Refactor secure boot initialization: remove initsecureboot, integrate into initefi, and update drive references to use ovmfcodesb
This commit is contained in:
23
src/bootdisk
23
src/bootdisk
@@ -18,20 +18,17 @@ ovmfcode=/usr/share/edk2-ovmf/x64/OVMF_CODE.4m.fd
|
||||
ovmfcodesb=/usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.4m.fd
|
||||
ovmfvars=/usr/share/edk2-ovmf/x64/OVMF_VARS.4m.fd
|
||||
|
||||
initefi(){
|
||||
if [[ ! -f ${qemuworkdir}/OVMF_VARS.fd ]]; then
|
||||
cp ${ovmfvars} ${qemuworkdir}/OVMF_VARS.fd
|
||||
fi
|
||||
}
|
||||
inittpm(){
|
||||
swtpm socket \
|
||||
--tpm2 \
|
||||
--tpmstate dir=${qemuworkdir} \
|
||||
--ctrl type=unixio,path=${qemuworkdir}/swtpm-sock &
|
||||
}
|
||||
initsecureboot(){
|
||||
if [[ ! -f ${qemuworkdir}/OVMF_CODE.secboot.fd ]]; then
|
||||
cp ${ovmfcodesb} ${qemuworkdir}/OVMF_CODE.secboot.fd
|
||||
fi
|
||||
if [[ ! -f ${qemuworkdir}/OVMF_VARS.fd ]]; then
|
||||
cp ${ovmfvars} ${qemuworkdir}/OVMF_VARS.fd
|
||||
fi
|
||||
}
|
||||
initbootargs(){
|
||||
bootargs="-boot menu=on,strict=on,reboot-timeout=1000 "
|
||||
bootargs+="-rtc base=${qemurtcbase} "
|
||||
@@ -56,21 +53,27 @@ bootbios(){
|
||||
bootefi(){
|
||||
echo "Booting EFI..."
|
||||
initbootargs
|
||||
initefi
|
||||
${qemubin} \
|
||||
-bios ${ovmfcode} \
|
||||
${bootargs} \
|
||||
-machine accel=kvm \
|
||||
-drive if=pflash,format=raw,unit=0,file=${ovmfcode},readonly=on \
|
||||
-drive if=pflash,format=raw,unit=1,file=${qemuworkdir}/OVMF_VARS.fd \
|
||||
${qemusrctype} ${qemusrc} \
|
||||
${qemusdb}
|
||||
}
|
||||
bootefitpm(){
|
||||
echo "Booting EFI + TPM..."
|
||||
initefi
|
||||
inittpm
|
||||
initbootargs
|
||||
${qemubin} \
|
||||
-bios ${ovmfcode} \
|
||||
${bootargs} \
|
||||
-machine accel=kvm \
|
||||
-drive if=pflash,format=raw,unit=0,file=${ovmfcode},readonly=on \
|
||||
-drive if=pflash,format=raw,unit=1,file=${qemuworkdir}/OVMF_VARS.fd \
|
||||
-chardev socket,id=tpmchar,path=${qemuworkdir}/swtpm-sock \
|
||||
-tpmdev emulator,id=tpmdev,chardev=tpmchar \
|
||||
-device tpm-tis,tpmdev=tpmdev \
|
||||
@@ -79,8 +82,8 @@ bootefitpm(){
|
||||
}
|
||||
bootefisec(){
|
||||
echo "Booting EFI + TPM + Secure boot..."
|
||||
initefi
|
||||
inittpm
|
||||
initsecureboot
|
||||
initbootargs
|
||||
${qemubin} \
|
||||
-bios ${ovmfcode} \
|
||||
@@ -88,7 +91,7 @@ bootefisec(){
|
||||
-machine type=q35,smm=on,accel=kvm \
|
||||
-global driver=cfi.pflash01,property=secure,value=on \
|
||||
-global ICH9-LPC.disable_s3=1 \
|
||||
-drive if=pflash,format=raw,unit=0,file=${qemuworkdir}/OVMF_CODE.secboot.fd,readonly=on \
|
||||
-drive if=pflash,format=raw,unit=0,file=${ovmfcodesb},readonly=on \
|
||||
-drive if=pflash,format=raw,unit=1,file=${qemuworkdir}/OVMF_VARS.fd \
|
||||
-chardev socket,id=tpmchar,path=${qemuworkdir}/swtpm-sock \
|
||||
-tpmdev emulator,id=tpmdev,chardev=tpmchar \
|
||||
|
||||
Reference in New Issue
Block a user