From 879decbe3a040f15589e4000d06298e82c1b0cb8 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Fri, 1 Nov 2019 16:35:08 -0600 Subject: [PATCH] Provide an OVMF_VARS.snakeoil.fd image and matching private key For development testing. LP: #1850848. --- debian/PkKek-1-snakeoil.key | 30 +++++++++++++++++++ debian/PkKek-1-snakeoil.pem | 19 ++++++++++++ debian/changelog | 7 +++++ debian/ovmf.install | 1 + .../ovmf-vars-generator-no-defaults.patch | 24 +++++++++++++++ debian/patches/series | 1 + debian/rules | 29 +++++++++++++----- 7 files changed, 104 insertions(+), 7 deletions(-) create mode 100644 debian/PkKek-1-snakeoil.key create mode 100644 debian/PkKek-1-snakeoil.pem create mode 100644 debian/patches/ovmf-vars-generator-no-defaults.patch diff --git a/debian/PkKek-1-snakeoil.key b/debian/PkKek-1-snakeoil.key new file mode 100644 index 0000000000..14a4115631 --- /dev/null +++ b/debian/PkKek-1-snakeoil.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIPHKKEsMGBRECAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECDMKbs0ZJj1QBIIEyPbHAHgcZAWR +JifpHioOyVPOmPT78ACPoyPe2JEQrWWLxHCF2A1TVP/CNlahDPwd6J42oW833tiL +8gEKBP11yQfivz9RBJSOuD2v3fZX5BKgzfRbfSh1Yecp2942nfU8QsEH+DOe2sma +hqmM6TxmA7mJAhhafMlKXb5FsGBRBOf26zE6Aad/ZzmPdV5eqaPpJTJGWkW2XYCu +dlp47GanAlNADF1AZteQZCWOi01D4A6mTrDU/2xevykX0wLuU1W054qwAjkA1nO8 +pN/Y6rFm8yYONJRn8FiKy7j6U8GX40CfeppF7zfKa+P9dqUhXGQoGzBqd7Xi38QK +a8x3PGt9ZN9KJLazMBdYcypQvHuDoZqU26NpNvbYbUjuW1gktPf9qd6JohE3Ovyh +Y3Hn3fC75GlMGDBxkR6tx76RU8bO0gaW+rFvYHPouhCq8iSxiKXd49+zorxWJrRh +5Ad+6w9t6y/R5CGqSdqbaH1pCHq49kSRwA3LCkrHZ51bnUDVR83l7wISl2ZQ63Lo +qFMxNNP8JzREblTpAcLH41Fk02BwWoE5CPF6wrZGCLRCnt99umrR1TUMuSSWE894 +vd6C5y1g1HpGym53D0Qyy4UJCt7ynUye8u4jSMnuLSx6y6qmawQTvK8ibDEzfd5M +G5CPbv/qc6ul4GbaWeB0tQC2kr7NsgrReVQw0hNRIdGtq9tH5pHo3afk8XhQF+V/ +TQBX09nRquGQOJ0lNKuEvFDrAq6ebI2ORpy9Q27Dss65120jL+dDzyaQtAhboLiM +Gk8DVxqKcdOLWf211MjO4GGxn+HccOAQ9UYLj2Y4nCJ4qoRuCVEqDzjMpsM7Tm7U +FqFHN5mhdPuuIIZ5flPUOkDrugfu2AXBuk2Y8u4EmqccVQi9i59JzAwp6P31ra42 +uH4mGjWf0CA3YNdYPBjVOWq5bzzcByq+JPzejWXCJynUQzgUiegob0VgjaLMtr6j +1KQPsjcxC9wguRXRVG8JYxdfRvusL0NxrNLg2A1NGJ9yhjzmvQhMWjukj23em7gh +y0XBoEj0xo1pDPXtG1G5RruKgynpqImOQR+UczsOAl/j9D7w9BjhzFGc0Jx3u1L7 +g3WcuDXVSCxbvUDa4tSeKxWW+Vim9MIgU9FRsmNdaOIL8hkdMEv9w0X+sxNhx/nU +VJiuA2bSgKv1DPqUYDshlsBoHYjoboTkPS7NWggIxsblgAlnPhoaoV5PjSdZf7NG +iEm1BEmMP27DOmk4bEoM8ecwlss+8Lv/HmgZjVhj8jGwz8zLFS+LTcgLOVj2FMKg +gqdfAfVB9L4bLZCkdnJBsuNWnCEIbQ/pwLbGckkDzNl2OKP8onw0KlM8+pilqDyM +01eob2DdHXPqfpCeLcmh3U8MkNec0d5FkVzE/gIXMAq+pNIkSYGcYYGZ/5+dvTzB +hUtNhOrs6Tufv36H1ehFU5f4ovuribjmwoJgSKM7WiLNxGxZo/bTtXhonRzyjPQ/ +KtXMOxqO6nN9QCkiPw22QPvteVhXXNxEUA+DKdLF9/26nyqXjO12Y60gP+MWw3XV +gliVvp0A65IMjwYM+hOHqKdOAlRXkefeh+wC90fNI0K0OP/sclMak61fUfoWcRGz +oNalGfk7QzVC2DCws9eFYg== +-----END ENCRYPTED PRIVATE KEY----- 
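Review bot: This key is stored passphrase-protected (`BEGIN ENCRYPTED PRIVATE KEY`), yet none of the seven files in the diffstat records the passphrase, so the key cannot be used for signing from the package alone. Because the key is published in the source package, any varstore that enrols its certificate gives no Secure Boot assurance, and that should be stated where users will read it, not only in the changelog entry. I would add a short note to the package's user-facing documentation giving the passphrase and a sentence such as `OVMF_VARS.snakeoil.fd trusts a publicly known key; use it for development and CI only.`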
diff --git a/debian/PkKek-1-snakeoil.pem b/debian/PkKek-1-snakeoil.pem new file mode 100644 index 0000000000..73936f78bd --- /dev/null +++ b/debian/PkKek-1-snakeoil.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUSbJC1oRCJUbGkwfWHscBeZrRHZcwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UECgwJU25ha2UgT2lsMB4XDTE5MTEwMTIyMDI1NVoXDTE5MTIw +MTIyMDI1NVowFDESMBAGA1UECgwJU25ha2UgT2lsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzUDpJwDzDpLo2ytVRSgt/QWRYk/Yjae5fbujitq73XYL +uDZ+/Wf5U6zpOfyfzX/l5R0KCV9XYUJF47QEmNCnoWpg3cRdRry+3FIYtdnNK151 +AZ2L74OI4sMX1akSE+MfZFgdPFcm+n0uJgQuvRYGyYaR6N1wbhJ/2iOOba+sbKyc +aKiL1fSjip2criHA/05cYSomdUT+rTUZALFdCQuOU+gX8Rqhmfbo8VEE7MpE3nrv +HocQAFphyYgG8jadjggymE7sQEZGrBqOrwMDHitbpoGNlOI2VdFgL5jRKHuB61iC +kqTmSWuS4lbOEJmms6hhQnTnu/yK7O3NEWegAPMrtQIDAQABo1MwUTAdBgNVHQ4E +FgQUFD7OXb2T6sOysRo3hj2f15SX8I8wHwYDVR0jBBgwFoAUFD7OXb2T6sOysRo3 +hj2f15SX8I8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANZRB +NFVUVZVehpj3QGbbSjp77m0V6JrEYn6u/XjLRFsUNw5Hh35UCR0HkKZ0cLgrVKb/ +8yL6LaYLOY6yDwEFWMtLXiF2S4noO8raEgW6A7DHawb2Y4ZNFRO4oBkyWbtd36Uu +UfSszs2av048wb5J/pNedRSx8I/FiCNWummzpkBHzx023TdLPd8fmkmG7ZBpStN0 +Y//EE4DKTfHxAwt5w7WdZF5EY/KHPopnR+WSrdutRIK6zT+/+vKihtHYZbrv+7Ap +K7xOM/zJ6E9vUROmuOhL3YL3MuLn5qHEvhM0eMxEAlCnSJlFkQE4/RXhDpZJYbR7 +x+PQllgoo4H6W30Dew== +-----END CERTIFICATE----- diff --git a/debian/changelog b/debian/changelog index 1155b35095..1f3fe24edb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +edk2 (0~20190828.37eef910-4) UNRELEASED; urgency=medium + + * Provide an OVMF_VARS.snakeoil.fd image and matching private key for + development testing. LP: #1850848. + + -- dann frazier Fri, 01 Nov 2019 16:21:46 -0600 + edk2 (0~20190828.37eef910-3) unstable; urgency=medium * Don't require an SMM for the OVMF.fd image. Closes: #939928. diff --git a/debian/ovmf.install b/debian/ovmf.install index c2f19ec19e..3029cf1121 100644 --- a/debian/ovmf.install +++ b/debian/ovmf.install 
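Review bot: The certificate added in the `debian/PkKek-1-snakeoil.pem` hunk appears to have a 30-day lifetime: the validity fields in the DER decode to 1 November 2019 through 1 December 2019. Firmware may not enforce expiry on enrolled keys, but signing or verification tools run against this certificate could start rejecting it after that date, which would be confusing in a test fixture meant to last a whole release. I would regenerate the pair with a long lifetime (for instance `-days 3650`, if it was made with `openssl req -x509`) before this ships.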
@@ -3,3 +3,4 @@ debian/ovmf-install/OVMF_CODE*.fd /usr/share/OVMF debian/ovmf-install/OVMF_VARS*.fd /usr/share/OVMF debian/descriptors/50-edk2-x86_64-secure.json /usr/share/qemu/firmware debian/descriptors/60-edk2-x86_64.json /usr/share/qemu/firmware +debian/PkKek-1-snakeoil.key /usr/share/ovmf diff --git a/debian/patches/ovmf-vars-generator-no-defaults.patch b/debian/patches/ovmf-vars-generator-no-defaults.patch new file mode 100644 index 0000000000..2ae03d781b --- /dev/null +++ b/debian/patches/ovmf-vars-generator-no-defaults.patch @@ -0,0 +1,24 @@ +Index: edk2/qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator +=================================================================== +--- edk2.orig/qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator ++++ edk2/qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator +@@ -122,7 +122,8 @@ def enroll_keys(args): + # change into the first file system device; install the default + # keys and certificates, and reboot + p.stdin.write(b'fs0:\r\n') +- p.stdin.write(b'EnrollDefaultKeys.efi\r\n') ++ p.stdin.write(b'EnrollDefaultKeys.efi%s\r\n' % ++ (b' --no-defaults' if args.no_defaults else b'')) + p.stdin.write(b'reset -s\r\n') + p.stdin.flush() + while True: +@@ -227,6 +228,9 @@ def parse_args(): + 'used for testing, could undermine Secure ' + 'Boot.'), + action='store_true') ++ parser.add_argument('--no-defaults', ++ help=('Don\'t enroll default keys.'), ++ action='store_true') + parser.add_argument('--oem-string', + help=('Pass the argument to the guest as a string in ' + 'the SMBIOS Type 11 (OEM Strings) table. ' diff --git a/debian/patches/series b/debian/patches/series index 1b0444b368..05a618e60b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ ovmf-vars-generator-Pass-OEM-Strings-to-the-guest.patch ovmf-vars-generator-ignore-qemu-warnings.patch python3.patch BaseTools-Fix-the-lib-order-in-static_library_files..patch +ovmf-vars-generator-no-defaults.patch 
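Review bot: Only the private key is installed by the added line `debian/PkKek-1-snakeoil.key /usr/share/ovmf`; the matching certificate `debian/PkKek-1-snakeoil.pem` is not, and signing tools generally need both the key and the certificate. I would add `debian/PkKek-1-snakeoil.pem /usr/share/ovmf` next to it. The destination is also spelled `/usr/share/ovmf` while the image lines visible in this hunk use `/usr/share/OVMF`; the first two lines of the file are outside the hunk, so please confirm that the lower-case directory is intended.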
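Review bot: The new `--no-defaults` option in the `enroll_keys` hunk is forwarded verbatim to `EnrollDefaultKeys.efi` over the console, and nothing visible here checks that the application recognised it. Please confirm the spelling against the EnrollDefaultKeys source built from this tree (my recollection is that upstream spells the option `--no-default`, singular); if the argument is not recognised, the snakeoil varstore would presumably be produced with the default keys enrolled and no error. The help string `Don't enroll default keys.` would also be clearer if it said what is still enrolled, for example the certificate passed via `--oem-string`, if that is what the flag does. Both `enroll_keys` and `parse_args` start and end outside the hunks shown.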
diff --git a/debian/rules b/debian/rules index ca911a870a..6498e4b65c 100755 --- a/debian/rules +++ b/debian/rules @@ -63,7 +63,7 @@ OVMF_IMAGES := OVMF_CODE.fd OVMF_CODE.secboot.fd OVMF_VARS.fd OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL) OVMF_BINARIES += $(prefix debian/ovmf-install/,$(OVMF_IMAGES)) -build-ovmf: $(OVMF_BINARIES) debian/ovmf-install/OVMF_VARS.ms.fd +build-ovmf: $(OVMF_BINARIES) debian/ovmf-install/OVMF_VARS.ms.fd debian/ovmf-install/OVMF_VARS.snakeoil.fd $(OVMF_BINARIES): EDK2_ARCH_DIR=X64 $(OVMF_BINARIES): EDK2_HOST_ARCH=X64 @@ -87,7 +87,11 @@ $(OVMF_BINARIES): debian/setup-build-stamp debian/ovmf-install/OVMF_CODE.secboot.fd dpkg_vendor = $(shell dpkg-vendor --query vendor) -debian/oem-string: debian/PkKek-1-$(dpkg_vendor).pem +debian/oem-string-vendor: debian/PkKek-1-$(dpkg_vendor).pem + tr -d '\n' < $< | \ + sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@ + +debian/oem-string-snakeoil: debian/PkKek-1-snakeoil.pem tr -d '\n' < $< | \ sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@ 
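Review bot: The `debian/oem-string-snakeoil` rule in the `@@ -87` hunk repeats the `tr`/`sed` recipe of `debian/oem-string-vendor` byte for byte, and the `@@ -106` hunk does the same with the generator invocation, which differs only in `--no-defaults` and the OEM-string file. Duplicated recipes like these drift apart when one copy is edited; I would hold the shared commands in one canned recipe (`define` … `endef`) or a variable and keep only the differing arguments in each target. A comment above the two rules saying that the GUID prefix in the `sed` expression is the one `EnrollDefaultKeys.efi` looks for in the OEM string would also help, if that is indeed its purpose.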
@@ -106,16 +110,26 @@ debian/UefiShell.iso: debian/iso-root/shell.img xorriso --as mkisofs -input-charset ASCII -J -rational-rock \ -e `basename $<` -no-emul-boot -o $@ `dirname $<` -debian/ovmf-install/OVMF_VARS.ms.fd: debian/UefiShell.iso debian/oem-string +debian/ovmf-install/OVMF_VARS.ms.fd: debian/UefiShell.iso debian/oem-string-vendor + python3 $(OVMF_VARS_GENERATOR) --qemu-binary /usr/bin/qemu-system-x86_64 \ + --print-output \ + --disable-smm \ + --skip-testing \ + --oem-string `< debian/oem-string-vendor` \ + --ovmf-binary debian/ovmf-install/OVMF_CODE.fd \ + --ovmf-template-vars debian/ovmf-install/OVMF_VARS.fd \ + --uefi-shell-iso debian/UefiShell.iso $@ + +debian/ovmf-install/OVMF_VARS.snakeoil.fd: debian/UefiShell.iso debian/oem-string-snakeoil python3 $(OVMF_VARS_GENERATOR) --qemu-binary /usr/bin/qemu-system-x86_64 \ --print-output \ --disable-smm \ --skip-testing \ - --oem-string `< debian/oem-string` \ + --no-defaults \ + --oem-string `< debian/oem-string-snakeoil` \ --ovmf-binary debian/ovmf-install/OVMF_CODE.fd \ --ovmf-template-vars debian/ovmf-install/OVMF_VARS.fd \ - --uefi-shell-iso debian/UefiShell.iso \ - debian/ovmf-install/OVMF_VARS.ms.fd + --uefi-shell-iso debian/UefiShell.iso $@ build-qemu-efi: debian/setup-build-stamp set -e; . ./edksetup.sh; \ @@ -141,8 +155,9 @@ override_dh_auto_clean: fi rm -rf Conf/.cache Build .pc-post rm -rf debian/ovmf-install debian/iso-root debian/vfat-root - rm -f debian/oem-string debian/setup-build-stamp + rm -f debian/oem-string-vendor debian/oem-string-snakeoil rm -f debian/shell.img debian/UefiShell.iso + rm -f debian/setup-build-stamp get-orig-source: # Should be executed on a checkout of the upstream master branch, -- 2.24.0.rc2
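Review bot: The `OVMF_VARS.snakeoil.fd` recipe passes `--skip-testing` together with the new `--no-defaults`, so the build apparently never confirms that the resulting varstore trusts only the snakeoil certificate. Because the existing `OVMF_VARS*.fd` glob in `debian/ovmf.install` ships this file next to the production varstores, a silently wrong image would reach users. If the generator's test cannot run for this target, I would at least add a comment above the rule, such as `# Snakeoil varstore: trusts the published debian/PkKek-1-snakeoil key, for development only; not boot-tested at build time.`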