On Tue, Apr 16, 2019 at 05:07:30PM -0400, Cole Robinson wrote:
> On 4/16/19 12:50 PM, Kashyap Chamarthy wrote:

[...]

> > There is the /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd file (which comes
> > with the default UEFI keys enrolled).
> >
> > So, the mapping of OVMF binary to VARS file in the earlier mentioned
> > 'nvram' section should have been:
> >
> > /usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
> >
> > Yes?
> >
>
> Unfortunately the qemu.conf comment is not authoritative. I believe
> that's the default value hardcoded in libvirt, but it can also be
> changed with a build time flag, which we do for fedora. The spec file
> has this change:
>
> %if 0%{?fedora}
> # Nightly edk2.git-ovmf-x64
> LOADERS="/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd"
> # Nightly edk2.git-ovmf-ia32
> LOADERS="$LOADERS:/usr/share/edk2.git/ovmf-ia32/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-ia32/OVMF_VARS-pure-efi.fd"
> # Nightly edk2.git-aarch64
> LOADERS="$LOADERS:/usr/share/edk2.git/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2.git/aarch64/vars-template-pflash.raw"
> # Nightly edk2.git-arm
> LOADERS="$LOADERS:/usr/share/edk2.git/arm/QEMU_EFI-pflash.raw:/usr/share/edk2.git/arm/vars-template-pflash.raw"
>
> # Fedora edk2-ovmf
> LOADERS="$LOADERS:/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
> # Fedora edk2-ovmf-ia32
> LOADERS="$LOADERS:/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd:/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"
> # Fedora edk2-aarch64
> LOADERS="$LOADERS:/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw"
> # Fedora edk2-arm
> LOADERS="$LOADERS:/usr/share/edk2/arm/QEMU_EFI-pflash.raw:/usr/share/edk2/arm/vars-template-pflash.raw"
> %define arg_loader_nvram --with-loader-nvram="$LOADERS"
> %endif
>
> So that's 8 pairs that we look for in fedora.

Hmm, we should keep the comments in sync. Because unsuspecting users of
management tools get confused :-( I'll see if I can send a patch to
clean it up, if Michal or others don't already beat me to it.

> That default commented out
> value is probably what we use on RHEL with standard RHEL packaging

Even for RHEL it's wrong :-) Because RHEL only ships the OVMF binary and
its corresponding variable store ("VARS") file that are Secure
Boot-ready "out-of-the-box" (because it comes with UEFI keys enrolled in
it). Which are the following:

/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd

-- 
/kashyap
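
The pairing point made in this thread (a Secure Boot OVMF_CODE binary should map to a VARS file with keys enrolled) can be checked mechanically over a flat CODE:VARS list like the LOADERS value in the spec excerpt. The following is an added example, not part of the original message or of libvirt; the function names, the file-name heuristic and the sample list are assumptions made for illustration.

```python
import os

# Assumption: ".secboot." in the file name marks a Secure Boot build or a
# VARS file with keys enrolled, as in the paths quoted in this thread.
SECBOOT_MARK = ".secboot."


def parse_loader_nvram(value):
    """Split a flat 'CODE:VARS:CODE:VARS...' string into (code, vars) pairs."""
    fields = value.strip().split(":")
    if len(fields) % 2 != 0 or not all(fields):
        raise ValueError("expected an even number of non-empty ':'-separated paths")
    return list(zip(fields[0::2], fields[1::2]))


def audit_pairs(pairs, exists=os.path.exists):
    """Return (code, vars, reason) for every pair that looks inconsistent."""
    findings = []
    for code, nvram in pairs:
        code_sb = SECBOOT_MARK in os.path.basename(code)
        vars_sb = SECBOOT_MARK in os.path.basename(nvram)
        if code_sb and not vars_sb:
            findings.append((code, nvram, "secboot CODE mapped to non-secboot VARS"))
        elif vars_sb and not code_sb:
            findings.append((code, nvram, "non-secboot CODE mapped to secboot VARS"))
        missing = [p for p in (code, nvram) if not exists(p)]
        if missing:
            findings.append((code, nvram, "not installed: " + ", ".join(missing)))
    return findings


# Constructed sample built from paths quoted in the thread: a mismatched pair,
# the RHEL secboot pair, and the Fedora edk2-ovmf pair from the spec excerpt.
SAMPLE = ":".join([
    "/usr/share/OVMF/OVMF_CODE.secboot.fd", "/usr/share/edk2/ovmf/OVMF_VARS.fd",
    "/usr/share/OVMF/OVMF_CODE.secboot.fd", "/usr/share/OVMF/OVMF_VARS.secboot.fd",
    "/usr/share/edk2/ovmf/OVMF_CODE.fd", "/usr/share/edk2/ovmf/OVMF_VARS.fd",
])

if __name__ == "__main__":
    # exists is stubbed so the demo does not depend on locally installed files
    pairs = parse_loader_nvram(SAMPLE)
    for code, nvram, reason in audit_pairs(pairs, exists=lambda p: True):
        print(f"{reason}: {code} -> {nvram}")
```

Dropping the exists argument makes the audit also report pairs whose files are not installed on the host being checked.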