From c7fb87ee6fb9cc4c6ed8bf93978445a0794e40aa Mon Sep 17 00:00:00 2001 From: Ricardo Neri Date: Tue, 30 Jul 2019 18:28:29 -0400 Subject: ovmf: Generate test Platform key and first Key Exchange Key Commit from EDK2 be9470b3c91f ("OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table") mandates that a Platform Key and first Key Exchange Key certificate is provided to the EnrollDefaultKeys application. Previously, the application was using a hard-coded certificate from Red Hat embedded in the application. Create a certificate that can QEMU can subsequently pass to EnrollDefaultKeys when running qemu-shell-image. Cc: Ross Burton Cc: Patrick Ohly Cc: Alexander Kanavin (From OE-Core rev: daaf9d7bd8c3586609ab0eccf49af38dbdb0b02e) Signed-off-by: Ricardo Neri Signed-off-by: Richard Purdie
---
 meta/recipes-core/ovmf/ovmf_git.bb | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'meta/recipes-core')
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 834ee32466..7944ee97d4 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -217,6 +217,7 @@ FILES_ovmf-shell-efi = " \
 DEPLOYDEP = ""
 DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot"
+DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}"
 do_deploy[depends] += "${DEPLOYDEP}"
 do_deploy() {
@@ -232,6 +233,13 @@ do_deploy_class-target() {
 ; do
 qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
 done
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ # Create a test Platform Key and first Key Exchange Key to use with EnrollDefaultKeys
+ openssl req -new -x509 -newkey rsa:2048 -keyout ${DEPLOYDIR}/OvmfPkKek1.key \
+ -out ${DEPLOYDIR}/OvmfPkKek1.crt -nodes -days 20 -subj "/CN=OVMFSecBootTest"
+ openssl x509 -in ${DEPLOYDIR}/OvmfPkKek1.crt -out ${DEPLOYDIR}/OvmfPkKek1.pem -outform PEM
+ fi
 }
 addtask do_deploy after do_compile before do_build
--
cgit 1.2.3-korg
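Review bot: The `openssl req` call in the added secureboot branch writes the private key unencrypted (`-nodes`) to `${DEPLOYDIR}/OvmfPkKek1.key`, so the key is published alongside the firmware images wherever the deploy directory is shared or cached. The commit message only describes handing the certificate to EnrollDefaultKeys; if nothing downstream signs with this key, `-keyout ${WORKDIR}/OvmfPkKek1.key` would keep it out of the deployed artifacts. If it has to be deployed, the comment should state the constraint, for example `# Test-only PK/KEK1: the private key is stored unencrypted; never enroll this certificate on a production image`. The `-days 20` validity is also worth a word in that comment, since a deploy restored from a cache may carry a certificate that has already expired. do_deploy_class-target begins above the hunk.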