From Fedora Project Wiki

Revision as of 18:14, 24 January 2014

Testing secureboot with KVM

This page documents how to test Fedora 18 Secureboot support inside a KVM VM. The audience here is QA folks that want to test secureboot, and any other curious parties.

Install OVMF

OVMF (Open Virtual Machine Firmware) is basically UEFI for KVM. It comes from EDK2 (EFI Development Kit), which is the UEFI reference implementation.

Unfortunately there are licensing issues which prevent us from getting EDK2/OVMF into Fedora (see the EDK2 Licensing Issues section at the end of this document for more info). So we have to grab external packages:

 sudo rpm -ivh http://fedorapeople.org/~crobinso/secureboot/edk2.manual-0-0.20130221.944c84a6.x86_64.rpm

Install an F18 VM with UEFI

First we need to install a guest using UEFI instead of traditional BIOS. Anaconda will put all the right bits in place for us. You can probably convert an existing BIOS guest to use UEFI, but I haven't found steps to do so.

I recommend using a DVD, network installs seem to be sloooow using OVMF:

 sudo virt-install --name f18-uefi --ram 2048 --boot loader=/usr/share/edk2.manual/ovmf-x64/OVMF-pure-efi.fd --disk /var/lib/libvirt/images/f18-uefi.qcow,format=qcow2,size=10 --os-variant fedora18 --cdrom /path/to/Fedora-18-x86_64-DVD.iso

Follow the install to completion, log in and do firstboot, then move along. Secure boot isn't set up yet.

Grab LockDown_ms.efi

Since OVMF doesn't ship with any SecureBoot keys installed, we need to install some to mimic what an MS certified UEFI machine will ship with. But here's a crappy thing about OVMF and KVM: right now there's no way to persist UEFI config across VM start/stop.

Improvements in Fedora 20: With qemu 1.6 and later, a -pflash bios.bin option is supposed to enable persistent EFI variables. This may or may not also require -no-kvm.

So if we want to test SecureBoot, we need to install the MS keys and enable secureboot on every VM restart.

Luckily there's a tool that does all this for us, called LockDown_ms.efi. This is derived from code in efitools.git.

Inside the guest, do:

 sudo wget http://fedorapeople.org/~crobinso/secureboot/LockDown_ms.efi -O /boot/efi/EFI/fedora/LockDown_ms.efi

Enable SecureBoot and verify it's all working

As mentioned above, this needs to be done on every VM boot.

  1. Wait until the TianoCore splash screen pops up, hit ESC
  2. Select 'Boot Manager'
  3. Select 'EFI Internal Shell'
  4. Shell> fs0:
  5. fs0:\> \EFI\fedora\LockDown_ms.efi
  6. fs0:\> \EFI\fedora\shim.efi
  7. Guest boots, log in, should see 'Secure boot enabled' in dmesg
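Step 7 relies on spotting 'Secure boot enabled' in dmesg. The following shell snippet is an added example, not part of the wiki page, that instead decodes the firmware's SecureBoot variable as the kernel exposes it through efivarfs (assumes a kernel with efivarfs mounted at /sys/firmware/efi/efivars; the sample files it builds are constructed to mimic that layout so the decoder can be exercised anywhere):

```shell
#!/bin/sh
# Decode the UEFI SecureBoot variable from efivarfs. An efivarfs file is
# 4 bytes of little-endian attributes followed by the variable data; for
# SecureBoot the data is a single byte: 1 = enabled, 0 = disabled.

# Real variable path on a UEFI-booted guest (EFI global variable GUID).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the data byte of an efivarfs file as a decimal number, or "missing"
# when the file is absent (BIOS boot, no efivarfs) or too short.
sb_value() {
    f=$1
    if [ ! -r "$f" ]; then echo missing; return 0; fi
    # skip the 4 attribute bytes, read exactly 1 data byte as unsigned
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ -n "$v" ] && echo "$v" || echo missing
}

# Map the raw byte to a human-readable state.
sb_state() {
    case "$(sb_value "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo missing ;;
    esac
}

# Build a constructed efivarfs-style sample file: $1 = path, $2 = data byte
# (0 or 1). Attributes 0x00000006 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
mk_sample() {
    printf '\006\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")" >> "$1"
}

# When run on a real guest, report the live state and cross-check dmesg.
if [ -r "$SB_VAR" ]; then
    echo "SecureBoot variable: $(sb_state "$SB_VAR")"
    dmesg 2>/dev/null | grep -i 'secure boot' || true
else
    echo "no SecureBoot variable found (not a UEFI guest, or efivarfs not mounted)"
fi
```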


Misc bits

EDK2 Licensing Issues

EDK2 contains a FAT filesystem driver that is licensed under terms that make it not acceptable for packaging in Fedora. In particular, there's a usage restriction only allowing the code to be used in a UEFI implementation. More details at Edk2-fat-driver.

The driver is critical functionality so removing it is not an option.

Running EDK2 nightly builds

Gerd Hoffmann, Red Hatter and QEMU developer, has a yum repo on his personal site that provides nightly builds of a whole bunch of QEMU/KVM firmware, including EDK2/OVMF.

Currently though, the latest OVMF broke F18 SecureBoot: running the above steps will give the following error when trying to boot shim.efi:

 Error reported: Security Violation

There's a fix in upstream pesign, but as of this writing, shim in F18 hasn't been regenerated to pick up the fix.

Regardless, here's how to pull down the nightly builds:

 sudo wget http://www.kraxel.org/repos/firmware.repo -O /etc/yum.repos.d/firmware.repo
 # Disable by default, likely preferred for QA
 sudo sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/firmware.repo
 sudo yum --enablerepo=qemu-firmware-jenkins install edk2.git-ovmf-x64

The OVMF image is at:

 /usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd

Pointing an existing guest at OVMF

To alter an existing guest to use OVMF, or change the OVMF build it uses, do sudo virsh edit $vmname and add

 <domain>
   ...
   <os>
     ...
     <loader>/path/to/OVMF-pure-efi.fd</loader>
   </os>
 </domain>

Testing F18 DVD Secure Boot in a VM

Since we can't easily alter the DVD to add LockDown_ms.efi, we get it into the VM using a mini disk image:

 wget http://fedorapeople.org/~crobinso/secureboot/lockdown.qcow2
 sudo virsh attach-disk $VMNAME --target hdb --source lockdown.qcow2 --subdriver qcow2 --config

Then do

  • Launch the VM, drop to the EFI shell
  • If your guest only has a CDROM attached, lockdown.qcow2 should be fs0
  • Shell> fs0:
  • fs0:\> LockDown_ms.efi
  • fs0:\> exit
  • Back in the config screen, Select 'Boot Manager'
  • Select 'EFI DVD/CDROM'
  • Once anaconda starts, grab shell, log in, verify secure boot is enabled

Extra links