runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate - openembedded-core-contrib - OpenEmbedded Core user contribution trees

diff options

author	Ricardo Neri <ricardo.neri-calderon@linux.intel.com>	2019-08-05 18:18:23 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-08-08 10:26:40 +0100
commit	5e47316ae62f7632fb62bc3b8093ac42f9e3541c (patch)
tree	153def7ea7fcb41f3e6584e45ef4ef0dbd9d1643 /meta/lib/oe/sstatesig.py
parent	daaf9d7bd8c3586609ab0eccf49af38dbdb0b02e (diff)
download	openembedded-core-contrib-5e47316ae62f7632fb62bc3b8093ac42f9e3541c.tar.gz

runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate

The EnrollDefaultKeys.efi application (distributed in ovmf-shell-image) expects the hypervisor to provide a Platform Key and first Key Exchange Key certificate. For QEMU, this is done by adding an OEM string in the Type 11 SMBIOS table. The string contains the EnrollDefaultKeys application GUID followed by the certificate string. For now, the string is passed in the command line until QEMU understands OEM strings from regular files (please see https://bugs.launchpad.net/qemu/+bug/1826200). If runqemu detects it is given an OVMF binary with support for Secure Boot (i.e., ovmf.secboot* binaries), extract the certificate string from the OvmfPkKek1.pem certificate and modify the command-line parameters to provide the key. Such certificate is created when building OVMF with support for Secure Boot. Cc: Ross Burton <ross.burton@intel.com> Cc: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>

Diffstat (limited to 'meta/lib/oe/sstatesig.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: