On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:
> Hello all:
>
> I am looking for a way to disable secure boot for UEFI guests:
> In 3.2.0 I use the command blow to achieve it:
>
> # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2
> --memory 4096 --file-size=20 --boot uefi --boot
> nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd
>
> However, in 4.0.0 I cannot get the same result for this cmd
>
> Expect VM is booted with secureboot disabled. But the actual result is the
> VM is booted with secureboot enabled.
>
> # mokutil --sb-state
> SecureBoot enabled
>
> ...
> <os>
> <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
> <loader readonly='yes' secure='no'
> type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
> <nvram
> template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
> <boot dev='hd'/>
> </os>
> ...
>
> It seems it still creates guests with
> "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.
This should do what you want:
--boot uefi,firmware.feature0.name=enrolled-keys,firmware.feature0.enabled=no,firmware.feature1.name=secure-boot,firmware.feature1.enabled=yes
A bit of a mouthful, I know :) The equivalent XML snippet would be
<os firmware='efi'>
<firmware>
<feature enabled='no' name='enrolled-keys'/>
<feature enabled='yes' name='secure-boot'/>
</firmware>
</os>
See https://libvirt.org/kbase/secureboot.html for additional
information.
Note that asking for the 'secure-boot' feature to be enabled should
not be necessary, but if you don't specify that your VM will, at
least on Fedora, end up using the OVMF_CODE.cc.fd build intended for
Confidential Computing instead of the general purpose one. Things
might work regardless, but it's probably safer to use
OVMF_VARS.secboot.fd instead. I'll update the kbase entry to include
this information shortly.
--
Andrea Bolognani / Red Hat / Virtualization
