support testing secureboot in Qemu #556
d7b7a14 to ff74ce5
build
| mkdir -p "bin/$a" | ||
| CGO_ENABLED=0 GOARCH=$a \ | ||
| go build -mod=vendor -ldflags "${ldflags}" \ | ||
| go build -mod=vendor -ldflags "${ldflags}" -gcflags="all=-N -l" \ |
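Review bot: the `-gcflags="all=-N -l"` added to the `go build` line disables optimizations and inlining for every package, vendored dependencies included, which is a debugger setting rather than something the build script should carry unconditionally. If it is needed for stepping through the new secure boot code under a debugger, gate it behind an opt-in variable (append it only when a debug flag is set) or drop it from this change.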
This disables optimizations and inlining. Why?
platform/qemu.go
| ovmfVarsSrc, err := os.Open(ovmfVars) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| defer ovmfVarsSrc.Close() | ||
|
|
||
| ovmfVarsCopy, err := os.Create(ovmfVarsDst) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| defer ovmfVarsCopy.Close() | ||
|
|
||
| if _, err := io.Copy(ovmfVarsCopy, ovmfVarsSrc); err != nil { | ||
| os.Remove(ovmfVarsCopy.Name()) | ||
| return "", err |
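Review bot: the error from closing `ovmfVarsCopy` is discarded by the deferred `Close()`, so a write failure that only surfaces at close would leave a truncated vars file behind while the function still returns success; close the destination explicitly, check its error, and `os.Remove` the copy on failure before returning its path (or use an existing copy helper that does this). On the `io.Copy` error path `os.Remove(ovmfVarsCopy.Name())` also runs while the file is still open, with the deferred close running afterwards; harmless on Linux, but worth ordering explicitly. Copying the vars store per VM is the right call: the firmware writes to it, and a shared template would let one test's variable changes leak into the next.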
There is a CopyRegularFile function in github.com/flatcar/mantle/system package. Maybe you could use it instead?
I was looking for something like this. Switched to CopyRegularFile.
| ) | ||
| if enableSecureboot { | ||
| qmCmd = append(qmCmd, | ||
| "-global", "ICH9-LPC.disable_s3=1", |
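Review bot: `-global ICH9-LPC.disable_s3=1` is appended without any explanation; add a comment stating what it does (it disables the S3 sleep state on the q35 ICH9 LPC bridge) and why it belongs under `enableSecureboot`, otherwise the next reader cannot tell whether it can be dropped together with the other secure boot options.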
This one could use a comment, really.
Added a comment with what I know.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Continue supporting BIOS by passing `-bios` and only enable `smm=on` when secure boot is requested, as it requires a build of OVMF code. This special build is required for secure boot support, but non-sboot OVMFs won't support it.
and cleanup on shutdown.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
To make this change easier to apply to all channels.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Kernel lockdown blocks loading unsigned kernel modules, so these tests need to be disabled. Eventually the zfs sysext should ship signed kernel modules, but falco is built on the running system and won't work the same way. Falco suggests running in eBPF mode instead.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
ff74ce5 to 6dc4d85
The previous instructions still work, but update to show the newly added CLI options.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Yes, the instructions are still accurate.
@sayanchowdhury + @jepio
bootindex
Tested here: http://jenkins.infra.kinvolk.io:8080/job/container/job/test_dispatcher/5120/cldsv/ with ghcr.io/flatcar/mantle:pr-554