diff --git a/bin/recipes/edk2/make b/bin/recipes/edk2/make new file mode 100755 index 0000000..83e754b --- /dev/null +++ b/bin/recipes/edk2/make @@ -0,0 +1,108 @@ +#!/usr/bin/env bash + +rm -rf edk2 +rm -rf output + +git clone https://github.com/tianocore/edk2.git +cd edk2 +git checkout fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae + + +# 0) Make sure LLVM is installed +brew install llvm acpica nasm +brew install lld + +# 1) Point PATH and tool vars to Homebrew’s LLVM (Apple Silicon path shown) +export LLVM_PREFIX="/opt/homebrew/opt/llvm" # Intel Macs: /usr/local/opt/llvm +export LLD_PREFIX="/opt/homebrew/opt/lld" +export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH" + +hash -r + +# 2) Explicitly select LLVM tools so EDK2 doesn’t fall back to Apple’s +export CC="$LLVM_PREFIX/bin/clang" +export CXX="$LLVM_PREFIX/bin/clang++" +export LD="$LLD_PREFIX/bin/ld.lld" +export AR="$LLVM_PREFIX/bin/llvm-ar" +export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib" +export NM="$LLVM_PREFIX/bin/llvm-nm" +export STRIP="$LLVM_PREFIX/bin/llvm-strip" +export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy" +export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump" + +# 3) Sanity check — these MUST point into .../opt/llvm/bin +which clang; clang --version +which ld.lld +which llvm-ar + +# 4) Rebuild tools & firmware +make -C BaseTools -j +source ./edksetup.sh + +build -a AARCH64 -t CLANGDWARF \ + -p ShellPkg/ShellPkg.dsc \ + -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \ + -b RELEASE + + +cd .. + +mkdir -p output/keys/EFI/Boot +openssl x509 -in "microsoft corporation kek 2k ca 2023.crt" -outform DER -out output/keys/kek2023.cer +openssl x509 -in "windows uefi ca 2023.crt" -outform DER -out output/keys/db2023.cer + +open /Users/artur/projs/edk2 + +exit 0 + + +# (Optional) clean the previous failed build to avoid stale flags/objects +rm -rf Build/ArmVirtQemu-AARCH64 + +build -a AARCH64 \ + -t CLANGDWARF \ + -p ArmVirtPkg/ArmVirtQemu.dsc \ + -D SECURE_BOOT_ENABLE=TRUE \ + -b DEBUG + + + +# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd" +# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd" + + +# # Make blank 64 MiB raws +# qemu-img create -f raw QEMU_EFI-pflash.raw 64M +# qemu-img create -f raw QEMU_VARS-pflash.raw 64M + +# # Copy firmware into the front of each file without truncating the 64 MiB size +# dd if="$CODE" of=QEMU_EFI-pflash.raw conv=notrunc +# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc + +# # Confirm size is exactly 67108864 bytes +# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw + + + +# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11 +# https://go.microsoft.com/fwlink/?linkid=2239775 +# https://go.microsoft.com/fwlink/?linkid=2239776 + + +# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys +# -device usb-storage,drive=mskeys + + +# 5. Enroll the certs in firmware +# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi. + +# In KeyTool: +# Go to Edit Keys → KEK → Add New Key, pick kek2023.cer. +# Go to Edit Keys → db → Add New Key, pick db2023.cer. +# If no PK is present yet, you must enroll a Platform Key (PK) first (can be self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure Boot remains “greyed out.” + +# ✅ After PK + KEK + DB are enrolled, reboot → go into firmware setup → Secure Boot option will be toggleable → set it to Enabled. +# Now Windows 11 installer/bootloader should run under Secure Boot. +# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3 + + diff --git a/bin/recipes/edk2/microsoft corporation kek 2k ca 2023.crt b/bin/recipes/edk2/microsoft corporation kek 2k ca 2023.crt new