Ask Your Question
1

wiki: Using UEFI with QEMU

asked 2016-04-13 20:12:55 -0500

rcpao gravatar image

updated 2016-04-14 04:25:05 -0500

https://fedoraproject.org/wiki/Using_... I am testing UEFI Secure Boot using Fedora 23 Workstation.

FS0:\EFI\fedora\> LockDown_ms.efi
No SetupMode variable ... is platform secure boot enabled?

I do not see any way to enable Secure Boot.

I installed the VM using this line and it boots up fine:

sudo virt-install --name f23-uefi \
   --ram 2048 --disk size=20 \
   --boot uefi \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Workstation

So next is to run LockDown_ms.efi to install the Microsoft keys, but I get the error above. Pressing Esc at the TianoCore Logo leads to UEFI Setup:

Continue
Select Language
Boot Manager
Device Manager
  RAM Disk Configuration
  OVMF Platform Configuration
    Preferred Resolution at Next Boot
    Change Preferred
    Resolution for Next Boot
  iSCSI Configuration
  Network Device list
Boot Maintenance Manager

None of these options enables Secure Boot or clearing/setting of any keys.

Update: http://www.linux-kvm.org/downloads/le... with edk2.git-ovmf-x64-0-20160413.b1684.g017fb1c.noarch.rpm

FS1:\> EnrollDefaultKeys.efi
error: GetVariable("SetupMode", 8BE4DF61-93CA-11D2AA0D-00E098032B8C): Not Found
edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
1

answered 2016-04-14 16:07:17 -0500

lersek gravatar image

The problem is that virt-install's --boot uefi option selects a firmware binary for you that does not contain the Secure Boot feature.

Let's list the contents of edk2.git-ovmf-x64-0-20160413.b1684.g017fb1c.noarch -- the relevant files are:

/usr/share/edk2.git/ovmf-x64/OVMF_CODE-need-smm.fd
/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd
/usr/share/edk2.git/ovmf-x64/OVMF_CODE-with-csm.fd

You are probably using "pure-efi", which no longer provides the Secure Boot feature. (Because without the SMM driver stack, the Secure Boot feature in OVMF_CODE-pure-efi.fd was never actually secure.)

Instead, you have to use OVMF_CODE-need-smm.fd, if you want a firmware binary with the Secure Boot feature. This binary, beyond including the Secure Boot feature, contains the SMM driver stack (which is a build time-only option), which gives the authenticated UEFI variables that underlie Secure Boot the appropriate protection.

The SMM driver stack imposes a number of requirements:

  • Your QEMU must be version 2.5 or later (well, 2.6 is not out yet, so it must be 2.5).

  • The minimum required QEMU machine type is pc-q35-2.5. The pc-i440fx-* machine types won't work. I think you'll have to pass this as --machine pc-q35-2.5 to virt-install.

  • The host kernel (KVM) must be at least Linux-4.4.

  • The domain XML for your guest must specify

    <loader readonly='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-need-smm.fd</loader>

    You can pass this to virt-install with the following option, instead of the --boot uefi option:

    --boot loader=/usr/share/edk2.git/ovmf-x64/OVMF_CODE-need-smm.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/edk2.git/ovmf-x64/OVMF_VARS-need-smm.fd

  • the root element of the domain XML should be edited like this:

    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>

    then, near the end of the domain XML, you should add the following XML fragment, just before the closing </domain> tag:

    <qemu:commandline>
     <qemu:arg value='-global'/>
     <qemu:arg value='driver=cfi.pflash01,property=secure,value=on'/>
    </qemu:commandline>

edit flag offensive delete link more

Comments

Thank you for your detailed response. As I was not looking for security or penetration testing, I bypassed this issue by using the opensuse solution to test sign my UEFI driver and have verified it works as expected. I have marked your answer as accepted, but I have not personally tested it.

rcpao gravatar imagercpao ( 2016-05-04 17:24:32 -0500 )edit
0

answered 2016-04-14 04:44:00 -0500

rcpao gravatar image

https://firmwaresecurity.com/2015/07/... SMM for OVMF is bleeding edge and incomplete in 64-bit at the moment. I'll need to find some older version to test with.

edit flag offensive delete link more

Comments

Sorry, this comment is both incorrect and unrelated to the issue you are seeing.

First, the statement " SMM for OVMF is [...] incomplete in 64-bit at the moment" is incorrect: the blog post you are referring to is almost a year old, and since then, the SMM feature has been merged. The only "incomplete" part of it is that S3 suspend/resume is not supported with the SMM driver stack, if the PEI phase is also built for X64. But this is a limitation of the generic edk2 infrastructure, not of OvmfPkg. Anyway, you are almost certainly not using S3 in a VM.

lersek gravatar imagelersek ( 2016-04-14 15:16:22 -0500 )edit

I'll respond separately (directly to your topic-opener) too; that will explain why SMM is also unrelated to the issue you are seeing. (Short version: because the OVMF binary you are using lacks the Secure Boot feature completely.)

lersek gravatar imagelersek ( 2016-04-14 15:17:46 -0500 )edit

Question Tools

2 followers

Stats

Asked: 2016-04-13 20:12:55 -0500

Seen: 3,801 times

Last updated: Apr 14 '16