OVMF: Difference between revisions

From KVM
(add and describe the qemu wrapper script I use on RHEL-6.4 for development)
(replace stale contents with link to whitepaper)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Intro ==
OVMF "is a project to enable UEFI support for Virtual Machines".


OVMF "is a project to enable UEFI support for Virtual Machines". This page tries to give yet another mini-howto about playing with OVMF boot firmware in qemu-kvm virtual machines plus libvirt, deferring heavily to the TianoCore upstream wiki. <em>Do</em> mercilessly edit any inaccuracies or wrong statements.
The earlier contents of this article have been replaced with the following link to the OVMF whitepaper:


This page is written as of edk2 svn rev 14423 (virtio-blk, virtio-scsi and virtio-net are supported, and several guests can be booted with, and recognize secure boot). For using OVMF directly with the qemu command line, refer to the [https://github.com/tianocore/edk2/blob/master/OvmfPkg/README README]; this page tries to detail OVMF usage under (RHEL-6.4) libvirt.
http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt


The recommended way for testing OVMF is installing Gerd Hoffman's RPM packages from his repo at http://www.kraxel.org/repos/, using yum. (The package to install is <code>edk2.git-ovmf-x64</code>; yum will pull in several dependencies from the repo.)
The whitepaper covers everything this article used to cover, and the whitepaper is much more up-to-date and extensive. Please use the History link near the bottom if you'd like to see the previous (now stale) contents.
 
The firmware images are located in the <code>/usr/share/edk2.git/ovmf-x64</code> directory. <code>OVMF-pure-efi.fd</code> is a "pure UEFI" image, while <code>OVMF-with-csm.fd</code> includes the Compatibility Support Module (CSM) build of SeaBIOS. <code>bios.bin</code> is a symlink to the latter. Both images support Secure Boot.
 
== Building from source ==
 
Clone either the main SVN repository (git svn recommended) or one of the git mirrors listed in the [http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Source_Control TianoCore wiki].
 
=== Frequent rebuilds ===
 
For developers it is recommended to create a branch called <code>base_config</code> or something similar off the master branch (in the git svn or plain git clone), capture the config steps described [http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=How_to_build_OVMF here] in commits (including setting up a reasonable <code>.gitignore</code> file), and keep rebasing <code>base_config</code> after <code>git svn rebase --use-log-author</code> / <code>git pull</code> commands. Fork/rebase your own development branches off/to <code>base_config</code>.
 
The very first time you build the tree, and after <code>git clean -fdx</code> commands, you must (re)build BaseTools with <code>make -C "$EDK_TOOLS_PATH"</code>. (You're going to have that variable set in your environment after sourcing <code>edksetup.sh</code> in the root project dir; see the [http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF TianoCore Wiki] again.)
 
=== One-off builds ===
 
<code>OvmfPkg/build.sh</code> takes care of BaseTools, configuration (according to command line options) and the main build. One potentially useful option is <code>-n THREADNUMBER</code>, which enables parallel make.
 
<code>-D FLAG</code> options control optional build features/aspects; among other things, verbosity of OVMF's debug log. Consult <code>OvmfPkg/build.sh</code>, <code>OvmfPkg/README</code>, the <code>OvmfPkg/*.dsc</code> and <code>OvmfPkg/*.fdf</code> files, and Gerd's SRPMs.
 
== Using the firmware image with libvirt ==
 
The boot firmware is set in the domain XML file under the <code>/domain/os/loader</code> element.
 
Neither <code>virt-manager</code> nor <code>virt-install</code> seem to expose this XML node on RHEL-6.4. The following list of commands is one workaround. The <code>EMULATOR</code> bit is discussed later -- it is useful to have a wrapper script in place, between libvirt and qemu, to add custom options.
 