file mode 100644 index 0000000..e6ffb4f Binary files /dev/null and b/bin/recipes/edk2/microsoft corporation kek 2k ca 2023.crt differ diff --git a/bin/recipes/edk2/notes.md b/bin/recipes/edk2/notes.md new file mode 100644 index 0000000..cbb8a67 --- /dev/null +++ b/bin/recipes/edk2/notes.md @@ -0,0 +1,61 @@ +That error means your **WORKSPACE** points to a *different* edk2 tree: + +``` +/Users/artur/.dat/bin/recipes/edk2/edk2 +``` + +so `build` is looking for `ShellPkg/.../KeyTool.inf` **there**, not in `~/projs/edk2`. + +Fix by resetting your env and sourcing `edksetup.sh` from the repo you actually want to build. + +## Do this exactly + +```bash +# 0) Go to the edk2 you want to use +cd ~/projs/edk2 +git rev-parse --show-toplevel # should print /Users/artur/projs/edk2 + +# 1) Clear any stale EDK2 env from previous shells +unset WORKSPACE EDK_TOOLS_PATH PACKAGES_PATH + +# 2) Rebuild BaseTools (with your LLVM/lld PATH still set like earlier) +make -C BaseTools -j + +# 3) Reset Conf inside THIS tree and re-source +rm -f Conf/target.txt Conf/tools_def.txt +source ./edksetup.sh + +# Sanity checks — these must point into ~/projs/edk2 +echo "WORKSPACE=$WORKSPACE" +echo "EDK_TOOLS_PATH=$EDK_TOOLS_PATH" +test -f "$WORKSPACE/ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf" && echo "KeyTool found" + +# 4) Build KeyTool for AArch64 with clang/lld +build -a AARCH64 -t CLANGDWARF \ + -p ShellPkg/ShellPkg.dsc \ + -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \ + -b RELEASE +``` + +### If you still see it picking the wrong path + +You probably have these variables exported in your shell config. Force them for this shell: + +```bash +export WORKSPACE="$PWD" +export EDK_TOOLS_PATH="$WORKSPACE/BaseTools" +export PACKAGES_PATH="$WORKSPACE" +source ./edksetup.sh +``` + +Then re-run the `build` command above. + +### Where the binary will land + +Typical output path (adjust for your build target): + +``` +Build/Shell/RELEASE_CLANGDWARF/AARCH64/ShellPkg/Application/KeyTools/KeyTool/KeyTool/OUTPUT/KeyTool.efi +``` + +Once you’ve got `KeyTool.efi`, mount it along with your `kek2023.cer` and `db2023.cer`, enroll **PK → KEK → db**, reboot into the firmware UI, and enable **Secure Boot**. diff --git a/bin/recipes/edk2/windows uefi ca 2023.crt b/bin/recipes/edk2/windows uefi ca 2023.crt new file mode 100644 index 0000000..4c5430b Binary files /dev/null and b/bin/recipes/edk2/windows uefi ca 2023.crt differ diff --git a/bin/vm-cmd b/bin/vm-cmd index 41874eb..b62323d 100755 --- a/bin/vm-cmd +++ b/bin/vm-cmd @@ -1,5 +1,11 @@ #!/usr/bin/env bash +rm -rf /Volumes/Cache/vms/image/win11-arm64/win11/code.fd +rm -rf /Volumes/Cache/vms/image/win11-arm64/win11/vars.fd +cp /opt/homebrew/share/qemu/edk2-aarch64-code.fd /Volumes/Cache/vms/image/win11-arm64/win11/code.fd +cp /opt/homebrew/share/qemu/edk2-arm-vars.fd /Volumes/Cache/vms/image/win11-arm64/win11/vars.fd + + # brew install qemu swtpm # qemu-system-aarch64 -drive if=pflash,format=raw,unit=0,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd -drive if=pflash,format=raw,unit=1,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd -display cocoa -device qemu-xhci,id=xhci -device usb-kbd -device usb-tablet -device virtio-keyboard-device -device virtio-mouse-device -device virtio-gpu -device virtio-net,netdev=n0 -netdev user,id=n0 -accel hvf -machine virt -cpu max -m 16384 -smp 6 -name FirstVM -boot order=d -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=virtio,cache=writeback,format=raw,id=nvme0 -drive id=cd,format=raw,file=/Volumes/Cache/downloads/win11arm64.iso,media=cdrom -device usb-storage,drive=cd,bootindex=1 -device ramfb -chardev socket,id=chrtpm,path=/Users/agurgul/Downloads/tpm/tpm.