Adventures with the UEFI shim

Paul Moore paul at paul-moore.com
Fri Oct 30 14:24:22 GMT 2020


On Thu, Oct 8, 2020 at 11:42 AM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Oct 7, 2020 at 3:17 PM Peter Jones <pjones at redhat.com> wrote:
> > On Thu, Oct 01, 2020 at 03:16:08PM -0400, Paul Moore wrote:

...

> > > As an aside, how do people do dev/test of the UEFI shim when UEFI
> > > Secure Boot is enabled?  I originally thought I could use a Microsoft
> > > signed shim to boot my development shim which would finally boot the
> > > kernel/OS, but I'm running afoul of the nested EFI service hooks.  Any
> > > advice you can provide would be appreciated.
> >
> > We use Qemu with OVMF (see the "edk2" packages in fedora for example
> > builds) and enroll our own certs and self-sign everything.  The biggest
> > "gotcha" there is to be sure you have one cert that's in 'db' and signs
> > shim, and a completely different cert that shim trusts, which signs
> > anything shim might be loading.  That said, my statement here is
> > obviously not written with your attempt to use systemd-boot in mind.
>
> You wouldn't happen to have a doc/guide written up on this, would you?
>  Bonus points if it uses QEMU directly and doesn't require libvirt.
> The past two days I started playing around with using QEMU+OVMF to
> ease UEFI development, but I haven't properly tried to get UEFI Secure
> Boot working yet.

I suspect many (all?) of the people on this list already have an
established QEMU+OVMF development environment, but for those who don't
I put together a repo with a working QEMU+OVMF+swtpm setup.  The docs
are pretty minimal right now so if you have any questions let me know.

* https://github.com/atomixos/uefi-dev

-- 
paul moore
www.paul-moore.com
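The two-key split Peter describes above (one cert in 'db' signing shim, a different cert trusted by shim signing what shim loads), as an added shell example that is not part of this thread or of the uefi-dev repo: it uses only openssl to create a "db" key and a separate "vendor" key, signs stand-in images, and checks that each image verifies only against the key one level above it. File names, subjects and image contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): model the two-key split Peter Jones
# describes for a QEMU+OVMF Secure Boot test setup.  Key "db" stands for the
# cert enrolled in the firmware's db that signs shim; key "vendor" stands for
# the separate cert built into shim that signs whatever shim loads.
# Only openssl is used; sbsign/pesign are not needed.  All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed RSA cert + key named $1 with subject CN $2; also dumps the pubkey.
make_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
}

# Detached SHA-256/RSA signature of $WORK/$1 made with key $2.
sign_blob() {
    openssl dgst -sha256 -sign "$WORK/$2.key" -out "$WORK/$1.sig" "$WORK/$1"
}

# Does cert $2 verify the signature on $WORK/$1?  Exit status 0 = yes.
verify_blob() {
    openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$WORK/$1.sig" \
        "$WORK/$1" >/dev/null 2>&1
}

make_key db     "test-db-key-enrolled-in-firmware"
make_key vendor "test-vendor-key-embedded-in-shim"

# Constructed stand-ins for the EFI binaries (real ones are PE files).
printf 'shim image\n'   > "$WORK/shimx64.efi"
printf 'loader image\n' > "$WORK/loader.efi"

sign_blob shimx64.efi db       # firmware (db cert) -> shim
sign_blob loader.efi  vendor   # shim (vendor cert)  -> loader

# Returns 0 if the trust split is right: each image verifies only with the
# key that sits one level above it in the chain, never with the other one.
check_trust_split() {
    verify_blob shimx64.efi db     || return 1
    verify_blob loader.efi  vendor || return 1
    verify_blob loader.efi  db     && return 1   # db must NOT cover the loader
    verify_blob shimx64.efi vendor && return 1   # vendor must NOT cover shim
    return 0
}
check_trust_split && echo "trust split OK: db->shim, vendor->loader"
```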


