Home Wiki > openSUSE:UEFI Secure boot using qemu-kvm
Sign up | Login

openSUSE:UEFI Secure boot using qemu-kvm

tagline: From openSUSE

This is based on James Bottomley <James.Bottomley@parallels.com>'s approach:

Prepare Environment

Prepare a openSUSE 12.2 machine

Yes! Just use a openSUSE 12.2 DVD to install a machine. Please remember need use 64-bits openSUSE because Jeremy's efi signing tools only really do x86_64 binaries.

Install OVMF

Add James's repo on OBS:

zypper ar -f -n UEFI http://download.opensuse.org/repositories/home:/jejb1:/UEFI/openSUSE_12.2/home:jejb1:UEFI.repo

OVMF is a UEFI BIOS image build from EDK2 used by qemu-kvm, let's install:

 # zypper in OVMF

Build James's efitools

James's git have a efitools set for test UEFI secure boot. Clone it:

 # cd ~/
 # git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

Before compiling it, please install the standard dev environment gnu-efi, help2man and sbsigntools as well as libopenssl-devel libraries used by efitools and finally of course you also need gcc and make:

 # zypper in gnu-efi help2man sbsigntools gcc make libopenssl-devel

Then, yes, make it:

 # cd ~/efitools
 # make

Please make sure generated out the following .efi files:

# ls *.efi
HelloWorld.efi  HelloWorld-signed.efi  LockDown.efi  LockDown-signed.efi

Prepare hda for Qemu

We will need to import PK/KEK/DB to UEFI BIOS for secure boot testing, and, also need to run some *.efi executable to verify security. So, we should prepare a hda contents folder then feed it to qemu-kvm later:

# cd ~/
# mkdir hda-contents

Copy PK.crt, KEK.crt and *.efi file from efitools folder to ~/hda-contents:

# cd ~/hda-contents
# cp ~/efitools/KEK.crt ~/efitools/DB.crt ~/efitools/PK.crt ~/efitools/*.efi ./
# ls ~/hda-contents

DB.crt HelloWorld.efi HelloWorld-signed.efi KEK.crt LockDown.efi LockDown-signed.efi PK.crt

Due to openSUSE certificate is PEM format, we need transfer to DER format for enroll to UEFI BIOS:

# openssl x509 -in KEK.crt -outform DER -out KEK.der
# openssl x509 -in PK.crt -outform DER -out PK.der
# openssl x509 -in DB.crt -outform DER -out DB.der

Launch qemu-kvm with UEFI

The BIOS image folder of OVMF rpm is in /usr/share/qemu-ovmf/bios :

linux-8wu0:~/efitools # rpm -ql OVMF
/usr/share/qemu-ovmf
/usr/share/qemu-ovmf/README
/usr/share/qemu-ovmf/bios
/usr/share/qemu-ovmf/bios/bios.bin
/usr/share/qemu-ovmf/bios/vgabios-cirrus.bin
/usr/share/qemu-ovmf/efi
/usr/share/qemu-ovmf/efi/HelloWorld.efi

Run qemu-system-x86_64 to launch virtual machine:

# qemu-system-x86_64 -L /usr/share/qemu-ovmf/bios -hda fat:hda-contents/

After boot progress finished, will see UEFI shell prompt show up like following:

Test Secure Boot

Enable Secure Boot

Close UEFI shell then go to UEFI configuration menu:

Shell> exit

Go to Secure Boot Mode option:

Device Manager >> Secure Boot Configuration >> Secure Boot Mode

Change it to "Custom Mode":

After change to "Custom Mode", will show up Custom Secure Boot Options

Import PK/KEK

Import PK

Please go to the following option:

Custom Secure Boot Options >> PK Options >> Enroll PK >> Enroll PK Using File

Select the one and only one HD space:

Select PK.der

Select "Commit Changes and Exit", then PK will import to DB in UEFI BIOS.

Import KEK

The process the same with PK, just need use "KEK Options":

Custom Secure Boot Options >> KEK Options >> Enroll KEK >> Enroll KEK Using File

Then select "KEK.der" file, don't forget "Commit Changes and Exit"!

