Using UEFI with QEMU

From FedoraProject

Latest revision as of 12:40, 27 June 2016

Firmware installation

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Installing 'UEFI for QEMU' from Fedora repos

Since June 2016, OVMF is available in the Fedora repositories. All you need is the edk2-ovmf RPM. It should now be a dependency of the qemu package, so you probably have it installed already.

Installing 'UEFI for QEMU' nightly builds

Gerd Hoffmann, Red Hatter and QEMU developer, has a dnf repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

 sudo dnf install dnf-plugins-core
 sudo dnf config-manager --add-repo http://www.kraxel.org/repos/firmware.repo
 sudo dnf install edk2.git-ovmf-x64

Note that these are nightly builds and may occasionally be broken.

Optionally Configure libvirtd to advertise UEFI support

Libvirt needs to know about UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install. On Fedora 22 and later, libvirt packages are configured to look for the nightly build paths, so this will work out of the box.

However, if you want to use custom binaries, you will need to edit the nvram variable in /etc/libvirt/qemu.conf and restart libvirtd.
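The nvram mapping that paragraph refers to, shown here as an added example of the qemu.conf syntax (not from the wiki page; the firmware paths are assumptions standing in for your own build):

```ini
# /etc/libvirt/qemu.conf (added example, not from the wiki page).
# Each entry is "<firmware CODE image>:<template for the per-VM variable store>".
# libvirt exposes the CODE image to the guest read-only and copies the VARS
# template into /var/lib/libvirt/qemu/nvram/<vm>_VARS.fd, so the Secure Boot
# keys a guest enrolls (PK/KEK/db/dbx) persist in its own writable store and
# cannot modify the shared firmware image. Paths below are assumptions.
nvram = [
   "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd",
   "/opt/ovmf-custom/OVMF_CODE.fd:/opt/ovmf-custom/OVMF_VARS.fd"
]
```

After editing, restart libvirtd (for example with sudo systemctl restart libvirtd) so virt-manager and virt-install pick up the new firmware choices.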


Creating a VM

virt-manager

Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:

  • Click 'Customize before install', then select 'Finish'
  • On the 'Overview' screen, change the 'Firmware' field to the 'UEFI x86_64' option.
  • Click 'Begin Installation'
  • The boot screen you see should use linuxefi commands to boot the installer, and you should be able to run efibootmgr inside that system to verify that you are running a UEFI OS.

virt-install

Add --boot uefi to your virt-install command. Example:

 sudo virt-install --name f20-uefi \
   --ram 2048 --disk size=20 \
   --boot uefi \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/

Testing Secureboot in a VM

These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks who want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.

Grab LockDown_ms.efi

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS-certified UEFI machine will ship with. Luckily there's a tool that does all this for us, called LockDown_ms.efi. It is derived from code in efitools.git.

Inside the guest, do:

 sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi

Now we need to enroll the keys in UEFI.

  • Reboot the VM
  • When the TianoCore splash screen pops up, hit ESC
  • Select 'Boot Manager'
  • Select 'EFI Internal Shell'
  • Hit ESC to skip startup.nsh, or wait for the 5-second timeout.
  • Shell> fs0:
  • FS0:\> \EFI\fedora\LockDown_ms.efi
  • FS0:\> reset
  • The VM will restart. Let it boot into Fedora as normal, then log in.
  • You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.
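A check script for that last step, added here as an example (it is not part of the wiki page): it confirms the guest booted via UEFI (the same thing the efibootmgr check above establishes), decodes the SecureBoot and SetupMode variables directly from efivarfs, and cross-checks the kernel's dmesg verdict, so you see whether the enrollment actually persisted rather than trusting one log line. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the GUIDs are the ones the UEFI specification defines.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: verify from inside the guest
# that it booted via UEFI and that Secure Boot is actually enforcing.
# Assumes efivarfs at /sys/firmware/efi/efivars (Fedora default); override
# with EFIVARS=/path if yours differs.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c    # EFI_GLOBAL_VARIABLE GUID
IMAGE_DB=d719b2cb-3d3a-4596-a3bc-dad00e67656f  # EFI_IMAGE_SECURITY_DATABASE GUID

# First payload byte of an efivarfs file, as a decimal string.
# efivarfs prepends a 4-byte attribute word to the variable's data.
efivar_byte() {
    [ -r "$1" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Decode a boolean UEFI variable (SecureBoot, SetupMode) into a state word.
sb_state_from_var() {
    case "$(efivar_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# The kernel's own verdict from dmesg text passed as $1. Matches the older
# "Secure boot enabled" and the newer "secureboot: Secure boot enabled" forms.
sb_state_from_dmesg() {
    if printf '%s\n' "$1" | grep -qi 'secure boot enabled'; then echo enabled
    elif printf '%s\n' "$1" | grep -qi 'secure boot disabled'; then echo disabled
    else echo unknown
    fi
}

main() {
    [ -d "$EFIVARS" ] || { echo "no efivarfs at $EFIVARS: not a UEFI boot"; return 1; }
    sb=$(sb_state_from_var "$EFIVARS/SecureBoot-$GLOBAL")
    setup=$(sb_state_from_var "$EFIVARS/SetupMode-$GLOBAL")  # enabled = no PK yet
    echo "SecureBoot variable: $sb"
    echo "SetupMode variable:  $setup (must be 'disabled' once a PK is enrolled)"
    echo "kernel (dmesg):      $(sb_state_from_dmesg "$(dmesg 2>/dev/null)")"
    # Non-empty key stores show the enrolled keys survived the reset.
    for v in PK-$GLOBAL KEK-$GLOBAL db-$IMAGE_DB dbx-$IMAGE_DB; do
        [ -r "$EFIVARS/$v" ] && echo "${v%%-*}: $(wc -c < "$EFIVARS/$v") bytes" \
                             || echo "${v%%-*}: absent"
    done
    [ "$sb" = enabled ] && [ "$setup" = disabled ]
}

case "${1:-}" in --run) main ;; esac
```

Run it as root inside the guest (sudo sh verify-sb.sh --run, since dmesg may be restricted to root); exit status 0 means SecureBoot=1 with SetupMode=0, i.e. the firmware is enforcing with a Platform Key enrolled.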

Testing Fedora CD/DVD Secure Boot in a VM

Once you have a secureboot-configured VM as described above, it's easy to use it to test ISO media secureboot support.

  • Use virt-manager to attach the ISO media to your VM
  • Use virt-manager to change the VM boot settings to boot off the CDROM
  • Start the VM
  • Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg

Notes

Using UEFI with AArch64 VMs

Fedora's AArch64 releases will only run on UEFI, so they require UEFI inside the VM. However, the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

Extra links

  • QA:Testcase Virtualization UEFI (Fedora wiki)
  • KVM wiki OVMF page: http://www.linux-kvm.org/page/OVMF
  • Ubuntu secureboot page: https://wiki.ubuntu.com/SecurityTeam/SecureBoot
  • OpenSUSE secureboot page: http://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm