support testing secureboot in Qemu #556
Conversation
jepio
force-pushed
the
sayan/secureboot-implement-ci+jepio
branch
from
d7b7a14 to
ff74ce5
Compare
build
Outdated
| @@ -30,7 +30,7 @@ cross_build() { | |||
| echo "Building $a/$1" | |||
| mkdir -p "bin/$a" | |||
| CGO_ENABLED=0 GOARCH=$a \ | |||
| go build -mod=vendor -ldflags "${ldflags}" \ | |||
| go build -mod=vendor -ldflags "${ldflags}" -gcflags="all=-N -l" \ | |||
There was a problem hiding this comment.
This disables optimizations and inlining. Why?
platform/qemu.go
Outdated
| ovmfVarsSrc, err := os.Open(ovmfVars) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| defer ovmfVarsSrc.Close() | ||
|
|
||
| ovmfVarsCopy, err := os.Create(ovmfVarsDst) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| defer ovmfVarsCopy.Close() | ||
|
|
||
| if _, err := io.Copy(ovmfVarsCopy, ovmfVarsSrc); err != nil { | ||
| os.Remove(ovmfVarsCopy.Name()) | ||
| return "", err |
There was a problem hiding this comment.
There is a CopyRegularFile function in github.com/flatcar/mantle/system package. Maybe you could use it instead?
There was a problem hiding this comment.
i was looking for something like this. Switched to CopyRegularFile
| ) | ||
| if enableSecureboot { | ||
| qmCmd = append(qmCmd, | ||
| "-global", "ICH9-LPC.disable_s3=1", |
There was a problem hiding this comment.
This one could use a comment, really.
There was a problem hiding this comment.
added a comment with what i know
Signed-off-by: Sayan Chowdhury <[email protected]>
Continue supporting BIOS by passing `-bios` and only enable `smm=on` when secure boot is requested, as it requires build of OVMF code. This special build is required for secure boot support, but non-sboot OVMFs won't support it.
and cleanup on shutdown. Signed-off-by: Jeremi Piotrowski <[email protected]>
To make this change easier to apply to all channels. Signed-off-by: Jeremi Piotrowski <[email protected]>
Kernel lockdown blocks loading unsigned kernel modules, so these tests need to be disabled. Eventually the zfs sysext should ship a signed kernel modules, but falco is built on the running system and won't work the same way. Falco suggests running in eBPF mode instead.
Signed-off-by: Jeremi Piotrowski <[email protected]>
jepio
force-pushed
the
sayan/secureboot-implement-ci+jepio
branch
from
ff74ce5 to
6dc4d85
Compare
There was a problem hiding this comment.
Is this still accurate:
Line 86 in aad4b72
qemu-bios to qemu-firmware ?)
The previous instructions still work, but update to show the newly added cli options. Signed-off-by: Jeremi Piotrowski <[email protected]>
Yes, the instructions are still accurate. |
@sayanchowdhury + @jepio
bootindexTested here: http://jenkins.infra.kinvolk.io:8080/job/container/job/test_dispatcher/5120/cldsv/ with ghcr.io/flatcar/mantle:pr-554