Diffstat (limited to 'scripts/runqemu')
-rwxr-xr-xscripts/runqemu32
1 files changed, 32 insertions, 0 deletions
diff --git a/scripts/runqemu b/scripts/runqemu
index 9d6a2e86d4..df3c8aad08 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -148,6 +148,10 @@ class BaseConfig(object):
# Setting one also adds "-vga std" because that is all that
# OVMF supports.
self.ovmf_bios = []
+ # When enrolling default Secure Boot keys, the hypervisor
+ # must provide the Platform Key and the first Key Exchange Key
+ # certificate in the Type 11 SMBIOS table.
+ self.ovmf_secboot_pkkek1 = ''
self.qemuboot = ''
self.qbconfload = False
self.kernel = ''
@@ -638,6 +642,23 @@ class BaseConfig(object):
if not os.path.exists(self.rootfs):
raise RunQemuError("Can't find rootfs: %s" % self.rootfs)
+ def setup_pkkek1(self):
+ """
+ Extract from PEM certificate the Platform Key and first Key
+ Exchange Key certificate string. The hypervisor needs to provide
+ it in the Type 11 SMBIOS table
+ """
+ pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
+ try:
+ with open(pemcert, 'r') as pemfile:
+ key = pemfile.read().replace('\n', ''). \
+ replace('-----BEGIN CERTIFICATE-----', ''). \
+ replace('-----END CERTIFICATE-----', '')
+ self.ovmf_secboot_pkkek1 = key
+
+ except FileNotFoundError:
+ raise RunQemuError("Can't open PEM certificate %s " % pemcert)
+
def check_ovmf(self):
"""Check and set full path for OVMF firmware and variable file(s)."""
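Review bot: setup_pkkek1() stores whatever remains after deleting the two PEM marker strings, without checking it, and the hunk at line 1287 then concatenates that string into self.qemu_opt after `-smbios type=11,value=...`. A file with CRLF line endings, text before the BEGIN marker, or a second certificate therefore yields a value containing whitespace or stray characters; how qemu_opt is later split into arguments is not visible here, but such characters would likely end up as separate or malformed QEMU options. Only FileNotFoundError is handled, so a permission or decoding error surfaces as a traceback rather than a RunQemuError. The version below keeps only the body of the first certificate block, rejects anything outside the base64 alphabet, and reports other read failures the same way.

```python
    def setup_pkkek1(self):
        # … unchanged: docstring …
        pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
        begin = '-----BEGIN CERTIFICATE-----'
        end = '-----END CERTIFICATE-----'
        try:
            with open(pemcert, 'r') as pemfile:
                pem = pemfile.read()
        except (OSError, UnicodeDecodeError) as err:
            raise RunQemuError("Can't read PEM certificate %s: %s" % (pemcert, err))

        # Keep only the body of the first certificate block.
        _, found_begin, rest = pem.partition(begin)
        body, found_end, _ = rest.partition(end)
        key = ''.join(body.split())
        base64_chars = set('ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                           'abcdefghijklmnopqrstuvwxyz0123456789+/=')
        if not (found_begin and found_end and key) or not set(key) <= base64_chars:
            raise RunQemuError("%s does not contain a valid PEM certificate" % pemcert)
        # The value ends up on the QEMU command line, so only validated base64 is stored.
        self.ovmf_secboot_pkkek1 = key
```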
@@ -648,6 +669,8 @@ class BaseConfig(object):
path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
if os.path.exists(path):
self.ovmf_bios[index] = path
+ if ovmf.endswith('secboot'):
+ self.setup_pkkek1()
break
else:
raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)
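Review bot: Every firmware name ending in `secboot` now makes check_ovmf() call setup_pkkek1(), which raises RunQemuError when OvmfPkKek1.pem is absent from DEPLOY_DIR_IMAGE, so a Secure Boot firmware image without that file can no longer be started even when no default-key enrollment is intended. Whether the certificate is always deployed alongside a secboot build is not visible here. If it is not guaranteed, consider downgrading the missing file to a warning and leaving `self.ovmf_secboot_pkkek1` empty. Otherwise, state the requirement above the call, e.g. `# secboot firmware requires OvmfPkKek1.pem in DEPLOY_DIR_IMAGE`. The body of check_ovmf() extends beyond this hunk.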
@@ -914,6 +937,8 @@ class BaseConfig(object):
print('ROOTFS: [%s]' % self.rootfs)
if self.ovmf_bios:
print('OVMF: %s' % self.ovmf_bios)
+ if (self.ovmf_secboot_pkkek1):
+ print('SECBOOT PKKEK1: [%s...]' % self.ovmf_secboot_pkkek1[0:100])
print('CONFFILE: [%s]' % self.qemuboot)
print('')
@@ -1262,6 +1287,13 @@ class BaseConfig(object):
self.qemu_opt += ' ' + self.qemu_opt_script
+ if self.ovmf_secboot_pkkek1:
+ # Provide the Platform Key and first Key Exchange Key certificate as an
+ # OEM string in the SMBIOS Type 11 table. Prepend the certificate string
+ # with "application prefix" of the EnrollDefaultKeys.efi application
+ self.qemu_opt += ' -smbios type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:' \
+ + self.ovmf_secboot_pkkek1
+
# Append qemuparams to override previous settings
if self.qemuparams:
self.qemu_opt += ' ' + self.qemuparams