Revision as of 09:04, 6 October 2015

Firmware installation

Installing 'UEFI for QEMU' nightly builds

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Unfortunately there are licensing issues which prevent us getting EDK2/OVMF into Fedora (see #EDK2 Licensing Issues for more info). So we have to grab external packages.

Gerd Hoffmann, Red Hatter and QEMU developer, has a dnf|yum repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

 sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo

And install using DNF:

 sudo dnf install edk2.git-ovmf-x64

Or with YUM:

 sudo yum install edk2.git-ovmf-x64

Note, these are nightly builds, and may occasionally be broken.

Configure libvirtd to advertise UEFI support

Libvirt needs to know about UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install.

As root, edit /etc/libvirt/qemu.conf, and add this section at the top of the file:

 nvram = [
    "/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd",
 ]

Then restart libvirtd: sudo systemctl restart libvirtd

Creating a VM

virt-manager

Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:

Click 'Customize before install', then select 'Finish'
On the 'Overview' screen, Change the 'Firmware' field to select the 'UEFI x86_64' option.
Click 'Begin Installation'
The boot screen you'll see should use linuxefi commands to boot the installer, and you should be able to run efibootmgr inside that system, to verify that you're running an UEFI OS.

virt-install

Add --boot uefi to your virt-install command. Example:

 sudo virt-install --name f20-uefi \
   --ram 2048 --disk size=20 \
   --boot uefi \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/

Testing Secureboot in a VM

These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.

Grab LockDown_ms.efi

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. Luckily there's a tool that does all this for us, called LockDown_ms.efi. This is derived from code in efitools.git.

Inside the guest, do:

 sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi

Now we need to enroll the keys in UEFI.

Reboot the VM
When the TianoCore splash screen pops up, hit ESC
Select 'Boot Manager'
Select 'EFI Internal Shell'
Hit ESC to skip startup.nsh, or wait for the 5 second timeout.
Shell> fs0:
FS0:\> \EFI\fedora\LockDown_ms.efi
FS0:\> reset
The VM will restart. Let it boot into Fedora as normal. Log in
You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.

Testing Fedora CD/DVD Secure Boot in a VM

Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.

Use virt-manager to attach the ISO media to your VM
Use virt-manager to change the VM boot settings to boot off the CDROM
Start the VM
Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg

Notes

EDK2 Licensing Issues

EDK2 contains a FAT filesystem driver that is licensed under terms that make it not acceptable for packaging in Fedora. Particularly that there's a usage restricition only allowing the code to be used in a UEFI implementation. More details here at Edk2-fat-driver

The driver is critical functionality so removing it is not an option.

Using UEFI with AArch64 VMs

Fedora's AArch64 releases will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

