Merge pull request #2434 from flatcar/chewi/new-firmware

Switch from raw to QCOW2 and 2MB to 4MB firmware, adjust firmware variables creation

.github/workflows/ci.yaml

@@ -278,7 +278,7 @@ jobs:
             scripts/artifacts/images/flatcar_production_image*.txt
             scripts/artifacts/images/flatcar_production_image*.json
             scripts/artifacts/images/flatcar_production_image_pcr_policy.zip
-            scripts/artifacts/images/flatcar_production_*_efi_*.fd
+            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
             scripts/artifacts/images/flatcar_production_qemu.sh
 
       - name: Upload developer container
@@ -317,7 +317,7 @@ jobs:
           path: |
             scripts/artifacts/images/*.img
             scripts/artifacts/images/*.bin
-            scripts/artifacts/images/flatcar_production_*_efi_*.fd
+            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
             scripts/artifacts/images/*.txt
             scripts/artifacts/images/flatcar-*.raw
             scripts/artifacts/images/flatcar_production_*.sh

.github/workflows/run-kola-tests.yaml

@@ -162,7 +162,7 @@ jobs:
           # Extract the generic image we'll use for qemu tests.
           # Note that the qemu[_uefi] tests use the generic image instead of the
           #  qemu vendor VM image ("Astronaut: [...] Always have been.").
-          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.fd flatcar_production_qemu_uefi_efi_vars.fd scripts/
+          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.qcow2 flatcar_production_qemu_uefi_efi_vars.qcow2 scripts/
 
           mv flatcar_test_update.gz scripts/
 
@@ -197,8 +197,8 @@ jobs:
           cat > sdk_container/.env <<EOF
           # export the QEMU_IMAGE_NAME to avoid to download it.
           export QEMU_IMAGE_NAME="/work/flatcar_production_image.bin"
-          export QEMU_UEFI_FIRMWARE="/work/flatcar_production_qemu_uefi_efi_code.fd"
-          export QEMU_UEFI_OVMF_VARS="/work/flatcar_production_qemu_uefi_efi_vars.fd"
+          export QEMU_UEFI_FIRMWARE="/work/flatcar_production_qemu_uefi_efi_code.qcow2"
+          export QEMU_UEFI_OVMF_VARS="/work/flatcar_production_qemu_uefi_efi_vars.qcow2"
           export QEMU_UPDATE_PAYLOAD="/work/flatcar_test_update.gz"
           export QEMU_DEVCONTAINER_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"
           export QEMU_DEVCONTAINER_BINHOST_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"

build_library/qemu_template.sh

@@ -274,8 +274,8 @@ fi
 
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=qcow2,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=qcow2 "$@"
 fi
 
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then

build_library/vm_image_util.sh

@@ -825,25 +825,20 @@ _write_qemu_conf() {
 }
 
 _write_qemu_uefi_conf() {
-    local flash_ro="$(_dst_name "_efi_code.fd")"
-    local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.qcow2")"
+    local flash_rw="$(_dst_name "_efi_vars.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
 
     _write_qemu_conf
 
     case $BOARD in
         amd64-usr)
-            cp "/usr/share/edk2-ovmf/OVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
-            cp "/usr/share/edk2-ovmf/OVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
+            cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.qcow2" "$(_dst_dir)/${flash_ro}"
+            cp "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2" "$(_dst_dir)/${flash_rw}"
             ;;
         arm64-usr)
-            # Get edk2 files into local build workspace.
-            info "Updating edk2 in /build/${BOARD}"
-            emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
-            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
-            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
-            truncate -s 64M "$(_dst_dir)/${flash_ro}"
-            truncate -s 64M "$(_dst_dir)/${flash_rw}"
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.qcow2" "$(_dst_dir)/${flash_ro}"
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2" "$(_dst_dir)/${flash_rw}"
             ;;
     esac
 
@@ -866,20 +861,32 @@ _write_qemu_uefi_conf() {
 }
 
 _write_qemu_uefi_secure_conf() {
-    local flash_rw="$(_dst_name "_efi_vars.fd")"
-    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local flash_rw="$(_dst_name "_efi_vars.qcow2")"
+    local flash_ro="$(_dst_name "_efi_code.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
     local owner="00000000-0000-0000-0000-000000000000"
+    local flash_in
 