<pre>
# "configuration"
NAME=set_guest_name_here
INSTALL_ISO=/full/path/to/install/iso
DRIVER_ISO=/full/path/to/virtio/driver/iso
EMULATOR=/full/path/to/emulator
LOADER=/full/path/to/OVMF.fd
 
# create a domain XML template for guest installation:
# - 4 VCPUs, 4G RAM
# - virtio target disk, 25 GB in size
# - first IDE CD-ROM has install disk
# - second IDE CD-ROM has virtio driver disk
#  (should only be necessary for proprietary guests without built-in drivers)
TARGET_DISK=/var/lib/libvirt/images/"$NAME".img
virt-install                                                                \
    --connect=qemu:///system                                                \
    --name=$NAME                                                            \
    --ram=4096                                                              \
    --arch=x86_64                                                            \
    --machine=rhel6.4.0                                                      \
    --vcpus=4                                                                \
    --boot=cdrom,hd                                                          \
    --disk=path=$TARGET_DISK,size=25,bus=virtio,format=qcow2                \
    --disk=path=$INSTALL_ISO,device=cdrom,bus=ide,perms=ro,format=raw        \
    --disk=path=$DRIVER_ISO,device=cdrom,bus=ide,perms=ro,format=raw        \
    --print-step=1                                                          \
| xmlstarlet ed -u /domain/devices/emulator                    -v $EMULATOR \
                -s /domain/os                -t elem -n loader -v $LOADER  \
    >template.xml
 
# Import the template to libvirt
virsh define template.xml
 
# Now customize the guest further with "virsh edit" or inside virt-manager,
# then start the installation.
</pre>
 
For a virtio-scsi disk, apply the following changes:
 
<ol>
<li>in the <code>TARGET_DISK</code> specification, replace <code>bus=virtio</code> with <code>bus=scsi</code>,</li>
<li>append the following options to the <code>xmlstarlet</code> command line:
<pre>
                -s /domain/devices            -t elem -n controller -v ''          \
                -s /domain/devices/controller -t attr -n type      -v scsi        \
                -s /domain/devices/controller -t attr -n model      -v virtio-scsi \
</pre>
</li>
</ol>
 
=== qemu wrapper script under libvirt ===
 
Libvirt (and its frontends, eg. virsh and virt-manager) provide a convenient way to manage virtual machines. However some qemu command line options are not directly exposed (at least not on a RHEL-6.4 host) that would prove useful otherwise. A script that wraps qemu and plays the emulator role for libvirt allows extra flexibility. On the other side of the coin, it may introduce extra confusion, so use with care.
 
The full path to the wrapper script is specified in the <code>/domain/devices/emulator</code> element of the libvirt guest XML.
 
On an SELinux enabled system, the script's context should be set to that of the wrapped emulator binary. See <code>chcon --reference</code>.
 
(Needless to say, never use a wrapper script in production.)
 
An example script follows.
 
<pre>
#!/bin/bash
set -e -C -u
 
# Operating modes:
# - AD_HOC: use local OVMF & SeaVGABIOS build, ignore iPXE roms,
# - AD_HOC_IPXE: same, but make use of ad-hoc iPXE roms,
# - KRAXEL_RPMS: use Kraxel's RPMs whole-sale
MODE=KRAXEL_RPMS
 
# Location of ad-hoc ROMs.
AD_HOC_PATH=/home/virt-images
 
# Root installation directory of Kraxel's RPMs.
KRAXEL_PATH=/usr/share/edk2.git/ovmf-x64
 
# Whether to load extra SMBIOS tables.
SMBIOS_EXTRA=0
 
# Argument array constructed for qemu-kvm.
NEW_ARGS=()
append()
{
  for I in "$@"; do
    NEW_ARGS[${#NEW_ARGS[@]}]=$I
  done
}
 
