From 99cf2d1e882f0677996420d37f4e0bb70b75f68a Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Fri, 1 Mar 2024 20:01:35 +0100
Subject: [PATCH 1/3] OVMF: remove invalid `assert` on SMM

Someone seems to believe that SMM implies x86, this is wrong. aarch64 supports SMM too, see upstream QEMU code. The proper way to do this is to signal support via QEMU itself, this is something we cannot do because we have no way to communicate QEMU support itself (yet?).

Signed-off-by: Raito Bezarius
---
 pkgs/applications/virtualization/OVMF/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix
index 2e8c5bd1f603..4798e324141d 100644
--- a/pkgs/applications/virtualization/OVMF/default.nix
+++ b/pkgs/applications/virtualization/OVMF/default.nix
@@ -74,7 +74,6 @@ let
 in
 assert platformSpecific ? ${cpuName};
-assert systemManagementModeRequired -> stdenv.hostPlatform.isx86;
 assert msVarsTemplate -> fdSize4MB;
 assert msVarsTemplate -> platformSpecific.${cpuName} ? msVarsArgs;

From ce1d1f3e6c9759be7f2cf807827623d8ac47516c Mon Sep 17 00:00:00 2001
From: nikstur
Date: Fri, 1 Mar 2024 21:06:47 +0100
Subject: [PATCH 2/3] nixos/qemu-vm: remove implicit dependency on SSM

The qemu module shouldn't implicitly (and for all architectures) enable SSM when enabling Secure Boot. Additionally, this breaks aarch64 Secure Boot tests because this module doesn't use the right machine type for anything but X86.
---
 nixos/modules/virtualisation/qemu-vm.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 75ba6dacc122..b5a8b08eee70 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
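Review bot: With this assert gone, `systemManagementModeRequired = true` is accepted for every `cpuName`, but nothing in the hunk shows that the non-x86 `platformSpecific` build arguments act on the flag; if they do not, a caller that asked for SMM gets firmware built without it and no error, which is exactly the silent mismatch the assert used to rule out. A comment beside the remaining asserts would record the new contract, e.g. `# systemManagementModeRequired is no longer limited to x86; whether the platform-specific build args honour it is decided per platform — TODO confirm for non-x86 targets.`. The `let` binding that this `in` closes starts before the hunk.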
@@ -877,11 +877,9 @@ in
 type = types.package;
 default = (pkgs.OVMF.override {
 secureBoot = cfg.useSecureBoot;
-systemManagementModeRequired = cfg.useSecureBoot;
 }).fd;
 defaultText = ''(pkgs.OVMF.override {
 secureBoot = cfg.useSecureBoot;
-systemManagementModeRequired = cfg.useSecureBoot;
 }).fd'';
 description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed.";
@@ -1185,7 +1183,7 @@ in
 "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm"
 "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0"
 ])
-(mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [
+(mkIf (pkgs.stdenv.hostPlatform.isx86 && cfg.efi.OVMF.systemManagementModeRequired) [
 "-machine" "q35,smm=on"
 "-global" "driver=cfi.pflash01,property=secure,value=on"
 ])
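Review bot: The `description` line left untouched in this hunk still promises an OVMF "configured with secure boot if needed", yet the default no longer requests SMM, so on x86 a `useSecureBoot` VM now boots firmware that presumably lacks the SMM-backed protection of the Secure Boot variable store the old default asked for, unless the user overrides `systemManagementModeRequired` themselves. That trade-off should be visible to readers of the option; suggest extending it along the lines of `description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed. SMM is no longer requested implicitly; set systemManagementModeRequired on the OVMF override to enable it.";`. The enclosing `fd = mkOption { … }` starts before the hunk and its closing line is not shown.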
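Review bot: The rewritten `mkIf` condition drops the `or false` fallback, so on x86 hosts `cfg.efi.OVMF.systemManagementModeRequired` becomes a hard attribute lookup; any package supplied through the `efi.OVMF` option that does not carry that attribute will now fail evaluation instead of quietly leaving SMM off as before. Keep the fallback while adding the architecture gate: `(mkIf (pkgs.stdenv.hostPlatform.isx86 && (cfg.efi.OVMF.systemManagementModeRequired or false)) [`. Conversely, on non-x86 hosts a firmware that does request SMM is now silently ignored by this condition; an entry in `warnings` for that combination would make the mismatch visible. Whether the default OVMF package exposes the attribute is not visible in this hunk.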
@@ -115,15 +115,17 @@ in
 virtualisation.useSecureBoot = true;
 };
-testScript = ''
+testScript = let
+efiArch = pkgs.stdenv.hostPlatform.efiArch;
+in { nodes, ... }: ''
 machine.start(allow_reboot=True)
 machine.wait_for_unit("multi-user.target")
 machine.succeed("sbctl create-keys")
 machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine")
-machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi')
-machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI')
-machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi')
+machine.succeed('sbctl sign /boot/EFI/systemd/systemd-boot${efiArch}.efi')
+machine.succeed('sbctl sign /boot/EFI/BOOT/BOOT${toUpper efiArch}.EFI')
+machine.succeed('sbctl sign /boot/EFI/nixos/*${nodes.machine.system.boot.loader.kernelFile}.efi')
 machine.reboot()