On Sun, Jul 15, 2018 at 21:22:35 +0300, Shmuel Melamud wrote:
Hi!
I'm currently working on integrating UEFI/SecureBoot support into
oVirt, and I have several questions about UEFI/SecureBoot support in
libvirt. Can you please help me with them?
For UEFI I add the following to the XML:
<loader readonly="yes" secure="no" type="pflash">
/usr/share/OVMF/OVMF_CODE.secboot.fd
</loader>
<nvram template="/usr/share/OVMF/OVMF_VARS.fd">
/var/lib/libvirt/qemu/nvram/VM_UUID.fd
</nvram>
1. Are all paths mandatory, or are there some defaults?
Template can be configured in /etc/libvirt/qemu.conf
See also:
https://libvirt.org/formatdomain.html#elementsOSBIOS
2. If nvram image file is absent, libvirt creates it?
Libvirt creates it from the 'template' or the default template.
3. Is nvram image file only read or is it also written?
NVRAM is written since it contains UEFI variables modified by the
firmware or guest OS.
4. If nvram image file is present, is it used? Or removed and created
again?
It's used. The file contains state which needs to be persisted across
shutdown/restart.
5. Is the nvram image file used only on VM startup, or must it be present
all the time the VM is running? Is it used on VM shutdown?
It contains the UEFI variables which the operating system can write, so
it needs to be present all the time. Deleting it will basically reset
any changes to the UEFI state. As the file is opened by qemu all the
time, if you delete it it will become apparent only after restart of the
QEMU process.
6. What happens if the VM is migrated at the moment when nvram image
file is used? Is this file migrated also?
QEMU transports the pflash devices inside the migration stream along with
memory and then writes the changes, so for migration this is transparent.
The destination just needs to have the files available.
7. Is it enough to set secure="yes" to boot the VM with SecureBoot? Or do
I need to prepare the nvram somehow (install keys etc.)?
That depends on the state of the nvram template. Keys may need to be
installed.
8. How to verify that the VM was indeed booted with UEFI? With
SecureBoot?
AFAIK we don't load any 'fallback' firmware, so if you set it to uefi and
it boots, it was via uefi. I don't know about secure boot though.
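As an added example (not part of this thread, and not libvirt or oVirt code), here is how question 8 can be answered from inside a Linux guest. The kernel exposes /sys/firmware/efi only when it was booted via UEFI, and the firmware publishes two one-byte variables under the EFI global variable GUID: SecureBoot (1 when signature checks are enforced) and SetupMode (1 when no Platform Key is enrolled, which is the "keys may need to be installed" situation from question 7). efivarfs prefixes each variable's data with a 4-byte little-endian attribute word, which the parser below strips. The sample byte strings are constructed, and the function and variable names are this example's own choices:

```python
import os
import struct

# GUID of the EFI global variable namespace, where SecureBoot and SetupMode
# live (defined by the UEFI specification).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
SYSFS_EFI_DIR = "/sys/firmware/efi"

# Constructed sample efivarfs images: 4-byte attributes (0x6 =
# BOOTSERVICE_ACCESS | RUNTIME_ACCESS) followed by the one-byte value.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUPMODE_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_ON = b"\x06\x00\x00\x00\x01"


def parse_efivar(raw):
    """Split an efivarfs file image into (attributes, data).

    efivarfs prefixes the variable payload with a 4-byte little-endian
    attribute word; everything after it is the variable's data.
    """
    if len(raw) < 4:
        raise ValueError("efivar image too short: %d bytes" % len(raw))
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE_GUID, efivars_dir=EFIVARS_DIR):
    """Return the raw efivarfs image of variable `name`, or None if absent."""
    path = os.path.join(efivars_dir, "%s-%s" % (name, guid))
    try:
        with open(path, "rb") as f:
            return f.read()
    except (FileNotFoundError, PermissionError):
        return None


def booted_via_uefi(sysfs_efi_dir=SYSFS_EFI_DIR):
    """Linux creates /sys/firmware/efi only when the kernel booted via UEFI."""
    return os.path.isdir(sysfs_efi_dir)


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Interpret the SecureBoot and SetupMode variables.

    SecureBoot == 1 means the firmware is enforcing signature checks.
    SetupMode == 1 means no Platform Key is enrolled, so the firmware
    cannot actually enforce Secure Boot.  "enforcing" is therefore only
    True when SecureBoot is set AND SetupMode is known to be clear.
    """
    if secureboot_raw is None:
        # No SecureBoot variable at all: legacy boot or firmware without it.
        return {"uefi_vars": False, "secure_boot": False,
                "setup_mode": None, "enforcing": False}
    _, sb_data = parse_efivar(secureboot_raw)
    secure_boot = len(sb_data) >= 1 and sb_data[0] == 1
    setup_mode = None
    if setupmode_raw is not None:
        _, sm_data = parse_efivar(setupmode_raw)
        setup_mode = len(sm_data) >= 1 and sm_data[0] == 1
    return {
        "uefi_vars": True,
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and setup_mode is False,
    }


if __name__ == "__main__":
    # Show the interpretation of the constructed samples first ...
    print("sample, PK enrolled:", secure_boot_state(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_OFF))
    print("sample, setup mode :", secure_boot_state(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_ON))
    # ... then the real state of the machine this runs on.
    if not booted_via_uefi():
        print("this guest: legacy BIOS boot (no %s)" % SYSFS_EFI_DIR)
    else:
        print("this guest:", secure_boot_state(read_efivar("SecureBoot"),
                                               read_efivar("SetupMode")))
```

Run as root in the guest (efivarfs is normally readable by root only). A guest started from the OVMF_VARS.fd template with no keys enrolled will typically show secure_boot False and setup_mode True, which is the state the reply to question 7 refers to; only after a Platform Key and the signature databases are enrolled in the nvram image does enforcing become True.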