# -vga cirrus found in AD_HOC* modes
AD_HOC_CIRRUS=0
 
# -name XXX found; XXX saved in $NAME
NAME=
 
# previous argument processed
LAST=
for ARG in "$@"; do
  if [ x-vga = x"$LAST" ] && [ cirrus = "$ARG" ] \
      && ([ AD_HOC = "$MODE" ] || [ AD_HOC_IPXE = "$MODE" ]); then
    AD_HOC_CIRRUS=1
    append "$ARG"
  elif [ x-device = x"$LAST" ] && [ AD_HOC_IPXE = "$MODE" ]; then
    case "$ARG" in
      (e1000*)
        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-e1000.rom"
        ;;
      (ne2k_pci*)
        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-ne2k_pci.rom"
        ;;
      (pcnet*)
        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-pcnet.rom"
        ;;
      (rtl8139*)
        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-rtl8139.rom"
        ;;
      (virtio-net-pci*)
        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-virtio.rom"
        ;;
      (*)
        append "$ARG"
        ;;
    esac
  elif [ x-bios = x"$LAST" ] && [ KRAXEL_RPMS = "$MODE" ]; then
    append "$KRAXEL_PATH/bios.bin" -L "$KRAXEL_PATH"
  elif [ x-name = x"$LAST" ]; then
    NAME=$ARG
    append "$ARG"
  else
    append "$ARG"
  fi
 
  LAST=$ARG
done
 
if [ -n "$NAME" ]; then
  append -debugcon file:/tmp/"$NAME".debug -global isa-debugcon.iobase=0x402 \
      -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0
 
  if [ 0 -ne $SMBIOS_EXTRA ]; then
    append -smbios file=$AD_HOC_PATH/smbios/type3
  fi
 
  if [[ x"$NAME" = xovmf.win2k8* ]] && [ 0 -ne $AD_HOC_CIRRUS ]; then
    append -global cirrus-vga.romfile=$AD_HOC_PATH/vgabios-cirrus.csm.bin
  fi
fi
 
exec /usr/libexec/qemu-kvm "${NEW_ARGS[@]}"
</pre>
 
This particular script accounts for libvirt invoking the emulator in two forms. XML validation after <code>virsh edit</code> seems to invoke the emulator for verification purposes only, without the <code>-name</code> option. In this case no debug file should be created / rewritten, plus other static options are useless. When libvirt starts the guest, the <code>-name</code> option is present, the script constructs the logfile's name from the corresponding option-argument, and adds some extra static options.
 
In more detail, the script supports three "operating modes".
 
<ol>
<li>The <code>KRAXEL_RPMS</code> mode is the recommended one for qemu-1.5+. This mode overrides the <code>/domain/os/loader</code> element of the guest XML, and uses the OVMF firmware and any other required files from Gerd's package. Notably, EFI drivers for the emulated / virtio NICs from the iPXE project will be available in the guest as option ROMs.</li>
<li>The <code>AD_HOC</code> mode serves development purposes. It disables any iPXE NIC drivers on qemu versions under 1.5 (so that the built-in VirtioNetDxe driver can be tested), lets <code>/domain/os/loader</code>  (= custom OVMF build) take effect, and specifies a custom SeaVGABIOS binary for Windows 2008 R2 guests (based on their name). The Windows 2008 R2 guest is discussed below some more.</li>
<li>The <code>AD_HOC_IPXE</code> mode is the same, a development helper, except it gives priority to custom iPXE NIC drivers. (Consult <code>OvmfPkg/README</code> for networking options.)</li>
</ol>
 
The static options enable S3/S4 in RHEL-6.4 qemu, and set the location of OVMF's debug log.
 
On an SELinux enabled system, a new instance of the same guest will be seclabelled differently from the previous instance, and will fail to overwrite the debug log produced by the previous instance. This could be worked around perhaps by reconfiguring libvirt's labelling practices for the guest, or changing the SELinux profile, or (horribile dictu) flipping SELinux to permissive. Removing the debug file manually before starting the next instance of the guest is simplest.
 
== Tested guest OS'en ==
 
=== Apparently working nicely ===
 
<ul>
<li>Fedora 18 Alpha (XFCE edition). [[#Confirmation of secure boot in Fedora 18|Secure boot tested]] as well.</li>
<li>RHEL-6.3. (Its grub does not support booting from a virtio-blk disk. See [[#Making guests use it]] how to specify a virtio-scsi boot disk.)</li>
<li>Windows 8 Consumer Preview Build 8250. [[#Confirmation of secure boot in Windows 8 Consumer Preview Build 8250|Secure boot tested]] as well. The fix for qemu-kvm [https://bugzilla.redhat.com/show_bug.cgi?id=854304 RHBZ#854304] may be necessary to run this guest. (Upstream qemu contains the [http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4d09d37c6aa9a02b44b1fdb6268820fab92499bd fix] of course.)</li>
<li>Reportedly, Windows Server 2012.</li>
</ul>
 
=== Windows Server 2008 R2 SP1 ===
 
This guest does not work correctly. Its UEFI installer is composed of several programs, some being UEFI applications, and the last layer being the Windows Pre-Installation Environment, running on the Windows 2008 R2 kernel.
 
The UEFI applications before the last layer correctly use the OVMF GOP (graphics output protocol), which drives the emulated Cirrus 5446 video card. Unfortunately, the last layer (WinPE) has a hard dependency on VGA BIOS interrupt 0x10, which is not provided by any OVMF CSM (compatibility support module) as of now.
 
This <em>hard</em> dependency is a Windows 2008 R2 bug; the WinPE layer should (actively) inherit the linear framebuffer characteristics from the GOP (UEFI boot phase), and use that until the kernel-level graphics drivers are loaded.
 
One (quite shabby) workaround for the time being is automated installation of this OS on top of OVMF, and then connecting to it with <code>rdesktop</code>.
 
During most of the installation (ie. in the WinPE phase), nothing can be seen in the VNC window. The VM reboots several times, at which points <code>cdboot.efi</code> shortly displays a (visible) message, "press a key to continue booting from the installation CD". No key should be pressed, as expected, but after the timeout, <code>cdboot.efi</code> tends to crash, violating an edk2 framework ASSERT and falling into an infinite loop (watch the debug log).
 
If this happens, force off the VM, restart it, enter the OVMF setup utility, and manually set the on-hdd boot loader. The installation should resume then.
 
For the remote desktop connection, the IP address of the running guest can be fetched by searching <code>/var/lib/libvirt/dnsmasq/default.leases</code> for the guest's MAC address (which is present in its libvirt XML file).
 
An example <code>AutoUnattend.xml</code> file, and a corresponding guest XML template (to be used with <code>virsh define</code>) are inserted below as a base-64 encoded, xz-compressed tarball. (Unfortunately, File Upload refuses xml and xml.gz files.) The install ISO that was augmented with the <code>AutoUnattend.xml</code> file is named <code>en_windows_server_2008_r2_with_sp1_x64_dvd_617601.iso</code>, its SHA1 is <code>D3FD7BF85EE1D5BDD72DE5B2C69A7B470733CD0A</code>.
 
Note: the first <code>ProductKey</code> element in the XML is a default key from
<code>\SOURCES\PRODUCT.INI</code>. It does not participate in product
activation, it contributes to product <em>selection</em> at installation time.
 
