Public bug reported:
[Impact]
Older versions of libvirt, such as the one in bionic, have an nvram variable in
/etc/libvirt/qemu.conf that pairs firmware images with the corresponding nvram
template files:
#nvram = [
# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]
If you wanted to create a QEMU guest running with secure boot mode, you
should be able to just specify the secboot OVMF_CODE variant, and
libvirt should know to pair it with the NVRAM template that has the
default SB keys built-in and secure boot activated. However, today it
picks up the "blank" NVRAM template instead, which will cause it to boot
w/ SB disabled. To workaround this, you have to either manually correct
the configuration file, or explicitly specify the nvram_template like
so:
$ virt-install --name dannf-uefi-test --boot
loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=/usr/share/OVMF/OVMF_VARS.ms.fd
--cdrom ubuntu-18.04.4-server-amd64.iso --disk
pool=default,size=20,bus=virtio,format=qcow2 --ram 1024 --feature smm=on
--vcpus 1 --os-type linux --os-variant ubuntu18.04 --network
network:default --graphics none --console pty,target_type=serial
Note that bionic didn't ship an secure boot variant of OVMF, but later
releases do. So the impact is limited to users who have manually
installed a later ovmf package version on their bionic system.
[Test Case]
$ virt-install --name dannf-uefi-test --boot
loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash
--cdrom ubuntu-18.04.4-server-amd64.iso --disk
pool=default,size=20,bus=virtio,format=qcow2 --ram 1024 --feature smm=on
--vcpus 1 --os-type linux --os-variant ubuntu18.04 --network
network:default --graphics none --console pty,target_type=serial
Once booted into Linux, check dmesg for Secure Boot mode:
~ # dmesg | grep -i secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI secure boot; see man
kernel_lockdown.7
~ #
[Regression Risk]
Some user out there might be (consciously or not) relying on this misbehavior.
By fixing it, a user who thought they were running in Secure Boot the whole
time may run into issues once new VMs start actually booting in SB mode. This
change will not impact existing VMs (each VM retains its own copy of the
template that retains local modifications).
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1864532
Title:
Incorrect nvram template for secboot firmware
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1864532/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
