
#1 2022-06-15 05:50:49

giannis-arch
Member
Registered: 2017-09-20
Posts: 20

[solved] Building OVMF fw with Secure Boot & TPM module for Windows

Hi,

Because the Arch Linux OVMF files do not have Secure Boot for Windows, an alternative is to use the OVMF files from another distribution (I used the Debian OVMF files, and they work well).
So now I am trying to build an OVMF firmware with my custom key, the Windows certificate, and the TCG2 configuration. I created and imported the custom key. Then I downloaded and imported the Microsoft Key Exchange Key (KEK) and the Microsoft Allowed Signature Database (DB).
I built the OVMF file with -D SECURE_BOOT_ENABLE and Secure Boot is activated. But there is one more issue: the TPM module. It is needed for the Windows 11 installation (if you do not want to hack the registry ...).

I tried the parameters:
-D TPM_ENABLE -D TPM_CONFIG_ENABLE
-D TPM1_ENABLE -D TPM1_CONFIG_ENABLE
-D TPM2_ENABLE -D TPM2_CONFIG_ENABLE
but none of them was successful. The process completes normally, but the TCG2 configuration menu is not visible in the UEFI configuration menu.

swtpm is installed. And of course there is a TPM module in the host.

So, what is the right parameter (or parameters)?

Last edited by giannis-arch (2022-06-15 14:08:46)


#2 2022-06-15 10:32:00

giannis-arch
Member
Registered: 2017-09-20
Posts: 20

Re: [solved] Building OVMF fw with Secure Boot & TPM module for Windows

The parameter for TPM activation is -D TPM2_ENABLE (for TPM 2.0).
The parameter for Secure Boot activation is -D SECURE_BOOT_ENABLE.
For the TCG2 configuration menu to be visible, swtpm must be enabled.


#3 2022-06-15 12:33:20

progandy
Member
Registered: 2012-05-17
Posts: 5,307

Re: [solved] Building OVMF fw with Secure Boot & TPM module for Windows

I think the OVMF_CODE.secureboot.fd provided by Arch should work as well if you follow the traditional guide to set up Secure Boot with your own keys. Use them to sign the Microsoft keys, attach a device with all the files to your VM, boot the VM to the EFI UI and import everything.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |


#4 2022-06-15 14:08:32

giannis-arch
Member
Registered: 2017-09-20
Posts: 20

Re: [solved] Building OVMF fw with Secure Boot & TPM module for Windows

Yes, you are right. I tested the Arch Linux OVMF_CODE.secureboot.fd and I can insert my key and sign the Microsoft .crt with it. And it has the TCG2 / TPM module active. One extra note from me:
the -global ICH9-LPC.disable_s3=1 option is not enough. Because this OVMF file is built with SMM support, the smm=on option is necessary, something like -M q35,smm=on,accel=kvm, to be able to boot.

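A launcher that ties the thread's findings together, added here as an example and not code from the thread: it starts swtpm, boots the Arch OVMF_CODE.secureboot.fd with a per-VM writable copy of the variable store, and passes -M q35,smm=on as post #4 requires. All file paths, the VM_DIR layout and the keys.iso name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: launch a VM with the Arch
# OVMF secure-boot image plus a swtpm-backed TPM 2.0, combining what the
# thread arrives at (swtpm running, -M q35,smm=on). Paths are assumptions.
set -eu

OVMF_CODE=${OVMF_CODE:-/usr/share/ovmf/x64/OVMF_CODE.secureboot.fd}   # assumed path
OVMF_VARS_TEMPLATE=${OVMF_VARS_TEMPLATE:-/usr/share/ovmf/x64/OVMF_VARS.fd}  # assumed
VM_DIR=${VM_DIR:-${HOME:-/tmp}/vms/win11}                               # assumed
DISK=${DISK:-$VM_DIR/disk.qcow2}
KEYS_ISO=${KEYS_ISO:-$VM_DIR/keys.iso}   # PK/KEK/db files to enrol from the UEFI menu

# Each VM gets its own writable copy of the variable store: the enrolled
# PK/KEK/db live there, so a shared or read-only copy would lose them.
prepare_vars() {   # usage: prepare_vars <template> <dest>; prints <dest>
    [ -f "$2" ] || cp "$1" "$2"
    printf '%s\n' "$2"
}

# swtpm invocation: emulated TPM 2.0 with persistent state under $1, exposed
# on a UNIX control socket that QEMU connects to (swtpm must be installed).
swtpm_cmd() {   # usage: swtpm_cmd <state-dir>
    printf '%s\n' "swtpm socket --tpm2 --tpmstate dir=$1 --ctrl type=unixio,path=$1/swtpm-sock --daemon"
}

# QEMU invocation, one argument group per line. smm=on is the key setting:
# the secure-boot OVMF build keeps the authenticated variable store behind
# SMM and will not boot without it. No disable_s3 (post #5: not needed).
qemu_cmd() {   # usage: qemu_cmd <vars-file> <tpm-state-dir>
    printf '%s\n' \
        "qemu-system-x86_64 -M q35,smm=on,accel=kvm -cpu host -m 4G" \
        "-drive if=pflash,format=raw,readonly=on,file=$OVMF_CODE" \
        "-drive if=pflash,format=raw,file=$1" \
        "-chardev socket,id=chrtpm,path=$2/swtpm-sock" \
        "-tpmdev emulator,id=tpm0,chardev=chrtpm" \
        "-device tpm-tis,tpmdev=tpm0" \
        "-drive file=$DISK,if=virtio" \
        "-cdrom $KEYS_ISO"
}

launch() {
    mkdir -p "$VM_DIR/tpm"
    vars=$(prepare_vars "$OVMF_VARS_TEMPLATE" "$VM_DIR/OVMF_VARS.fd")
    eval "$(swtpm_cmd "$VM_DIR/tpm")"
    eval "$(qemu_cmd "$vars" "$VM_DIR/tpm" | tr '\n' ' ')"
}

# Run only when invoked as: sh launch-win11.sh run
if [ "${1:-}" = run ]; then launch; fi
```

Enrol your PK, then the Microsoft KEK and db entries, from the firmware's Secure Boot menu on the first boot; they persist in the per-VM OVMF_VARS.fd copy.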

#5 2022-06-15 14:20:42

progandy
Member
Registered: 2012-05-17
Posts: 5,307

Re: [solved] Building OVMF fw with Secure Boot & TPM module for Windows

ICH9-LPC.disable_s3=1 should not be necessary, since the secureboot image for arch is built as ia32x64. https://bugs.archlinux.org/task/59465