Extra links

@@ Line 1: / Line 1: @@
+= Firmware installation =
-= Testing secureboot with KVM =
+== Installing 'UEFI for QEMU' nightly builds ==
-This page documents how to test Fedora 18+ [[Secureboot]] support inside
+UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes
-a KVM VM. The audience here is QA folks that want to test secureboot, and
-any other curious parties.
-== Install OVMF ==
-OVMF (Open Virtual Machine Firmware) is basically UEFI for KVM. It comes
 from EDK2 (EFI Development Kit), which is the UEFI reference implementation.
 Unfortunately there are licensing issues which prevent us getting EDK2/OVMF
-into Fedora (see [[#EDK2 Licensing Issues]] at the end of this document for more info). So we
+into Fedora (see [[#EDK2 Licensing Issues]] for more info). So we
 have to grab external packages.
-== Running EDK2/OVMF nightly builds ==
+Gerd Hoffmann, Red Hatter and QEMU developer, has a [[dnf]]|[[yum]] repo on his personal
-Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal
 site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
 including EDK2/OVMF.
-Here's how to pull down the nightly builds:
+Here's how to pull down the nightly builds for x86:
    sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
-  # Disable by default, likely preferred for QA
+And install using [[dnf|DNF]]:
-  sudo sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/firmware.repo
+   sudo dnf install edk2.git-ovmf-x64
-   sudo yum --enablerepo=qemu-firmware-jenkins install edk2.git-ovmf-x64
-The OVMF image is at:
+Or with YUM:
+  sudo yum install edk2.git-ovmf-x64
-  /usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd
+Note, these are nightly builds, and may occasionally be broken.
-Since these are nightly builds, occasionally things break. To work around this, use the following commands to get the February
+== Configure libvirtd to advertise UEFI support ==
-th 2014 nightly build:
-  sudo wget http://drsmith2.fedorapeople.org/edk2.git/edk2.git-0-20140226.b491.gb9b77ab.x86_64.rpm
+Libvirt needs to know about UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install.
-  sudo wget http://drsmith2.fedorapeople.org/edk2.git/edk2.git-ovmf-ia32-0-20140226.b491.gb9b77ab.x86_64.rpm
-  sudo rpm -ivh edk2.git-0-20140226.b491.gb9b77ab.x86_64.rpm edk2.git-ovmf-ia32-0-20140226.b491.gb9b77ab.x86_64.rpm
-== Install an F18+ VM with UEFI ==
+As root, edit /etc/libvirt/qemu.conf, and add this section at the top of the file:
-First we need to install a guest using UEFI instead of traditional bios.
+  nvram = [
-Anaconda will put all the right bits in place for us. You can probably
+     "/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd",
-convert an existing bios guest to use UEFI but I haven't found steps to do
+  ]
-so.
-Newer OVMF builds can use a network install, older builds were slow when using a network install. If the network install seems slow, switch to using a DVD install.
+Then restart libvirtd: <code>sudo systemctl restart libvirtd</code>
-Here's an example F20 install:
+= Creating a VM =
-  sudo virt-install --name f20-uefi --ram 2048 --boot loader=/usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd --disk /var/lib/libvirt/images/f20-uefi.qcow,format=qcow2,size=10 --os-variant fedora20 --cdrom /path/to/Fedora-20-x86_64-netinst.iso
+== virt-manager ==
-(If you'd like to create a rawhide guest, you combine the above command with the following info: <https://fedoraproject.org/wiki/Releases/Rawhide?rd=Rawhide#Point_installer_to_Rawhide>)
+Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:
-Follow the install to completion, log in and do firstboot, then move along.
+* Click 'Customize before install', then select 'Finish'
-Secure boot isn't set up yet.
+* On the 'Overview' screen, Change the 'Firmware' field to select the 'UEFI x86_64' option.
+* Click 'Begin Installation'
+* The boot screen you'll see should use <code>linuxefi</code> commands to boot the installer, and you should be able to run <code>efibootmgr</code> inside that system, to verify that you're running an UEFI OS.
-== Booting the VM with OVMF ==
+== virt-install ==
-If Fedora doesn't boot, try the following steps. First you'll need to be at the EFI Internal Shell. If you see a 'Shell> ' prompt you are in the shell.
+Add <code>--boot uefi</code> to your <code>virt-install</code> command. Example:
-If OVMF doesn't drop you into the EFI Internal Shell automatically, do the following:
-# Wait until the TianoCore splash screen pops up, hit ESC
+  sudo virt-install --name f20-uefi \
-# Select 'Boot Manager'
+    --ram 2048 --disk size=20 \
-# Select 'EFI Internal Shell'
+    --boot uefi \
+    --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/
-Once in the EFI Internal Shell, here are the commands you need to boot Fedora (assuming your guest only has a CDROM attached):
+= Testing Secureboot in a VM =
-  fs0:
+These steps describe how to test Fedora [[Secureboot]] support inside a KVM VM. The audience here is QA folks that want to test secureboot, and
