You are not logged in.
Hello,
So I've been playing with LXD trying to setup a Windows 11 VM with all the security features enabled (Secure boot, BitLocker, HVCI, etc.) Some of those windows security feature require SecureBoot to be enabled to work properly. While troubleshooting, I stumbled across the "Starting_a_virtual_machine_fails" [1] article on the wiki. TL;DR: OVMF don't ship with Secureboot on Arch disable it on LXD.
So digging further, I found a superuser[2] post that explain exactly how to setup OVMF with SecureBoot for Windows using your own private key. You also have to use raw.qemu args to define the ovmf flash drives to get LXD to use it, but it's technically possible.
Now, I took the time to write a post here because it was incredibly hard to find the right information. I believe that being able to virtualize Windows VM properly secured is a very useful thing for the community. In my mind, there's a few ways to address this gap :
- Document the "hack" in the wiki
- Package a OMVF_VARS.ms.fd with Microsoft keys signed by Arch
- Ask LXD to generate that config on their hand
I hope someone more experienced with open source processes might help me in this endeavor.
Cheers!
References : 
[1] https://wiki.archlinux.org/title/LXD#St … hine_fails
[2] https://superuser.com/questions/1660806 … ot-enabled
Last edited by Unitiser (2023-09-10 16:22:08)
Offline
Option 1 you can easily do yourself - the Arch Wiki is open to anyone to edit and/or discuss edits on the Talk page(s). For options 2 and 3, are there any MS licensing complications with packaging that file?
Offline
Thank you for your reply.
I wouldn't be able to tell about the legal issues surrounding the use of those files. As far as I know Microsoft publishes the KEK and DB for this exact purpose.
I added an entry in the discussion page with a copy of the relevent details from the first post and added the actual workaround and some of my interogations. I'll put them here as reference.
---
The proper solution was to:
* Follow the procedure in [2] to generate OVMF_VARS.ms.fd.
* Place a copy of `OVMF_VARS.ms.fd` in the LXD vm folder (or anywhere LXD can manage). Here my VM is called `w11sb`.
* Point to it with `raw.qemu` args as follow :
```
raw.qemu: -drive if=pflash,format=raw,readonly=on,file="/usr/share/OVMF/x64/OVMF_CODE.secboot.fd"
     -drive if=pflash,format=raw,file="/var/lib/lxd/virtual-machines/w11sb/OVMF_VARS.ms.fd"
     -bios /usr/share/OVMF/x64/OVMF_CODE.secboot.fd
```
Now, I'm writting this talk section because of the following :
1) Generating the `OVMF_VARS.ms.fd` configuration using procedure [2] doesn't feel right in the LXD page context. Yet, I don't think there's an OVMF specific page. The closest thing would be Testing_UEFI_in_systems_without_native_support [3]
2) Having to manually manage the `OVMF_VARS.ms.fd` in the LXD internals when you spawn a VM feels quite horrible.
3) The raw.qemu workaround include an odd trick that I figure out myself through trial and error. I'm not sure if that should be documented or reported. Here are the details as reference :
```
It is my understanding that you should simply have to point "-bios" to "OVMF_CODE.secboot.fd" to get it working. Yet if I do just that, the VM doesn't load at all. Now you can also use "-drive" to specify the 2 pflash drive manually. If I do that, I get an error where the fd are already taken. So I noticed that when you add the "-bios" field, LXD detects it and ommits to generate the pflash drives in qemu.conf.
```
Offline