Comment 9 for bug 1986692

Scott Moser (smoser) wrote :

I've verified this using the gist at https://gist.github.com/smoser/86781865f7191bbb790c74453967f28c (which is also attached).

$ lxc launch ubuntu:jammy j1
$ lxc exec j1 /bin/bash

% echo deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted > /etc/apt/sources.list.d/proposed.list
% apt-get update
% apt-get install --no-install-recommends --assume-yes \
     mtools dosfstools qemu-system-x86 qemu-utils

% git clone https://gist.github.com/86781865f7191bbb790c74453967f28c.git gist
% cd gist
% ./collect-ovmf ovmf-jammy-proposed
...
wrote PkKek-1-snakeoil.pem from /usr/share/ovmf/PkKek-1-snakeoil.pem
linked from signing.pem to PkKek-1-snakeoil.pem
wrote PkKek-1-snakeoil.key from /usr/share/ovmf/PkKek-1-snakeoil.key
linked from signing.key to PkKek-1-snakeoil.key
wrote signing.password from text
wrote OVMF_VARS_4M.fd from /usr/share/OVMF/OVMF_VARS_4M.fd
wrote OVMF_CODE_4M.secboot.fd from /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
wrote OVMF_VARS_4M.snakeoil.fd from /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
linked from ovmf-insecure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-insecure-vars.fd to OVMF_VARS_4M.fd
linked from ovmf-secure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-secure-vars.fd to OVMF_VARS_4M.snakeoil.fd

% cat ovmf-jammy-proposed/firmware-info.yaml
release: jammy
packages:
  ovmf: "2022.02-3ubuntu0.22.04.1"

% sbsign \
    --key=ovmf-jammy-proposed/signing-nopassphrase.key \
    --cert=ovmf-jammy-proposed/signing.pem \
    --output=esp-jammy-proposed/hello-signed.efi \
    HelloWorld.efi
warning: data remaining[45056 vs 54568]: gaps between PE/COFF sections?
Signing Unsigned original image

% sbverify --list esp-jammy-proposed/hello-signed.efi
warning: data remaining[46760 vs 56272]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
image signature certificates:
 - subject: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
   issuer: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil

% ./gen-esp create esp-jammy-proposed.img esp-jammy-proposed/hello-signed.efi:hello-signed.efi
creating image 128MB in esp-jammy-proposed.img
EFI/BOOT/HELLO-SIGNED.EFI -> EFI/BOOT/HELLO-SIGNED.EFI

## local change to disable kvm, as it won't work in a container
% git diff
diff --git a/boot-vm b/boot-vm
index 96217d7..cac7f4d 100755
--- a/boot-vm
+++ b/boot-vm
@@ -75,7 +75,7 @@ main() {
     # -object rng-random,filename=/dev/urandom,id=rng0 \
     # -device virtio-rng-pci,rng=rng0 \
     set -- qemu-system-x86_64 \
- -M "q35,smm=on,accel=kvm" \
+ -M "q35,smm=on" \
         -m 1024 \
         -vga none -serial mon:stdio \
         -global "driver=cfi.pflash01,property=secure,value=on" \
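Review bot: dropping `accel=kvm` from the `-M` string works only because QEMU falls back to TCG when no accelerator is named, which is easy to miss when reading the line later; if this edit is meant to stay local, consider instead choosing the accelerator at run time (for example `accel=kvm` when `/dev/kvm` is writable, else `accel=tcg`) so boot-vm boots both on a host with KVM and inside a container without a hand edit.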

% ./boot-vm ovmf-jammy-proposed esp-jammy-proposed.img
...
Shell> fs0:
FS0:\> cd efi\boot
FS0:\efi\boot\> HELLO-SIGNED.EFI

┌──────────────────────────────────────────────────────┐
│ HelloWorld                                           │
│                                                      │
│ This file is used to prove you have managed          │
│ To execute an unsigned binary in secure boot mode    │
│                                                      │
│                                                      │
│                         ┌────┐                       │
│                         │ OK │                       │
│                         └────┘                       │
│                                                      │
└──────────────────────────────────────────────────────┘
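As an added illustration (not part of the comment above and not the gist's own boot-vm), the following POSIX shell builds the QEMU argument list for a Secure Boot test boot from the file names collect-ovmf writes (ovmf-secure-code.fd, ovmf-secure-vars.fd and their insecure twins), picks KVM or TCG at run time instead of needing the local diff, and boots from a scratch copy of the variable store so the enrolled PK/KEK/db file is never modified by a test boot. The function names, the drive layout and the use of a scratch copy are assumptions of this example.

```shell
#!/bin/sh
# Added example: assemble qemu-system-x86_64 arguments for an OVMF Secure Boot
# test. File names follow the collect-ovmf output; everything else is assumed.

# kvm_accel: print "kvm" when /dev/kvm is usable, otherwise "tcg" (the case
# inside an unprivileged container).
kvm_accel() {
    if [ -w /dev/kvm ]; then echo kvm; else echo tcg; fi
}

# pick_firmware DIR MODE: print "CODE VARS" for MODE=secure or MODE=insecure,
# using the symlink names collect-ovmf creates; fail if either is missing.
pick_firmware() {
    dir=$1; mode=$2
    code="$dir/ovmf-$mode-code.fd"; vars="$dir/ovmf-$mode-vars.fd"
    if [ ! -f "$code" ] || [ ! -f "$vars" ]; then
        echo "missing $mode firmware in $dir" >&2
        return 1
    fi
    echo "$code $vars"
}

# qemu_args DIR ESP_IMG MODE SCRATCH_VARS: print one QEMU argument per line.
# The variable store is copied to SCRATCH_VARS first, so the pristine
# OVMF_VARS file (which carries the enrolled keys) is never written by a boot.
qemu_args() {
    dir=$1; esp=$2; mode=$3; scratch=$4
    fw=$(pick_firmware "$dir" "$mode") || return 1
    code=${fw%% *}; vars=${fw#* }
    cp "$vars" "$scratch" || return 1
    printf '%s\n' \
        -M "q35,smm=on,accel=$(kvm_accel)" \
        -m 1024 -vga none -serial mon:stdio \
        -global driver=cfi.pflash01,property=secure,value=on \
        -drive "if=pflash,format=raw,unit=0,file=$code,readonly=on" \
        -drive "if=pflash,format=raw,unit=1,file=$scratch" \
        -drive "file=$esp,format=raw,if=virtio"
}

# Usage: qemu_args ovmf-jammy-proposed esp-jammy-proposed.img secure vars.fd
# feeds qemu-system-x86_64 via: qemu-system-x86_64 $(qemu_args ...)
```

With `smm=on` and `property=secure,value=on` the variable store is only writable from SMM, which is what makes the enrolled keys trustworthy for the test; passing `insecure` selects the code/vars pair with no keys enrolled so the same signed binary can be checked in both modes.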