From: Daan De Meyer
Date: Wed, 22 Jan 2025 16:11:56 +0000 (+0100)
Subject: Add support for FirmwareVariables=microsoft-mok
X-Git-Tag: v25~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3fc91e00eb7fcd11a83a369ccc08b84715b2d4d;p=thirdparty%2Fmkosi.git

Add support for FirmwareVariables=microsoft-mok

This new setting will use firmware variables with enrolled microsoft keys and extend them with the required MOK variables to trust the user's secure boot key/certificate.

Co-authored-by: Luca Boccassi
---

diff --git a/mkosi/config.py b/mkosi/config.py
index a1a24dca9..4e5da727c 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -3699,7 +3699,7 @@ SETTINGS: list[ConfigSetting[Any]] = [
 dest="firmware_variables",
 metavar="PATH",
 section="Runtime",
- parse=config_make_path_parser(constants=("custom", "microsoft")),
+ parse=config_make_path_parser(constants=("custom", "microsoft", "microsoft-mok")),
 help="Set the path to the firmware variables file to use",
 compat_longs=("--qemu-firmware-variables",),
 compat_names=("QemuFirmwareVariables",),
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 2e54b8c85..f99ad0f15 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -243,11 +243,17 @@ def find_ovmf_firmware(config: Config, firmware: Firmware) -> Optional[OvmfConfi
 logging.debug(f"{p.name} firmware description includes secure boot, skipping")
 continue
 
- if config.firmware_variables == Path("microsoft") and "enrolled-keys" not in j["features"]:
+ if (
+ config.firmware_variables in (Path("microsoft"), Path("microsoft-mok"))
+ and "enrolled-keys" not in j["features"]
+ ):
 logging.debug(f"{p.name} firmware description does not have enrolled Microsoft keys, skipping")
 continue
 
- if config.firmware_variables != Path("microsoft") and "enrolled-keys" in j["features"]:
+ if (
+ config.firmware_variables not in (Path("microsoft"), Path("microsoft-mok"))
+ and "enrolled-keys" in j["features"]
+ ):
 logging.debug(f"{p.name} firmware description has enrolled Microsoft keys, skipping")
 continue
 
@@ -744,6 +750,25 @@ def finalize_firmware_variables(
 ],
 ),
 ) # fmt: skip
+ elif config.firmware_variables == Path("microsoft-mok"):
+ assert config.secure_boot_certificate
+
+ run(
+ [
+ "virt-fw-vars",
+ "--input", workdir(ovmf.vars),
+ "--output", workdir(ovmf_vars),
+ "--add-mok", "605dab50-e046-4300-abb6-3dd810dd8b23", workdir(config.secure_boot_certificate),
+ "--loglevel", "WARNING",
+ ],
+ sandbox=config.sandbox(
+ options=[
+ "--bind", ovmf_vars, workdir(ovmf_vars),
+ "--ro-bind", ovmf.vars, workdir(ovmf.vars),
+ "--ro-bind", config.secure_boot_certificate, workdir(config.secure_boot_certificate),
+ ],
+ ),
+ ) # fmt: skip
 else:
 vars = (
 config.tools() / ovmf.vars.relative_to("/")
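Review bot: The `--add-mok` vendor GUID `605dab50-e046-4300-abb6-3dd810dd8b23` in the new `elif config.firmware_variables == Path("microsoft-mok")` branch is a bare literal; it appears to be shim's SHIM_LOCK_GUID, the vendor namespace shim reads `MokList` from, and a reader checking that the certificate lands where shim will actually look for it cannot tell that from the hunk. I would hoist it to a named module-level constant, `SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"  # vendor GUID shim uses for MokList/MokListRT`, and pass `SHIM_LOCK_GUID` to `--add-mok`. The `assert config.secure_boot_certificate` is evidently only narrowing the Optional for the type checker, since the real refusal is the `die()` added in run_qemu in this same commit, so a short comment such as `# run_qemu() already refuses microsoft-mok without SecureBootCertificate=; this only narrows the type for mypy` would stop someone from mistaking an assert that vanishes under `-O` for the actual check. finalize_firmware_variables starts and ends outside this hunk.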
@@ -1083,8 +1108,11 @@ def run_qemu(args: Args, config: Config) -> None:
 "the native host architecture"
 )
 
- if config.firmware_variables == Path("custom") and not config.secure_boot_certificate:
- die("SecureBootCertificate= must be configured to use FirmwareVariables=custom")
+ if (
+ config.firmware_variables in (Path("custom"), Path("microsoft-mok"))
+ and not config.secure_boot_certificate
+ ):
+ die("SecureBootCertificate= must be configured to use FirmwareVariables=custom|microsoft-mok")
 
 # After we unshare the user namespace to sandbox qemu, we might not have access to /dev/kvm or related
 # device nodes anymore as access to these might be gated behind the kvm group and we won't be part of the
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index e255c884c..5444a8f8d 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -1637,6 +1637,13 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 When set to `microsoft`, a firmware variables file with the Microsoft secure boot certificates already enrolled will be used.
 
+ When set to `microsoft-mok`, a firmware variables file with the
+ Microsoft secure boot certificates already enrolled will be extended
+ with a `MokList` variable containing the secure boot certificate
+ from `SecureBootCertificate=`. This is intended to be used together
+ with shim binaries signed by the distribution and locally signed EFI
+ binaries.
+
 When set to `custom`, the secure boot certificate from `SecureBootCertificate=` will be enrolled into the default firmware variables file.
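Review bot: The set of `FirmwareVariables=` values that require `SecureBootCertificate=` is spelled inline here as `(Path("custom"), Path("microsoft-mok"))`, while find_ovmf_firmware now repeats `(Path("microsoft"), Path("microsoft-mok"))` twice and config.py carries its own `constants=` tuple, so a fourth mode would have to be threaded through four places with no single source of truth. I would define the two groupings once at module level in qemu.py, `FIRMWARE_VARIABLES_WITH_MICROSOFT_KEYS = (Path("microsoft"), Path("microsoft-mok"))` and `FIRMWARE_VARIABLES_NEEDING_CERTIFICATE = (Path("custom"), Path("microsoft-mok"))`, and test membership against those in both functions. The hand-written `FirmwareVariables=custom|microsoft-mok` in the `die()` message is the kind of string that silently goes stale when the tuple changes, so building it from the constant (`"|".join(str(p) for p in FIRMWARE_VARIABLES_NEEDING_CERTIFICATE)`) would keep the error message honest. run_qemu's body continues outside this hunk.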