% git clone https://gist.github.com/86781865f7191bbb790c74453967f28c.git gist
% cd gist
% ./collect-ovmf ovmf-jammy-proposed
...
wrote PkKek-1-snakeoil.pem from /usr/share/ovmf/PkKek-1-snakeoil.pem
linked from signing.pem to PkKek-1-snakeoil.pem
wrote PkKek-1-snakeoil.key from /usr/share/ovmf/PkKek-1-snakeoil.key
linked from signing.key to PkKek-1-snakeoil.key
wrote signing.password from text
wrote OVMF_VARS_4M.fd from /usr/share/OVMF/OVMF_VARS_4M.fd
wrote OVMF_CODE_4M.secboot.fd from /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
wrote OVMF_VARS_4M.snakeoil.fd from /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
linked from ovmf-insecure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-insecure-vars.fd to OVMF_VARS_4M.fd
linked from ovmf-secure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-secure-vars.fd to OVMF_VARS_4M.snakeoil.fd
I've verified this using the gist at https:/ /gist.github. com/smoser/ 86781865f7191bb b790c74453967f2 8c (which is also attached).
$ lxc launch ubuntu:jammy j1
$ lxc exec j1 /bin/bash
% echo deb http:// archive. ubuntu. com/ubuntu jammy-proposed main restricted > sources. list.d/ proposed. list recommends --assume-yes \
/etc/apt/
% apt-get update
% apt-get install --no-install-
mtools dosfstools qemu-system-x86 qemu-utils
% git clone https:/ /gist.github. com/86781865f71 91bbb790c744539 67f28c. git gist snakeoil. pem from /usr/share/ ovmf/PkKek- 1-snakeoil. pem snakeoil. pem snakeoil. key from /usr/share/ ovmf/PkKek- 1-snakeoil. key snakeoil. key OVMF/OVMF_ VARS_4M. fd 4M.secboot. fd from /usr/share/ OVMF/OVMF_ CODE_4M. secboot. fd 4M.snakeoil. fd from /usr/share/ OVMF/OVMF_ VARS_4M. snakeoil. fd code.fd to OVMF_CODE_ 4M.secboot. fd vars.fd to OVMF_VARS_4M.fd 4M.secboot. fd 4M.snakeoil. fd
% cd gist
% ./collect-ovmf ovmf-jammy-proposed
...
wrote PkKek-1-
linked from signing.pem to PkKek-1-
wrote PkKek-1-
linked from signing.key to PkKek-1-
wrote signing.password from text
wrote OVMF_VARS_4M.fd from /usr/share/
wrote OVMF_CODE_
wrote OVMF_VARS_
linked from ovmf-insecure-
linked from ovmf-insecure-
linked from ovmf-secure-code.fd to OVMF_CODE_
linked from ovmf-secure-vars.fd to OVMF_VARS_
% cat ovmf-jammy- proposed/ firmware- info.yaml 3ubuntu0. 22.04.1"
release: jammy
packages:
ovmf: "2022.02-
% sbsign \ ovmf-jammy- proposed/ signing- nopassphrase. key \ ovmf-jammy- proposed/ signing. pem \ esp-jammy- proposed/ hello-signed. efi \
--key=
--cert=
--output=
HelloWorld.efi
warning: data remaining[45056 vs 54568]: gaps between PE/COFF sections?
Signing Unsigned original image
% sbverify --list esp-jammy- proposed/ hello-signed. efi Colorado/ L=Fort Collins/O=SnakeOil Colorado/ L=Fort Collins/O=SnakeOil Colorado/ L=Fort Collins/O=SnakeOil
warning: data remaining[46760 vs 56272]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=
image signature certificates:
- subject: /C=US/ST=
issuer: /C=US/ST=
% ./gen-esp create esp-jammy- proposed. img esp-jammy- proposed/ hello-signed. efi:hello- signed. efi proposed. img HELLO-SIGNED. EFI -> EFI/BOOT/ HELLO-SIGNED. EFI
creating image 128MB in esp-jammy-
EFI/BOOT/
## local change to disable kvm , as it wont work in container filename= /dev/urandom, id=rng0 \ rng-pci, rng=rng0 \ on,accel= kvm" \ cfi.pflash01, property= secure, value=on" \
% git diff
diff --git a/boot-vm b/boot-vm
index 96217d7..cac7f4d 100755
--- a/boot-vm
+++ b/boot-vm
@@ -75,7 +75,7 @@ main() {
# -object rng-random,
# -device virtio-
set -- qemu-system-x86_64 \
- -M "q35,smm=
+ -M "q35,smm=on" \
-m 1024 \
-vga none -serial mon:stdio \
-global "driver=
% ./boot-vm ovmf-jammy-proposed esp-jammy- proposed. img
...
Shell> fs0:
FS0:\> cd efi\boot
FS0:\efi\boot\> HELLO-SIGNED.EFI
������� ������� ������� ������� ������� ������� ������� ������� ������� ������� ��Ŀ ������� ������� ������� ������� ������� ������� ������� ������� ������� ��
� HelloWorld �
� �
� This file is used to prove you have managed �
� To execute an unsigned binary in secure boot mode �
� �
� �
� �
� �
� �
� �
� �
� �
� ����Ŀ �
� � OK � �
� ����� �
� �
� �
� �
� �
� �
� �
� �
�������