From Fedora Project Wiki

m (→‎Run EnrollDefaultKeys.efi (formerly LockDown_ms.efi): typo fix (will the binaries --> with the binaries))
Line 56: Line 56:
== Run EnrollDefaultKeys.efi (formerly LockDown_ms.efi) ==
== Run EnrollDefaultKeys.efi (formerly LockDown_ms.efi) ==


Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. OVMF now ships will the binaries required to set up a default set of keys. The easiest way is to use UefiShell.iso which is available at <code>/usr/share/edk2/ovmf/UefiShell.iso</code>. Boot your VM with this as the CD-ROM image and it should boot into the UEFI shell. At the prompt
Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. OVMF now ships with the binaries required to set up a default set of keys. The easiest way is to use UefiShell.iso which is available at <code>/usr/share/edk2/ovmf/UefiShell.iso</code>. Boot your VM with this as the CD-ROM image and it should boot into the UEFI shell. At the prompt


* Shell> fs0:
* Shell> fs0:

Revision as of 08:00, 24 September 2016

Firmware installation

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Installing 'UEFI for QEMU' from Fedora repos

Since June 2016, OVMF is available in Fedora repositories. All you need to have installed is edk2-ovmf RPM. Furthermore, it should be now a dependency of the qemu package, so you probably have it installed already. This includes firmware for secureboot (OVMF_CODE.secboot.fd)

Installing 'UEFI for QEMU' nightly builds

Gerd Hoffmann, Red Hatter and QEMU developer, has a dnf repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

 sudo dnf install dnf-plugins-core
 sudo dnf config-manager --add-repo http://www.kraxel.org/repos/firmware.repo
 sudo dnf install edk2.git-ovmf-x64

Note, these are nightly builds, and may occasionally be broken.

Optionally Configure libvirtd to advertise UEFI support

Libvirt needs to know about UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install. On Fedora 22 and later, libvirt packages are configured to look for the nightly build paths, so this will work out of the box.

However, if you want to use custom binaries, you will need to edit the nvram variable in /etc/libvirt/qemu.conf and restart libvirtd.


Creating a VM

virt-manager

Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:

  • Click 'Customize before install', then select 'Finish'
  • On the 'Overview' screen, Change the 'Firmware' field to select the 'UEFI x86_64' option.
  • Click 'Begin Installation'
  • The boot screen you'll see should use linuxefi commands to boot the installer, and you should be able to run efibootmgr inside that system, to verify that you're running an UEFI OS.

virt-install

Add --boot uefi to your virt-install command. Example:

 sudo virt-install --name f20-uefi \
   --ram 2048 --disk size=20 \
   --boot uefi \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/

Testing Secureboot in a VM

These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.

Run EnrollDefaultKeys.efi (formerly LockDown_ms.efi)

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. OVMF now ships with the binaries required to set up a default set of keys. The easiest way is to use UefiShell.iso which is available at /usr/share/edk2/ovmf/UefiShell.iso. Boot your VM with this as the CD-ROM image and it should boot into the UEFI shell. At the prompt

  • Shell> fs0:
  • FS0:\> EnrollDefaultKeys.efi
  • FS0:\> reset
  • The VM will restart. Let it boot into Fedora as normal. Log in
  • You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.

Testing Fedora CD/DVD Secure Boot in a VM

Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.

  • Use virt-manager to attach the ISO media to your VM
  • Use virt-manager to change the VM boot settings to boot off the CDROM
  • Start the VM
  • Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg

Notes

Using UEFI with AArch64 VMs

Fedora's AArch64 releases will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

Extra links