     _write_qemu_uefi_conf
-    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
+
+    case $BOARD in
+        amd64-usr)
+            cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2"
+            ;;
+        arm64-usr)
+            # This firmware is not considered secure due to the lack of an SMM
+            # implementation, which is needed to protect the variable store, but
+            # it's only supposed to be used for testing anyway.
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2"
+            ;;
+    esac
 
     virt-fw-vars \
-        --inplace "$(_dst_dir)/${flash_rw}" \
-        --set-pk  "${owner}" /usr/share/sb_keys/PK.crt \
-        --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
-        --add-db  "${owner}" /usr/share/sb_keys/DB.crt \
-        --secure-boot --no-microsoft
+        --input "${flash_in}" \
+        --output "$(_dst_dir)/${flash_rw}" \
+        --add-db  "${owner}" /usr/share/sb_keys/DB.crt
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

changelog/changes/2024-11-08-uefi-firmware.md

@@ -0,0 +1,2 @@
+- The UEFI firmware has changed from raw (.fd) format to QCOW2 format. In addition, the amd64 firmware variables are now held in a 4MB image rather than a 2MB image. Note that this firmware is only intended for testing with QEMU. Do not use it in production. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))
+- The arm64 UEFI firmware now supports Secure Boot. Be aware that this is not considered secure due to the lack of an SMM implementation, which is needed to protect the variable store. As above, this firmware should not be used in production anyway. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))

ci-automation/ci-config.env

@@ -65,10 +65,10 @@ QEMU_FIRMWARE="/usr/share/qemu/bios-256k.bin"
 
 # UEFI firmware filename on build cache.
 # Published by vms.sh as part of the qemu vendor build.
-QEMU_UEFI_FIRMWARE="${QEMU_UEFI_FIRMWARE:-flatcar_production_qemu_uefi_efi_code.fd}"
-QEMU_UEFI_SECURE_FIRMWARE="${QEMU_UEFI_SECURE_FIRMWARE:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
-QEMU_UEFI_OVMF_VARS="${QEMU_UEFI_OVMF_VARS:-flatcar_production_qemu_uefi_efi_vars.fd}"
-QEMU_UEFI_SECURE_OVMF_VARS="${QEMU_UEFI_SECURE_OVMF_VARS:-flatcar_production_qemu_uefi_secure_efi_vars.fd}"
+QEMU_UEFI_FIRMWARE="${QEMU_UEFI_FIRMWARE:-flatcar_production_qemu_uefi_efi_code.qcow2}"
+QEMU_UEFI_SECURE_FIRMWARE="${QEMU_UEFI_SECURE_FIRMWARE:-flatcar_production_qemu_uefi_secure_efi_code.qcow2}"
+QEMU_UEFI_OVMF_VARS="${QEMU_UEFI_OVMF_VARS:-flatcar_production_qemu_uefi_efi_vars.qcow2}"
+QEMU_UEFI_SECURE_OVMF_VARS="${QEMU_UEFI_SECURE_OVMF_VARS:-flatcar_production_qemu_uefi_secure_efi_vars.qcow2}"
 
 # Update payload for the qemu_update.sh test.
 # The default path set below is relative to TEST_WORK_DIR

ci-automation/vendor-testing/qemu_update.sh

@@ -71,12 +71,19 @@ fi
 bios="${QEMU_FIRMWARE}"
 if [ "${CIA_ARCH}" = "arm64" ]; then
     bios="${QEMU_UEFI_FIRMWARE}"
+    ovmf_vars="${QEMU_UEFI_OVMF_VARS}"
     if [ -f "${bios}" ] ; then
         echo "++++ qemu_update.sh: Using existing ./${bios} ++++"
     else
         echo "++++ qemu_update.sh: downloading ${bios} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
         copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${bios}" .
     fi
+    if [ -f "${ovmf_vars}" ] ; then
+        echo "++++ ${CIA_TESTSCRIPT}: Using existing ${ovmf_vars} ++++"
+    else
+        echo "++++ ${CIA_TESTSCRIPT}: downloading ${ovmf_vars} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
+        copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${ovmf_vars}" .
+    fi
 fi
 
