How can I disable secure boot using virt-install cli?

Lucas Liu hongzliu at redhat.com
Thu Aug 4 02:41:41 UTC 2022 

Thanks guys. That was very useful!

Best regards
Lucas

On Thu, Aug 4, 2022 at 12:09 AM Daniel P. Berrangé <berrange at redhat.com>
wrote:

> On Wed, Aug 03, 2022 at 11:00:30AM -0500, Andrea Bolognani wrote:
> > On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:
> > > Hello all:
> > >
> > > I am looking for a way to disable secure boot for UEFI guests:
> > > In 3.2.0 I use the command blow to achieve it:
> > >
> > > # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2
> > > --memory 4096 --file-size=20 --boot uefi --boot
> > > nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd
> > >
> > > However, in 4.0.0 I cannot get the same result for this cmd
> > >
> > > Expect VM is booted with secureboot disabled. But the actual result is
> the
> > > VM is booted with secureboot enabled.
> > >
> > > # mokutil --sb-state
> > > SecureBoot enabled
> > >
> > > ...
> > > <os>
> > >     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
> > >     <loader readonly='yes' secure='no'
> > > type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
> > >     <nvram
> > >
> template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
> > >     <boot dev='hd'/>
> > >   </os>
> > > ...
> > >
> > > It seems it still creates guests with
> > > "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.
> >
> > This should do what you want:
> >
> >   --boot uefi,firmware.feature0.name
> =enrolled-keys,firmware.feature0.enabled=no,firmware.feature1.name
> =secure-boot,firmware.feature1.enabled=yes
> >
> > A bit of a mouthful, I know :) The equivalent XML snippet would be
> >
> >   <os firmware='efi'>
> >     <firmware>
> >       <feature enabled='no' name='enrolled-keys'/>
> >       <feature enabled='yes' name='secure-boot'/>
> >     </firmware>
> >   </os>
>
> This seems to kas to leave secureboot enabled, but with no enrolled
> keys.
>
> To disable secureboot fully I use this
>
>  --boot firmware=efi,firmware.feature0.enabled=no,firmware.feature0.name=secure-boot
> \
>
>
>
> With regards,
> Daniel
> --
> |: https://berrange.com      -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-
> https://www.instagram.com/dberrange :|
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20220804/770714da/attachment.htm>

More information about the virt-tools-list mailing list