{"id":13339105,"url":"https://github.com/puzzleos/uefi-dev","last_synced_at":"2026-02-21T15:47:19.842Z","repository":{"id":39962365,"uuid":"308648189","full_name":"puzzleos/uefi-dev","owner":"puzzleos","description":"QEMU/OVMF/SWTPM UEFI Secure Boot development environment","archived":false,"fork":false,"pushed_at":"2022-05-20T20:44:53.000Z","size":74,"stargazers_count":13,"open_issues_count":1,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-19T03:44:02.236Z","etag":null,"topics":["ovmf","qemu","secureboot","tpm","uefi"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/puzzleos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2020-10-30T14:05:42.000Z","updated_at":"2024-09-18T18:26:56.000Z","dependencies_parsed_at":"2022-09-07T16:52:34.906Z","dependency_job_id":null,"html_url":"https://github.com/puzzleos/uefi-dev","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puzzleos%2Fuefi-dev","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puzzleos%2Fuefi-dev/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puzzleos%2Fuefi-dev/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puzzleos%2Fuefi-dev/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/puzzleos","download_url":"https://codeload.github.com/puzzleos/uefi-dev/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"htt
ps://github.com","kind":"github","repositories_count":243034857,"owners_count":20225415,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ovmf","qemu","secureboot","tpm","uefi"],"created_at":"2024-07-29T19:19:01.289Z","updated_at":"2026-02-21T15:47:19.789Z","avatar_url":"https://github.com/puzzleos.png","language":"C","readme":"QEMU UEFI Secure Boot Development Environment\n===============================================================================\n\nThis repository provides a UEFI Secure Boot development environment based on\nQEMU, OVMF, and the libtpms/swtpm TPM emulator.  Links to all of these\nprojects can be found below, but some Linux distributions may already provide\npackages for each of the projects.\n\n * https://www.qemu.org\n * https://github.com/tianocore/edk2/tree/master/OvmfPkg\n * https://github.com/stefanberger/libtpms\n * https://github.com/stefanberger/swtpm\n\nThe efitools tool suite is also used to create and package the UEFI Secure Boot\nvariables for testing, but it is not part of the UEFI Secure Boot chain.\n\n * https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git\n\n## How The Development Environment Works\n\n*NOTE: this README is still a bit crude, but it should get you started.*\n\nThe tools in this repo automate a number of tasks intended to make it easier\nfor developers to test EFI applications in a virtual UEFI Secure Boot\nenvironment.  
Beyond simply running a QEMU instance with OVMF Secure Boot and\nemulated TPM support, the Makefiles in this repo also generate all of the\nnecessary keys/certificates and configuration tools to configure the virtual\nenvironment for UEFI Secure Boot.\n\nNormal usage is to simply run `make qemu-esp` or `make qemu-full`.  In both\ncases a small disk is created with a single FAT filesystem that contains\na tool, `sb_setup.efi`, which configures UEFI Secure Boot with random PK\nand KEK certificates and the Microsoft UEFI CA from 2011 loaded into the db\nvariable.  Additional certificates can be added to the db variable (see below),\nand any files placed in the \"fs_esp/\" directory will be copied to this FAT\nfilesystem.\n\n![QEMU screenshot](.readme_assets/screenshot_20201019_171322.png)\n\nThe included Microsoft UEFI CA should be sufficient to install and run many\nstock Linux distributions that support UEFI Secure Boot.  In order to install\na Linux distribution you will need to create a raw disk image in the project's\nbase directory named \"drive_qemu.img\" and place a copy of the installer ISO\nin the project's base directory named \"distro.iso\".  With these disk images in\nplace you can run `make qemu-full` to start QEMU with the disk images attached.\n\nIn order to make it easier to transfer files to and from an installed Linux\nsystem, the \"fs_virtfs/\" directory is exported as a Plan 9 filesystem in the\nguest using the \"virtfs0\" mount tag.\n\nBuild-time configuration can be found in the \"make.conf\" file in the project's\nbase directory.\n\n## Adding UEFI Keys/Certificates\n\nOne of the primary reasons for this project is to make it easier to test UEFI\nSecure Boot applications such as bootloaders.  This requires the ability to add\narbitrary certificates to the UEFI db variable.  
In order to add new\ncertificates to the UEFI db, simply copy the PEM encoded certificate and\nassociated text file with the certificate's GUID into the \"keys/DB-extra\"\ndirectory.  Both files should follow the \"DB-xxx.{pem,guid}\" naming convention.\nMultiple certificates can be added to the db variable by adding them to this\ndirectory.\n\nHere is an example of adding a \"DB-test\" certificate to the \"keys/DB-extra\"\ndirectory:\n\n```\n% ls -l keys/DB-extra/DB-*\n-rw-r--r-- 1 user users   37 Oct 19 13:24 DB-test.guid\n-r--r--r-- 1 user users 1.7K Oct 19 13:24 DB-test.key\n-r--r--r-- 1 user users 1.2K Oct 19 15:30 DB-test.pem\n% cat keys/DB-extra/DB-test.guid\ne5c4bc7b-9cc8-4df9-9420-c86e64a7b495\n```\n\nOnce the certificates and GUID files have been placed in this directory, they\nwill be included in any future `sb_setup.efi` builds.  If you have already\nconfigured the virtual environment for secure boot, you may need to \"reset\" the\nsystem before you can load new certificates into the db.  
You can do this by\ndeleting the \"ovmf_vars.fd\" file from the project's base directory; it will be\nrecreated the next time you start QEMU.\n\n## Adding UEFI Test Applications\n\nAny files, including UEFI applications, placed in the \"fs_esp/\" directory will\nbe included in a dynamically generated FAT filesystem/disk created by QEMU at\nruntime.\n\nSigning EFI binaries is beyond the scope of the tools presented here, but there\nare two projects that offer tools to sign EFI binaries in such a way that they\nare suitable for UEFI Secure Boot:\n\n * https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git\n * https://github.com/rhboot/pesign\n\n## Acknowledgements\n\nA special thanks to the READMEs, project documentation, and blog posts below\nas they were very helpful in creating the tools in this repository.\n\n * https://github.com/tianocore/edk2/blob/master/OvmfPkg/README\n * https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/README\n * https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm\n * https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools\n * https://www.labbott.name/blog/2016/09/15/secure-ish-boot-with-qemu\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuzzleos%2Fuefi-dev","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpuzzleos%2Fuefi-dev","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuzzleos%2Fuefi-dev/lists"}