Using UEFI with QEMU

From FedoraProject

(Difference between revisions)
m (Fix a link)
(Minor formatting tweaks)
 
(8 intermediate revisions by 5 users not shown)
Line 1: Line 1:
  
= Testing secureboot with KVM =
+
= Using UEFI in a QEMU/KVM VM =
  
This page documents how to test Fedora 18 [[Secureboot]] support inside
+
== Installing 'UEFI for QEMU' nightly builds ==
a KVM VM. The audience here is QA folks that want to test secureboot, and
+
any other curious parties.
+
  
== Install OVMF ==
+
UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes
 
+
OVMF (Open Virtual Machine Firmware) is basically UEFI for KVM. It comes
+
 
from EDK2 (EFI Development Kit), which is the UEFI reference implementation.
 
from EDK2 (EFI Development Kit), which is the UEFI reference implementation.
  
 
Unfortunately there are licensing issues which prevent us getting EDK2/OVMF
 
Unfortunately there are licensing issues which prevent us getting EDK2/OVMF
into Fedora (see [[#EDK2 Licensing Issues]] at the end of this document for more info). So we
+
into Fedora (see [[#EDK2 Licensing Issues]] for more info). So we
have to grab external packages:
+
have to grab external packages.
  
  sudo rpm -ivh http://fedorapeople.org/~crobinso/secureboot/edk2.manual-0-0.20130221.944c84a6.x86_64.rpm
+
Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal
 +
site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
 +
including EDK2/OVMF.
  
== Install an F18 VM with UEFI ==
+
Here's how to pull down the nightly builds for x86:
 +
 
 +
  sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
 +
  sudo yum install edk2.git-ovmf-x64
 +
 
 +
Note, these are nightly builds, and may occasionally be broken.
 +
 
 +
== Install a Fedora VM with UEFI ==
 +
 
 +
{{admon/note | This examples assume you are using Fedora 21 packages. | UEFI VMs can be installed with older Fedora versions, but since as of Fedora 21 this stuff is still under active development, it's recommended to run the latest bits. }}
  
 
First we need to install a guest using UEFI instead of traditional bios.
 
First we need to install a guest using UEFI instead of traditional bios.
Anaconda will put all the right bits in place for us. You can probably
+
Anaconda will put all the right bits in place for us.
convert an existing bios guest to use UEFI but I haven't found steps to do
+
so.
+
  
I recommend using a DVD, network installs seem to be sloooow using OVMF:
+
Here's an example F20 install:
  
   sudo virt-install --name f18-uefi --ram 2048 --boot loader=/usr/share/edk2.manual/ovmf-x64/OVMF-pure-efi.fd --disk /var/lib/libvirt/images/f18-uefi.qcow,format=qcow2,size=10 --os-variant fedora18 --cdrom /path/to/Fedora-18-x86_64-DVD.iso
+
   sudo virt-install --name f20-uefi \
 +
    --ram 2048 --disk size=20 \
 +
    --boot loader_type=pflash,loader_ro=yes,loader=/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd,nvram_template=/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd \
 +
    --location https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Fedora/x86_64/os/
  
Follow the install to completion, log in and do firstboot, then move along.
+
= Testing Secureboot in a VM =
Secure boot isn't set up yet.
+
 
 +
These steps describe how to test Fedora [[Secureboot]] support inside a KVM VM. The audience here is QA folks that want to test secureboot, and
 +
any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.
  
 
== Grab LockDown_ms.efi ==
 
== Grab LockDown_ms.efi ==
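Review bot: the new admon in the Line 1 hunk reads 'This examples assume you are using Fedora 21 packages' and should be 'These examples assume'. The same hunk swaps the `--boot loader=.../OVMF-pure-efi.fd` example for `loader_type=pflash,loader_ro=yes,loader=.../OVMF_CODE-pure-efi.fd,nvram_template=.../OVMF_VARS-pure-efi.fd` without saying what the new options buy; one sentence that loader_ro=yes keeps the firmware code read-only while nvram_template gives each VM its own writable variable store (where enrolled keys live) would explain why the later re-enrollment caveat is dropped, and that guests still using the old `--boot loader=` form do not get that persistence.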
Line 35: Line 45:
 
Since OVMF doesn't ship with any SecureBoot keys installed, we need to
 
Since OVMF doesn't ship with any SecureBoot keys installed, we need to
 
install some to mimic what an MS certified UEFI machine will ship with.
 
install some to mimic what an MS certified UEFI machine will ship with.
But here's a crappy thing about OVMF and KVM: right now there's no way to
 
persist UEFI config across VM start/stop. So if we want to test SecureBoot,
 
we need to install the MS keys and enable secureboot on every VM restart.
 
 
 
Luckily there's a tool that does all this for us, called LockDown_ms.efi.
 
Luckily there's a tool that does all this for us, called LockDown_ms.efi.
 
This is derived from code in [http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary efitools.git].
 
This is derived from code in [http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary efitools.git].
Line 46: Line 52:
 
   sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi
 
   sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi
  
== Enable SecureBoot and verify it's all working ==
+
Now we need to enroll the keys in UEFI.
  
As mentioned above, this needs to be done on every VM boot.
+
* Reboot the VM
 +
* When the TianoCore splash screen pops up, hit ESC
 +
* Select 'Boot Manager'
 +
* Select 'EFI Internal Shell'
 +
* Hit ESC to skip startup.nsh, or wait for the 5 second timeout.
 +
* Shell> fs0:
 +
* FS0:\> \EFI\fedora\LockDown_ms.efi
 +
* FS0:\> reset
 +
* The VM will restart. Let it boot into Fedora as normal. Log in
 +
* You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.
  
# Wait until the TianoCore splash screen pops up, hit ESC
+
== Testing Fedora CD/DVD Secure Boot in a VM ==
# Select 'Boot Manager'
+
# Select 'EFI Internal Shell'
+
# <code>Shell> fs0:</code>
+
# <code>fs0:\> \EFI\fedora\LockDown_ms.efi </code>
+
# <code>fs0:\> \EFI\fedora\shim.efi </code>
+
# Guest boots, log in, should see 'Secure boot enabled' in dmesg
+
  
 +
Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.
  
= Misc bits =
+
* Use virt-manager to attach the ISO media to your VM
 +
* Use virt-manager to change the VM boot settings to boot off the CDROM
 +
* Start the VM
 +
* Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg
 +
 
 +
= Notes =
  
 
== EDK2 Licensing Issues ==
 
== EDK2 Licensing Issues ==
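Review bot: in the Line 46 hunk the enrollment steps switch from the numbered `#` list with `<code>Shell> fs0:</code>` markup to `*` bullets with bare `Shell> fs0:` / `FS0:\> \EFI\fedora\LockDown_ms.efi`. The steps are strictly ordered, so the numbered list fits better, and the `<code>` markup should stay on the shell lines so the backslashes and the `FS0:\>` prompt render verbatim. The new last bullet, 'Secureboot is now enabled for every subsequent boot', replaces 'As mentioned above, this needs to be done on every VM boot'; it would help to state that this holds only for a VM created with the nvram_template boot line from the install section.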
Line 66: Line 81:
 
make it not acceptable for packaging in Fedora. Particularly that there's
 
make it not acceptable for packaging in Fedora. Particularly that there's
 
a usage restricition only allowing the code to be used in a UEFI
 
a usage restricition only allowing the code to be used in a UEFI
implementation. More details here at [http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Edk2-fat-driver Edk2-fat-driver]
+
implementation. More details here at [http://tianocore.sourceforge.net/wiki/Edk2-fat-driver Edk2-fat-driver]
  
 
The driver is critical functionality so removing it is not an option.
 
The driver is critical functionality so removing it is not an option.
  
== Running EDK2 nightly builds ==
+
== Using UEFI with AArch64 VMs ==
 
+
Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal
+
site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
+
including EDK2/OVMF.
+
 
+
Currently though, latest OVMF broke F18 SecureBoot: running the above steps
+
will give the following error when trying to boot shim.efi:
+
 
+
  Error reported: Security Violation
+
 
+
There's a fix in upstream <code>pesign</code>, but as of this writing, shim
+
in F18 hasn't been regenerated to pick up the fix.
+
 
+
Regardless, here's how to pull down the nightly builds:
+
 
+
  sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
+
 
+
  # Disable by default, likely preferred for QA
+
  sudo sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/firmware.repo
+
  sudo yum --enablerepo=qemu-firmware-jenkings install edk2.git-ovmf-x64
+
 
+
The OVMF image is at:
+
 
+
  /usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd
+
 
+
== Pointing an existing guest at OVMF ==
+
 
+
To alter an existing guest to use OVMF, or change the OVMF build it uses, do
+
<code>sudo virsh edit $vmname</code> and add
+
 
+
  <domain>
+
    ...
+
    <os>
+
    ...
+
      <loader>/path/to/OVMF-pure-efi.fd</loader>
+
 
+
== Testing F18 DVD Secure Boot in a VM ==
+
 
+
Since we can't easily alter the DVD to add LockDown_ms.efi, we get it into
+
the VM using a mini disk image:
+
 
+
  wget http://fedorapeople.org/~crobinso/secureboot/lockdown.qcow2
+
  sudo virsh attach-disk $VMNAME --target hdb --source lockdown.qcow2 --subdriver qcow2 --config
+
 
+
Then do
+
  
* Launch the VM, drop to the EFI shell
+
[[Architectures/ARM/AArch64|Fedora's AArch64 releases]] will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU
* If your guest only has a CDROM attached, lockdown.qcow2 should be fs0
+
* <code>Shell> fs0:</code>
+
* <code>fs0:\> LockDown_ms.efi </code>
+
* <code>fs0:\> exit </code>
+
* Back in the config screen, Select 'Boot Manager'
+
* Select 'EFI DVD/CDROM'
+
* Once anaconda starts, grab shell, log in, verify secure boot is enabled
+
  
 
== Extra links ==
 
== Extra links ==
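Review bot: the Line 66 hunk drops the 'Disable by default, likely preferred for QA' step (the `sed -i -e "s/enabled=1/enabled=0/g"` on firmware.repo and the `yum --enablerepo=...` install) when it moves the nightly-build instructions to the top of the page, so the new section leaves the nightly firmware repo enabled for every future `yum update`, even though the same text warns that the builds 'may occasionally be broken'. Keeping the disable-by-default step would fit the QA audience. The 'Pointing an existing guest at OVMF' section (`sudo virsh edit $vmname` plus the `<loader>` element) is also removed with no replacement; if that XML form is obsolete, a pointer to the pflash form used in the virt-install example would still give readers with existing guests some guidance.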

Latest revision as of 20:52, 23 November 2014


Using UEFI in a QEMU/KVM VM

Installing 'UEFI for QEMU' nightly builds

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Unfortunately there are licensing issues which prevent us getting EDK2/OVMF into Fedora (see #EDK2 Licensing Issues for more info). So we have to grab external packages.

Gerd Hoffmann, Red Hatter and QEMU developer, has a yum repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

 sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
 sudo yum install edk2.git-ovmf-x64

Note that these are nightly builds and may occasionally be broken.

Install a Fedora VM with UEFI

Note: These examples assume you are using Fedora 21 packages. UEFI VMs can be installed with older Fedora versions, but since as of Fedora 21 this stuff is still under active development, it's recommended to run the latest bits.

First we need to install a guest using UEFI instead of a traditional BIOS. Anaconda will put all the right bits in place for us.

Here's an example F20 install:

 sudo virt-install --name f20-uefi \
   --ram 2048 --disk size=20 \
   --boot loader_type=pflash,loader_ro=yes,loader=/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd,nvram_template=/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Fedora/x86_64/os/
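As an added example (not from the wiki page), here is what that pflash boot line amounts to when launching QEMU directly, with a helper that creates the per-VM variable store from the template only once. The OVMF paths are the ones used above; the NVRAM directory, VM name and disk image are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page. The virt-install "pflash"
# boot line maps onto two QEMU flash drives: OVMF_CODE is the firmware and
# stays read-only; OVMF_VARS is a per-VM, writable copy of the template that
# holds the UEFI variable store, including the Secure Boot key databases
# (PK, KEK, db, dbx) that LockDown_ms.efi enrolls later in the page.
# OVMF paths are the page's; the NVRAM directory is an assumption.
set -eu

OVMF_DIR=/usr/share/edk2.git/ovmf-x64
OVMF_CODE="$OVMF_DIR/OVMF_CODE-pure-efi.fd"
OVMF_VARS_TEMPLATE="$OVMF_DIR/OVMF_VARS-pure-efi.fd"
NVRAM_DIR=/var/lib/libvirt/qemu/nvram   # assumed location

# prepare_nvram TEMPLATE DEST
# Copy TEMPLATE to DEST on first use only. Re-copying on every boot would
# wipe the enrolled keys and silently turn Secure Boot back off, which is
# the "re-enroll on every restart" problem the pflash layout avoids.
prepare_nvram() {
    template=$1 dest=$2
    [ -r "$template" ] || { echo "missing template: $template" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "keeping existing NVRAM: $dest" >&2
        return 0
    fi
    cp "$template" "$dest"
}

# pflash_args CODE VARS
# Print the QEMU drive options: code image read-only, vars image writable.
pflash_args() {
    printf '%s %s' \
        "-drive if=pflash,format=raw,readonly=on,file=$1" \
        "-drive if=pflash,format=raw,file=$2"
}

# launch_uefi_vm NAME DISK_IMAGE
# Boot a VM under OVMF with its own variable store.
launch_uefi_vm() {
    name=$1 disk=$2
    vars="$NVRAM_DIR/${name}_VARS.fd"
    prepare_nvram "$OVMF_VARS_TEMPLATE" "$vars"
    # word-splitting of pflash_args output is intended here
    qemu-system-x86_64 -enable-kvm -m 2048 \
        $(pflash_args "$OVMF_CODE" "$vars") \
        -drive "file=$disk,format=qcow2"
}
```

Deleting a VM's `*_VARS.fd` copy and letting `prepare_nvram` recreate it from the template returns that VM to the no-keys, Secure Boot-off state.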

Testing Secureboot in a VM

These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.

Grab LockDown_ms.efi

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. Luckily there's a tool that does all this for us, called LockDown_ms.efi. This is derived from code in efitools.git.

Inside the guest, do:

 sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi

Now we need to enroll the keys in UEFI.

  • Reboot the VM
  • When the TianoCore splash screen pops up, hit ESC
  • Select 'Boot Manager'
  • Select 'EFI Internal Shell'
  • Hit ESC to skip startup.nsh, or wait for the 5 second timeout.
  • Shell> fs0:
  • FS0:\> \EFI\fedora\LockDown_ms.efi
  • FS0:\> reset
  • The VM will restart. Let it boot into Fedora as normal. Log in.
  • You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.
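To make the last step checkable from a script rather than by eye, here is an added example (not from the wiki page) that reads the firmware's SecureBoot variable through efivarfs and cross-checks it against the kernel log line the page mentions. It assumes a Fedora guest with efivarfs mounted at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: check Secure Boot state in
# the guest from two independent sources instead of eyeballing dmesg.
# 1. The SecureBoot UEFI variable, exposed via efivarfs as <name>-<GUID>;
#    the file holds 4 bytes of attribute flags followed by the variable
#    data, here a single byte: 1 = enabled, 0 = disabled.
# 2. The kernel's own "Secure boot enabled" log line, which the page cites.
# The GUID is the EFI global variable GUID from the UEFI specification.
set -eu

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
SB_VAR_FILE="/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"

# sb_state_from_efivar FILE
# Print "enabled", "disabled" or "absent" for an efivarfs SecureBoot file.
# "absent" (no variable at all) means the firmware exposes no Secure Boot
# support or the guest did not boot via UEFI, not that it is merely off.
sb_state_from_efivar() {
    file=$1
    [ -r "$file" ] || { echo absent; return 0; }
    # skip the 4 attribute bytes, read the 1-byte value as an unsigned int
    value=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo "unexpected SecureBoot value: '$value'" >&2; return 1 ;;
    esac
}

# sb_state_from_dmesg LOGTEXT
# Classify kernel log text the way the page's manual dmesg check does.
sb_state_from_dmesg() {
    case "$1" in
        *"Secure boot enabled"*) echo enabled ;;
        *"Secure boot disabled"*) echo disabled ;;
        *) echo absent ;;
    esac
}

# Compare both sources; a disagreement is worth investigating, since the
# log line is set at boot by the EFI stub while the variable is live.
check_secure_boot() {
    efi=$(sb_state_from_efivar "$SB_VAR_FILE")
    log=$(sb_state_from_dmesg "$(dmesg 2>/dev/null || true)")
    echo "efivar: $efi  dmesg: $log"
    [ "$efi" = enabled ] && [ "$log" = enabled ]
}
```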

Testing Fedora CD/DVD Secure Boot in a VM

Once you have a secureboot-configured VM as described above, it's easy to use it to test ISO media secureboot support.

  • Use virt-manager to attach the ISO media to your VM
  • Use virt-manager to change the VM boot settings to boot off the CDROM
  • Start the VM
  • Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg

Notes

EDK2 Licensing Issues

EDK2 contains a FAT filesystem driver that is licensed under terms that make it unacceptable for packaging in Fedora. In particular, there is a usage restriction that only allows the code to be used in a UEFI implementation. More details are on the Edk2-fat-driver page.

The driver is critical functionality so removing it is not an option.

Using UEFI with AArch64 VMs

Fedora's AArch64 releases will only run on UEFI, so they also require UEFI inside the VM. However, the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

Extra links