Introduction

These instructions let you set up a virtual machine based on KVM and Tianocore with secure boot enabled. The firmware used here already has the Microsoft keys built in, and probably the Red Hat ones too.

These instructions should be run as a normal user. We assume sudo has been installed and the user who runs the commands can use sudo to get root privileges.

Requirements

Initial UEFI Setup

We will use separate OVMF_CODE.fd and OVMF_VARS.fd files so that each virtual machine can have its own UEFI variables.

Install kvm, if it is not installed yet, together with ovmf (ovmf is not strictly needed, see the TO DO section below).

sudo apt-get install qemu-kvm ovmf

Create our virtual machine directory where its associated files live.

mkdir ~/gnu/secureboot-vm
cd ~/gnu/secureboot-vm

Get secureboot firmware from Fedora

Note: this is not needed any more: ovmf 0~20191122.bd85bf54-1 contains OVMF_CODE.secboot.fd and OVMF_VARS.ms.fd.

Note that there are three differences between Fedora 33's package and ovmf 2020.08-1

First of all we install the rpm package so that we can extract the contents of the Fedora package.

sudo apt-get install rpm

We will create and use a temporary directory so that we don't clutter our system too much.

mkdir tmp-fedora-rpm
cd tmp-fedora-rpm

We are interested in Fedora's secboot build of the OVMF_CODE and OVMF_VARS .fd files, so that we don't have to enrol the secure boot keys manually.

wget "https://download-ib01.fedoraproject.org/pub/fedora-secondary/updates/30/Everything/i386/Packages/e/edk2-ovmf-20190501stable-2.fc30.noarch.rpm"
rpm2cpio edk2-ovmf-20190501stable-2.fc30.noarch.rpm | cpio -idmv
cp ./usr/share/OVMF/UefiShell.iso ../
cp ./usr/share/edk2/ovmf/OVMF_CODE.secboot.fd ../OVMF_CODE.fd
cp ./usr/share/edk2/ovmf/OVMF_VARS.secboot.fd ../OVMF_VARS.fd

Now we can remove the temporary directory.

cd ..
rm -rf tmp-fedora-rpm

Updates on November 2020 (Debian Bullseye is assumed)

Seeing if secure boot is active

When a recent Linux kernel (including Debian Buster's 4.19) is booted with secure boot enabled, dmesg should print:

secureboot: Secure boot enabled
Kernel is locked down from EFI Secure Boot mode

Otherwise secure boot is not active.
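As an added check (not part of the original page), the guest can also read the SecureBoot and SetupMode UEFI variables directly from efivarfs instead of grepping dmesg; it assumes efivarfs is mounted at /sys/firmware/efi/efivars (override with EFIVARS_DIR) and that each variable file is a 4-byte attribute header followed by a single data byte.

```shell
#!/bin/sh
# Added example (not from the original wiki page): check secure boot state
# inside the guest from the UEFI variables themselves rather than from dmesg.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars (override with
# EFIVARS_DIR). Each file there is 4 bytes of attributes followed by the data;
# SecureBoot and SetupMode each carry a single data byte.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# var_byte FILE -> prints the first data byte (skips the 4-byte header)
var_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# find_var DIR NAME -> path of NAME-<vendor GUID> in DIR, if present
find_var() {
    for f in "$1"/"$2"-*; do
        [ -e "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# secureboot_state FILE -> "enabled" (status 0), "disabled" or "unknown" (1)
secureboot_state() {
    case "$(var_byte "$1" 2>/dev/null)" in
        1) echo "enabled"; return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Report both variables: SecureBoot=1 alone is not enough, SetupMode=1 means
# no Platform Key is enrolled and the firmware enforces no signatures.
check_guest() {
    sb=$(find_var "$EFIVARS_DIR" SecureBoot) || {
        echo "no EFI variables found: legacy BIOS boot or efivarfs not mounted"
        return 2
    }
    state=$(secureboot_state "$sb") || true
    sm=$(find_var "$EFIVARS_DIR" SetupMode) && setup=$(var_byte "$sm")
    echo "SecureBoot: $state (SetupMode: ${setup:-unknown})"
    [ "$state" = "enabled" ] && [ "${setup:-1}" = "0" ]
}

# Run inside the VM with "check" as the argument, e.g.: sh sbcheck.sh check
if [ "${1:-}" = "check" ]; then check_guest; fi
```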

Change of the boot order

Recent Fedora RPM package does not need the change of boot order described below. For ovmf 2020.08-1, the change of boot order is usually necessary because the UEFI shell has the highest boot priority in OVMF_VARS*.ms.fd.

QEMU options to activate secure boot

Start qemu-system-x86_64 or qemu-system-i386 with the following options:

-machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.secboot.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.secboot.fd

Note that OVMF*.ms.fd in ovmf 2020.08-1 does not work with the above options due to bug 973783.
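The following launcher is an added example, not the page's own commands: it gives each VM its own writable copy of the variable store and always passes the options listed above (smm=on and the pflash secure property, which confine variable-store writes to SMM so a compromised guest OS cannot rewrite the key databases). The firmware directory /usr/share/OVMF and the template name OVMF_VARS.secboot.fd are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the original wiki page: launcher that prepares a
# per-VM copy of the OVMF variable store and builds the QEMU options the page
# lists. Assumptions: firmware files live in /usr/share/OVMF and the variable
# store template is OVMF_VARS.secboot.fd; override with the variables below.
OVMF_DIR="${OVMF_DIR:-/usr/share/OVMF}"
OVMF_CODE="${OVMF_CODE:-$OVMF_DIR/OVMF_CODE.secboot.fd}"
VARS_TEMPLATE="${VARS_TEMPLATE:-$OVMF_DIR/OVMF_VARS.secboot.fd}"

# prepare_vars TEMPLATE VMDIR -> copies TEMPLATE to VMDIR/OVMF_VARS.fd once
# (never overwriting an existing store, which holds the VM's enrolled keys
# and boot order) and prints the per-VM path
prepare_vars() {
    tmpl="$1"; dst="$2/OVMF_VARS.fd"
    [ -f "$tmpl" ] || { echo "variable-store template not found: $tmpl" >&2; return 1; }
    mkdir -p "$2"
    [ -f "$dst" ] || cp "$tmpl" "$dst"
    echo "$dst"
}

# qemu_secureboot_args CODE VARS -> prints the firmware-related QEMU options:
# CODE is attached read-only, VARS is the only writable flash, and smm=on plus
# the pflash "secure" property confine flash writes to SMM
qemu_secureboot_args() {
    printf '%s ' \
        -machine q35,smm=on \
        -global driver=cfi.pflash01,property=secure,value=on \
        -drive "if=pflash,format=raw,unit=0,file=$1,readonly=on" \
        -drive "if=pflash,format=raw,unit=1,file=$2"
}

# launch_vm VMDIR DISK -> boot the raw DISK image with VMDIR's variable store
launch_vm() {
    vars=$(prepare_vars "$VARS_TEMPLATE" "$1") || return 1
    # paths without spaces are assumed: the option string is word-split
    exec qemu-system-x86_64 -m 2048 $(qemu_secureboot_args "$OVMF_CODE" "$vars") \
        -drive "file=$2,format=raw,index=0,media=disk" -boot menu=on
}

# Usage: sh sb-launch.sh run ~/gnu/secureboot-vm /path/to/image.img
if [ "${1:-}" = "run" ]; then launch_vm "$2" "$3"; fi
```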

Test a virtual machine and change its boot order

In this case we want to test a raw image as the main hard disk with this filename: /home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img.

sudo kvm \
 -m 2048 \
 --machine pc-q35-2.5 \
 -drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd \
 -drive if=pflash,format=raw,file=./OVMF_VARS.fd \
 -drive file=/home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img,format=raw,index=0,media=disk \
 -boot menu=on

Press ESC when the machine boots and you see "Start boot option" at the bottom.

Choose the following options from the UEFI menus:

Press Enter

What you get is:

UEFI QEMU DVD-ROM
UEFI PXEv4
UEFI PXEv4
UEFI PXEv6
UEFI QEMU HARDDISK QM00001

Now we change the list to this order:

UEFI QEMU DVD-ROM
UEFI QEMU HARDDISK QM00001
UEFI PXEv4
UEFI PXEv4
UEFI PXEv6


That way we avoid having to wait for the different UEFI PXE entries to timeout.

Press Enter when finished, choose "Commit Changes and Exit", then press ESC until you leave the firmware setup.

Test a virtual machine

sudo kvm \
 -m 2048 \
 --machine pc-q35-2.5 \
 -drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd \
 -drive if=pflash,format=raw,file=./OVMF_VARS.fd \
 -drive file=/home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img,format=raw,index=0,media=disk \
 -boot menu=on

What you get

You should now be able to boot CD-ROM or hard disk images that support secure boot. Any image whose bootloader is not properly signed with the Microsoft or Red Hat keys will fail to boot.

The read-only firmware for your virtual machine is located at: ~/gnu/secureboot-vm/OVMF_CODE.fd.

The read-write state of the UEFI variables for that specific virtual machine is located at: ~/gnu/secureboot-vm/OVMF_VARS.fd.

Notes

virt-manager

I prefer using qemu or kvm rather than relying on virt-manager or another GUI. If you manage to adapt these instructions to virt-manager, please write another page and link to it from this one. It is really easy to activate secure boot with virt-manager 1:3.1.0-1, ovmf 2020.08-1 and qemu-system-x86 1:5.1-dfsg-4+b1:

  1. Choose "Customize configuration before install", as shown in
    http://34.83.134.122/virt-manager1.png

  2. Choose Q35 as Chipset and OVMF_CODE_4M.ms.fd as Firmware, as shown in
    http://34.83.134.122/virt-manager2.png

  3. That's all!

Useful links

TO DO

Debian only method with secureboot images

The Debian ovmf package provides:

Just install the Debian ovmf package and use these files instead.

Debian only method with UefiShell.iso from Fedora

If someone else manages to use default Debian files:

with the UefiShell.iso file from Fedora's edk2-ovmf package, so that you can turn a non-secure-boot VM into a secure boot one manually, please update this page. I prefer doing that step manually rather than relying on:

which have those keys embedded.

Thank you

Thanks to the people from the #debian-efi channel on OFTC for their patience, because I usually ask too many questions there.