<pre>
begin-base64 600 example.tar.xz
/Td6WFoAAATm1rRGAgAhARwAAAAQz1jM4E//CfBeABcLxoeSWjrZw/K8YRQW
idsezUdpMAqJW5IviTmcQju7k4hzXixJbgHx/lAbmsS4smaCA12Xj2lLrVcL
E1Z9mz09+Ij1Kt0XX+FZ71T3wbLjFAtmMqv2ZX4v22sO46I2MWFU73vaGh4O
GjeLF6R3VInHrsdMGiZWBcuJBtuLjfCw1fL34okX9kyOayKqAhX6Apf7hTDV
nG9aCmkmSlXL8JXEnbfni0kCGWadOF1U8hKOHlwoO+RHqsjV6UHjj+ODN654
XEvjRvNNBWqx1xwiN+wfseijss/SEsWHBAuDENkfTDNcButwZSjtMGFAGZYa
V8hb+emUu9dc+FG0KcnF6uuEpsf75afmB5PZbVt97SanoylqMGXT6etzXqfE
vvf6XsFC/Xlg3pZ7wgKkZuPNuR7eBcSLatQ9ZLHfndTFlUjcFJT2WyBfZXPV
ahyxItkAjzdi8s0EjfxXqYXgvdWYHqXzZ427QvEo4InkCU6E1TuE7vnMxy7X
1AEIHKU6V+LxEL6X7jTZL/JRFBsmn6A7wTzX58yeo5aiMwKLbvjDuEZEXQFM
3+OXEHPCO/4nQZjyIYNkfnXD8oBKVs+9/wxtQNkvRNw2+guySBPjCX5n3+uR
S2ThSwxwE0y8vRdtggwQK/MfkHL18/IuSJiqSzw0mdoRlwMmpPtgCyI+iryK
rrSsO1qckmHCah6t3FKss86wE0ODbC9WoOVUGxnjE7cjbHg/rh+j4dvFm4Z8
+D6gWK/GXyEI3mbBnp4UqOWEWj6gZmO2QpvHxY9AFaiiSQ+hwUVPk3anufNk
ZIUQdtcsKYNw2V4UdP8CXlU9gWGPw8Y4TvgNXOVNbFbqBA+5gRXj/JNzxyDk
Bkol0zFlRAIcf6yvnmahXkIh6Cu/BnRoJ4IZ1lttvWT8yBTJpkwjjyhHsutM
jSmq8TCHXp2xi7O5bDfYTqSIXVlVs1ltwPQ2++CI5kshoIdq2D09OcrXoq75
Tl+vHDwq6ZhPXWQZ4EPfLztvAKDz2koNOZsMsLOO6TdMSuqJ78f2mliXNeVo
ENEpkYMa6+8XDBx3cv4uXYYhI+WY4ceObv/Og3SV+x4R+cEd4ULVJkRh36U9
NC3BL6krhuIBTR+9SFktjue/5/f0vkPDtstIFTwfByRkHWeGVvIVW0u8dIVW
Fi8Xd0PzLMeym8Oxff4dqbuxK3+CrB/75Pv5ZylACCuzyS5YUxuosPvMf9ME
nCk9Mw+VNyMocjkY7oujQUHwOK481GvX0Yuitc/7kjbyGGsbuAuE+Zi0zsPX
7XirMMRO73TorzyofaFJT6CyeHak6vyP3meDjulDphSgiCvWCSRgP4GYcHgY
uNjZXFOr1mDNLz3qgowmrPrTsLDvi+ByX6jo8RuP/S3P76yJj93bHDVuKcwS
W8CMtDRBc265yAIZARrq/mO53AeZyMlBqDJ/bp/8TTboKTG8IdbHSdVetcWx
WqVNCAb8qgvuN9z4ziarfAbpkNnuQ37hyiFsE4DKJVUXVac/E9vPXP7jcX/S
xhjVULDlMxFl76n8b6pVqW0AnZkpnEujgojQaS0/9Z+h9fQjBwzDlBpgLHeO
Loxh93Jm+aEYpa2Vk5xvQkwkwA8g5mGBm38+lb1BeGP33ygTf9j34SDa/BQa
iJKKEbtH4jW8Dg0bzmtdUNjhRbUYRTyGfseVig8aE5CHfPxkMSeSqGXV7cZh