Executing LockDown.efi

In case if you cannot locate the PK.cer file, then quit QEMU and restart again ( redo launch qemu-kvm with UEFI )

Select "Continue", type "fs0:" and then type "LockDown.efi".

When you type make at folder "efitools", it will generate a set of keys and place them into a binary called LockDown.efi. Execution of this efi binary will provision all the keys and place the platform into Secure Boot enabled User Mode (from this point on, it will only execute signed efi binaries)

Run .efi file

OK! Now We imported PK and KEK, that means we enabled secure boot. Then, we can run HelloWorld efi to verify it.

Press ESC back to the UEFI main menu, select:

Boot Manager >> EFI Internal Shell

you will see the EFI shell prompt show up again.

Then we need go to hda-contents because our *.efi executable put there. Key-in fs0 then press enter like DOS:

Shell> fs0:
fs0:\> 

You can use ls or dir to list all files in fs0:

There have 2 HelloWorld* efi file, one is unsigned another is signed.

Run HelloWorld.efi:

fs0:\> HelloWorld.efi
Error reported: Access Denied

Yes, it will show up "Access Denied"

Run HelloWorld-signed.efi

fs0:\> HelloWorld-signed.efi
Hello World!

OK, pass!

Disable Secure Boot

Then you can try the option for temporary disable secure boot:

Device Manager >> Secure Boot Configuration >> Attempt Secure Boot [x]

Press Enter key to remove the [x] on "Attempt Secure Boot" Back to shell prompt to run HelloWorld.efi, you will find it available, now.

Per information from Insyde, the code path of this option is fully the same with "enabled secure boot", just it ignore the result of secure boot check.

running openSUSE

In order to get openSUSE running the DB.crt and KEK.crt keys will have to be replaced by the public Microsoft keys:

# cd ~/hda-contents
# wget http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
# wget http://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt

Now get yourself an openSUSE image of your choice, prepare a virtual harddisk with qemu-img and start again qemu:

# qemu-system-x86_64 -L /usr/share/qemu-ovmf/bios -hda [your virtual harddisk] -cdrom [your iso img] -hdb fat:~/hda-contents/

Now like described before in the section #Import PK/KEK enroll the PK-Key: 'PK.der' (you can use the KEK-key too if you don't want to create your own PK, but it is better to create your own),the KEK-Key: 'MicCorKEKCA2011_2011-06-24.crt' and the DB-Key: 'MicCorUEFCA2011_2011-06-27.crt'. (Note GUID used to identify Microsoft 77fa9abd-0359-4d32-bd60-28f4e78f784b)

# now boot

Note that in the Installation Setting's Booting section you may have to set the option manually to "Enable Secure Boot:true"

openSUSE CA

For openSUSE CA, the public space for grab it is from shim RPM source on OBS: devel:openSUSE:Factory > shim

Due to openSUSE certificate is PEM format, we need transfer to DER format for enroll to UEFI BIOS:

# openssl x509 -inform PEM -in openSUSE-UEFI-CA-Certificate.crt -outform DER -out openSUSE-UEFI-CA-Certificate.der
# openssl x509 -inform PEM -in openSUSE-UEFI-SIGN-Certificate.crt -outform DER -out openSUSE-UEFI-SIGN-Certificate.der
  • *UEFI-CA*.der is certificate for enroll to KEK database in UEFI BIOS.
  • *UEFI-SIGN*.der is certificate for enroll to db database in UEFI BIOS.

Then enroll them by this procedure: enroll PK, KEK and db

If you want test the openSUSE signed shim, please install shim package, it includes the following files:

# rpm -ql shim
  /usr/lib64/efi
  /usr/lib64/efi/MokManager.efi
  /usr/lib64/efi/shim-opensuse.der
  /usr/lib64/efi/shim-opensuse.efi
  /usr/lib64/efi/shim.efi

Please copy shim-opensuse.efi and shim.efi(signed by Microsoft) to hda-contents then launch kvm with OVMF:

# qemu-kvm -L /usr/share/qemu-ovmf/bios -hda fat:<absolute_path_to_user_home_directory>/hda-contents/

Switch to fs0: in shell console, then we can test the openSUSE CA works on signed shim.

Difference on other Distro