-  \EFI\fedora\shim.efi
+any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.
-The above commands just get Fedora going, we haven't set up secure boot yet.
 == Grab LockDown_ms.efi ==
@@ Line 78: / Line 67: @@
 Since OVMF doesn't ship with any SecureBoot keys installed, we need to
 install some to mimic what an MS certified UEFI machine will ship with.
-But here's a crappy thing about OVMF and KVM: right now there's no way to
-persist UEFI config across VM start/stop, although we'll come close with the script we'll create below.
-{{admon/note|Improvements in Fedora 20|
-With qemu 1.6 and later, a ''-pflash bios.bin'' option, is supposed to enable persistent EFI variables.  This may or may not also require ''-no-kvm''.}}
-So if we want to test SecureBoot,
-we need to install the MS keys and enable secureboot on every VM restart.
 Luckily there's a tool that does all this for us, called LockDown_ms.efi.
 This is derived from code in [http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary efitools.git].
@@ Line 92: / Line 74: @@
    sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi
-== Automate SecureBoot startup ==
+Now we need to enroll the keys in UEFI.
-As mentioned above, we have to install the MS keys and enable secureboot on every VM restart. Luckily, OVMF by default runs a script at startup, called startup.nsh. We'll use this to automate startup. All we really need in the script are the following commands:
+* Reboot the VM
+* When the TianoCore splash screen pops up, hit ESC
+* Select 'Boot Manager'
+* Select 'EFI Internal Shell'
+* Hit ESC to skip startup.nsh, or wait for the 5 second timeout.
+* Shell> fs0:
+* FS0:\> \EFI\fedora\LockDown_ms.efi
+* FS0:\> reset
+* The VM will restart. Let it boot into Fedora as normal. Log in
+* You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.
-  fs0:
+== Testing Fedora CD/DVD Secure Boot in a VM ==
-  \EFI\fedora\LockDown_ms.efi
-  \EFI\fedora\shim.efi
-But, life is complicated by the fact that if you are rebooting the VM where LockDown_ms.efi has been loaded, it can't be loaded a second time (without powering off the VM). If you try, you'll get a "Error reported: Security Violation" message when loading LockDown_ms.efi and the script will stop. So, the script needs to check if SecureBoot is already on before trying to load LockDown_ms.efi.
+Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.
-Inside the guest, as root edit /boot/efi/startup.nsh and add the following text:
+* Use virt-manager to attach the ISO media to your VM
+* Use virt-manager to change the VM boot settings to boot off the CDROM
+* Start the VM
+* Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg
-  fs0:
+= Notes =
-  # If we don't have the secure boot dmp file, assume this is the first
-  # time this script has been run and secure boot is off.
-  set __lockdown 0
-  if not exist SecureBoot.dmp then
-    set __lockdown 1
-  # Otherwise we check the current state of the 'SecureBoot' variable
-  # to see if LockDown_ms.efi has already been loaded.
-  else
-    dmpstore SecureBoot -s SecureBoot.tmp
-    comp SecureBoot.dmp SecureBoot.tmp
-    if not %lasterror% == 0 then
-      set __lockdown 1
-    endif
-    rm SecureBoot.tmp
-  endif
-  if %__lockdown% == 1 then
-    \EFI\fedora\LockDown_ms.efi
-    dmpstore SecureBoot -s SecureBoot.dmp
-  endif
-  \EFI\fedora\shim.efi
-== Verify SecureBoot ==
-At this point reboot the guest. After logging in, you should see 'Secure boot enabled' in dmesg. Success!
-= Misc bits =
 == EDK2 Licensing Issues ==
@@ Line 141: / Line 107: @@
 The driver is critical functionality so removing it is not an option.
-== Testing F18 DVD Secure Boot in a VM ==
+== Using UEFI with AArch64 VMs ==
-Since we can't easily alter the DVD to add LockDown_ms.efi, we get it into
+[[Architectures/ARM/AArch64|Fedora's AArch64 releases]] will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU
-the VM using a mini disk image:
-  wget http://fedorapeople.org/~crobinso/secureboot/lockdown.qcow2
+= Extra links =
-  sudo virsh attach-disk $VMNAME --target hdb --source lockdown.qcow2 --subdriver qcow2 --config
-Then do
-* Launch the VM, drop to the EFI shell
-* If your guest only has a CDROM attached, lockdown.qcow2 should be fs0
-* <code>Shell> fs0:</code>
-* <code>fs0:\> LockDown_ms.efi </code>
-* <code>fs0:\> exit </code>
-* Back in the config screen, Select 'Boot Manager'
-* Select 'EFI DVD/CDROM'
-* Once anaconda starts, grab shell, log in, verify secure boot is enabled
-== Extra links ==
+* [[QA:Testcase Virtualization UEFI]]
+* [http://www.linux-kvm.org/page/OVMF KVM wiki OVMF page]
 * [https://wiki.ubuntu.com/SecurityTeam/SecureBoot Ubuntu secureboot page]
 * [http://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm OpenSUSE secureboot page]
-* [http://www.linux-kvm.org/page/OVMF KVM wiki OVMF page]
 [[Category:Virtualization]] [[Category:QA]]

Search

Using UEFI with QEMU: Difference between revisions