On Wed, Aug 03, 2022 at 11:00:30AM -0500, Andrea Bolognani wrote:
> On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:
> > Hello all:
> >
> > I am looking for a way to disable secure boot for UEFI guests:
> > In 3.2.0 I use the command below to achieve it:
> >
> > # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2
> > --memory 4096 --file-size=20 --boot uefi --boot
> > nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd
> >
> > However, in 4.0.0 I cannot get the same result for this cmd
> >
> > I expect the VM to be booted with secureboot disabled. But the actual result is that the
> > VM is booted with secureboot enabled.
> >
> > # mokutil --sb-state
> > SecureBoot enabled
> >
> > ...
> > <os>
> >   <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
> >   <loader readonly='yes' secure='no' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
> >   <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
> >   <boot dev='hd'/>
> > </os>
> > ...
> >
> > It seems it still creates guests with
> > "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.
>
> This should do what you want:
>
> --boot uefi,firmware.feature0.name=enrolled-keys,firmware.feature0.enabled=no,firmware.feature1.name=secure-boot,firmware.feature1.enabled=yes
>
> A bit of a mouthful, I know :) The equivalent XML snippet would be
>
> <os firmware='efi'>
>   <firmware>
>     <feature enabled='no' name='enrolled-keys'/>
>     <feature enabled='yes' name='secure-boot'/>
>   </firmware>
> </os>

This seems to me to leave secureboot enabled, but with no enrolled keys.

To disable secureboot fully I use this

--boot firmware=efi,firmware.feature0.enabled=no,firmware.feature0.name=secure-boot \

With regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
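Added example, not code from the thread, from libvirt or from virt-install: a small Python check that reads a libvirt domain XML and reports which of the three states discussed above the guest will end up in (Secure Boot firmware with enrolled keys, Secure Boot firmware without keys, or no Secure Boot at all), for both the explicit <loader>/<nvram> form in Lucas's dump and the <os firmware='efi'> auto-selection form in the replies. It also builds the matching virt-install --boot string with the numbered firmware.featureN.* keys. The two XML documents are constructed for the example; the "secboot" file-name test for the explicit form is an assumption about how the edk2-ovmf packages on Fedora/RHEL name their Secure Boot build and key-enrolled VARS template, and the rule that enrolled-keys=yes requires secure-boot=yes mirrors the constraint libvirt documents for firmware auto-selection.

```python
"""Added example, not code from the thread or from libvirt/virt-install.

Inspect libvirt domain XML and report what the guest will see for Secure
Boot, then build the equivalent virt-install --boot argument.  Sample XML
below is constructed for this example.
"""
import os.path
import xml.etree.ElementTree as ET

# Constructed sample 1: explicit loader + key-enrolled NVRAM template
# (the combination from the thread that made mokutil report "enabled").
EXPLICIT_XML = """<domain type='kvm'>
  <name>explicit</name>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
</domain>"""

# Constructed sample 2: auto-selection, Secure Boot firmware but no keys.
AUTOSELECT_XML = """<domain type='kvm'>
  <name>autoselect</name>
  <os firmware='efi'>
    <type arch='x86_64' machine='q35'>hvm</type>
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
  </os>
</domain>"""


def firmware_state(xml_text):
    """Return a dict describing the Secure Boot settings in domain XML.

    secure_boot           firmware is a Secure Boot build (True/False/None)
    enrolled_keys         NVRAM template carries PK/KEK/db certificates
    guest_sees_secureboot expected `mokutil --sb-state` result; None when
                          the answer is left to libvirt's auto-selection
    """
    root = ET.fromstring(xml_text)
    os_el = root if root.tag == "os" else root.find("os")
    if os_el is None:
        raise ValueError("no <os> element in XML")

    if os_el.get("firmware") == "efi":
        form = "auto-select"
        feats = {f.get("name"): f.get("enabled") == "yes"
                 for f in os_el.findall("firmware/feature")}
        secure_boot = feats.get("secure-boot")
        enrolled = feats.get("enrolled-keys")
        # libvirt rejects enrolled-keys=yes together with secure-boot=no.
        if enrolled and secure_boot is False:
            raise ValueError("enrolled-keys=yes requires secure-boot=yes")
    else:
        form = "explicit"
        loader = os_el.find("loader")
        nvram = os_el.find("nvram")
        loader_path = loader.text if loader is not None else None
        template = nvram.get("template") if nvram is not None else None
        # Assumption: edk2-ovmf on Fedora/RHEL marks the Secure Boot build
        # and the key-enrolled VARS template with a 'secboot' infix.
        secure_boot = None if not loader_path else "secboot" in os.path.basename(loader_path)
        enrolled = None if not template else "secboot" in os.path.basename(template)

    if secure_boot is False or enrolled is False:
        guest_sees = False      # no SB-capable firmware, or no PK to enforce
    elif secure_boot and enrolled:
        guest_sees = True
    else:
        guest_sees = None       # decided by firmware auto-selection
    return {"form": form, "secure_boot": secure_boot,
            "enrolled_keys": enrolled, "guest_sees_secureboot": guest_sees}


def boot_option(secure_boot=None, enrolled_keys=None):
    """Build the virt-install --boot argument for the auto-selection form,
    using the numbered firmware.featureN.* keys shown in the thread."""
    if enrolled_keys and secure_boot is False:
        raise ValueError("enrolled-keys=yes requires secure-boot=yes")
    parts = ["firmware=efi"]
    n = 0
    for name, val in (("secure-boot", secure_boot), ("enrolled-keys", enrolled_keys)):
        if val is None:
            continue
        parts.append(f"firmware.feature{n}.name={name}")
        parts.append(f"firmware.feature{n}.enabled={'yes' if val else 'no'}")
        n += 1
    return "--boot " + ",".join(parts)


if __name__ == "__main__":
    for label, xml in (("explicit", EXPLICIT_XML), ("auto-select", AUTOSELECT_XML)):
        print(label, firmware_state(xml))
    print(boot_option(secure_boot=False))                      # SB fully off
    print(boot_option(secure_boot=True, enrolled_keys=False))  # SB firmware, no keys
```

Two things the check makes visible: the secure='no' attribute on <loader> in the quoted dump is about whether libvirt enables the SMM-backed write protection of the pflash varstore, not about which keys are present, so it does not stop the guest from reporting SecureBoot enabled when the .secboot VARS template already carries a PK; and in the auto-selection form the only way to get a guest that reports SecureBoot disabled is to either disable enrolled-keys (Secure Boot capable firmware left without a PK) or disable secure-boot outright, which is the option Daniel gives above.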