Giter Club home page Giter Club logo

uefi-dev's Introduction

QEMU UEFI Secure Boot Development Environment

Contact: [email protected] or [email protected]

This repository provides a UEFI Secure Boot development environment based on QEMU, OVMF, and the libtpms/swtpm TPM emulator. Links to all of these projects can be found below, but some Linux distributions may already provide packages for each of the projects.

The efitools tool suite is also used to create and package the UEFI Secure Boot variables for testing, but it is not part of the UEFI Secure Boot chain.

How The Development Environment Works

NOTE: this README is still a bit crude, but it should get you started.

The tools in this repo automate a number of tasks intended to make it easier for developers to test EFI applications in a virtual UEFI Secure Boot environment. Beyond simply running a QEMU instance with OVMF Secure Boot and emulated TPM support, the Makefiles in this repo also generate all of the necessary keys/certificates and configuration tools to configure the virtual environment for UEFI Secure Boot.

Normal usage is to simply run make qemu-esp or make qemu-full. In both cases a small disk is created with a single FAT filesystem that contains a tool, sb_setup.efi, which configures UEFI Secure Boot with random PK and KEK certificates and the Microsoft UEFI CA from 2011 loaded into the db variable. Additional certificates can be added to the db variable (see below), and any files placed in the "fs_esp/" directory will be copied to this FAT filesystem.

QEMU screenshot

The included Microsoft UEFI CA should be sufficient to install and run many stock Linux distributions that support UEFI Secure Boot. In order to install a Linux distribution you will need to create raw disk image in the project's base directory named "drive_qemu.img" and place a copy of the installer ISO in the project's base directory named "distro.iso". With these disk images in place you can run make qemu-full to start QEMU with the disk images attached.

In order to make it easier to transfer files to and from an installed Linux system, the "fs_virtfs/" directory is exported as a Plan 9 filesystem in the guest using the "virtfs0" mount tag.

Build time configuration can be found in the "make.conf" file in the project's base directory.

Adding UEFI Keys/Certificates

One of the primary reasons for this project is to make it easier to test UEFI Secure Boot applications such as bootloaders. This requires the ability to add arbitrary certificates to the UEFI db variable. In order to add new certificates to the UEFI db, simply copy the PEM encoded certificate and associated text file with the certificate's GUID into the "keys/DB-extra" directory. Both files should follow the "DB-xxx.{pem,guid}" naming convention. Multiple certificates can be added to the db variable by adding them to this directory.

Here is an example of adding a "DB-test" certificate to the "keys/DB-extra" directory:

% ls -l keys/DB-extra/DB-*
-rw-r--r-- 1 user users   37 Oct 19 13:24 DB-test.guid
-r--r--r-- 1 user users 1.7K Oct 19 13:24 DB-test.key
-r--r--r-- 1 user users 1.2K Oct 19 15:30 DB-test.pem
% cat keys/DB-extra/DB-test.guid
e5c4bc7b-9cc8-4df9-9420-c86e64a7b495

Once the certificates and GUID files have been placed in this directory, they will be included in any future sb_setup.efi builds. If you have already configured the virtual environment for secure boot, you may need to "reset" the system before you can load new certificates into the db. You can do this by deleting the "ovmf_vars.fd" file from the project's base directory, it will be recreated the next time you start QEMU.

Adding UEFI Test Applications

Any files, including UEFI applications, placed in the "fs_esp/" directory will be included in a dynamically generated FAT filesystem/disk created by QEMU at runtime.

Signing EFI binaries is beyond the scope of the tools presented here, but there are two projects that offer tools to sign EFI binaries in such a way that they are suitable for UEFI Secure Boot:

Acknowledgements

A special thanks to the READMEs, project documentation, and blog posts below as they were very helpful in creating the tools in this repository.

uefi-dev's People

Contributors

pcmoore avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.