mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
= Using UEFI with QEMU

'''

[NOTE]
======

This page was automatically converted from https://fedoraproject.org/wiki/Using_UEFI_with_QEMU

It is probably

* Badly formatted
* Missing graphics and tables that do not convert well from mediawiki
* Out-of-date
* In need of other love

Please fix it, remove this notice, and then add to `_topic_map.yml`

Pull requests accepted at https://pagure.io/fedora-docs/fedora-howto

Once that is live, go to the original wiki page and add an `{{old}}`
tag, followed by a note like

....
{{admon/note|This page has a new home!|
This wiki page is no longer maintained. Please find the up-to-date
version at: https://docs.fedoraproject.org/whatever-the-url
}}
....

======

'''

[[firmware-installation]]
Firmware installation
---------------------

UEFI for x86 QEMU/KVM VMs is called OVMF (Open Virtual Machine
Firmware). It comes from EDK2 (EFI Development Kit), which is the UEFI
reference implementation.

[[installing-uefi-for-qemu-from-fedora-repos]]
Installing 'UEFI for QEMU' from Fedora repos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since June 2016, OVMF has been available in the Fedora repositories. All
you need installed is the `edk2-ovmf` RPM. Furthermore, it should now be a
dependency of the package, so you probably have it installed already.
This includes the firmware for secureboot (`OVMF_CODE.secboot.fd`).

[[installing-uefi-for-qemu-nightly-builds]]
Installing 'UEFI for QEMU' nightly builds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Gerd Hoffmann, Red Hatter and QEMU developer, has a dnf repo on his
personal site that provides nightly builds of a whole bunch of QEMU/KVM
firmware, including EDK2/OVMF.

Here's how to pull down the nightly builds for x86:

....
sudo dnf install dnf-plugins-core
sudo dnf config-manager --add-repo http://www.kraxel.org/repos/firmware.repo
sudo dnf install edk2.git-ovmf-x64
....

Note, these are nightly builds, and may occasionally be broken.

[[optionally-configure-libvirtd-to-advertise-uefi-support]]
Optionally Configure libvirtd to advertise UEFI support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Libvirt needs to know the mapping from each UEFI firmware image to its
NVRAM config file, so it can advertise UEFI support to tools like
virt-manager and virt-install. On Fedora 22 and later, the libvirt packages
are configured to look for the nightly build paths, so this will work out
of the box.

However, if you want to use custom binaries, you will need to edit the
`nvram` variable in `/etc/libvirt/qemu.conf` and restart libvirtd.

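An added example (not part of the original page or of libvirt): a shell audit of the `nvram` list in a qemu.conf, which holds `"CODE:VARS"` path pairs. It checks that each firmware file exists and is not writable by group or other, since the firmware image anchors the guest's Secure Boot chain. The function names, the optional root prefix and the `/opt/ovmf` sample paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the firmware files named in qemu.conf's nvram list.

# Print each "CODE:VARS" pair from the uncommented nvram = [ ... ] list.
nvram_pairs() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out defaults
        /^[ \t]*nvram[ \t]*=/ { inlist = 1 }
        inlist {
            line = $0
            while (match(line, /"[^"]+"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if ($0 ~ /\]/) inlist = 0
        }' "$1"
}

# True only for an existing regular file that group/other cannot write.
is_trusted_file() {
    [ -f "$1" ] || return 1
    case $(ls -ldL -- "$1" | cut -c6,9) in *w*) return 1 ;; esac
}

# audit_nvram CONF [ROOT]: ROOT is a hypothetical path prefix, used for testing.
audit_nvram() {
    conf=$1; root=${2:-}; rc=0
    for pair in $(nvram_pairs "$conf"); do
        for f in "${pair%%:*}" "${pair#*:}"; do
            if is_trusted_file "$root$f"; then echo "ok   $f"
            else echo "FAIL $f (missing, or writable by group/other)"; rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample: a custom build under /opt/ovmf (made-up path) in a temp root.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/opt/ovmf" || return 1
    printf 'nvram = [\n  "/opt/ovmf/OVMF_CODE.secboot.fd:/opt/ovmf/OVMF_VARS.fd"\n]\n' > "$t/qemu.conf"
    : > "$t/opt/ovmf/OVMF_CODE.secboot.fd"; chmod 644 "$t/opt/ovmf/OVMF_CODE.secboot.fd"
    : > "$t/opt/ovmf/OVMF_VARS.fd";         chmod 666 "$t/opt/ovmf/OVMF_VARS.fd"
    audit_nvram "$t/qemu.conf" "$t"; status=$?
    rm -rf "$t"; return "$status"
}
demo || echo "audit found problems"
```

Run it as `audit_nvram /etc/libvirt/qemu.conf` after editing the list and before restarting libvirtd.
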
[[creating-a-vm]]
Creating a VM
-------------

[[virt-manager]]
virt-manager
~~~~~~~~~~~~

Create a new VM in virt-manager. When you get to the final page of the
'New VM' wizard, do the following:

* Click 'Customize before install', then select 'Finish'
* On the 'Overview' screen, change the 'Firmware' field to select the
'UEFI x86_64' option.
* Click 'Begin Installation'
* The boot screen you'll see should use `linuxefi` commands to boot the
installer, and you should be able to run `efibootmgr` inside that
system, to verify that you're running a UEFI OS.

[[virt-install]]
virt-install
~~~~~~~~~~~~

Add `--boot uefi` to your `virt-install` command. Example:

....
sudo virt-install --name f20-uefi \
  --ram 2048 --disk size=20 \
  --boot uefi \
  --location https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/os/
....

[[testing-secureboot-in-a-vm]]
Testing Secureboot in a VM
--------------------------

These steps describe how to test Fedora Secureboot support inside a KVM
VM. The audience here is QA folks that want to test secureboot, and any
other curious parties. This requires configuring the VM to use UEFI, so
it builds upon the previous UEFI steps.

[[run-enrolldefaultkeys.efi]]
Run EnrollDefaultKeys.efi
~~~~~~~~~~~~~~~~~~~~~~~~~

(Formerly this article recommended the independent utility
"LockDown_ms.efi".)

Since OVMF doesn't ship with any SecureBoot keys installed, we need to
install some to mimic what an MS-certified UEFI machine will ship with.
OVMF now ships with the binaries required to set up a default set of
keys. The easiest way is to use UefiShell.iso, which is available at
`/usr/share/edk2/ovmf/UefiShell.iso`. Boot your VM with this as the
CD-ROM image and it should boot into the UEFI shell. At the prompt:

* Shell> fs0:
* FS0:\> EnrollDefaultKeys.efi
* FS0:\> reset
* The VM will restart. Let it boot into Fedora as normal. Log in.
* You should see the string 'Secure boot enabled' in dmesg. Secureboot
is now enabled for every subsequent boot.

[[testing-fedora-cddvd-secure-boot-in-a-vm]]
Testing Fedora CD/DVD Secure Boot in a VM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you have a secureboot configured VM as described above, it's easy
to use this to test ISO media secureboot support.

* Use virt-manager to attach the ISO media to your VM
* Use virt-manager to change the VM boot settings to boot off the CDROM
* Start the VM
* Switch to a terminal inside the VM and verify Secureboot is enabled by
checking dmesg

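Both this section and the EnrollDefaultKeys.efi steps end by checking dmesg. As an added example (not from the original page), the shell functions below read the same state from the firmware's `SecureBoot` and `SetupMode` variables in efivarfs, which also distinguishes a VM that has no keys enrolled yet. The function names are hypothetical; run it inside the guest.

```shell
#!/bin/sh
# Added example: read Secure Boot state from efivarfs inside the guest.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# Print the one data byte of a boolean EFI variable. efivarfs files start
# with a 4-byte attribute word, so the value is the fifth byte.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secureboot_state [DIR] prints: not-uefi | unknown | setup-mode | enabled | disabled
secureboot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || sb=
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=0
    case $sb in
        0|1) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$setup" = 1 ]; then
        echo setup-mode      # no Platform Key yet: keys still need enrolling
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Succeeds if kernel log text on stdin has the string the page says to look for.
dmesg_reports_secureboot() {
    grep -qi 'secure boot enabled'
}

echo "Secure Boot state (efivars): $(secureboot_state)"
```

A VM whose variable store has no keys enrolled reports `setup-mode`; `dmesg | dmesg_reports_secureboot` gives the log-based check the steps describe.
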
[[notes]]
Notes
-----

[[using-uefi-with-aarch64-vms]]
Using UEFI with AArch64 VMs
~~~~~~~~~~~~~~~~~~~~~~~~~~~

link:Architectures/ARM/AArch64[Fedora's AArch64 releases] will only run
on UEFI, so they require UEFI inside the VM. However, the steps are slightly
different. See this page for complete documentation:
https://fedoraproject.org/wiki/Architectures/AArch64/Install_with_QEMU

[[extra-links]]
Extra links
-----------

* QA:Testcase_Virtualization_UEFI[QA:Testcase Virtualization UEFI]
* http://www.linux-kvm.org/page/OVMF[KVM wiki OVMF page]
* https://wiki.ubuntu.com/SecurityTeam/SecureBoot[Ubuntu secureboot page]
* http://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm[OpenSUSE secureboot page]
* http://www.labbott.name/blog/2016/09/15/secure-ish-boot-with-qemu/[Using SecureBoot with QEMU]

'''

See a typo, something missing or out of date, or anything else which can be
improved? Edit this document at https://pagure.io/fedora-docs/fedora-howto.