<div dir="ltr">Thanks guys. That was very useful!<div><br></div><div>Best regards</div><div>Lucas</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 4, 2022 at 12:09 AM Daniel P. Berrangé <<a href="mailto:berrange@redhat.com">berrange@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Aug 03, 2022 at 11:00:30AM -0500, Andrea Bolognani wrote:<br>
> On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:<br>
> > Hello all:<br>
> ><br>
> > I am looking for a way to disable secure boot for UEFI guests:<br>
> > In 3.2.0 I use the command below to achieve it:<br>
> ><br>
> > # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2<br>
> > --memory 4096 --file-size=20 --boot uefi --boot<br>
> > nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd<br>
> ><br>
> > However, in 4.0.0 I cannot get the same result for this cmd<br>
> ><br>
> > Expect VM is booted with secureboot disabled. But the actual result is the<br>
> > VM is booted with secureboot enabled.<br>
> ><br>
> > # mokutil --sb-state<br>
> > SecureBoot enabled<br>
> ><br>
> > ...<br>
> > <os><br>
> >     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type><br>
> >     <loader readonly='yes' secure='no'<br>
> > type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader><br>
> >     <nvram<br>
> > template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram><br>
> >     <boot dev='hd'/><br>
> >   </os><br>
> > ...<br>
> ><br>
> > It seems it still creates guests with<br>
> > "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.<br>
> <br>
> This should do what you want:<br>
> <br>
>   --boot uefi,firmware.feature0.name=enrolled-keys,firmware.feature0.enabled=no,firmware.feature1.name=secure-boot,firmware.feature1.enabled=yes<br>
> <br>
> A bit of a mouthful, I know :) The equivalent XML snippet would be<br>
> <br>
>   <os firmware='efi'><br>
>     <firmware><br>
>       <feature enabled='no' name='enrolled-keys'/><br>
>       <feature enabled='yes' name='secure-boot'/><br>
>     </firmware><br>
>   </os><br>
<br>
This seems to ask to leave secureboot enabled, but with no enrolled<br>
keys.<br>
<br>
To disable secureboot fully I use this<br>
<br>
 --boot firmware=efi,firmware.feature0.enabled=no,firmware.feature0.name=secure-boot \<br>
<br>
<br>
<br>
With regards,<br>
Daniel<br>
-- <br>
|: <a href="https://berrange.com" rel="noreferrer" target="_blank">https://berrange.com</a>      -o-    <a href="https://www.flickr.com/photos/dberrange" rel="noreferrer" target="_blank">https://www.flickr.com/photos/dberrange</a> :|<br>
|: <a href="https://libvirt.org" rel="noreferrer" target="_blank">https://libvirt.org</a>         -o-            <a href="https://fstop138.berrange.com" rel="noreferrer" target="_blank">https://fstop138.berrange.com</a> :|<br>
|: <a href="https://entangle-photo.org" rel="noreferrer" target="_blank">https://entangle-photo.org</a>    -o-    <a href="https://www.instagram.com/dberrange" rel="noreferrer" target="_blank">https://www.instagram.com/dberrange</a> :|<br>
<br>
</blockquote></div>
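The three firmware postures that come up in this thread (Lucas's manual loader/nvram selection, Andrea's "secure-boot enabled, enrolled-keys disabled" snippet, and Daniel's "secure-boot disabled" form) are easy to confuse when auditing existing guests. The following is an added example, not code from the thread or from the libvirt or virt-install projects: it generates the <code>&lt;os firmware='efi'&gt;</code> snippet and the matching <code>--boot</code> argument for a chosen posture, and classifies a domain XML by reading the same <code>secure-boot</code> / <code>enrolled-keys</code> feature names that appear above. The function and dictionary names (<code>POSTURES</code>, <code>classify_secure_boot</code>, etc.) are my own; the sample XML is constructed from the snippets quoted in the thread. The example orders <code>name</code> before <code>enabled</code> in the <code>--boot</code> string, which virt-install accepts equally (the key order differs from Daniel's line above).

```python
# Added example (not from the thread): build/inspect libvirt firmware
# feature settings that control guest Secure Boot.
import xml.etree.ElementTree as ET

# Feature combinations discussed in the thread. The feature names
# "secure-boot" and "enrolled-keys" are libvirt's; the posture labels are mine.
POSTURES = {
    # Daniel's form: Secure Boot switched off entirely.
    "disabled": {"secure-boot": "no"},
    # Andrea's form: Secure Boot on, but no keys enrolled in the NVRAM.
    "enabled-no-keys": {"enrolled-keys": "no", "secure-boot": "yes"},
    # Enforcing: Secure Boot on with the distribution keys enrolled.
    "enforcing": {"enrolled-keys": "yes", "secure-boot": "yes"},
}


def build_os_element(posture):
    """Return an <os firmware='efi'> Element for the requested posture."""
    os_el = ET.Element("os", firmware="efi")
    fw = ET.SubElement(os_el, "firmware")
    for name, enabled in POSTURES[posture].items():
        ET.SubElement(fw, "feature", enabled=enabled, name=name)
    return os_el


def os_to_string(posture):
    return ET.tostring(build_os_element(posture), encoding="unicode")


def virt_install_boot_arg(posture):
    """Return the equivalent virt-install --boot argument (firmware autoselect form)."""
    parts = ["firmware=efi"]
    for i, (name, enabled) in enumerate(POSTURES[posture].items()):
        parts.append(f"firmware.feature{i}.name={name}")
        parts.append(f"firmware.feature{i}.enabled={enabled}")
    return "--boot " + ",".join(parts)


def classify_secure_boot(domain_xml):
    """Classify a domain (or bare <os>) XML document.

    Returns 'disabled', 'enabled-no-keys', 'enforcing', 'autoselect'
    (firmware='efi' without an explicit secure-boot feature), 'manual-loader'
    (explicit <loader>/<nvram>, where the guest state depends on the firmware
    build and the nvram template, as Lucas observed) or 'unknown'.
    """
    root = ET.fromstring(domain_xml)
    os_el = root if root.tag == "os" else root.find("os")
    if os_el is None:
        return "unknown"
    if os_el.get("firmware") == "efi":
        feats = {f.get("name"): f.get("enabled")
                 for f in os_el.findall("firmware/feature")}
        sb = feats.get("secure-boot")
        if sb == "no":
            return "disabled"
        if sb == "yes":
            return "enabled-no-keys" if feats.get("enrolled-keys") == "no" else "enforcing"
        return "autoselect"
    if os_el.find("loader") is not None:
        return "manual-loader"
    return "unknown"


# Constructed sample: the <os> block Lucas quoted (manual loader + nvram template).
LUCAS_OS_XML = """<os>
    <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
    <boot dev='hd'/>
</os>"""

# Constructed sample: Andrea's snippet wrapped in a minimal <domain>.
ANDREA_DOMAIN_XML = """<domain type='kvm'>
  <name>GuestOne</name>
  <os firmware='efi'>
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
  </os>
</domain>"""

if __name__ == "__main__":
    for posture in POSTURES:
        print(posture, "->", virt_install_boot_arg(posture))
        print(os_to_string(posture))
    print("Lucas:", classify_secure_boot(LUCAS_OS_XML))
    print("Andrea:", classify_secure_boot(ANDREA_DOMAIN_XML))
```

Running it against <code>virsh dumpxml GUEST</code> output is the practical use: a guest reported as <code>manual-loader</code> needs its nvram template checked, because, as the thread shows, the <code>secure='no'</code> loader attribute alone does not mean Secure Boot is off inside the guest.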