisor to provide a Platform Key and first Key Exchange Key certificate. For QEMU, this is done by adding an OEM string in the Type 11 SMBIOS table. The string contains the EnrollDefaultKeys application GUID followed by the certificate string. For now, the string is passed in the command line until QEMU understands OEM strings from regular files (please see https://bugs.launchpad.net/qemu/+bug/1826200).

If runqemu detects it is given an OVMF binary with support for Secure Boot (i.e., ovmf.secboot* binaries), extract the certificate string from the OvmfPkKek1.pem certificate and modify the command-line parameters to provide the key. Such certificate is created when building OVMF with support for Secure Boot.

Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
(From OE-Core rev: 5e47316ae62f7632fb62bc3b8093ac42f9e3541c)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'scripts/lnr')
0 files changed, 0 insertions, 0 deletions
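The step the commit message describes, as an added example that is not code from this commit or from runqemu: take the base64 body of a PEM certificate, check it, and build the QEMU `-smbios type=11` OEM string from a GUID and that body. The function names, the all-zero placeholder GUID, the `:` separator between GUID and certificate, and the sample PEM (constructed bytes, not a real certificate) are assumptions.

```python
import base64
import re
import uuid

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def cert_string_from_pem(pem_text):
    """Return the base64 body of the single certificate in pem_text, on one line."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(blocks))
    body = "".join(blocks[0].split())            # drop the PEM line breaks
    der = base64.b64decode(body, validate=True)  # rejects non-base64 characters
    if not der or der[0] != 0x30:                # a DER certificate starts with SEQUENCE
        raise ValueError("payload is not a DER SEQUENCE")
    return body

def smbios_oem_args(app_guid, pem_text):
    """Build the QEMU arguments carrying '<GUID>:<certificate string>'."""
    guid = str(uuid.UUID(app_guid))              # ValueError on a malformed GUID
    # Assumption: ':' joins GUID and certificate; the page only says "followed by".
    return ["-smbios", "type=11,value=%s:%s" % (guid, cert_string_from_pem(pem_text))]

def make_sample_pem():
    """Constructed stand-in: DER-looking bytes, not a real certificate."""
    fake_der = b"\x30\x82\x00\x60" + bytes(range(96))
    b64 = base64.encodebytes(fake_der).decode().strip()   # wrapped at 76 columns
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Placeholder only: this is not the EnrollDefaultKeys application GUID.
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    print(" ".join(smbios_oem_args(PLACEHOLDER_GUID, make_sample_pem())))
```

Rejecting a file with zero or several certificate blocks keeps a concatenated bundle or an empty file from silently becoming the enrolled PK/KEK1 value.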