Discussion:
[libvirt-users] libvirt and UEFI/SecureBoot
Shmuel Melamud
2018-07-15 18:22:35 UTC
Permalink
Hi!

I'm working currently on integration of UEFI/SecureBoot support into
oVirt. And I have several questions about UEFI/SecureBoot support in
libvirt. Can you please help me with them?

For UEFI I add the following to the XML:

<loader readonly="yes" secure="no" type="pflash">
/usr/share/OVMF/OVMF_CODE.secboot.fd
</loader>
<nvram template="/usr/share/OVMF/OVMF_VARS.fd">
/var/lib/libvirt/qemu/nvram/VM_UUID.fd
</nvram>

1. Are all paths mandatory or there are some defaults?
2. If nvram image file is absent, libvirt creates it?
3. Is nvram image file only read or is it also written?
4. If nvram image file is present, is it used? Or removed and created again?
5. Is nvram image file used only on VM startup, or it must be present
all the time the VM is running? Is it used on VM shutdown?
6. What happens if the VM is migrated at the moment when nvram image
file is used? Is this file migrated also?
7. Is it enough to set secure="yes" to boot the VM with SecureBoot? Or
I need to prepare the nvram somehow (install keys etc.)?
8. How to verify that the VM was indeed booted with UEFI? With SecureBoot?

Shmuel
Peter Krempa
2018-07-16 10:08:39 UTC
Permalink
Post by Shmuel Melamud
Hi!
I'm working currently on integration of UEFI/SecureBoot support into
oVirt. And I have several questions about UEFI/SecureBoot support in
libvirt. Can you please help me with them?
<loader readonly="yes" secure="no" type="pflash">
/usr/share/OVMF/OVMF_CODE.secboot.fd
</loader>
<nvram template="/usr/share/OVMF/OVMF_VARS.fd">
/var/lib/libvirt/qemu/nvram/VM_UUID.fd
</nvram>
1. Are all paths mandatory or there are some defaults?
Template can be configured in /etc/libvirt/qemu.conf

See also:

https://libvirt.org/formatdomain.html#elementsOSBIOS
Post by Shmuel Melamud
2. If nvram image file is absent, libvirt creates it?
Libvirt creates it from the 'template' or the default template.
Post by Shmuel Melamud
3. Is nvram image file only read or is it also written?
NVRAM is written since it contains UEFI variables modified by the
firmware or guest OS.
Post by Shmuel Melamud
4. If nvram image file is present, is it used? Or removed and created again?
It's used. The file contains state which needs to be persisted across
shutdown/restart.
Post by Shmuel Melamud
5. Is nvram image file used only on VM startup, or it must be present
all the time the VM is running? Is it used on VM shutdown?
It contains the UEFI variables which the operating system can write, so
it needs to be present all the time. Deleting it will basically reset
any changes to the UEFI state. As the file is opened by qemu all the
time, if you delete it it will become apparent only after restart of the
QEMU process.
Post by Shmuel Melamud
6. What happens if the VM is migrated at the moment when nvram image
file is used? Is this file migrated also?
QEMU transport the pflash devices inside the migration stream along with
memory and then writes the changes, so for migration this is transparet.

The destination just needs to have the files available.
Post by Shmuel Melamud
7. Is it enough to set secure="yes" to boot the VM with SecureBoot? Or
I need to prepare the nvram somehow (install keys etc.)?0
That depends on the state of the nvram template. Keys may need to be
installed.
Post by Shmuel Melamud
8. How to verify that the VM was indeed booted with UEFI? With SecureBoot?
AFAIK we don't load any 'fallback' firmware so if you set it to uefi and
it boots it was via uefi. I don't know about secure boot though

Loading...