qIzgrHPi+5kL23NfekhmZRC2IcfWgjoGuGtJYKWQ0u/VLIB1qiRjqauRxt/3
0VUapTQzcLT9JwCZXYyuQu5fMYGoOGvPg3Tjs0N5viZkRyowWSlJoTsof0hd
wajrKWJTXfvdl4AdsTBbaWFkfgZMSg5C7xoFhEa86B+0NO61CAFUvXYiP6PP
tjTNFvSFNvLnWyydFFaMIwET4UHo0gSYmsE9jtzcPxZ2EPkHEVdpVINMM/5Z
SBeDwPGczcXVD/kekhe7YlnUs6GKsdCP9fTcuEQzOat8agFazZkgeT44Ybwi
4xWFD4dlSkeWOAJOfJbU3BDo639qt38+x6/GX3Ad4j/911w0vMlEtMhk/Wg3
ppIfxwlUQ6oB5bB03rOUUJQf4xFwh4eT2JzL33Cve18FjCO2eRAXylTxC1j1
Uh539CcXjlYj908fUl7fkiTMg4V9XW39c8zRpHUXJWWUkCXf5wqRJoQ7sWZ6
kGlr6wmui7kEGP0wumPzn0yJeHx9JWjvLy2SPFp4znCgxISlPksgweyyeejc
FoZzqVmAwvF47bytD8OQ+8FWEpPVFO6S1VLjq/LlNukrfwODWEv+JzazWpy/
CXBmgebmWCFG+Gtdidmc4LMljonAaOdoj0+aXlTVjWzlGZcTDcXQNvDfdsza
2XhRxQyB/yST5auqElN5M+E4sco7AgRFC7em8H3NVfFn12z1mjZBVkWuT/e1
X4QURf4rw3LSZ5HssJdpE7gMR4yPd5tEkVB4a193LVi0o001icPUrwNHBjge
WJd1ecDQwXmtyRlyF/0sPgIdU8g3LaZiEp13M+gGK+3oXcWwpFouav9DzUQr
WPhB7yNGaSK/YH+dPwdif5C9EtyWYcue73YCGtxXgYCUvALKoSxFyeCNnbWH
VY9VFrtC84a4npJ29LurGCXQEMUfDyGqEayJa4iL3u3i7VA1+NgHdtMFZN5o
rL4/d+NZYUsPzqYN2RfOOBLMv4E7lkOIPiMIShD5/cyUEoc2nRT7dr6F1dib
ZjFua4YDUTOWF/4Tt3qg67wTWKsKUObciAKLrreL9u/lxpEHarAXZMiz2oHw
7vZJYLRWyuoJcIm3v4tptkIYk66iMY1oXfM+AmYMtg71XLFyOIiqR0HLj7m3
UW3ANa7RaJG0xaabvpcx5syoeudWOKy1geJurk645d6JTB9pvb71Kcy7kvlx
bwTgR3ITDGb+A9ZByqofoEojQN7fBk0LI0ucHiNGyHDBCXHPOIhHypWRJvyA
bmhY0YIY6ul9RaBhPJnJ2MzVY58NS9s39yolC7cq/ONYh43yyyiECg41wD4K
fN+c0PQ1HXhgm1JMxAYK02GJP5sOHfaW2e/9U54Y+Cnn2Nw33Fbk5a85Vmrq
A0g6s2tJpo1uiawxK4cQKbV4YO8O9+Km0ICk1YkpBWd4szLBeFjk/73Bu618
rAWez/0z41lEaJpEbqDr3ww4YSZiI6BSOwuEbvEuhAkXjA9WvnFQZsys6CFR
mYYT0RT/kvaMvCvH7gJSgjRKnvheUiXB1jd+nlYQ8Ag4qk/8SAfee1r8mZee
NBH0Lr0llRnfnIXBQskmSaBAoQDubDsR1wzgVZKvnCEzFow2colupVMcAdx6
djzC/XgCOPqyX6RtHNrZ/DvTjNhQtGEp9TFLmdoYgvPOqizHGRm28yr5Te07
rr2OzQuw7nLDAACI8Ak60A6nlgABjBSAoAEAJut9ErHEZ/sCAAAAAARZWg==
====
</pre>
 
