{"id":15694087,"url":"https://github.com/rgl/ovmf-secure-boot-vagrant","last_synced_at":"2025-05-08T06:07:37.956Z","repository":{"id":139753187,"uuid":"330446257","full_name":"rgl/ovmf-secure-boot-vagrant","owner":"rgl","description":"ovmf secure boot playground","archived":false,"fork":false,"pushed_at":"2023-10-16T07:22:33.000Z","size":32,"stargazers_count":8,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-08T06:07:32.845Z","etag":null,"topics":["ovmf","sbctl","secure-boot","uefi","uefi-secureboot"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-17T17:23:44.000Z","updated_at":"2024-10-16T23:35:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"7497679f-8666-439e-b587-d2bc57232110","html_url":"https://github.com/rgl/ovmf-secure-boot-vagrant","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fovmf-secure-boot-vagrant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fovmf-secure-boot-vagrant/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fovmf-secure-boot-vagrant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fovmf-secure-boot-vagrant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgl",
"download_url":"https://codeload.github.com/rgl/ovmf-secure-boot-vagrant/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253009991,"owners_count":21839718,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ovmf","sbctl","secure-boot","uefi","uefi-secureboot"],"created_at":"2024-10-03T18:52:20.803Z","updated_at":"2025-05-08T06:07:37.932Z","avatar_url":"https://github.com/rgl.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# About\n\nThis is a [Vagrant](https://www.vagrantup.com/) environment for setting up\nthe [OVMF UEFI EDK2](https://github.com/tianocore/edk2) environment to play\nwith [UEFI Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#SECURE-BOOT) using [sbctl (Secure Boot key manager)](https://github.com/Foxboron/sbctl).\n\n## Usage (in Ubuntu 22.04)\n\nInstall the [base Ubuntu 22.04 UEFI box](https://github.com/rgl/ubuntu-vagrant).\n\nStart the environment:\n\n```bash\n# NB on my machine this takes ~30m to complete.\ntime vagrant up --provider=libvirt --no-destroy-on-error --no-tty\n```\n\nStart ovmf/linux/u-boot in a test vm:\n\n```bash\ncd tmp\n./run.sh\n```\n\nVerify that the platform is in Setup Mode:\n\n```bash\nsbctl status\n```\n\nIt must output:\n\n```plain\nInstalled:    ✗ sbctl is not installed\nSetup Mode:   ✗ Enabled\nSecure Boot:  ✗ Disabled\nVendor Keys:  none\n```\n\nCreate our own Platform Key (PK), Key Exchange Key (KEK), and Code Signing CAs:\n\n```bash\nsbctl create-keys\n```\n\nIt should output something 
like:\n\n```plain\nCreated Owner UUID 5c839e31-20eb-42a6-906b-824ab404e0dd\nCreating secure boot keys...✓ \nSecure boot keys created!\n```\n\nIn more detail, this created all these files:\n\n```bash\n# find /usr/share/secureboot/keys -type f\n/usr/share/secureboot/keys/KEK/KEK.key\n/usr/share/secureboot/keys/KEK/KEK.pem\n/usr/share/secureboot/keys/PK/PK.key\n/usr/share/secureboot/keys/PK/PK.pem\n/usr/share/secureboot/keys/db/db.key\n/usr/share/secureboot/keys/db/db.pem\n```\n\nEnroll the keys with the firmware:\n\n```bash\n# NB this should be equivalent to using sbkeysync to write the EFI variables as:\n#       sbkeysync --pk --verbose --keystore /usr/share/secureboot/keys\n# see https://github.com/Foxboron/sbctl/blob/fda4f2c1efd801cd04fb52923afcdb34baa42369/keys.go#L114-L115\nsbctl enroll-keys --yes-this-might-brick-my-machine\n```\n\nIt should display something like:\n\n```plain\nEnrolling keys to EFI variables...✓ \nEnrolled keys to the EFI variables!\n```\n\nVerify that the platform is now out of Setup Mode:\n\n```bash\nsbctl status\n```\n\nIt should output something like:\n\n```plain\nInstalled:    ✓ sbctl is installed\nOwner GUID:   88f1e363-3f8e-4f73-9a86-57a2dcb1a285\nSetup Mode:   ✓ Disabled\nSecure Boot:  ✗ Disabled\nVendor Keys:  none\n```\n\nSign the linux efi application:\n\n```bash\nsbctl sign /boot/efi/linux\n```\n\nIt should output something like:\n\n```plain\n✓ Signed /boot/efi/linux\n```\n\nAnalyze the linux efi application:\n\n```bash\nefianalyze signed-image /boot/efi/linux\n```\n\nIt should output something like:\n\n```plain\nData Directory Header:\n\tVirtual Address: 0xa1e8a0\n\tSize in bytes: 2192\nCertificate Type: WIN_CERT_TYPE_PKCS_SIGNED_DATA\n\tIssuer Name: CN=Database Key,C=Database Key\n\tSerial Number: 48816627373166678216378579258444048592\n```\n\nReboot the system:\n\n```bash\numount /boot/efi\nshutdown -r\n```\n\nAfter boot, verify that the platform is now in Secure Boot mode:\n\n```bash\nsbctl status\n```\n\nIt must 
output:\n\n```plain\nInstalled:    ✓ sbctl is installed\nOwner GUID:   88f1e363-3f8e-4f73-9a86-57a2dcb1a285\nSetup Mode:   ✓ Disabled\nSecure Boot:  ✓ Enabled\nVendor Keys:  none\n```\n\nTest loading a kernel module:\n\n```bash\ninsmod /modules/configs.ko\n```\n\nIt must not return any output or error.\n\nAnd that's pretty much how you test drive Secure Boot in OVMF.\n\n## QEMU VM device tree\n\nYou can see the status of all the QEMU devices by running the following command in another shell:\n\n```bash\ncd tmp\necho info qtree | ./qmp-shell -H ./test/amd64.socket\n```\n\n## Reference\n\n* [Unified Extensible Firmware Interface (UEFI)](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).\n* [UEFI Forum](http://www.uefi.org/).\n* [EDK II (aka edk2): UEFI Reference Implementation](https://github.com/tianocore/edk2).\n* [EDK II `bcfg boot dump` source code](https://github.com/tianocore/edk2/blob/976d0353a6ce48149039849b52bb67527be5b580/ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.c#L1301).\n* [UefiToolsPkg](https://github.com/andreiw/UefiToolsPkg) set of UEFI tools.\n  * These are useful on their own and as C source based UEFI application examples.\n* [sbctl (Secure Boot key manager)](https://github.com/Foxboron/sbctl).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fovmf-secure-boot-vagrant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Fovmf-secure-boot-vagrant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fovmf-secure-boot-vagrant/lists"}