I have had too many problems trying to setup a proper secure boot in a kvm virtual machine.
.
Feel free to edit wiki page if you find anything that can be improved.
In any case in order to ease feedback I copy and paste the current page contents so that you can comment inline here in the mailing list.
Introduction
These instructions let you setup a virtual machine setup based on KVM and Tianocore which has secure boot on. This setup has already Microsoft keys built-in and probably the Redhat ones.
These instructions should be run as a normal user. We assume sudo has been installed and the user who runs the commands can use sudo to get root privileges.
Requirements
VT-Technology or AMD-V (virtualization) turned on on your computer
Debian Buster 10 amd64 installation booted from an 64-bit kernel
Initial UEFI Setup
We will use separate OVMF_CODE.fd an OVMF_VARS.fd files so that each virtual machine can have its own UEFI variables
Install kvm if we have not yet and ovmf (ovmf is not strictly needed, see #TO DO below).
sudo apt-get install qemu-kvm ovmf
Create our virtual machine directory where its associated files live.
mkdir ~/gnu/secureboot-vm
cd ~/gnu/secureboot-vm
Get secureboot firmware from Fedora
First of all we get rpm package so that we can extract its contents.
sudo apt-get install rpm
We will create and use a temporary directory so that we don't mess too much our system.
mkdir tmp-fedora-rpm
cd tmp-fedora-rpm
We are interested on the Fedora's secboot version of the OVMF_CODE and OVMF_VARS fd files. So that we don't have to add secure boot keys manually.
wget "
https://download-ib01.fedoraproject.org/pub/fedora-secondary/updates/30/Everything/i386/Packages/e/edk2-ovmf-20190501stable-2.fc30.noarch.rpm"
rpm2cpio edk2-ovmf-20190501stable-2.fc30.noarch.rpm | cpio -idmv
cp ./usr/share/OVMF/UefiShell.iso ../
cp ./usr/share/edk2/ovmf/OVMF_CODE.secboot.fd ../OVMF_CODE.fd
cp ./usr/share/edk2/ovmf/OVMF_VARS.secboot.fd ../OVMF_VARS.fd
Now we can remove temporary stuff.
cd ..
rm -rf tmp-fedora-rpm
Test a virtual machine and change its boot order
In this case we want to test a raw image as the main hard disk with this filename: /home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img .
sudo kvm \
-m 2048 \
--machine pc-q35-2.5 \
-drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd \
-drive if=pflash,format=raw,file=./OVMF_VARS.fd \
-drive file=/home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img,format=raw,index=0,media=disk \
-boot menu=on
Press ESC when the machine boots and you see: Start boot option at the bottom.
Choose the following options from the UEFI menus:
Boot Maintenance Manager
Boot Options
Change Boot Order
Press Enter
What you get is:
UEFI QEMU DVD-ROM
UEFI PXEv4
UEFI PXEv4
UEFI PXEv6
UEFI QEMU HARDDISK QM00001
Now, we will change the list into this order:
UEFI QEMU DVD-ROM
UEFI QEMU HARDDISK QM00001
UEFI PXEv4
UEFI PXEv4
UEFI PXEv6
.
That way we avoid having to wait for the different UEFI PXE entries to timeout.
Press enter when finished. Commit Changes and Exit Press ESC till you get out of the BIOS.
Test a virtual machine
sudo kvm \
-m 2048 \
--machine pc-q35-2.5 \
-drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd \
-drive if=pflash,format=raw,file=./OVMF_VARS.fd \
-drive file=/home/rescatuxs/super_grub2_disk_hybrid_secureboot_usb_2.04s2-beta1.img,format=raw,index=0,media=disk \
-boot menu=on
What you get
You should be able to boot secure boot enabled cdrom or hard disk images. If any of these images are not properly signed by the Microsoft or Redhat keys then they will fail to boot.
The read only firmware for your virtual machine is located at: ~/gnu/secureboot-vm/OVMF_CODE.fd .
The read and write state of your UEFI variables for that specific virtual machine is located at: ~/gnu/secureboot-vm/OVMF_VARS.fd .
Notes
Apparently pc-q35-2.5 qemu machine type is needed so that secureboot works or, at least, shows a graphical output.
Useful links
https://fedoraproject.org/wiki/Using_UEFI_with_QEMUhttps://artem.services/?p=752https://ubs_csse.gitlab.io/secu_os/tutorials/virtual_env.htmlhttps://askbot.fedoraproject.org/en/question/86384/wiki-using-uefi-with-qemu/TO DO
Debian only method with secureboot images
If Debian ovmf package provides:
OVMF_CODE.secboot.fd
OVMF_VARS.secboot.fd
in the future just install Debian ovmf package instead and use them instead.
Debian only method with UefiShell.iso from Fedora
If someone else manages to use default Debian files:
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_VARS.fd
with the ?UefiShell.iso file from Fedora's edk2-ovmf package so that you can turn on a non secure boot vm to a secure boot one manually. Please update this page. I prefer doing that step manually than relying on:
OVMF_CODE.secboot.fd
OVMF_VARS.secboot.fd
which have those keys embedded.
virt-manager
I prefer using qemu or kvm rather than relying on virt-manager or another GUI. If you manage to adapt these instructions to virt-manager please write another page and link to it from this one.
Thank you
Thanks to the people from #debian-efi channel on OFTC for their patience because I usually make too many questions there.