Can't enable Secure Boot in qemu

sighoya · 2022-04-16 12:32:18

Hi Guys,

I've tried enabling secure boot in virt-manager (Gui for libvirtd) according to this manual: https://specs.openstack.org/openstack/n … uests.html
In detail, I changed the OS Information XML config in such a way that secure is set to yes and feature smm is enabled:

  <os>
    <type arch="x86_64" machine="pc-q35-6.2">hvm</type>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/edk2-ovmf/x64/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/ArchLinux64bit_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state="off"/>
    <smm state="on"/>
  </features>

But still I got for my virtual arch linux installation:

sudo dmesg | grep -i secure
[sudo] password for sighoya: 
[    0.013570] Secure boot disabled

Package versions are:

libvirt 1:8.2.0-4
libvirt-glib 4.0.0-1
libvirt-python 1:8.2.0-1
libvirt-sandbox 0.8.0-2
qemu 6.2.0-4
qemu-arch-extra 6.2.0-4
qemu-block-gluster 6.2.0-4
qemu-block-iscsi 6.2.0-4
qemu-block-rbd 6.2.0-4
qt-virt-manager 0.72.99-4
virt-manager 4.0.0-1

Lone_Wolf · 2022-04-17 11:44:17

https://wiki.archlinux.org/title/QEMU#V … abled_OVMF and the links in it may help to figure out what is wrong.

Keep in mind that often it's much easier to confirm something works by starting qemu from cli and only after that look into achieving the same from libvirt gui .

sighoya · 2022-04-17 21:51:01

@Lone_Wolf,

thanks for mentioning this, but it was already disabled in libvirt:

  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>

but it doesn't do anything.

Now, I changed the loader and nvram to /usr/share/edk2-ovmf/x64/OVMF_CODE_4M.secboot.fd and /usr/share/edk2-ovmf/x64/OVMF_VARS_4M.fd mentioned in https://github.com/quickemu-project/qui … -945024268, respectively.
I retrieved them from https://packages.debian.org/sid/all/ovmf/download by

ar xv ovmf_2022.02-3_all.deb
tar -xvf data.tar.xz
sudo cp usr/share/OVMF/*4M* /usr/share/edk2-ovmf/x64# Install dir can be custom

Now secure boot is enabled in Windows and even emulated tpm works now. Anyway, I still don't understand why ArchLinux states it is disabled with the same settings. But I see it is disabled in bios so I can enable it from there, strange.

Lone_Wolf · 2022-04-19 11:27:02

edk2-ovmf archlinux package has OVMF_CODE.secboot.fd and OVMF_VARS.fd .
The first of those 2 files is mentioned on the wiki link I posted, have you tried wtih those files ?

sighoya · 2022-04-19 16:55:56

The first of those 2 files is mentioned on the wiki link I posted, have you tried wtih those files

Yes, I tried it with OVMF_CODE.secboot.fd in Windows and Arch, but with no success. Maybe we just need to enable it in qemu bios because for the secboot.CODE there is not dedicated secboot.VARS enabling secboot by default. Anyway, with OVMF_{VARS,CODE}_4M.fd it worked out of the box in Windows but not in Arch Linux.
Could this be a bug in Arch, I don't know.

ansemjo · 2022-04-22 09:26:29

Just to chip in: I needed to use OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd to get both Secure Boot and the emulated TPM2.0 working in a Windows 10 VM. I got those from the ovmf deb package in Ubuntu focal.

Using OVMF_CODE.secboot.fd with the default nvram created by virt-manager supported Secure Boot in general; but there were no default keys enrolled, so it couldn't be enabled without enrolling custom keys first.
Using OVMF_CODE.secboot.fd with OVMF_VARS.ms.fd enabled Secure Boot alright ... but activating the TPM2.0 failed with weird errors. (Something about a Code 10 when you look at its properties in the Device Manager).
OVMF_CODE_4M.secboot.fd together with OVMF_VARS.ms.fd just doesn't boot at all.
Finally, OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd booted fine and the emulated TPM2.0 (TIS) was suddenly working, too.

I haven't checked an actual Archlinux install but an Ubuntu ISO reported that Secure Boot is enabled and it could communicate with the TPM (even when Windows couldn't, i.e. only using the second combination from the list above).

Kobold · 2022-05-18 09:30:14

Suffering from the same issue in qemu/libvirt in vanilla Archlinux.
What would be the proper way of having edk2-ovmf package updated or fixed?
unfortunetaly the edk2-ovmf-git package in AUR does not help either.

Moo-Crumpus · 2022-09-26 16:24:27

ansemjo wrote:

Just to chip in: I needed to use OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd to get both Secure Boot and the emulated TPM2.0 working in a Windows 10 VM. I got those from the ovmf deb package in Ubuntu focal.
Finally, OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd booted fine and the emulated TPM2.0 (TIS) was suddenly working, too.

How to use them as qemu option? This won't do:
-drive if=pflash,format=raw,unit=0,file=/mnt/data/qemu_images/EFI/OVMF_CODE_4M.secboot.fd,readonly=on \
-drive if=pflash,format=raw,unit=1,file=/mnt/data/qemu_images/EFI/OVMF_VARS_4M.ms.fd

ansemjo · 2022-09-26 16:42:58

Moo-Crumpus wrote:

ansemjo wrote:
Just to chip in: I needed to use OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd to get both Secure Boot and the emulated TPM2.0 working in a Windows 10 VM. I got those from the ovmf deb package in Ubuntu focal.
Finally, OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.ms.fd booted fine and the emulated TPM2.0 (TIS) was suddenly working, too.
How to use them as qemu option? This won't do:
-drive if=pflash,format=raw,unit=0,file=/mnt/data/qemu_images/EFI/OVMF_CODE_4M.secboot.fd,readonly=on \
-drive if=pflash,format=raw,unit=1,file=/mnt/data/qemu_images/EFI/OVMF_VARS_4M.ms.fd

I'm using libvirt to manage my virtual machines, which produces a commandline with these arguments:

-blockdev '{"driver":"file","filename":".../qemu/OVMF_CODE_4M.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
-blockdev '{"driver":"file","filename":".../qemu/nvram/windows.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \

Moo-Crumpus · 2022-09-26 19:21:43

Not quite what I was expecting. I am no XML to qemu option translator hero.

Arch Linux

#1 2022-04-16 12:32:18

Can't enable Secure Boot in qemu

#2 2022-04-17 11:44:17

Re: Can't enable Secure Boot in qemu

#3 2022-04-17 21:51:01

Re: Can't enable Secure Boot in qemu

#4 2022-04-19 11:27:02

Re: Can't enable Secure Boot in qemu

#5 2022-04-19 16:55:56

Re: Can't enable Secure Boot in qemu

#6 2022-04-22 09:26:29

Re: Can't enable Secure Boot in qemu

#7 2022-05-18 09:30:14

Re: Can't enable Secure Boot in qemu

#8 2022-09-26 16:24:27

Re: Can't enable Secure Boot in qemu

#9 2022-09-26 16:42:58

Re: Can't enable Secure Boot in qemu

#10 2022-09-26 19:21:43

Re: Can't enable Secure Boot in qemu

Board footer