football/vm/template.xml
Charles N Wyble 169362ce3d feat: implement Secure Boot with UKI in run.sh
Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment

All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.

Required packages added: efitools, sbsigntools, systemd-boot, binutils

VM template updated with TPM v2.0 for Secure Boot measurements.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-20 07:40:21 -05:00


<domain type='kvm'>
  <name>@VM_NAME@</name>
  <uuid>@VM_UUID@</uuid>
  <memory unit='MiB'>@VM_RAM@</memory>
  <currentMemory unit='MiB'>@VM_RAM@</currentMemory>
  <vcpu placement='static'>@VM_CPUS@</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' secure='@SECURE_BOOT@' type='pflash'>@UEFI_CODE@</loader>
    <nvram template='@UEFI_VARS_TEMPLATE@'/>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <smm state='on'/>
  </features>
  <cpu mode='host-passthrough' check='none'/>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='@VM_DISK@'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='@ISO_PATH@'/>
      <target dev='sda' bus='sata'/>
      <readonly/>
    </disk>
    <interface type='user'>
      <model type='virtio'/>
    </interface>
    <graphics type='vnc' port='-1' autoport='yes'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='virtio' heads='1' primary='yes'/>
    </video>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
  </devices>
</domain>
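The template above only delivers Secure Boot if the rendered domain stays internally consistent: `secure='yes'` on the loader needs `<smm state='on'/>` (libvirt rejects the combination without it on q35, because the OVMF Secure Boot build keeps its variable store behind SMM), an `<nvram>` element so the enrolled PK/KEK/db survive reboots, and a TPM 2.0 backend for the measurements the commit mentions. The following Python is an added example, not code from this repository, that renders the `@PLACEHOLDER@` tokens with constructed sample values and checks those invariants; the embedded template is an abridged copy of template.xml (clock, graphics, network and console elements left out), and the paths in `SAMPLE_VALUES` are placeholders.

```python
"""Render the libvirt domain template with constructed sample values and
check the Secure Boot invariants a reviewer would expect to hold.
Added example, not part of the repository; the embedded template is an
abridged copy of template.xml (clock, graphics and console elements omitted)."""
import re
import xml.etree.ElementTree as ET

TEMPLATE = """<domain type='kvm'>
  <name>@VM_NAME@</name>
  <uuid>@VM_UUID@</uuid>
  <memory unit='MiB'>@VM_RAM@</memory>
  <vcpu placement='static'>@VM_CPUS@</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' secure='@SECURE_BOOT@' type='pflash'>@UEFI_CODE@</loader>
    <nvram template='@UEFI_VARS_TEMPLATE@'/>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <smm state='on'/>
  </features>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='@ISO_PATH@'/>
      <target dev='sda' bus='sata'/>
      <readonly/>
    </disk>
  </devices>
</domain>"""

# Constructed sample values; the paths are placeholders, not the project's.
SAMPLE_VALUES = {
    "VM_NAME": "football-test",
    "VM_UUID": "11111111-2222-4333-8444-555555555555",
    "VM_RAM": "4096",
    "VM_CPUS": "2",
    "SECURE_BOOT": "yes",
    "UEFI_CODE": "/path/to/OVMF_CODE.fd",
    "UEFI_VARS_TEMPLATE": "/path/to/OVMF_VARS.fd",
    "ISO_PATH": "/path/to/football.iso",
}

PLACEHOLDER = re.compile(r"@([A-Z_]+)@")

def render(template, values):
    """Substitute every @KEY@ token; an unknown key is an error, never left in place."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder @{key}@")
        return values[key]
    return PLACEHOLDER.sub(sub, template)

def check_secure_boot(domain_xml):
    """Return a list of findings; an empty list means the domain is consistent."""
    root = ET.fromstring(domain_xml)
    findings = []
    loader = root.find("./os/loader")
    if loader is None:
        return ["no <loader>: guest boots with legacy BIOS, Secure Boot is impossible"]
    if loader.get("readonly") != "yes":
        findings.append("loader must be readonly='yes' so the guest cannot rewrite firmware code")
    if loader.get("type") != "pflash":
        findings.append("loader type must be 'pflash' for UEFI variable storage")
    if loader.get("secure") != "yes":
        findings.append(f"loader secure={loader.get('secure')!r}: the UKI signature is never verified")
    else:
        # libvirt rejects secure='yes' on q35 unless SMM is on, because the
        # OVMF Secure Boot build keeps its variable store behind SMM.
        smm = root.find("./features/smm")
        if smm is None or smm.get("state") != "on":
            findings.append("secure='yes' requires <smm state='on'/>")
        if root.find("./os/nvram") is None:
            findings.append("secure='yes' needs <nvram> so the enrolled PK/KEK/db persist")
    backend = root.find("./devices/tpm/backend")
    if backend is None or backend.get("version") != "2.0":
        findings.append("no TPM 2.0 backend: boot measurements (PCRs) are unavailable")
    for disk in root.findall("./devices/disk[@device='cdrom']"):
        if disk.find("readonly") is None:
            findings.append("cdrom disk lacks <readonly/>")
    return findings
```

`render()` fails loudly on an unknown token rather than leaving `@...@` in the XML, so a misspelled variable in run.sh surfaces at build time instead of as a libvirt parse error at VM start. The check is deliberately narrow: it covers the relationships between loader, SMM, nvram and TPM that the schema alone does not express; run libvirt's own `virt-xml-validate` on the rendered file for the structural validation.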