osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0

Initial Qubes OS support #156

Open jevank opened 2 years ago

jevank commented 2 years ago

This allows building the qubes-safeboot package using qubes-builder and using it to generate and set up UEFI Secure Boot keys and configuration, and to generate and sign a unified EFI executable bundle with xen, xen config, kernel and ramdisk.

References to issues https://github.com/osresearch/safeboot/issues/21 https://github.com/QubesOS/qubes-issues/issues/4371

jevank commented 2 years ago

Tested with Lenovo X1C6/C7 and Qubes OS r4.1. It requires manual boot configuration with xen.efi loader instead of grub2.

I'm not sure that it should be merged as is, but it might help step forward.

JordanBoulan commented 2 years ago

EDIT nvm see my comment below first

I ended up just installing sbsigntools and mtools from the Qubes repo 'cause they were there. It was telling me that the safeboot rpm relied on efitools, and that wasn't in your repo at all. I checked what the tpm repos provided on pkgs.com and efitools was not listed. The oldest efitools I could find was for Fedora 34 but I decided I would try it. That wanted an updated version of glibc, so I got the oldest one possible that satisfied the rec, which was from Fedora 33. Then after copying the rpms to dom0 I ran qubes-dom0-update ./efitools.rpm ./glibc-common.rpm ./glibc-lang-en.rpm .... ./safeboot.rpm; all the dependencies were resolved and everything installed fine.

However, on restart my VMs would start but no windows would open for any of them. Even running xterm in a running VM didn't do anything or open a window. I figured it was most likely because updating glibc was the problem. So I did qubes-dom0-update --action=downgrade to downgrade glibc to the same version it was before, and then on restart my Qubes wouldn't even boot. Maybe because I was stupid and forgot to uninstall efitools too, but that also doesn't make much sense because it never needed that to boot before. I ended up having to reinstall my entire OS, which isn't a huge deal. I even made a new test installation and installed the rpms again just to confirm that was the issue, and it was. Efitools didn't even seem to exist at all for F32 but the safeboot rpm requires it. Efitools is what required the updated glibc. That seems to make all my VMs unusable though, unless I'm wrong about what caused it.

JordanBoulan commented 2 years ago

@jevank nvm, efitools is linked in the repo but maybe I missed it 'cause it can't be clicked on github.com 'cause it's from kernel.org. 'Cause I went through all the highlighted/clickable repos that were linked and tried to manually build the ones without spec files. So installing the newer one was probably what caused all my problems. It seems weird I wasn't able to find efitools built for fc32 anywhere though, even though the project is decades old and I looked for like an hour.

Still instructions and tips on building and installing to make the steps a bit more clear would be appreciated.

Can you please share your builder.conf as well as instructions on commands and stuff as far as order and how you go about installing? No need to go into extreme detail on building, but detail on places I may have gone wrong building would be great. How I go about installing it properly.

Do I need to do something as simple as update my whole system to the testing branch or something? I'm on 4.1 stable everything updated.

Am I not supposed to be installing this in dom0 or something? If that's the case I'm confused about how it's supposed to work at boot-time. Thanks for your help and time. I'm sure I missed something simple or did something really stupid. Keep in mind I have never used safeboot on normal linux either, which may be why I am so confused on how this works.

It seems like at least safeboot needs to be installed in dom0, since the specfile says

%triggerin -- xen-hypervisor
if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then
    /usr/sbin/safeboot qubes-sign
fi

Thanks again.

jevank commented 2 years ago

> Efitools didn't even seem to exist at all for F32 but safeboot rpm requires it.

Hi, all necessary packages (efitools and sbsigntools) are available in dom0 from fedora repositories. This implementation does not provide yubikey support so there is no need to build them from sources.

> Still instructions and tips on building and installing to make the steps a bit more clear would be appreciated.

Agree. I'll make additional description.

In short, you need to build a package (I think qubes-r4.1.conf is OK), copy this package to dom0 and install it with the qubes-dom0-update tool (to get all required packages from repos).

JordanBoulan commented 2 years ago

Still not sure how to get the efitools requirement. I can build the module fine, but when I try to install after transferring the rpm to dom0... I run qubes-dom0-update ./safeboot.rpm in dom0 and it wants the efitools package and can't find it.

I'm on 4.1 with fc32 dom0 (basically everything is default 4.1, updated on current stable branch) and can't seem to find efitools when I try to install or search for packages. First I try to install efitools with qubes-dom0-update; in the 2nd screenshot I use --action=search to look for efi related packages and scroll up to ones starting with e in the package name

sudo qubes-dom0-update efitools 
sudo qubes-dom0-update --action=search efi

[Screenshots: efitools, efisearch]

jevank commented 2 years ago

Missed that, efitools must be built from source for fedora 32. I will try to add the spec file here

JordanBoulan commented 2 years ago

Thanks, appreciated. I can just build efitools for now possible from the commit you specified. Also what needs to be done to get yubikey working? Maybe I could help?

Are you on the testing or unstable branch of qubes or something with newer fedora in dom0? just wondering. I'm on 4.1 stable with all the latest updates. Says you tested it on r4.1 in the 2nd comment, maybe you just manually built efi tools or something.

jevank commented 2 years ago

> Thanks, appreciated. I can just build efitools for now possible from the commit you specified.

Added commit to build efitools with qubes-builder. You can try to update sources and rebuild.

> Also what needs to be done to get yubikey working? Maybe I could help?

I don't have a yubikey available, and even if I did, it's hard to use in Qubes OS because of the untrusted sys-usb. A possible way would be to use two USB controllers, one of which stays in dom0 and is used for the yubikey. In that case it requires building sbsigntools with yubikey support.

> Are you on the testing or unstable branch of qubes or something with newer fedora in dom0?

I use a heavily customized Qubes OS built from sources.

jevank commented 2 years ago

Build from sources instructions (uses repo/branch from this PR)

git clone https://github.com/QubesOS/qubes-builder
cd qubes-builder
cp example-configs/qubes-r4.1.conf builder.conf
make COMPONENTS=builder-rpm get-sources
make COMPONENTS=safeboot GIT_URL_safeboot=https://github.com/jevank/safeboot BRANCH_safeboot=jevank INSECURE_SKIP_CHECKING=safeboot get-sources
make USE_DIST_BUILD_TOOLS=1 install-deps
make remount
make USE_DIST_BUILD_TOOLS=1 COMPONENTS=safeboot safeboot-dom0

Copy and install packages to dom0

[user@dom0 ~]$ qvm-run -p VMNAME -- cat qubes-builder/qubes-src/safeboot/pkgs/dom0-fc32/qubes-safeboot-0.8-1.fc32.x86_64.rpm > qubes-safeboot-0.8-1.fc32.x86_64.rpm 
[user@dom0 ~]$ qvm-run -p VMNAME -- cat qubes-builder/qubes-src/safeboot/pkgs/dom0-fc32/efitools-1.9.2-7.fc32.x86_64.rpm > efitools-1.9.2-7.fc32.x86_64.rpm
[user@dom0 ~]$ sudo qubes-dom0-update mtools sbsigntools
[user@dom0 ~]$ sudo dnf localinstall qubes-safeboot-0.8-1.fc32.x86_64.rpm efitools-1.9.2-7.fc32.x86_64.rpm

Setup safeboot (requires clearing existing keys from UEFI)

[user@dom0 ~]$ sudo safeboot key-init "/CN=user/OU=test/O=myorg"
[user@dom0 ~]$ sudo safeboot uefi-sign-keys
[user@dom0 ~]$ sudo safeboot qubes-sign

jevank commented 1 year ago

Added support for Qubes OS in the luks-seal and pcrs-sign procedures. Also added a dracut unseal module based on AEM and an initramfs unseal script. Key differences w/ Linux:

Tested with Qubes R4.1 on X1C5-C7. Have a problem with PCR4 prediction on X1C8 I assume because of GPU ROM. Any ideas with it?

I'm really not sure about merging as is, especially with building the required packages from a single repo, but I hope to get your review @marmarek @osresearch

thanks

marmarek commented 1 year ago

> especially with building the required packages from a single repo

It shouldn't be needed anymore, I've put all mentioned backports into R4.1's repo (current-testing right now).

jevank commented 1 year ago

> It shouldn't be needed anymore, I've put all mentioned backports into R4.1's repo (current-testing right now).

Great to see you here! It needs at least one modification to sbsigntools (the --hash-only option https://github.com/osresearch/sbsigntools/commit/370abb7c49ec2a600f64fcbd441d9297124a5cb7) and I'm not sure about openssl3.patch - it was made for Fedora 36 AFAIK.

jevank commented 1 year ago

Fixed PCR4 computation on Lenovo X1C7+ devices, where the EFI ACTION event appears. It needs TPM_EFI_ACTION=1 set in local.conf for everything to work.
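Added example (not part of the thread and not safeboot's own code): why an extra EFI ACTION event changes the predicted PCR4, and how to tell which prediction matches an observed value. It assumes the TCG PC Client event strings and the order action, separator, image; the image digest is a constructed stand-in for the Authenticode hash that `sbsign --hash-only` would produce.

```python
import hashlib

PCR_INIT = bytes(32)   # a SHA-256 PCR is all zeros after reset
# Event data as defined in the TCG PC Client firmware profile (assumed here).
EFI_ACTION = b"Calling EFI Application from Boot Option"
SEPARATOR = bytes(4)   # EV_SEPARATOR measures four zero bytes

# Constructed stand-in for the Authenticode digest of the signed EFI bundle.
SAMPLE_IMAGE_DIGEST = hashlib.sha256(b"constructed unified EFI bundle").digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || digest)."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank values must be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr4(image_digests, efi_action: bool) -> bytes:
    """Replay the assumed PCR4 event sequence for one boot.

    efi_action plays the role the thread gives to TPM_EFI_ACTION=1:
    firmware that logs the EFI ACTION event before the separator.
    """
    events = []
    if efi_action:
        events.append(hashlib.sha256(EFI_ACTION).digest())
    events.append(hashlib.sha256(SEPARATOR).digest())
    events.extend(image_digests)
    pcr = PCR_INIT
    for digest in events:
        pcr = extend(pcr, digest)
    return pcr


def diagnose(observed_pcr4: bytes, image_digests):
    """Return True/False for the efi_action setting that reproduces the
    observed PCR4, or None when neither does (some other event was
    measured, so sealing against either prediction would fail to unseal)."""
    for flag in (False, True):
        if predict_pcr4(image_digests, flag) == observed_pcr4:
            return flag
    return None


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, predict_pcr4([SAMPLE_IMAGE_DIGEST], flag).hex())
```

A `None` from `diagnose` means the event log (for example from `tpm2_eventlog`) has to be inspected for additional PCR4 events before sealing.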

jevank commented 1 year ago

Also it needs to disable Absolute Persistent Module in UEFI settings (I prefer permanent disabling :).

pietrushnic commented 1 year ago

@jevank @marmarek I'm trying to follow the above instructions to build on Debian and getting this:

debian@build-engine:~/src/qubes-summit/qubes-builder$ make COMPONENTS=safeboot GIT_URL_safeboot=https://github.com/jevank/safeboot BRANCH_safeboot=jevank INSECURE_SKIP_CHECKING=safeboot get-sources
-> Updating sources for safeboot...
--> Fetching from https://github.com/jevank/safeboot jevank...
--> NOT verifying tags
--> Switching branch from jevank branch to jevank
Reset branch 'jevank'
Your branch is up to date with 'origin/jevank'.

debian@build-engine:~/src/qubes-summit/qubes-builder$ make install-deps
[sudo] password for debian: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package createrepo
E: Unable to locate package perl-Digest-MD5
E: Unable to locate package perl-Digest-SHA
E: Unable to locate package rpm-build
E: Unable to locate package rpmdevtools
make: *** [Makefile:1148: install-deps.dpkg] Error 100

Of course I cannot use USE_DIST_BUILD_TOOLS=1 since this is not Fedora.

jevank commented 1 year ago

I've never tried to build components under a debian-based environment... should it work?..

pietrushnic commented 1 year ago

@jevank it has many problems that qubes-builderv2 should resolve. Do we really want to say you can build Qubes packages only on Fedora?

Ideally Qubes would allow a Debian dom0. Anyway, I want to give your changes a try and help merge them into Qubes, so I will probably set up a Fedora VM just for building, but it is additional overhead.