* Re: UEFI Secure boot using qemu-kvm
@ 2012-06-28 10:01 joeyli
  2012-06-28 10:22 ` James Bottomley
       [not found] ` <CAGLnvc-hLpUZaaOkeWMRtYefwL5goxuWP_99FyAzem7s_mncPg@mail.gmail.com>
  0 siblings, 2 replies; 8+ messages in thread
From: joeyli @ 2012-06-28 10:01 UTC (permalink / raw)
  To: JBottomley; +Cc: linux-kernel

Hi James, 

On Wed, Jun 27, 2012 at 06:34:05PM +0100, James Bottomley wrote:

> The purpose of this email is to widen the pool of people who are playing
> with UEFI Secure boot.  The Linux Foundation Technical Advisory Board
> have been looking into this because it turns out to be rather difficult
> to lay your hands on real UEFI Secure Boot enabled hardware.
 

I am following your approach to reproduce your UEFI environment with
qemu-kvm. After running qemu-system-x86_64, the kvm launched and went to
the UEFI shell successfully. So far so good!

But I have a problem: the keyboard layout is not a US keyboard, so I
need to build a mapping table for reference when keying in any letter:

[		e
/		x
s		i
enter		t
down		enter
page up		down
...


Did you meet this issue on your side? 


Thanks a lot!
Joey Lee


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: UEFI Secure boot using qemu-kvm
  2012-06-28 10:01 UEFI Secure boot using qemu-kvm joeyli
@ 2012-06-28 10:22 ` James Bottomley
  2012-06-28 10:49   ` joeyli
       [not found] ` <CAGLnvc-hLpUZaaOkeWMRtYefwL5goxuWP_99FyAzem7s_mncPg@mail.gmail.com>
  1 sibling, 1 reply; 8+ messages in thread
From: James Bottomley @ 2012-06-28 10:22 UTC (permalink / raw)
  To: joeyli, JBottomley; +Cc: linux-kernel



joeyli <jlee@suse.com> wrote:

>Hi James, 
>
>On Wed, Jun 27, 2012 at 06:34:05PM +0100, James Bottomley wrote:
>
>> The purpose of this email is to widen the pool of people who are playing
>> with UEFI Secure boot.  The Linux Foundation Technical Advisory Board
>> have been looking into this because it turns out to be rather difficult
>> to lay your hands on real UEFI Secure Boot enabled hardware.
> 
>
>I am following your approach to reproduce your UEFI environment with
>qemu-kvm. After running qemu-system-x86_64, the kvm launched and went to
>the UEFI shell successfully. So far so good!
>
>But I have a problem: the keyboard layout is not a US keyboard, so I
>need to build a mapping table for reference when keying in any letter:
>
>[		e
>/		x
>s		i
>enter		t
>down		enter
>page up		down
>...
>
>
>Did you meet this issue on your side? 

Well no. I've got a US keyboard. You probably need the keymap directory from qemu-kvm. 

The best thing is probably to copy all the qemu files to a new directory and then copy in the qemu-ovmf ones (assuming standard qemu-kvm works for you).

James
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Fwd: UEFI Secure boot using qemu-kvm
       [not found] ` <CAGLnvc-hLpUZaaOkeWMRtYefwL5goxuWP_99FyAzem7s_mncPg@mail.gmail.com>
@ 2012-06-28 10:24   ` joeyli
  2012-06-30 16:21     ` joeyli
  0 siblings, 1 reply; 8+ messages in thread
From: joeyli @ 2012-06-28 10:24 UTC (permalink / raw)
  To: JBottomley; +Cc: linux-kernel

Hi James, 

On Thu, 2012-06-28 at 18:11 +0800, lee joey wrote:
> 
> 
> ---------- Forwarded message ----------
> From: joeyli <jlee@suse.com>
> Date: 2012/6/28
> Subject: Re: UEFI Secure boot using qemu-kvm
> To: JBottomley@parallels.com
> Cc: linux-kernel@vger.kernel.org
> 
> 
> Hi James,
> 
> On Wed, Jun 27, 2012 at 06:34:05PM +0100, James Bottomley wrote:
> 
> > The purpose of this email is to widen the pool of people who are playing
> > with UEFI Secure boot.  The Linux Foundation Technical Advisory Board
> > have been looking into this because it turns out to be rather difficult
> > to lay your hands on real UEFI Secure Boot enabled hardware.
> 
> 
> I am following your approach to reproduce your UEFI environment with
> qemu-kvm. After running qemu-system-x86_64, the kvm launched and went to
> the UEFI shell successfully. So far so good!
> 
> But I have a problem: the keyboard layout is not a US keyboard, so I
> need to build a mapping table for reference when keying in any letter:
> 
> [               e
> /               x
> s               i
> enter           t
> down            enter
> page up         down
> ...
> 
> 
> Did you meet this issue on your side?
> 

I just found that this issue only happens when I use ssh to connect to
the machine where the environment is set up and then run qemu-kvm.

When launching qemu-kvm directly on the machine, there is no keyboard
layout problem. Not sure whether this problem depends on qemu or the UEFI
image.


Thanks a lot!
Joey Lee



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: UEFI Secure boot using qemu-kvm
  2012-06-28 10:22 ` James Bottomley
@ 2012-06-28 10:49   ` joeyli
  0 siblings, 0 replies; 8+ messages in thread
From: joeyli @ 2012-06-28 10:49 UTC (permalink / raw)
  To: James Bottomley; +Cc: linux-kernel

On Thu, 2012-06-28 at 11:22 +0100, James Bottomley wrote:
> 
> joeyli <jlee@suse.com> wrote:
> 
> >Hi James, 
> >
> >On Wed, Jun 27, 2012 at 06:34:05PM +0100, James Bottomley wrote:
> >
> >> The purpose of this email is to widen the pool of people who are playing
> >> with UEFI Secure boot.  The Linux Foundation Technical Advisory Board
> >> have been looking into this because it turns out to be rather difficult
> >> to lay your hands on real UEFI Secure Boot enabled hardware.
> > 
> >
> >I am following your approach to reproduce your UEFI environment with
> >qemu-kvm. After running qemu-system-x86_64, the kvm launched and went to
> >the UEFI shell successfully. So far so good!
> >
> >But I have a problem: the keyboard layout is not a US keyboard, so I
> >need to build a mapping table for reference when keying in any letter:
> >
> >[		e
> >/		x
> >s		i
> >enter		t
> >down		enter
> >page up		down
> >...
> >
> >
> >Did you meet this issue on your side? 
> 
> Well no. I've got a US keyboard. You probably need the keymap directory from qemu-kvm. 
> 
> The best thing is probably to copy all the qemu files to a new directory and then copy in the qemu-ovmf ones (assuming standard qemu-kvm works for you).
> 
> James

Yes, I just found that the problem happens when using SSH to log in to
the machine that has qemu-kvm and launching it with the UEFI shell.
If I launch kvm directly on the machine, everything is OK!

I have already imported your PK.cer and KEK.cer and run
HelloWorld.efi/HelloWorld-signed.efi to verify that secure boot succeeds.

When running the non-signed file, the shell shows:
	Error reported: Access Denied

Thanks a lot for your document and RPMs on OBS; they are really useful to
me for verifying secure boot.


Regards
Joey Lee 



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Fwd: UEFI Secure boot using qemu-kvm
  2012-06-28 10:24   ` Fwd: " joeyli
@ 2012-06-30 16:21     ` joeyli
  2012-07-12 22:17       ` Khalid Aziz
  0 siblings, 1 reply; 8+ messages in thread
From: joeyli @ 2012-06-30 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: JBottomley

On Thu, 2012-06-28 at 18:24 +0800, joeyli wrote:
> Hi James, 
> 
> On Thu, 2012-06-28 at 18:11 +0800, lee joey wrote:
> > 
> > 
> > ---------- Forwarded message ----------
> > From: joeyli <jlee@suse.com>
> > Date: 2012/6/28
> > Subject: Re: UEFI Secure boot using qemu-kvm
> > To: JBottomley@parallels.com
> > Cc: linux-kernel@vger.kernel.org
> > 
> > 
> > Hi James,
> > 
> > On Wed, Jun 27, 2012 at 06:34:05PM +0100, James Bottomley wrote:
> > 
> > > The purpose of this email is to widen the pool of people who are playing
> > > with UEFI Secure boot.  The Linux Foundation Technical Advisory Board
> > > have been looking into this because it turns out to be rather difficult
> > > to lay your hands on real UEFI Secure Boot enabled hardware.
> > 
> > 
> > I am following your approach to reproduce your UEFI environment with
> > qemu-kvm. After running qemu-system-x86_64, the kvm launched and went to
> > the UEFI shell successfully. So far so good!
> > 
> > But I have a problem: the keyboard layout is not a US keyboard, so I
> > need to build a mapping table for reference when keying in any letter:
> > 
> > [               e
> > /               x
> > s               i
> > enter           t
> > down            enter
> > page up         down
> > ...
> > 
> > 
> > Did you meet this issue on your side?
> > 
> 
> I just found that this issue only happens when I use ssh to connect to
> the machine where the environment is set up and then run qemu-kvm.
> 
> When launching qemu-kvm directly on the machine, there is no keyboard
> layout problem. Not sure whether this problem depends on qemu or the UEFI
> image.
> 
> 
> Thanks a lot!
> Joey Lee
> 

Based on James's approach, I wrote a wiki page that has the steps and screenshots:
	http://en.opensuse.org/KVM/UEFI_Secure_boot_using_qemu-kvm


Thanks
Joey Lee


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Fwd: UEFI Secure boot using qemu-kvm
  2012-06-30 16:21     ` joeyli
@ 2012-07-12 22:17       ` Khalid Aziz
  2012-07-19  9:41         ` James Bottomley
  0 siblings, 1 reply; 8+ messages in thread
From: Khalid Aziz @ 2012-07-12 22:17 UTC (permalink / raw)
  To: joeyli; +Cc: linux-kernel, JBottomley, linux-efi

I tried to follow the steps Joey had written down (Thanks for doing
that!) on Ubuntu 12.04 and ran into some problems. Here is what I had to
do differently to get it to work:

- Install libssl-dev

- Use "sudo alien --to-deb sbsigntools-0.3-1.1.x86_64.rpm" to convert
sbsigntools package and "dpkg -i" the resulting deb package

- Before building efitools, edit Make.rules and replace "/usr/lib64"
with "/usr/lib"

- Run "make PK.h DB.h KEK.h" followed by "make". Make will fail to build
Loader.so with error being __stack_chk_fail is undefined. Ubuntu's
version of gcc enables stack check by default and adding
-fno-stack-protector to CFLAGS did not help. I haven't figured this one
out yet but Helloworld.efi builds correctly.

- Run "make HelloWorld-kek-signed.efi" to build signed version of hello
world.

- At this point I could fire up qemu and run the signed and unsigned
versions of hello world (HelloWorld-kek-signed.efi and HelloWorld.efi)
with secure boot disabled and enabled after importing PK and KEK as Joey
showed in his instructions.

Hope this helps someone who is trying this on Ubuntu. Now on to figuring
out how to build Loader.efi.

-- 
Khalid Aziz <khalid.aziz@hp.com>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Fwd: UEFI Secure boot using qemu-kvm
  2012-07-12 22:17       ` Khalid Aziz
@ 2012-07-19  9:41         ` James Bottomley
  2012-07-19 15:55           ` Khalid Aziz
  0 siblings, 1 reply; 8+ messages in thread
From: James Bottomley @ 2012-07-19  9:41 UTC (permalink / raw)
  To: Khalid Aziz; +Cc: joeyli, linux-kernel, linux-efi

On Thu, 2012-07-12 at 16:17 -0600, Khalid Aziz wrote:
> I tried to follow the steps Joey had written down (Thanks for doing
> that!) on Ubuntu 12.04 and ran into some problems. Here is what I had to
> do differently to get it to work:
> 
> - Install libssl-dev
> 
> - Use "sudo alien --to-deb sbsigntools-0.3-1.1.x86_64.rpm" to convert
> sbsigntools package and "dpkg -i" the resulting deb package
> 
> - Before building efitools, edit Make.rules and replace "/usr/lib64"
> with "/usr/lib"
> 
> - Run "make PK.h DB.h KEK.h" followed by "make". Make will fail to build
> Loader.so with error being __stack_chk_fail is undefined. Ubuntu's
> version of gcc enables stack check by default and adding
> -fno-stack-protector to CFLAGS did not help. I haven't figured this one
> out yet but Helloworld.efi builds correctly.

Actually, I just ran into this too.  Apparently libefi.a needs to be
built with -fno-stack-protector ... at least that's where the problem is
coming from in my environment.  I don't have an ubuntu system to check,
but to verify this is your issue, try:

nm -D /usr/lib/libefi.a | grep __stack_chk_fail

(or whatever your path is to libefi.a) ... probably you should also
check libgnuefi.a, although this one is clear in my setup.

James








^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Fwd: UEFI Secure boot using qemu-kvm
  2012-07-19  9:41         ` James Bottomley
@ 2012-07-19 15:55           ` Khalid Aziz
  0 siblings, 0 replies; 8+ messages in thread
From: Khalid Aziz @ 2012-07-19 15:55 UTC (permalink / raw)
  To: James Bottomley; +Cc: joeyli, linux-kernel, linux-efi

On Thu, 2012-07-19 at 10:41 +0100, James Bottomley wrote:
> Actually, I just ran into this too.  Apparently libefi.a needs to be
> built with -fno-stack-protector ... at least that's where the problem is
> coming from in my environment.  I don't have an ubuntu system to check,
> but to verify this is your issue, try:
> 
> nm -D /usr/lib/libefi.a | grep __stack_chk_fail
> 
> (or whatever your path is to libefi.a) ... probably you should also
> check libgnuefi.a, although this one is clear in my setup.

On Ubuntu, it is coming from lib/lib.a. It so happens that "make clean"
does not descend into lib/ and remove *.o and lib.a. So, I added
"-fno-stack-protector" to top level Makefile, ran "make clean" followed
by make and it didn't help because I continued to use the old lib.a.
Now that I have realized it, I added "(cd lib; rm -f *.o lib.a)" to the
clean target in toplevel Makefile and ran a "make clean". After this
lib/Makefile inherited -fno-stack-protector in CFLAGS from Make.rules
and everything builds correctly now. 

-- 
Khalid Aziz <khalid.aziz@hp.com>


^ permalink raw reply	[flat|nested] 8+ messages in thread
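
The symbol check James suggests and the stale lib/lib.a that Khalid tracked down, as an added example that is not part of the thread or of efitools: a shell gate that lists archive members still referencing `__stack_chk_fail`. It calls plain `nm -A`, since the relocatable objects in a static archive carry a regular symbol table rather than a dynamic one; the sample `nm` output and its symbol names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or efitools): list archive members that
# still reference the stack-protector runtime symbol __stack_chk_fail.

# filter_stack_chk: read `nm -A` output on stdin and print "archive:member"
# for every undefined (type U) reference to __stack_chk_fail*.
filter_stack_chk() {
    awk 'NF >= 3 && $(NF-1) == "U" && $NF ~ /^__stack_chk_fail/ {
             sub(/:$/, "", $1)    # strip the ":" that follows the member name
             print $1
         }' | sort -u
}

# scan_archives FILE...: run nm over each archive or object file.
# Prints the offending members and returns 1 if any exist, else returns 0.
scan_archives() {
    hits=$(for f in "$@"; do nm -A "$f" 2>/dev/null; done | filter_stack_chk)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample of `nm -A lib/lib.a` output; member and symbol names
# other than __stack_chk_fail are made up for illustration.
SAMPLE_NM='lib/lib.a:console.o:0000000000000000 T console_print
lib/lib.a:console.o:                 U __stack_chk_fail
lib/lib.a:guid.o:0000000000000000 D SAMPLE_GUID
lib/lib.a:variables.o:                 U __stack_chk_fail
lib/lib.a:variables.o:                 U memcpy'

# With arguments, act as a build gate: non-zero exit means a stale or
# stack-protected object is still in one of the archives.
if [ "$#" -gt 0 ]; then
    scan_archives "$@"
fi
```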