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0 @@ -15,28 +21,36 @@ # -device virtio-keyboard-pci \ # -device virtio-tablet-pci \ +# -device ich9-ahci,id=ahci0 \ +# -device ide-hd,drive=drv0,bus=ahci0.0 \ -qemu-system-aarch64 \ - -boot order=d \ - -machine virt,accel=hvf \ - -cpu host -smp 6 -m 8G \ - -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \ - -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \ - -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \ - -device ich9-ahci,id=ahci0 \ - -device nvme,drive=drv0,serial=nvme0 \ - -device virtio-scsi-pci,id=scsi0 \ - -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \ - -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \ - -device ramfb \ - -device qemu-xhci,id=xhci \ - -device usb-kbd,bus=xhci.0,port=1 \ - -device usb-tablet,bus=xhci.0,port=2 \ - -netdev user,id=net0,hostfwd=tcp::33890-:3389 \ - -device virtio-net-pci,netdev=net0 \ - -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ - -tpmdev emulator,id=tpm0,chardev=chrtpm \ - -device tpm-tis-device,tpmdev=tpm0 +# -device nvme,drive=drv0,serial=nvme0 + +# -boot order=d \ +# -device usb-storage,drive=udisk,port=3\ + +# wget http://http.us.debian.org/debian/pool/main/e/edk2/qemu-efi-aarch64_2025.02-8_all.deb +# qemu-system-aarch64 \ +# -machine virt,accel=hvf \ +# -cpu host -smp 6 -m 8G \ +# --boot order=d,menu=on \ +# -bios /Users/artur/Downloads/tpm/QEMU_EFI.fd \ +# -device qemu-xhci,id=xhci \ +# \ +# -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,format=raw \ +# \ +# -device virtio-scsi-pci,id=scsi0 \ +# -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \ +# -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \ +# -device ramfb \ +# -device usb-kbd,bus=xhci.0,port=1 \ +# -device usb-tablet,bus=xhci.0,port=2 \ +# -netdev user,id=net0,hostfwd=tcp::35890-:3589 \ +# -device virtio-net-pci,netdev=net0 \ +# -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 \ +# -monitor stdio # in Shell @@ -46,4 +60,163 @@ qemu-system-aarch64 \ # Disk driver: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/ -# Used: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.271-1/ \ No newline at end of file +# Used: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.271-1/ + + + + + + + + +# Attempt 1 +# qemu-system-aarch64 \ +# -machine virt,accel=hvf \ +# -cpu host -smp 6 -m 8G \ +# --boot order=d,menu=on \ +# -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \ +# -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \ +# -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \ +# -device nvme,drive=drv0,serial=nvme0 \ +# -device virtio-scsi-pci,id=scsi0 \ +# -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \ +# -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \ +# -device ramfb \ +# -device qemu-xhci,id=xhci \ +# -device usb-kbd,bus=xhci.0,port=1 \ +# -device usb-tablet,bus=xhci.0,port=2 \ +# -netdev user,id=net0,hostfwd=tcp::33890-:3389 \ +# -device virtio-net-pci,netdev=net0 \ +# -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 \ +# -monitor stdio + + +# Attempt 2 +# qemu-system-aarch64 \ +# -machine virt,accel=hvf \ +# -cpu host -smp 6 -m 8G \ +# --boot order=d,menu=on \ +# -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd,readonly=on \ +# -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \ +# -drive file=/Volumes/Cache/vms/image/win11-arm64/win11/root.img,if=none,format=raw,id=drv0 \ +# -device ich9-ahci,id=ahci0 \ +# -device ide-hd,drive=drv0,bus=ahci0.0 \ +# -device virtio-scsi-pci,id=scsi0 \ +# -drive file=/Volumes/Cache/downloads/win11arm64.iso,if=none,media=cdrom,id=cd0 \ +# -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=1 \ +# -device ramfb \ +# -device qemu-xhci,id=xhci \ +# -device usb-kbd,bus=xhci.0,port=1 \ +# -device usb-tablet,bus=xhci.0,port=2 \ +# -netdev user,id=net0,hostfwd=tcp::33890-:3389 \ +# -device virtio-net-pci,netdev=net0 \ +# -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 \ +# -monitor stdio + + + + + + + + + +# Attempt 3 +# qemu-system-aarch64 \ +# -machine virt,accel=hvf \ +# -cpu host -smp 6 -m 8G \ +# --boot menu=on \ +# \ +# -drive if=pflash,format=raw,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/code.fd \ +# -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/vars.fd \ +# \ +# -drive if=none,file=/Volumes/Cache/vms/image/win11-arm64/win11/root.qcow2,format=qcow2,id=drv0 \ +# -device nvme,drive=drv0,serial=nvme-1 \ +# \ +# -device qemu-xhci,id=xhci \ +# -drive if=none,id=winiso,media=cdrom,readonly=on,file=/Volumes/Cache/downloads/win11arm64.iso \ +# -device usb-storage,drive=winiso,bootindex=1 \ +# \ +# -device ramfb \ +# -device usb-kbd \ +# -device usb-tablet \ +# -netdev user,id=net0,hostfwd=tcp::33890-:3389 \ +# -device virtio-net-pci,netdev=net0 \ +# \ +# -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 + + + +# -serial mon:stdio + +# File: bypass.reg +# Windows Registry Editor Version 5.00 + +# [HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig] +# "BypassTPMCheck"=dword:00000001 +# "BypassSecureBootCheck"=dword:00000001 +# "BypassCPUCheck"=dword:00000001 +# "BypassRAMCheck"=dword:00000001 + +# hdiutil makehybrid -iso -joliet -o bypass.iso bypass.reg + +# Shift+F10 +# reg import D:\bypass.reg + + +## Build EDK2 +# brew install nasm iasl python@3 openssl pkg-config +# brew install llvm acpica nasm +# git clone https://github.com/tianocore/edk2.git +# cd edk2 +# git submodule update --init +# make -C BaseTools +# source ./edksetup.sh +# export PATH="/opt/homebrew/opt/llvm/bin:$PATH" +# build -a X64 \ +# -t XCODE5 \ +# -p OvmfPkg/OvmfPkgX64.dsc \ +# -D SECURE_BOOT_ENABLE=TRUE +# build -a AARCH64 \ +# -t XCODE5 \ +# -p ArmVirtPkg/ArmVirtQemu.dsc \ +# -D SECURE_BOOT_ENABLE=TRUE + +# build -a AARCH64 \ +# -t CLANGDWARF \ +# -p ArmVirtPkg/ArmVirtQemu.dsc \ +# -D SECURE_BOOT_ENABLE=TRUE \ +# -b DEBUG +# Steps moved to /bin/recipes/make-edk2 + +# Attempt 4 +qemu-system-aarch64 \ + -machine virt,accel=hvf \ + -cpu host -smp 6 -m 8G \ + --boot menu=on \ + \ + -drive if=pflash,format=raw,readonly=on,file=/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI-pflash.raw \ + -drive if=pflash,format=raw,file=/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS-pflash.raw \ + \ + -drive if=none,file=/Volumes/Cache/vms/image/win11-arm64/win11/root.qcow2,format=qcow2,id=drv0 \ + -device nvme,drive=drv0,serial=nvme-1 \ + \ + -device qemu-xhci,id=xhci \ + -drive if=none,id=winiso,media=cdrom,readonly=on,file=/Volumes/Cache/downloads/win11arm64.iso \ + -device usb-storage,drive=winiso,bootindex=1 \ + \ + -device ramfb \ + -device usb-kbd \ + -device usb-tablet \ + -netdev user,id=net0,hostfwd=tcp::33890-:3389 \ + -device virtio-net-pci,netdev=net0 \ + \ + -chardev socket,id=chrtpm,path=/Users/artur/Downloads/tpm/tpm.sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis-device,tpmdev=tpm0 \ No newline at end of file diff --git a/lib/virtual-machine.rb b/lib/virtual-machine.rb index 20c2ca7..898c54f 100644 --- a/lib/virtual-machine.rb +++ b/lib/virtual-machine.rb @@ -123,7 +123,7 @@ module VirtualMachine get_cdrom_image(options) do |path| disk_img_path = root_img_path(options) - create_disk_image(disk_img_path, 64000) + create_disk_image(disk_img_path, 64000 * 4) Qemu.launch( options[:arch],