Re: How can I disable secure boot using virt-install cli?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:
> Hello all:
> I am looking for a way to disable secure boot for UEFI guests:
> In 3.2.0 I use the command blow to achieve it:
> # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2
> --memory 4096 --file-size=20 --boot uefi --boot
> nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd
> However, in 4.0.0 I cannot get the same result for this cmd
> Expect VM is booted with secureboot disabled. But the actual result is the
> VM is booted with secureboot enabled.
> # mokutil --sb-state
> SecureBoot enabled
> ...
> <os>
>     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
>     <loader readonly='yes' secure='no'
> type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
>     <nvram
> template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
>     <boot dev='hd'/>
>   </os>
> ...
> It seems it still creates guests with
> "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.

This should do what you want:

  --boot uefi,,firmware.feature0.enabled=no,,firmware.feature1.enabled=yes

A bit of a mouthful, I know :) The equivalent XML snippet would be

  <os firmware='efi'>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>

See for additional

Note that asking for the 'secure-boot' feature to be enabled should
not be necessary, but if you don't specify that your VM will, at
least on Fedora, end up using the build intended for
Confidential Computing instead of the general purpose one. Things
might work regardless, but it's probably safer to use
OVMF_VARS.secboot.fd instead. I'll update the kbase entry to include
this information shortly.

Andrea Bolognani / Red Hat / Virtualization

[Index of Archives]     [Linux Virtualization]     [KVM Development]     [CentOS Virtualization]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux