[libvirt-users] libvirt and UEFI/SecureBoot

Peter Krempa pkrempa at redhat.com
Mon Jul 16 10:08:39 UTC 2018


On Sun, Jul 15, 2018 at 21:22:35 +0300, Shmuel Melamud wrote:
> Hi!
> 
> I'm working currently on integration of UEFI/SecureBoot support into
> oVirt. And I have several questions about UEFI/SecureBoot support in
> libvirt. Can you please help me with them?
> 
> For UEFI I add the following to the XML:
> 
> <loader readonly="yes" secure="no" type="pflash">
> /usr/share/OVMF/OVMF_CODE.secboot.fd
> </loader>
> <nvram template="/usr/share/OVMF/OVMF_VARS.fd">
> /var/lib/libvirt/qemu/nvram/VM_UUID.fd
> </nvram>
> 
> 1. Are all paths mandatory or are there some defaults?

Template can be configured in /etc/libvirt/qemu.conf

See also:

https://libvirt.org/formatdomain.html#elementsOSBIOS

> 2. If nvram image file is absent, libvirt creates it?

Libvirt creates it from the 'template' or the default template.

> 3. Is nvram image file only read or is it also written?

NVRAM is written since it contains UEFI variables modified by the
firmware or guest OS.

> 4. If nvram image file is present, is it used? Or removed and created again?

It's used. The file contains state which needs to be persisted across
shutdown/restart.

> 5. Is nvram image file used only on VM startup, or it must be present
> all the time the VM is running? Is it used on VM shutdown?

It contains the UEFI variables which the operating system can write, so
it needs to be present all the time. Deleting it will basically reset
any changes to the UEFI state. As the file is opened by qemu all the
time, if you delete it, it will become apparent only after restart of the
QEMU process.

> 6. What happens if the VM is migrated at the moment when nvram image
> file is used? Is this file migrated also?

QEMU transports the pflash devices inside the migration stream along with
memory and then writes the changes, so for migration this is transparent.

The destination just needs to have the files available.

> 7. Is it enough to set secure="yes" to boot the VM with SecureBoot? Or
> I need to prepare the nvram somehow (install keys etc.)?

That depends on the state of the nvram template. Keys may need to be
installed.

> 8. How to verify that the VM was indeed booted with UEFI? With SecureBoot?

AFAIK we don't load any 'fallback' firmware, so if you set it to UEFI and
it boots, it was via UEFI. I don't know about secure boot though.
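As an added example (not code from this thread, from libvirt or from oVirt), the checks below cover the two practical points raised in questions 1, 7 and 8: whether a domain XML is actually consistent with an enforcing Secure Boot setup, and how to read the resulting state back from inside a Linux guest. It assumes the Fedora/RHEL OVMF file naming (an `OVMF_CODE.secboot.fd` code image and an `OVMF_VARS.secboot.fd` variable store that ships with keys enrolled), libvirt's rule that `secure='yes'` needs a q35 machine type together with `<smm state='on'/>`, and the efivarfs layout of a 4-byte attribute word in front of the variable data. The sample XML is the post's `<loader>`/`<nvram>` lines wrapped in the elements libvirt expects; the efivar bytes are constructed.

```python
"""Added example: sanity-check a libvirt domain XML for Secure Boot and read
the Secure Boot state back from a Linux guest. Not code from the thread,
libvirt or oVirt."""

import os
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample: the <loader>/<nvram> lines quoted in the thread, wrapped
# in the <os> and <features> elements libvirt expects, with a q35 machine type.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>sb-test</name>
  <os>
    <type arch='x86_64' machine='pc-q35-2.12'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/VM_UUID.fd</nvram>
  </os>
  <features>
    <smm state='on'/>
  </features>
</domain>
"""


def check_secure_boot_config(domain_xml: str) -> List[str]:
    """Return findings that stop this domain from booting with Secure Boot
    enforced, or that leave that decision to host-side defaults. An empty
    list means the XML is consistent with an enforcing Secure Boot setup."""
    root = ET.fromstring(domain_xml)
    findings: List[str] = []

    loader = root.find("./os/loader")
    if loader is None:
        # Without <loader> libvirt uses the default BIOS (SeaBIOS), not UEFI.
        return ["no <loader> element: the guest boots with legacy BIOS, not UEFI"]
    if loader.get("type") != "pflash":
        findings.append("loader type is not 'pflash': no persistent UEFI variable store")
    if loader.get("readonly") != "yes":
        findings.append("loader is not readonly='yes': the firmware code image is writable")
    if loader.get("secure") != "yes":
        findings.append("loader lacks secure='yes': libvirt does not set the VM up for Secure Boot")
    code = (loader.text or "").strip()
    if "secboot" not in os.path.basename(code):
        # Assumption: distro naming, only *.secboot.fd builds carry Secure Boot support.
        findings.append(f"loader image {code!r} is not a secboot build")

    nvram = root.find("./os/nvram")
    template = nvram.get("template") if nvram is not None else None
    if template is None:
        findings.append("no explicit nvram template: the nvram= mapping in "
                        "/etc/libvirt/qemu.conf decides which variable store is copied")
    elif "secboot" not in os.path.basename(template):
        # Assumption: *.secboot.fd stores ship with PK/KEK/db enrolled. A store
        # without a PK leaves the firmware in setup mode, i.e. Secure Boot off.
        findings.append(f"nvram template {template!r} has no keys enrolled: firmware stays in setup mode")

    os_type = root.find("./os/type")
    machine = os_type.get("machine", "") if os_type is not None else ""
    if "q35" not in machine:
        findings.append(f"machine type {machine!r}: libvirt supports Secure Boot only on q35")

    smm = root.find("./features/smm")
    if smm is None or smm.get("state") != "on":
        findings.append("secure='yes' requires <features><smm state='on'/></features>")
    return findings


# --- Inside the guest (question 8) -----------------------------------------

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Constructed efivarfs contents: attributes BS|RT (0x06) as a little-endian
# 32-bit word, followed by the single data byte of the SecureBoot variable.
SAMPLE_SECUREBOOT_ON = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SAMPLE_SECUREBOOT_OFF = bytes([0x06, 0x00, 0x00, 0x00, 0x00])


def parse_efivar_flag(data: bytes) -> bool:
    """Decode a one-byte boolean UEFI variable as exposed by efivarfs:
    4 bytes of attributes, then the variable data."""
    if len(data) < 5:
        raise ValueError("efivarfs entry shorter than attributes + one data byte")
    return data[4] == 1


def guest_secure_boot_state(efivars_dir: str = EFIVARS_DIR) -> Optional[str]:
    """'enforcing', 'setup-mode', 'disabled' or 'unsupported'; None when the
    guest was not booted via UEFI at all (no efivars directory)."""
    if not os.path.isdir(efivars_dir):
        return None

    def read_flag(name: str) -> bool:
        path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE}")
        with open(path, "rb") as f:
            return parse_efivar_flag(f.read())

    try:
        if read_flag("SetupMode"):
            return "setup-mode"  # no PK enrolled, nothing is verified
        return "enforcing" if read_flag("SecureBoot") else "disabled"
    except FileNotFoundError:
        return "unsupported"


if __name__ == "__main__":
    for finding in check_secure_boot_config(SAMPLE_DOMAIN_XML):
        print("finding:", finding)
    print("this host's state:", guest_secure_boot_state())
```

Run on the sample from the post it reports two findings: the loader is `secure='no'`, and `OVMF_VARS.fd` is the variable store without enrolled keys, so even with `secure='yes'` the guest would sit in setup mode. Flipping both (and keeping `<smm state='on'/>` on a q35 machine) brings the list down to empty. `guest_secure_boot_state()` is what to run inside the VM: `None` means the OS did not even boot via UEFI, `setup-mode` means the template needs keys installed, `enforcing` is the state you want.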