Refactor OVMF detection and add SecureBoot support

Add 'secureboot="on"' to a VM configuration to enable SecureBoot.

README.md

@@ -44,7 +44,7 @@ comprehensive support for macOS and Windows**.
   * Automatic SSH port forwarding to guests
   * Network port forwarding
   * Full duplex audio
-  * EFI and Legacy BIOS booting
+  * EFI (with or without SecureBoot) and Legacy BIOS boot
   * Graphical user interfaces available
 
 Quickemu is a wrapper for the excellent [QEMU](https://www.qemu.org/) that
@@ -62,6 +62,7 @@ See this (old) video where I explain some of my motivations for creating Quickem
   * [QEMU](https://www.qemu.org/) (*6.0.0 or newer*)
   * [bash](https://www.gnu.org/software/bash/) (*4.0 or newer*)
   * [Coreutils](https://www.gnu.org/software/coreutils/)
+  * [EDK II](https://github.com/tianocore/edk2)
   * [grep](https://www.gnu.org/software/grep/)
   * [jq](https://stedolan.github.io/jq/)
   * [LSB](https://wiki.linuxfoundation.org/lsb/start)

quickemu

@@ -193,6 +193,7 @@ function efi_vars() {
 
 function vm_boot() {
   local BALLOON="-device virtio-balloon"
+  local BOOT_STATUS=""
   local CPU=""
   local DISK_USED=""
   local DISPLAY_DEVICE=""
@@ -322,7 +323,6 @@ function vm_boot() {
   # Always Boot macOS using EFI
   if [ "${guest_os}" == "macos" ]; then
     boot="efi"
-    echo " - BOOT:     EFI (${guest_os})"
     if [ -e "${VMDIR}/OVMF_CODE.fd" ] && [ -e "${VMDIR}/OVMF_VARS-1024x768.fd" ]; then
       EFI_CODE="${VMDIR}/OVMF_CODE.fd"
       EFI_VARS="${VMDIR}/OVMF_VARS-1024x768.fd"
@@ -344,6 +344,7 @@ function vm_boot() {
       echo "       Use 'quickget' to download the required files."
       exit 1
     fi
+    BOOT_STATUS="EFI (macOS), OVMF ($(basename "${EFI_CODE}")), SecureBoot (${secureboot})."
   elif [[ "${boot}" == *"efi"* ]]; then
     EFI_VARS="${VMDIR}/OVMF_VARS.fd"
 
@@ -354,36 +355,54 @@ function vm_boot() {
       mv "${VMDIR}/OVMF_VARS_4M.fd" "${EFI_VARS}"
     fi
 
-    if [ -e "/usr/share/OVMF/OVMF_CODE_4M.fd" ] ||
+    # OVMF_CODE_4M.fd is for booting guests in non-Secure Boot mode.
-       [ -e "/usr/share/OVMF/x64/OVMF_CODE.fd" ] ||
+    # While this image technically supports Secure Boot, it does so
-       [ -e "/usr/share/OVMF/OVMF_CODE.fd" ]; then
+    # without requiring SMM support from QEMU
-      echo " - BOOT:     EFI (${guest_os})"
 
