From Fedora Project Wiki

m (Crobinso moved page Testing secureboot with KVM to Using UEFI with QEMU: Page isn't specific to secureboot, making the title more accurate)
m (Migrate to https from http)
(15 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= Firmware installation =


= Using UEFI in a QEMU/KVM VM =
UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes
from EDK2 (EFI Development Kit), which is the UEFI reference implementation.


== Installing 'UEFI for QEMU' nightly builds ==
== Installing 'UEFI for QEMU' from Fedora repos ==


UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes
Since June 2016, OVMF is available in Fedora repositories. All you need to have installed is <code>edk2-ovmf</code> RPM. Furthermore, it should be now a dependency of the {{pkg|qemu}} package, so you probably have it installed already. This includes firmware for secureboot (<code>OVMF_CODE.secboot.fd</code>)
from EDK2 (EFI Development Kit), which is the UEFI reference implementation.


Unfortunately there are licensing issues which prevent us getting EDK2/OVMF
== Installing 'UEFI for QEMU' nightly builds ==
into Fedora (see [[#EDK2 Licensing Issues]] for more info). So we
have to grab external packages.


Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal
Gerd Hoffmann, Red Hatter and QEMU developer, has a [[dnf]] repo on his personal
site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
including EDK2/OVMF.
including EDK2/OVMF.
Line 17: Line 16:
Here's how to pull down the nightly builds for x86:
Here's how to pull down the nightly builds for x86:


   sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
   sudo dnf install dnf-plugins-core
   sudo yum install edk2.git-ovmf-x64
  sudo dnf config-manager --add-repo https://www.kraxel.org/repos/firmware.repo
   sudo dnf install edk2.git-ovmf-x64
 
Note, these are nightly builds, and may occasionally be broken.


== Install a Fedora VM with UEFI ==
== Optionally Configure libvirtd to advertise UEFI support ==


{{admon/note | This examples assume you are using Fedora 21 packages. | UEFI VMs can be installed with older Fedora versions, but since as of Fedora 21 this stuff is still under active development, it's recommended to run the latest bits. }}
Libvirt needs to know about UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install. On Fedora 22 and later, libvirt packages are configured to look for the nightly build paths, so this will work out of the box.


First we need to install a guest using UEFI instead of traditional bios.
However, if you want to use custom binaries, you will need to edit the <b>nvram</b> variable in <b>/etc/libvirt/qemu.conf</b> and restart libvirtd.
Anaconda will put all the right bits in place for us.


Here's an example F20 install:


  sudo virt-install --name f20-uefi \
= Creating a VM =
    --ram 2048 --disk size=20 \
    --boot loader_type=pflash,loader_ro=yes,loader=/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd,nvram_template=/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd \
    --location https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Fedora/x86_64/os/


== Booting the VM with OVMF ==
== virt-manager ==


If Fedora doesn't boot, try the following steps. First you'll need to be at the EFI Internal Shell. If you see a 'Shell> ' prompt you are in the shell.
Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:
If OVMF doesn't drop you into the EFI Internal Shell automatically, do the following:


# Wait until the TianoCore splash screen pops up, hit ESC
* Click 'Customize before install', then select 'Finish'
# Select 'Boot Manager'
* On the 'Overview' screen, Change the 'Firmware' field to select the 'UEFI x86_64' option.
# Select 'EFI Internal Shell'
* Click 'Begin Installation'
* The boot screen you'll see should use <code>linuxefi</code> commands to boot the installer, and you should be able to run <code>efibootmgr</code> inside that system, to verify that you're running an UEFI OS.


Once in the EFI Internal Shell, here are the commands you need to boot Fedora (assuming your guest only has a CDROM attached):
== virt-install ==


  fs0:
Add <code>--boot uefi</code> to your <code>virt-install</code> command. Example:
  \EFI\fedora\shim.efi


The above commands just get Fedora going, we haven't set up secure boot yet.
  sudo virt-install --name f20-uefi \
    --ram 2048 --disk size=20 \
    --boot uefi \
    --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/


= Testing Secureboot in a VM =
= Testing Secureboot in a VM =
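Review bot: the virt-install example still passes --name f20-uefi although --location now points at releases/22/Workstation, so rename the VM to keep the example consistent. The new '--boot uefi' text should also say which firmware image gets selected, since the first section names a separate secureboot image (OVMF_CODE.secboot.fd) and the Secureboot section builds on these steps.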
Line 55: Line 54:
any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.
any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.


== Grab LockDown_ms.efi ==
== Run EnrollDefaultKeys.efi ==


Since OVMF doesn't ship with any SecureBoot keys installed, we need to
(Formerly this article recommended the independent utility "LockDown_ms.efi".)
install some to mimic what an MS certified UEFI machine will ship with.
But here's a crappy thing about OVMF and KVM: right now there's no way to
persist UEFI config across VM start/stop, although we'll come close with the script we'll create below.
{{admon/note|Improvements in Fedora 20|
With qemu 1.6 and later, a ''-pflash bios.bin'' option, is supposed to enable persistent EFI variables. This may or may not also require ''-no-kvm''.}}
So if we want to test SecureBoot,
we need to install the MS keys and enable secureboot on every VM restart.


Luckily there's a tool that does all this for us, called LockDown_ms.efi.
Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. OVMF now ships with the binaries required to set up a default set of keys. The easiest way is to use UefiShell.iso which is available at <code>/usr/share/edk2/ovmf/UefiShell.iso</code>. Boot your VM with this as the CD-ROM image and it should boot into the UEFI shell. At the prompt
This is derived from code in [http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary efitools.git].


Inside the guest, do:
* Shell> fs0:
* FS0:\> EnrollDefaultKeys.efi
* FS0:\> reset
* The VM will restart. Let it boot into Fedora as normal. Log in
* You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.


  sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi
== Testing Fedora CD/DVD Secure Boot in a VM ==


== Automate SecureBoot startup ==
Once you have a secureboot configured VM as described above, it's easy to use this to test ISO media secureboot support.


As mentioned above, we have to install the MS keys and enable secureboot on every VM restart. Luckily, OVMF by default runs a script at startup, called startup.nsh. We'll use this to automate startup. All we really need in the script are the following commands:
* Use virt-manager to attach the ISO media to your VM
 
* Use virt-manager to change the VM boot settings to boot off the CDROM
  fs0:
* Start the VM
  \EFI\fedora\LockDown_ms.efi
* Switch to a terminal inside the VM, verify Secureboot is enabled by checking dmesg
  \EFI\fedora\shim.efi
 
But, life is complicated by the fact that if you are rebooting the VM where LockDown_ms.efi has been loaded, it can't be loaded a second time (without powering off the VM). If you try, you'll get a "Error reported: Security Violation" message when loading LockDown_ms.efi and the script will stop. So, the script needs to check if SecureBoot is already on before trying to load LockDown_ms.efi.
 
Inside the guest, as root edit /boot/efi/startup.nsh and add the following text:
 
  fs0:
  # If we don't have the secure boot dmp file, assume this is the first
  # time this script has been run and secure boot is off.
  set __lockdown 0
  if not exist SecureBoot.dmp then
    set __lockdown 1
  # Otherwise we check the current state of the 'SecureBoot' variable
  # to see if LockDown_ms.efi has already been loaded.
  else
    dmpstore SecureBoot -s SecureBoot.tmp
    comp SecureBoot.dmp SecureBoot.tmp
    if not %lasterror% == 0 then
      set __lockdown 1
    endif
    rm SecureBoot.tmp
  endif
  if %__lockdown% == 1 then
    \EFI\fedora\LockDown_ms.efi
    dmpstore SecureBoot -s SecureBoot.dmp
  endif
  \EFI\fedora\shim.efi
 
== Verify SecureBoot ==
 
At this point reboot the guest. After logging in, you should see 'Secure boot enabled' in dmesg. Success!
 
== Testing F18 DVD Secure Boot in a VM ==
 
Since we can't easily alter the DVD to add LockDown_ms.efi, we get it into
the VM using a mini disk image:
 
  wget http://fedorapeople.org/~crobinso/secureboot/lockdown.qcow2
  sudo virsh attach-disk $VMNAME --target hdb --source lockdown.qcow2 --subdriver qcow2 --config
 
Then do
 
* Launch the VM, drop to the EFI shell
* If your guest only has a CDROM attached, lockdown.qcow2 should be fs0
* <code>Shell> fs0:</code>
* <code>fs0:\> LockDown_ms.efi </code>
* <code>fs0:\> exit </code>
* Back in the config screen, Select 'Boot Manager'
* Select 'EFI DVD/CDROM'
* Once anaconda starts, grab shell, log in, verify secure boot is enabled


= Notes =
= Notes =
== EDK2 Licensing Issues ==
EDK2 contains a FAT filesystem driver that is licensed under terms that
make it not acceptable for packaging in Fedora. Particularly that there's
a usage restricition only allowing the code to be used in a UEFI
implementation. More details here at [http://tianocore.sourceforge.net/wiki/Edk2-fat-driver Edk2-fat-driver]
The driver is critical functionality so removing it is not an option.


== Using UEFI with AArch64 VMs ==
== Using UEFI with AArch64 VMs ==
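Review bot: in the new EnrollDefaultKeys.efi steps, nothing between 'reset' and 'Let it boot into Fedora as normal' tells the reader to detach UefiShell.iso or switch the boot device back from the CD-ROM, so spell that step out. The sentence ending 'At the prompt' needs a colon before the list. The removed text said UEFI config could not be persisted across VM start/stop, so one sentence on why 'every subsequent boot' now holds would help readers of older revisions.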
Line 145: Line 81:
[[Architectures/ARM/AArch64|Fedora's AArch64 releases]] will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU
[[Architectures/ARM/AArch64|Fedora's AArch64 releases]] will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU


== Extra links ==
= Extra links =


* [[QA:Testcase Virtualization UEFI]]
* [http://www.linux-kvm.org/page/OVMF KVM wiki OVMF page]
* [https://wiki.ubuntu.com/SecurityTeam/SecureBoot Ubuntu secureboot page]
* [https://wiki.ubuntu.com/SecurityTeam/SecureBoot Ubuntu secureboot page]
* [http://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm OpenSUSE secureboot page]
* [http://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm OpenSUSE secureboot page]
* [http://www.linux-kvm.org/page/OVMF KVM wiki OVMF page]
* [http://www.labbott.name/blog/2016/09/15/secure-ish-boot-with-qemu/ Using SecureBoot with QEMU]


[[Category:Virtualization]] [[Category:QA]]
[[Category:Virtualization]] [[Category:QA]]

Revision as of 18:51, 25 December 2017

Firmware installation

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Installing 'UEFI for QEMU' from Fedora repos

Since June 2016, OVMF is available in Fedora repositories. All you need to have installed is the edk2-ovmf RPM. Furthermore, it should now be a dependency of the qemu package, so you probably have it installed already. This includes firmware for secureboot (OVMF_CODE.secboot.fd).

Installing 'UEFI for QEMU' nightly builds

Gerd Hoffmann, Red Hatter and QEMU developer, has a dnf repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

 sudo dnf install dnf-plugins-core
 sudo dnf config-manager --add-repo https://www.kraxel.org/repos/firmware.repo
 sudo dnf install edk2.git-ovmf-x64

Note, these are nightly builds, and may occasionally be broken.

Optionally Configure libvirtd to advertise UEFI support

Libvirt needs to know about the UEFI->NVRAM config file mapping, so it can advertise it to tools like virt-manager/virt-install. On Fedora 22 and later, libvirt packages are configured to look for the nightly build paths, so this will work out of the box.

However, if you want to use custom binaries, you will need to edit the nvram variable in /etc/libvirt/qemu.conf and restart libvirtd.


Creating a VM

virt-manager

Create a new VM in virt-manager. When you get to the final page of the 'New VM' wizard, do the following:

  • Click 'Customize before install', then select 'Finish'
  • On the 'Overview' screen, change the 'Firmware' field to select the 'UEFI x86_64' option.
  • Click 'Begin Installation'
  • The boot screen you'll see should use linuxefi commands to boot the installer, and you should be able to run efibootmgr inside that system to verify that you're running a UEFI OS.

virt-install

Add --boot uefi to your virt-install command. Example:

 sudo virt-install --name f20-uefi \
   --ram 2048 --disk size=20 \
   --boot uefi \
   --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/

Testing Secureboot in a VM

These steps describe how to test Fedora Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties. This requires configuring the VM to use UEFI, so it builds upon the previous UEFI steps.

Run EnrollDefaultKeys.efi

(Formerly this article recommended the independent utility "LockDown_ms.efi".)

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. OVMF now ships with the binaries required to set up a default set of keys. The easiest way is to use UefiShell.iso, which is available at /usr/share/edk2/ovmf/UefiShell.iso. Boot your VM with this as the CD-ROM image and it should boot into the UEFI shell. At the prompt:

  • Shell> fs0:
  • FS0:\> EnrollDefaultKeys.efi
  • FS0:\> reset
  • The VM will restart. Let it boot into Fedora as normal. Log in.
  • You should see the string 'Secure boot enabled' in dmesg. Secureboot is now enabled for every subsequent boot.

Testing Fedora CD/DVD Secure Boot in a VM

Once you have a secureboot-configured VM as described above, it's easy to use it to test ISO media secureboot support.

  • Use virt-manager to attach the ISO media to your VM
  • Use virt-manager to change the VM boot settings to boot off the CDROM
  • Start the VM
  • Switch to a terminal inside the VM and verify Secureboot is enabled by checking dmesg
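
The dmesg check that ends both procedures above (after EnrollDefaultKeys.efi, and when booting ISO media) can be backed by reading the firmware variables directly inside the guest. This is an added example, not part of the original wiki page: the function names are hypothetical, the sample files are constructed, and it goes slightly beyond the page by also reporting setup mode (no keys enrolled yet).

```shell
#!/bin/sh
# Added example: classify Secure Boot state inside a guest.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c  # UEFI global variable GUID

# Print the one-byte payload of a global UEFI variable. efivarfs files begin
# with a 4-byte attribute word, so the value sits at offset 4.
efi_byte() {  # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Print one of: not-uefi, setup-mode, enabled, disabled.
# "not-uefi" also covers a UEFI guest where efivarfs is not mounted.
secureboot_state() {  # $1 = efivars directory (default: the running system)
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    sb=$(efi_byte "$dir" SecureBoot) || sb=0
    setup=$(efi_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo setup-mode   # no Platform Key enrolled, e.g. fresh OVMF NVRAM
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Succeeds if kernel log text on stdin has the string this page looks for.
# In the guest: dmesg | log_says_enabled
log_says_enabled() {
    grep -q 'Secure boot enabled'
}

# Constructed sample data: write a fake efivars directory for offline runs.
make_sample() {  # $1 = directory, $2 = SecureBoot byte, $3 = SetupMode byte
    mkdir -p "$1"
    printf "\006\000\000\000\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "\006\000\000\000\00$3" > "$1/SetupMode-$EFI_GLOBAL"
}

secureboot_state   # inside the guest this reports the live firmware state
```

A result of setup-mode after the procedure means the key enrollment did not persist, which usually points at the VM's NVRAM file rather than at the guest OS.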

Notes

Using UEFI with AArch64 VMs

Fedora's AArch64 releases will only run on UEFI, so require UEFI inside the VM. However the steps are slightly different. See this page for complete documentation: https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

Extra links