[libvirt] On the content of 'nvram' section in /etc/libvirt/qemu.conf

I learnt from Dan Berrangé that the 'nvram' section in `/etc/libvirt/qemu.conf` will now go away in light of all the work done in QEMU ('firmware.json', et al) and libvirt (the firmware auto-selection).

But for my own education, can anyone confirm that the current content of 'nvram' is out of date in terms of mapping of OVMF binaries to their corresponding variable store ("VARS") files?

Let's see what I mean.

On my Fedora 29 box, in `/etc/libvirt/qemu.conf`, I see the following mapping of OVMF binaries to their corresponding "VARS" file under the 'nvram' section:

#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]

Now let's enumerate the content of 'edk2-ovmf' package:

$> rpm -ql edk2-ovmf
/usr/share/OVMF
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd
/usr/share/OVMF/UefiShell.iso
/usr/share/doc/edk2-ovmf
/usr/share/doc/edk2-ovmf/README
/usr/share/doc/edk2-ovmf/ovmf-whitepaper-c770f8c.txt
/usr/share/edk2
/usr/share/edk2/ovmf
/usr/share/edk2/ovmf/EnrollDefaultKeys.efi
/usr/share/edk2/ovmf/OVMF_CODE.fd
/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf/OVMF_VARS.fd
/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf/Shell.efi
/usr/share/edk2/ovmf/UefiShell.iso
/usr/share/licenses/edk2-ovmf
/usr/share/licenses/edk2-ovmf/LICENSE.openssl
/usr/share/licenses/edk2-ovmf/License.txt

There is the /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd file (which comes with the default UEFI keys enrolled).

So, the mapping of OVMF binary to VARS file in the earlier mentioned 'nvram' section should have been:

/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd

Yes?

--
/kashyap

On 4/16/19 12:50 PM, Kashyap Chamarthy wrote:
I learnt from Dan Berrangé that the 'nvram' section in `/etc/libvirt/qemu.conf` will now go away in light of all the work done in QEMU ('firmware.json', et al) and libvirt (the firmware auto-selection).
But for my own education, can anyone confirm that the current content of 'nvram' is out of date in terms of mapping of OVMF binaries to their corresponding variable store ("VARS") files?
Let's see what I mean.
On my Fedora 29 box, in `/etc/libvirt/qemu.conf`, I see the following mapping of OVMF binaries to their corresponding "VARS" file under the 'nvram' section:

#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]

Now let's enumerate the content of 'edk2-ovmf' package:

$> rpm -ql edk2-ovmf
/usr/share/OVMF
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd
/usr/share/OVMF/UefiShell.iso
/usr/share/doc/edk2-ovmf
/usr/share/doc/edk2-ovmf/README
/usr/share/doc/edk2-ovmf/ovmf-whitepaper-c770f8c.txt
/usr/share/edk2
/usr/share/edk2/ovmf
/usr/share/edk2/ovmf/EnrollDefaultKeys.efi
/usr/share/edk2/ovmf/OVMF_CODE.fd
/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf/OVMF_VARS.fd
/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
/usr/share/edk2/ovmf/Shell.efi
/usr/share/edk2/ovmf/UefiShell.iso
/usr/share/licenses/edk2-ovmf
/usr/share/licenses/edk2-ovmf/LICENSE.openssl
/usr/share/licenses/edk2-ovmf/License.txt
There is the /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd file (which comes with the default UEFI keys enrolled).
So, the mapping of OVMF binary to VARS file in the earlier mentioned 'nvram' section should have been:
/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
Yes?
Unfortunately the qemu.conf comment is not authoritative. I believe that's the default value hardcoded in libvirt, but it can also be changed with a build time flag, which we do for fedora. The spec file has this change:

%if 0%{?fedora}
# Nightly edk2.git-ovmf-x64
LOADERS="/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd"
# Nightly edk2.git-ovmf-ia32
LOADERS="$LOADERS:/usr/share/edk2.git/ovmf-ia32/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-ia32/OVMF_VARS-pure-efi.fd"
# Nightly edk2.git-aarch64
LOADERS="$LOADERS:/usr/share/edk2.git/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2.git/aarch64/vars-template-pflash.raw"
# Nightly edk2.git-arm
LOADERS="$LOADERS:/usr/share/edk2.git/arm/QEMU_EFI-pflash.raw:/usr/share/edk2.git/arm/vars-template-pflash.raw"
# Fedora edk2-ovmf
LOADERS="$LOADERS:/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
# Fedora edk2-ovmf-ia32
LOADERS="$LOADERS:/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd:/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"
# Fedora edk2-aarch64
LOADERS="$LOADERS:/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw"
# Fedora edk2-arm
LOADERS="$LOADERS:/usr/share/edk2/arm/QEMU_EFI-pflash.raw:/usr/share/edk2/arm/vars-template-pflash.raw"
%define arg_loader_nvram --with-loader-nvram="$LOADERS"
%endif

So that's 8 pairs that we look for in fedora. That default commented out value is probably what we use on RHEL with standard RHEL packaging

- Cole

On Tue, Apr 16, 2019 at 05:07:30PM -0400, Cole Robinson wrote:
On 4/16/19 12:50 PM, Kashyap Chamarthy wrote:
[...]
There is the /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd file (which comes with the default UEFI keys enrolled).
So, the mapping of OVMF binary to VARS file in the earlier mentioned 'nvram' section should have been:
/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
Yes?
Unfortunately the qemu.conf comment is not authoritative. I believe that's the default value hardcoded in libvirt, but it can also be changed with a build time flag, which we do for fedora. The spec file has this change:

%if 0%{?fedora}
# Nightly edk2.git-ovmf-x64
LOADERS="/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd"
# Nightly edk2.git-ovmf-ia32
LOADERS="$LOADERS:/usr/share/edk2.git/ovmf-ia32/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-ia32/OVMF_VARS-pure-efi.fd"
# Nightly edk2.git-aarch64
LOADERS="$LOADERS:/usr/share/edk2.git/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2.git/aarch64/vars-template-pflash.raw"
# Nightly edk2.git-arm
LOADERS="$LOADERS:/usr/share/edk2.git/arm/QEMU_EFI-pflash.raw:/usr/share/edk2.git/arm/vars-template-pflash.raw"
# Fedora edk2-ovmf
LOADERS="$LOADERS:/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
# Fedora edk2-ovmf-ia32
LOADERS="$LOADERS:/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd:/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"
# Fedora edk2-aarch64
LOADERS="$LOADERS:/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw"
# Fedora edk2-arm
LOADERS="$LOADERS:/usr/share/edk2/arm/QEMU_EFI-pflash.raw:/usr/share/edk2/arm/vars-template-pflash.raw"
%define arg_loader_nvram --with-loader-nvram="$LOADERS"
%endif
So that's 8 pairs that we look for in fedora.
Hmm, we should keep the comments in sync, because unsuspecting users of management tools get confused :-( I'll see if I can send a patch to clean it up, if Michal or others haven't already beaten me to it.
That default commented out value is probably what we use on RHEL with standard RHEL packaging
Even for RHEL it's wrong :-) Because RHEL only ships the OVMF binary and its corresponding variable store ("VARS") file that are Secure Boot-ready "out-of-the-box" (because it comes with UEFI keys enrolled in it). Which are the following:

/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_VARS.secboot.fd

--
/kashyap
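The CODE/VARS pairing mistake discussed in this thread (a Secure Boot-ready OVMF_CODE.secboot.fd mapped to a plain OVMF_VARS.fd that has no keys enrolled) is easy to check mechanically. The following Python script is an added example, not libvirt or Fedora code: it parses both the commented-out `nvram = [ ... ]` block from qemu.conf and the colon-separated LOADERS string that the spec file passes to `--with-loader-nvram`, and flags any pair whose CODE and VARS images disagree on Secure Boot status. The `.secboot.` filename test is an assumption based on the Fedora/RHEL naming shown in this thread; the sample qemu.conf snippet and the Fedora edk2 paths are the ones quoted above.

```python
"""Check libvirt OVMF CODE/VARS pairings for Secure Boot consistency.

Added example, not libvirt or Fedora code. Parses the two list formats
seen in this thread: the (commented-out) `nvram = [ ... ]` block from
qemu.conf and the colon-separated LOADERS string that the Fedora spec
file passes to --with-loader-nvram.
"""
import re
from typing import List, Tuple

Pair = Tuple[str, str]  # (CODE image, VARS template)


def parse_qemu_conf_nvram(text: str) -> List[Pair]:
    """Extract CODE:VARS pairs from an `nvram = [ "...", ... ]` block.

    Leading '#' characters are stripped so the commented-out default in
    qemu.conf can be inspected as if it were active.
    """
    cleaned = "\n".join(ln.lstrip().lstrip("#") for ln in text.splitlines())
    block = re.search(r"nvram\s*=\s*\[(.*?)\]", cleaned, re.S)
    if not block:
        return []
    pairs: List[Pair] = []
    for entry in re.findall(r'"([^"]*)"', block.group(1)):
        code, sep, nvram = entry.partition(":")
        if not sep:
            raise ValueError(f"entry without CODE:VARS separator: {entry!r}")
        pairs.append((code, nvram))
    return pairs


def parse_loader_nvram(loaders: str) -> List[Pair]:
    """Split a --with-loader-nvram string (path:path:path:...) into pairs.

    Pairing is purely positional (fields 0/1, 2/3, ...), so an odd field
    count means the list was truncated or a path got mangled.
    """
    fields = [f for f in loaders.split(":") if f]
    if len(fields) % 2:
        raise ValueError("odd number of paths in loader:nvram list")
    return list(zip(fields[0::2], fields[1::2]))


def is_secboot(path: str) -> bool:
    """Assumption: Secure Boot-ready images carry '.secboot.' in their name."""
    return ".secboot." in path.rsplit("/", 1)[-1]


def check_pairs(pairs: List[Pair]) -> List[str]:
    """Return one finding per pair whose CODE and VARS disagree on Secure Boot.

    A secboot CODE image paired with a VARS file that has no keys enrolled
    boots with no Platform Key, so Secure Boot is not enforced; that is the
    mismatch discussed in the thread.
    """
    findings = []
    for code, nvram in pairs:
        if is_secboot(code) and not is_secboot(nvram):
            findings.append(f"{code} paired with non-secboot VARS {nvram}")
        elif is_secboot(nvram) and not is_secboot(code):
            findings.append(f"{nvram} paired with non-secboot CODE {code}")
    return findings


# The commented-out default quoted from /etc/libvirt/qemu.conf in this thread.
QEMU_CONF_SNIPPET = """\
#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]
"""

# The Fedora edk2 pairs from the spec file in this thread, in LOADERS form.
FEDORA_LOADERS = ":".join([
    "/usr/share/edk2/ovmf/OVMF_CODE.fd", "/usr/share/edk2/ovmf/OVMF_VARS.fd",
    "/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd", "/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd",
    "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", "/usr/share/edk2/aarch64/vars-template-pflash.raw",
    "/usr/share/edk2/arm/QEMU_EFI-pflash.raw", "/usr/share/edk2/arm/vars-template-pflash.raw",
])

if __name__ == "__main__":
    for finding in check_pairs(parse_qemu_conf_nvram(QEMU_CONF_SNIPPET)):
        print("WARNING:", finding)
    print(len(parse_loader_nvram(FEDORA_LOADERS)), "Fedora pairs parsed")
```

Run against the qemu.conf snippet, the script reports exactly one finding, the secboot CODE image paired with the non-secboot OVMF_VARS.fd, and parses four pairs out of the Fedora LOADERS string; the same `check_pairs` call can be pointed at the real list your libvirt build was configured with.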