Using UEFI in a QEMU/KVM VM
Installing 'UEFI for QEMU' nightly builds
UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.
Unfortunately there are licensing issues which prevent us getting EDK2/OVMF into Fedora (see #EDK2 Licensing Issues for more info). So we have to grab external packages.
Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.
Here's how to pull down the nightly builds for x86:
sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo sudo yum install edk2.git-ovmf-x64
Install a Fedora VM with UEFI
First we need to install a guest using UEFI instead of traditional bios. Anaconda will put all the right bits in place for us.
Here's an example F20 install:
sudo virt-install --name f20-uefi \ --ram 2048 --disk size=20 \ --boot loader_type=pflash,loader_ro=yes,loader=/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd,nvram_template=/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd \ --location https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Fedora/x86_64/os/
Testing Secureboot in a VM
These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.
Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. Luckily there's a tool that does all this for us, called LockDown_ms.efi. This is derived from code in efitools.git.
Inside the guest, do:
sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi
Now we need to enroll the keys in UEFI.
- Reboot the VM
- When the TianoCore splash screen pops up, hit ESC
- Select 'Boot Manager'
- Select 'EFI Internal Shell'
- Hit ESC to skip startup.nsh, or wait for the 5 second timeout.
- Shell> fs0:
- FS0:\> \EFI\fedora\LockDown_ms.efi
- FS0:\> reset
- The VM will restart. Let it boot into Fedora as normal. Log in
- You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.
Testing Fedora CD/DVD Secure Boot in a VM
Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.
- Use virt-manager to attach the ISO media to your VM
- Use virt-manager to change the VM boot settings to boot off the CDROM
- Start the VM
- Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg
EDK2 Licensing Issues
EDK2 contains a FAT filesystem driver that is licensed under terms that make it not acceptable for packaging in Fedora. Particularly that there's a usage restricition only allowing the code to be used in a UEFI implementation. More details here at Edk2-fat-driver
The driver is critical functionality so removing it is not an option.
Using UEFI with AArch64 VMs
Fedora's AArch64 releases will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU