1 files changed, 32 insertions, 0 deletions
diff --git a/scripts/runqemu b/scripts/runqemu
index 9d6a2e86d4..df3c8aad08 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -148,6 +148,10 @@ class BaseConfig(object):
        # Setting one also adds "-vga std" because that is all that
        # OVMF supports.
        self.ovmf_bios = []
+        # When enrolling default Secure Boot keys, the hypervisor
+        # must provide the Platform Key and the first Key Exchange Key
+        # certificate in the Type 11 SMBIOS table.
+        self.ovmf_secboot_pkkek1 = ''
        self.qemuboot = ''
        self.qbconfload = False
        self.kernel = ''
@@ -638,6 +642,23 @@ class BaseConfig(object):
        if not os.path.exists(self.rootfs):
            raise RunQemuError("Can't find rootfs: %s" % self.rootfs)
+    def setup_pkkek1(self):
+        """
+        Extract from PEM certificate the Platform Key and first Key
+        Exchange Key certificate string. The hypervisor needs to provide
+        it in the Type 11 SMBIOS table
+        """
+        pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
+        try:
+            with open(pemcert, 'r') as pemfile:
+                key = pemfile.read().replace('\n', ''). \
+                      replace('-----BEGIN CERTIFICATE-----', ''). \
+                      replace('-----END CERTIFICATE-----', '')
+                self.ovmf_secboot_pkkek1 = key
+        except FileNotFoundError:
+            raise RunQemuError("Can't open PEM certificate %s " % pemcert)
    def check_ovmf(self):
        """Check and set full path for OVMF firmware and variable file(s)."""
@@ -648,6 +669,8 @@ class BaseConfig(object):
                path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
                if os.path.exists(path):
                    self.ovmf_bios[index] = path
+                    if ovmf.endswith('secboot'):
+                        self.setup_pkkek1()
                    break
            else:
                raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)
@@ -914,6 +937,8 @@ class BaseConfig(object):
            print('ROOTFS: [%s]' % self.rootfs)
        if self.ovmf_bios:
            print('OVMF: %s' % self.ovmf_bios)
+        if (self.ovmf_secboot_pkkek1):
+            print('SECBOOT PKKEK1: [%s...]' % self.ovmf_secboot_pkkek1[0:100])
        print('CONFFILE: [%s]' % self.qemuboot)
        print('')
@@ -1262,6 +1287,13 @@ class BaseConfig(object):
        self.qemu_opt += ' ' + self.qemu_opt_script
+        if self.ovmf_secboot_pkkek1:
+                        # Provide the Platform Key and first Key Exchange Key certificate as an
+                        # OEM string in the SMBIOS Type 11 table. Prepend the certificate string
+                        # with "application prefix" of the EnrollDefaultKeys.efi application
+            self.qemu_opt += ' -smbios type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:' \
+                             + self.ovmf_secboot_pkkek1
        # Append qemuparams to override previous settings
        if self.qemuparams:
            self.qemu_opt += ' ' + self.qemuparams

diff --git a/scripts/runqemu b/scripts/runqemu index 9d6a2e86d4..df3c8aad08 100755 --- a/scripts/runqemu +++ b/scripts/runqemu
@@ -148,6 +148,10 @@ class BaseConfig(object):
148	# Setting one also adds "-vga std" because that is all that	148	# Setting one also adds "-vga std" because that is all that
149	# OVMF supports.	149	# OVMF supports.
150	self.ovmf_bios = []	150	self.ovmf_bios = []
		151	# When enrolling default Secure Boot keys, the hypervisor
		152	# must provide the Platform Key and the first Key Exchange Key
		153	# certificate in the Type 11 SMBIOS table.
		154	self.ovmf_secboot_pkkek1 = ''
151	self.qemuboot = ''	155	self.qemuboot = ''
152	self.qbconfload = False	156	self.qbconfload = False
153	self.kernel = ''	157	self.kernel = ''
@@ -638,6 +642,23 @@ class BaseConfig(object):
638	if not os.path.exists(self.rootfs):	642	if not os.path.exists(self.rootfs):
639	raise RunQemuError("Can't find rootfs: %s" % self.rootfs)	643	raise RunQemuError("Can't find rootfs: %s" % self.rootfs)
640		644
		645	def setup_pkkek1(self):
		646	"""
		647	Extract from PEM certificate the Platform Key and first Key
		648	Exchange Key certificate string. The hypervisor needs to provide
		649	it in the Type 11 SMBIOS table
		650	"""
		651	pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
		652	try:
		653	with open(pemcert, 'r') as pemfile:
		654	key = pemfile.read().replace('\n', ''). \
		655	replace('-----BEGIN CERTIFICATE-----', ''). \
		656	replace('-----END CERTIFICATE-----', '')
		657	self.ovmf_secboot_pkkek1 = key
		658
		659	except FileNotFoundError:
		660	raise RunQemuError("Can't open PEM certificate %s " % pemcert)
		661
641	def check_ovmf(self):	662	def check_ovmf(self):
642	"""Check and set full path for OVMF firmware and variable file(s)."""	663	"""Check and set full path for OVMF firmware and variable file(s)."""
643		664
@@ -648,6 +669,8 @@ class BaseConfig(object):
648	path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)	669	path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
649	if os.path.exists(path):	670	if os.path.exists(path):
650	self.ovmf_bios[index] = path	671	self.ovmf_bios[index] = path
		672	if ovmf.endswith('secboot'):
		673	self.setup_pkkek1()
651	break	674	break
652	else:	675	else:
653	raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)	676	raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)
@@ -914,6 +937,8 @@ class BaseConfig(object):
914	print('ROOTFS: [%s]' % self.rootfs)	937	print('ROOTFS: [%s]' % self.rootfs)
915	if self.ovmf_bios:	938	if self.ovmf_bios:
916	print('OVMF: %s' % self.ovmf_bios)	939	print('OVMF: %s' % self.ovmf_bios)
		940	if (self.ovmf_secboot_pkkek1):
		941	print('SECBOOT PKKEK1: [%s...]' % self.ovmf_secboot_pkkek1[0:100])
917	print('CONFFILE: [%s]' % self.qemuboot)	942	print('CONFFILE: [%s]' % self.qemuboot)
918	print('')	943	print('')
919		944
@@ -1262,6 +1287,13 @@ class BaseConfig(object):
1262		1287
1263	self.qemu_opt += ' ' + self.qemu_opt_script	1288	self.qemu_opt += ' ' + self.qemu_opt_script
1264		1289
		1290	if self.ovmf_secboot_pkkek1:
		1291	# Provide the Platform Key and first Key Exchange Key certificate as an
		1292	# OEM string in the SMBIOS Type 11 table. Prepend the certificate string
		1293	# with "application prefix" of the EnrollDefaultKeys.efi application
		1294	self.qemu_opt += ' -smbios type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:' \
		1295	+ self.ovmf_secboot_pkkek1
		1296
1265	# Append qemuparams to override previous settings	1297	# Append qemuparams to override previous settings
1266	if self.qemuparams:	1298	if self.qemuparams:
1267	self.qemu_opt += ' ' + self.qemuparams	1299	self.qemu_opt += ' ' + self.qemuparams