-      if [ -e "/usr/share/OVMF/OVMF_CODE_4M.fd" ]; then
+    # OVMF_CODE.secboot.fd is like OVMF_CODE_4M.fd, but will abort if QEMU
-        EFI_CODE="/usr/share/OVMF/OVMF_CODE_4M.fd"
+    # does not support SMM.
-      elif [ -e "/usr/share/OVMF/x64/OVMF_CODE.fd" ]; then
+    case ${secureboot} in
-        EFI_CODE="/usr/share/OVMF/x64/OVMF_CODE.fd"
+      on)
-      elif [ -e "/usr/share/OVMF/OVMF_CODE.fd" ]; then
+        if [ -e "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" ]; then
-        EFI_CODE="/usr/share/OVMF/OVMF_CODE.fd"
+          EFI_CODE="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd"
-      fi
+          efi_vars "/usr/share/OVMF/OVMF_VARS_4M.fd" "${EFI_VARS}"
-
+        elif [ -e "/usr/share/OVMF/OVMF_CODE.secboot.fd" ]; then
-      if [ ! -e "${EFI_VARS}" ]; then
+          EFI_CODE="/usr/share/OVMF/OVMF_CODE.secboot.fd" "${EFI_VARS}"
-        if [ -e "/usr/share/OVMF/OVMF_VARS_4M.fd" ]; then
+          efi_vars "/usr/share/OVMF/OVMF_VARS.fd" "${EFI_VARS}"
-          cp "/usr/share/OVMF/OVMF_VARS_4M.fd" "${EFI_VARS}"
+        elif [ -e "/usr/share/OVMF/x64/OVMF_CODE.secboot.fd" ]; then
-        elif [ -e "/usr/share/OVMF/x64/OVMF_VARS.fd" ]; then
+          EFI_CODE="/usr/share/OVMF/x64/OVMF_CODE.secboot.fd" "${EFI_VARS}"
-          cp "/usr/share/OVMF/x64/OVMF_VARS.fd" "${EFI_VARS}"
+          efi_vars "/usr/share/OVMF/x64/OVMF_VARS.fd" "${EFI_VARS}"
-        elif [ -e "/usr/share/OVMF/OVMF_VARS.fd" ]; then
+        else
-          cp "/usr/share/OVMF/OVMF_VARS.fd" "${EFI_VARS}"
+          echo "ERROR! SecureBoot was requested but no SecureBoot capable firmware was found."
+          exit 1
         fi
-      fi
+        BOOT_STATUS="EFI (${guest_os^}), OVMF ($(basename "${EFI_CODE}")), SecureBoot (${secureboot})."
-    else
+        ;;
-      boot="legacy"
+      *)
-      echo " - BOOT:     Legacy BIOS (${guest_os}) - EFI requested but no EFI firmware found."
+        if [ -e "/usr/share/OVMF/OVMF_CODE_4M.fd" ]; then
-    fi
+          EFI_CODE="/usr/share/OVMF/OVMF_CODE_4M.fd"
+          efi_vars "/usr/share/OVMF/OVMF_VARS_4M.fd" "${EFI_VARS}"
+        elif [ -e "/usr/share/OVMF/OVMF_CODE.fd" ]; then
+          EFI_CODE="/usr/share/OVMF/OVMF_CODE.fd"
+          efi_vars "/usr/share/OVMF/OVMF_VARS.fd" "${EFI_VARS}"
+        elif [ -e "/usr/share/OVMF/x64/OVMF_CODE.fd" ]; then
+          EFI_CODE="/usr/share/OVMF/x64/OVMF_CODE.fd"
+          efi_vars "/usr/share/OVMF/x64/OVMF_VARS.fd" "${EFI_VARS}"
+        else
+          BOOT_STATUS="Legacy BIOS (${guest_os^}) - EFI requested but no EFI firmware found."
+          boot="legacy"
+          secureboot="off"
+        fi
+        BOOT_STATUS="EFI (${guest_os^}), OVMF ($(basename "${EFI_CODE}")), SecureBoot (${secureboot})."
+        ;;
+    esac
   else
-    echo " - BOOT:     Legacy BIOS (${guest_os})"
+    BOOT_STATUS="Legacy BIOS (${guest_os^})"
+    secureboot="off"
   fi
 
+  echo " - BOOT:     ${BOOT_STATUS}"
+
   # Make any OS specific adjustments
   case ${guest_os} in
     freebsd|linux|openbsd)
@@ -926,6 +945,7 @@ macos_release=""
 port_forwards=()
 preallocation="off"
 ram=""
+secureboot="off"
 tpm="off"
 usb_devices=()