=== Confirmation of secure boot in Fedora 18 ===
 
(This is a write-up of an earlier test.)
 
<ol>
<li>I rebuilt OVMF with secure boot support.</li>
 
<li>I downloaded the x86_64 binary RPM for [http://koji.fedoraproject.org/koji/buildinfo?buildID=357608 pesign-0.10-5.fc18] and extracted the <code>/etc/pki/pesign</code> directory to <code>$HOME/tmp/f18-keys</code>.</li>
 
<li>I extracted two certificates in DER format, standing in <code>$HOME/tmp</code>:
 
<pre>
certutil -L -d f18-keys -n 'Red Hat Test Certificate' -r \
    >RedHatTestCertificate.der
 
certutil -L -d f18-keys -n 'Red Hat Test CA' -r \
    >RedHatTestCA.der
</pre>
</li>
 
<li>I created a 64MB zero file,</li>
 
<ul>
<li>set up <code>/dev/loop1</code> on it,</li>
<li>created an MBR partition table with one 0x0c partition (cfdisk),</li>
<li>(maybe ran <code>kpartx -a /dev/loop1</code>,)</li>
<li>formatted <code>/dev/mapper/loop1p1</code> as FAT32 with mkdosfs,</li>
<li>mounted it, created a directory called <code>Red Hat Secure Boot Keys</code>,</li>
<li>copied the output files from the previous step there.</li>
<li>NOTE: libguestfs / guestfish is a <em>much</em> better way to do the same.
</li>
</ul>
 
<li>I attached the above image file as second disk to my preexistent
guest while it was shut down.</li>
 
<li>I started the guest.</li>
 
<ul>
<li>As soon as the TianoCore splash screen showed, I entered the setup
menu and selected <code>Device Manager | Secure Boot Options</code>,</li>
<li>enrolled <code>RedHatTestCA.der</code> as PK.</li>
<li>enrolled <code>RedHatTestCertificate.der</code> as one KEK and one DB entry,</li>
<li>made sure <code>shim.efi</code> from the first disk was the first boot option in <code>Boot Maintenance Manager | Boot Options</code>,</li>
<li>allowed the boot to continue.</li>
</ul>
 
<li>
<code>shim.efi</code> printed <code>Binary is whitelisted</code>. grub2 printed <code>secure boot forbids insmod</code> four times. The F18 XFCE GUI started. The guest dmesg contains
 
<pre>
[    0.000000] Secure boot enabled
</pre>
</li>
 
<li>
OVMF secure boot configuration (enrolled keys etc) don't persist
across guest shutdown (maybe not even across in-guest reboot); OVMF
reverts to non-secure boot. Copying the certificates to the F18 boot
partition didn't change this. What's more, when OVMF is built with
Secure Boot support, even the boot order saved from last time is
forgotten and default options are regenerated (even with no keys enrolled).
</li>
</ol>
 
=== Confirmation of secure boot in Windows 8 Consumer Preview Build 8250 ===
 
(This is also a write-up of an earlier test.)
 
Basically re-executed [[#Confirmation of secure boot in Fedora 18]], with the following changes:
 
<ul>
<li>I downloaded the platform key, the key exchange key, and three DB entries from [http://blog.hansenpartnership.com/the-microsoft-keys/ James Bottomley's blog].</li>
<li>Once inside the guest, I [http://msdn.microsoft.com/en-us/library/windows/desktop/hh847889.aspx started PowerShell as an administrator] and
then [http://communities.intel.com/community/vproexpert/blog/2012/06/26/microsoft-windows-8--enabling-secure-boot verified that Secure Boot was enabled].</li>
</ul>

Latest revision as of 10:27, 10 March 2015

OVMF "is a project to enable UEFI support for Virtual Machines".

The earlier contents of this article have been replaced with the following link to the OVMF whitepaper:

http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt

The whitepaper covers everything this article used to cover, and the whitepaper is much more up-to-date and extensive. Please use the History link near the bottom if you'd like to see the previous (now stale) contents.