Initial Qubes OS support #156
base: master
Conversation
This allows building the qubes-safeboot package using qubes-builder and using it to generate and set up UEFI Secure Boot keys and configuration, and to generate and sign a unified EFI executable bundle with xen, the xen config, the kernel and the ramdisk.
Tested with Lenovo X1C6/C7 and Qubes OS r4.1. It requires manual boot configuration with the xen.efi loader instead of grub2. I'm not sure that it should be merged as is, but it might help step forward.
EDIT: nvm, see my comment below first. I ended up just installing sbsigntools and mtools from the qubes repo because they were there. It was telling me that the safeboot rpm relied on efitools, and that wasn't in your repo at all. I checked what the tpm repos provided on pkgs.com and efitools was not listed. The oldest efitools I could find was for fedora 34 but I decided I would try it. That wanted an updated version of glibc so I got the oldest one possible that satisfied the requirement, which was from fedora 33. Then after copying the rpms to dom0 I ran qubes-dom0-update ./efitools.rpm ./glibc-common.rpm ./glibc-lang-en.rpm .... ./safeboot.rpm; all the dependencies were resolved and everything installed fine. However on restart my vms would start but no windows would open for any of my vms. Even running xterm in a running vm didn't do anything or open a window. I figured it was most likely that updating glibc was the problem, so I did qubes-dom0-update --action=downgrade to downgrade glibc to the same version it was before, and then on restart my qubes wouldn't even boot. Maybe because I was stupid and forgot to uninstall efitools too, but that also doesn't make much sense because it never needed that to boot before. I ended up having to reinstall my entire OS, which isn't a huge deal. I even made a new test installation and installed the rpms again just to confirm that was the issue, and it was.
@jevank nvm, efitools is linked in the repo but maybe I missed it because it can't be clicked on github.com since it's from kernel.org. I went through all the highlighted/clickable repos that were linked and tried to manually build the ones without spec files. So installing the newer one was probably what caused all my problems. It seems weird I wasn't able to find efitools built for fc32 anywhere though, even though the project is decades old and I looked for like an hour. Still, instructions and tips on building and installing to make the steps a bit clearer would be appreciated. Can you please share your builder.conf as well as instructions on commands and stuff as far as order and how you go about installing. No need to go into extreme detail on building, but detail on places I may have gone wrong building, and how I go about installing it properly, would be great. Do I need to do something as simple as update my whole system to the testing branch or something? I'm on 4.1 stable, everything updated. Am I not supposed to be installing this in dom0 or something? If that's the case I'm confused about how it's supposed to work at boot-time. Thanks for your help and time. I'm sure I missed something simple or did something really stupid. Keep in mind I have never used safeboot on normal linux either, which may be why I am so confused on how this works. It seems like at least safeboot needs to be installed in dom0 since the specfile says %triggerin -- xen-hypervisor. Thanks again.
Hi, all necessary packages (efitools and sbsigntools) are available in dom0 from fedora repositories. This implementation does not provide yubikey support so there is no need to build them from sources.
Agree. I'll add an additional description. In short, you need to build a package (I think qubes-r4.1.conf is OK), copy this package to dom0 and install it with the qubes-dom0-update tool (to get all required packages from the repos).
Still not sure how to get the efitools requirement. I can build the module fine, but when I try to install after transferring the rpm to dom0... I'm on 4.1 with fc32 dom0 (basically everything is default 4.1, updated on the current stable branch) and can't seem to find efitools when I try to install or search for packages. First I try to install efitools with qubes-dom0-update; in the 2nd screenshot I use --action=search to look for efi related packages and scroll up to ones starting with e in the package name.
Missed that, efitools must be built from source for fedora 32. I will try to add the spec file here.
Thanks, appreciated. I can just build efitools for now, possibly from the commit you specified. Also, what needs to be done to get yubikey working? Maybe I could help? Are you on the testing or unstable branch of qubes, or something with a newer fedora in dom0? Just wondering. I'm on 4.1 stable with all the latest updates. You say you tested it on r4.1 in the 2nd comment; maybe you just manually built efitools or something.
Added commit to build efitools with qubes-builder. You can try to update sources and rebuild.
I don't have a yubikey available, and even if I did, it's hard to use in Qubes OS because of the untrusted sys-usb. A possible way would be to use two USB controllers, one of which stays in dom0 and is used for the yubikey. In that case it requires building sbsigntools with yubikey support.
I use a heavily customized Qubes OS built from sources.
Build from sources instructions (uses repo/branch from this PR):

```sh
git clone https://github.com/QubesOS/qubes-builder
cd qubes-builder
cp example-configs/qubes-r4.1.conf builder.conf
make COMPONENTS=builder-rpm get-sources
make COMPONENTS=safeboot GIT_URL_safeboot=https://github.com/jevank/safeboot BRANCH_safeboot=jevank INSECURE_SKIP_CHECKING=safeboot get-sources
make USE_DIST_BUILD_TOOLS=1 install-deps
make remount
make USE_DIST_BUILD_TOOLS=1 COMPONENTS=safeboot safeboot-dom0
```

Copy and install packages to dom0:

```sh
[user@dom0 ~]$ qvm-run -p VMNAME -- cat qubes-builder/qubes-src/safeboot/pkgs/dom0-fc32/qubes-safeboot-0.8-1.fc32.x86_64.rpm > qubes-safeboot-0.8-1.fc32.x86_64.rpm
[user@dom0 ~]$ qvm-run -p VMNAME -- cat qubes-builder/qubes-src/safeboot/pkgs/dom0-fc32/efitools-1.9.2-7.fc32.x86_64.rpm > efitools-1.9.2-7.fc32.x86_64.rpm
[user@dom0 ~]$ sudo qubes-dom0-update mtools sbsigntools
[user@dom0 ~]$ sudo dnf localinstall qubes-safeboot-0.8-1.fc32.x86_64.rpm efitools-1.9.2-7.fc32.x86_64.rpm
```

Setup safeboot (requires clearing existing keys from UEFI):

```sh
[user@dom0 ~]$ sudo safeboot key-init "/CN=user/OU=test/O=myorg"
[user@dom0 ~]$ sudo safeboot uefi-sign-keys
[user@dom0 ~]$ sudo safeboot qubes-sign
```
This should prevent such errors:

> DEBUG: ./cert-to-efi-sig-list PK.crt PK-blacklist.esl
> DEBUG: make: ./cert-to-efi-sig-list: Command not found
> DEBUG: make: *** [Make.rules:75: PK-blacklist.esl] Error 127
This could be useful to support unattended updates in a secure environment, such as Qubes OS.
Update qubes.efi after linux-firmware upgrading.
This fixes the error:

> tail: 'standard input': cannot seek to relative offset 4: Illegal seek
Added support for Qubes OS in the luks-seal and pcrs-sign procedures. Also added a dracut unseal module based on AEM and an initramfs unseal script.
Tested with Qubes R4.1 on X1C5-C7. Have a problem with PCR4 prediction on X1C8, I assume because of the GPU ROM. Any ideas about it? I'm really not sure about merging as is, especially with building the required packages from a single repo, but I hope to get your review @marmarek @osresearch, thanks.
It shouldn't be needed anymore, I've put all mentioned backports into R4.1's repo (current-testing right now).
Great to see you here! It needs at least one modification to sbsigntools (the --hash-only option osresearch/sbsigntools@370abb7) and I'm not sure about openssl3.patch - it was made for Fedora 36 AFAIK.
Backported packages are available in Qubes OS repos.
This fixes PCR computing on Lenovo X1C7+ and others.
Fixed PCR4 computing with Lenovo X1C7+ devices where the EFI ACTION event appears. It needs TPM_EFI_ACTION=1 set in local.conf to get it all working.
Also it needs the Absolute Persistent Module disabled in UEFI settings (I prefer permanent disabling :).
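Added example, not code from this PR or from the safeboot project, showing what the TPM_EFI_ACTION switch changes: PCR4 is predicted by replaying the event log with the SHA-256 extend rule, and on firmware that logs the EV_EFI_ACTION string the prediction only matches the TPM when that event is included. The log entries (apart from the real SHA-256 of the EFI action string), their order and the local.conf parser are constructed assumptions.

```python
import hashlib

# ASCII string that firmware measures into PCR4 as an EV_EFI_ACTION event
EFI_ACTION_STRING = b"Calling EFI Application from Boot Option"

# Constructed PCR4 log: EFI action, separator, then the boot application
# (the signed unified xen/kernel bundle). Only the first digest is a real
# derivation (SHA-256 of the string); the others are placeholders.
SAMPLE_PCR4_LOG = [
    ("EV_EFI_ACTION", hashlib.sha256(EFI_ACTION_STRING).digest()),
    ("EV_SEPARATOR", hashlib.sha256(b"\x00\x00\x00\x00").digest()),
    ("EV_EFI_BOOT_SERVICES_APPLICATION",
     hashlib.sha256(b"constructed PE hash of qubes.efi").digest()),
]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for the SHA-256 bank: PCR' = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events) -> bytes:
    """Value the TPM holds after extending every logged event."""
    pcr = bytes(32)
    for _, digest in events:
        pcr = pcr_extend(pcr, digest)
    return pcr


def predict_pcr4(events, tpm_efi_action: bool) -> bytes:
    """Sealing-policy prediction; mirrors the TPM_EFI_ACTION switch."""
    pcr = bytes(32)
    for etype, digest in events:
        if etype == "EV_EFI_ACTION" and not tpm_efi_action:
            continue  # skipping a logged event guarantees a mismatch
        pcr = pcr_extend(pcr, digest)
    return pcr


def efi_action_enabled(local_conf: str) -> bool:
    """Hypothetical parser for TPM_EFI_ACTION=1 in a shell-style local.conf."""
    for line in local_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("TPM_EFI_ACTION="):
            return line.split("=", 1)[1].strip().strip("\"'") == "1"
    return False


if __name__ == "__main__":
    flag = efi_action_enabled("TPM_EFI_ACTION=1\n")
    print("tpm     :", replay_log(SAMPLE_PCR4_LOG).hex())
    print("predict :", predict_pcr4(SAMPLE_PCR4_LOG, flag).hex())
```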
@jevank @marmarek I'm trying to follow above instruction to build on debian and getting this:
Of course I cannot use
I've never tried to build components under a debian-based environment... should it work?..
@jevank it has many problems that qubes-builderv2 should resolve. Do we really want to say you can build Qubes packages only on Fedora? Ideally Qubes would allow a Debian dom0. Anyway, I want to give your changes a try and help merge them into Qubes, so I probably will set up a Fedora VM just for building, but it is additional overhead.
They were needed in fc32 dom0, but R4.2 has newer one. sbsigntools carries one extra patch: osresearch/safeboot#156 (comment)
This allows building the qubes-safeboot package using qubes-builder and
use it to generate and setup UEFI Secure Boot keys and configuration,
generate and sign unified EFI executable bundle with xen, xen config,
kernel and ramdisk.
References to issues
#21
QubesOS/qubes-issues#4371