About

This is a Vagrant Environment for setting up the OVMF UEFI EDK2 environment to play with UEFI Secure Boot using sbctl (Secure Boot key manager).

Usage (in Ubuntu 22.04)

Install the base Ubuntu 22.04 UEFI box.

Start the environment:

# NB in my machine this takes ~30m to complete.
time vagrant up --provider=libvirt --no-destroy-on-error --no-tty

Start ovmf/linux/u-boot in a test vm:

cd tmp
./run.sh

Verify that the platform is in Setup Mode:

sbctl status

It must output:

Installed:    ✗ sbctl is not installed
Setup Mode:   ✗ Enabled
Secure Boot:  ✗ Disabled
Vendor Keys:  none

Create our own Platform Key (PK), Key Exchange Key (KEK), and Code Signing CAs:

sbctl create-keys

It should something alike:

Created Owner UUID 5c839e31-20eb-42a6-906b-824ab404e0dd
Creating secure boot keys...✓ 
Secure boot keys created!

In more detail, this created all these files:

# find -type f /usr/share/secureboot/keys
/usr/share/secureboot/keys/KEK/KEK.key
/usr/share/secureboot/keys/KEK/KEK.pem
/usr/share/secureboot/keys/PK/PK.key
/usr/share/secureboot/keys/PK/PK.pem
/usr/share/secureboot/keys/db/db.key
/usr/share/secureboot/keys/db/db.pem

Enroll the keys with the firmware:

# NB this should be equivalent of using sbkeysync to write the EFI variables as:
#       sbkeysync --pk --verbose --keystore /usr/share/secureboot/keys
# see https://github.com/Foxboron/sbctl/blob/fda4f2c1efd801cd04fb52923afcdb34baa42369/keys.go#L114-L115
sbctl enroll-keys --yes-this-might-brick-my-machine

It should display something alike:

Enrolling keys to EFI variables...✓ 
Enrolled keys to the EFI variables!

Verify that the platform is now out of Setup Mode:

sbctl status

It should output something alike:

Installed:    ✓ sbctl is installed
Owner GUID:   88f1e363-3f8e-4f73-9a86-57a2dcb1a285
Setup Mode:   ✓ Disabled
Secure Boot:  ✗ Disabled
Vendor Keys:  none

Sign the linux efi application:

sbctl sign /boot/efi/linux

It should output something alike:

✓ Signed /boot/efi/linux

Analyze the linux efi application:

efianalyze signed-image /boot/efi/linux

It should output something alike:

Data Directory Header:
	Virtual Address: 0xa1e8a0
	Size in bytes: 2192
Certificate Type: WIN_CERT_TYPE_PKCS_SIGNED_DATA
	Issuer Name: CN=Database Key,C=Database Key
	Serial Number: 48816627373166678216378579258444048592

Reboot the system:

umount /boot/efi
shutdown -r

After boot, verify that the platform is now in Secure Boot mode:

sbctl status

It must output:

Installed:    ✓ sbctl is installed
Owner GUID:   88f1e363-3f8e-4f73-9a86-57a2dcb1a285
Setup Mode:   ✓ Disabled
Secure Boot:  ✓ Enabled
Vendor Keys:  none

Test loading a kernel module:

insmod /modules/configs.ko

It must not return any output nor error.

And that's pretty much how you test drive Secure Boot in OVMF.

QEMU VM device tree

You can see all the qemu devices status by running the following command in another shell:

cd tmp
echo info qtree | ./qmp-shell -H ./test/amd64.socket

Reference

• Unified Extensible Firmware Interface (UEFI).
• UEFI Forum.
• EDK II (aka edk2): UEFI Reference Implementation .
• EDK II bcfg boot dump source code.
• UefiToolsPkg set of UEFI tools.
  • These are useful on their own and as C source based UEFI application examples.
• sbctl (Secure Boot key manager).