 query_kola_tests() {
@@ -118,6 +125,7 @@ run_kola_tests() {
       --qemu-image="${image}" \
       --tapfile="${instance_tapfile}" \
       --update-payload="${QEMU_UPDATE_PAYLOAD}" \
+      "${ovmf_vars:+--qemu-ovmf-vars=${ovmf_vars}}" \
       ${QEMU_KOLA_SKIP_MANGLE:+--qemu-skip-mangle} \
       "${tests[@]}"
 }

jenkins/kola/qemu_common.sh

@@ -7,7 +7,7 @@ if [ "${PLATFORM}" = qemu ]; then
   BIOS="bios-256k.bin"
 elif [ "${PLATFORM}" = qemu_uefi ]; then
   TIMEOUT="14h"
-  BIOS="/mnt/host/source/tmp/flatcar_production_qemu_uefi_efi_code.fd"
+  BIOS="/mnt/host/source/tmp/flatcar_production_qemu_uefi_efi_code.qcow2"
 else
   echo "Unknown platform: \"${PLATFORM}\""
 fi

run_local_tests.sh

@@ -52,8 +52,8 @@ function set_vars() {
   # The local directory ("pwd") will be mounted to /work/ in the container.
   cat > sdk_container/.env <<EOF
 export QEMU_IMAGE_NAME=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_image.bin
-export QEMU_UEFI_FIRMWARE=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_code.fd
-export QEMU_UEFI_OVMF_VARS=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_vars.fd
+export QEMU_UEFI_FIRMWARE=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_code.qcow2
+export QEMU_UEFI_OVMF_VARS=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_vars.qcow2
 export QEMU_UPDATE_PAYLOAD=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_test_update.gz
 export PARALLEL_TESTS=${parallel@Q}
 EOF

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md

@@ -1,7 +1,5 @@
 ## Keys & Certificates
 
-- PK (Platform Key): The Platform Key is the key to the platform.
-- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
 - DB (Signature Database): The signature database is used to validate signed EFI binaries.
 - Shim Certificates: Our set of certificates
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild → sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild

@@ -16,10 +16,6 @@ S="${WORKDIR}"
 
 src_install() {
   insinto /usr/share/sb_keys
-  newins "${FILESDIR}/PK.key" PK.key
-  newins "${FILESDIR}/PK.crt" PK.crt
-  newins "${FILESDIR}/KEK.key" KEK.key
-  newins "${FILESDIR}/KEK.crt" KEK.crt
   newins "${FILESDIR}/DB.key" DB.key
   newins "${FILESDIR}/DB.crt" DB.crt
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -76,7 +76,6 @@ RDEPEND="${RDEPEND}
 	amd64? (
 		app-emulation/xenserver-pv-version
 		app-emulation/xenstore
-		sys-boot/mokutil
 	)"
 
 # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating.
@@ -185,6 +184,7 @@ RDEPEND="${RDEPEND}
 	sys-block/open-iscsi
 	sys-block/parted
 	sys-boot/efibootmgr
+	sys-boot/mokutil
 	sys-cluster/ipvsadm
 	sys-devel/gettext
 	sys-fs/btrfs-progs

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -56,10 +56,9 @@ USE="${USE} bindist"
 # no-source-code - license for sys-kernel/coreos-firmware
 # linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
-# BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64
 # intel-ucode - license for sys-firmware/intel-microcode
 ACCEPT_LICENSE="${ACCEPT_LICENSE} no-source-code
-    linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode"
+    linux-fw-redistributable freedist intel-ucode"
 
 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -107,7 +107,7 @@
 =sys-apps/zram-generator-1.1.2 ~arm64
 
 # Upgrade to latest version for secureboot
-=sys-boot/mokutil-0.6.0 ~amd64
+=sys-boot/mokutil-0.6.0 ~amd64 ~arm64
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64