Switch the --virt-uefi method to use SecureBoot

This updates the qemu arguments so that it will actually work, and
switches to using SecureBoot OVMF firmware.

Resolves: rhbz#1691661
This commit is contained in:
Brian C. Lane 2019-03-22 11:49:09 -07:00
parent 6529b3e5e8
commit d5fb43844f
3 changed files with 20 additions and 22 deletions

View File

@ -563,18 +563,10 @@ Creating UEFI disk images with virt
Partitioned disk images can only be created for the same platform as the host system (BIOS or
UEFI). You can use virt to create BIOS images on UEFI systems, and it is also possible
to create UEFI images on BIOS systems using OVMF. You first need to setup your system with
the OVMF firmware. The details can be `found here linux-kvm OVMF page <http://www.linux-kvm.org/page/OVMF>`_
but it amounts to:
to create UEFI images on BIOS systems using OVMF firmware and qemu.
1. Download the firmware.repo from `Gerd Hoffmann <https://www.kraxel.org/repos/>`_ and install it
in /etc/yum.repos.d/
2. Install the edk2.git-ovmf-x64 package
3. Copy /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd to /usr/share/OVMF/OVMF_CODE.fd
4. Copy /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd to /usr/share/OVMF/OVMF_VARS.fd
Install the lorax-lmc-virt package, this will install qemu and the OVMF
firmware files.
Now you can run livemedia-creator with ``--virt-uefi`` to boot and install using UEFI::
@ -585,11 +577,10 @@ Make sure that the kickstart you are using creates a /boot/efi partition by incl
part /boot/efi --fstype="efi" --size=500
Or use ``reqpart`` in the kickstart and Anaconda will create the required partitions.
.. note::
When using the resulting image with the current version of OVMF (edk2.git-ovmf-x64-0-20151103.b1295.ge5cffca)
it will not boot automatically because there is a problem with the fallback path.
You can boot it by entering the UEFI shell and running EFI/redhat/shim.efi and
then using efibootmgr to setup the correct boot entry.
The --virt-uefi method is currently only supported on the x86_64 architecture.
Debugging problems

View File

@ -172,7 +172,11 @@ class QEMUInstall(object):
qemu_cmd += ["-smp", str(vcpus)]
if not opts.no_kvm and os.path.exists("/dev/kvm"):
qemu_cmd += ["--machine", "accel=kvm"]
qemu_cmd += ["-machine", "accel=kvm"]
if boot_uefi:
qemu_cmd += ["-machine", "q35,smm=on"]
qemu_cmd += ["-global", "driver=cfi.pflash01,property=secure,value=on"]
# Copy the initrd from the iso, create a cpio archive of the kickstart files
# and append it to the temporary initrd.
@ -228,14 +232,17 @@ class QEMUInstall(object):
# Pass through rng from host
if opts.with_rng != "none":
qemu_cmd += ["-object", "rng-random,id=virtio-rng0,filename=%s" % opts.with_rng]
qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pci.0,addr=0x9"]
if boot_uefi:
qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pcie.0,addr=0x9"]
else:
qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pci.0,addr=0x9"]
if boot_uefi and ovmf_path:
qemu_cmd += ["-drive", "file=%s/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on" % ovmf_path]
qemu_cmd += ["-drive", "file=%s/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on" % ovmf_path]
# Make a copy of the OVMF_VARS.fd for this run
# Make a copy of the OVMF_VARS.secboot.fd for this run
ovmf_vars = tempfile.mktemp(prefix="lmc-OVMF_VARS-", suffix=".fd")
shutil.copy2(joinpaths(ovmf_path, "/OVMF_VARS.fd"), ovmf_vars)
shutil.copy2(joinpaths(ovmf_path, "/OVMF_VARS.secboot.fd"), ovmf_vars)
qemu_cmd += ["-drive", "file=%s,if=pflash,format=raw,unit=1" % ovmf_vars]

View File

@ -141,9 +141,9 @@ def main():
if opts.virt_uefi and not os.path.isdir(opts.ovmf_path):
errors.append("The OVMF firmware is missing from %s" % opts.ovmf_path)
elif opts.virt_uefi and os.path.isdir(opts.ovmf_path):
for f in ["OVMF_CODE.fd", "OVMF_VARS.fd"]:
for f in ["OVMF_CODE.secboot.fd", "OVMF_VARS.secboot.fd"]:
if not os.path.exists(joinpaths(opts.ovmf_path, f)):
errors.append("OVMF firmware file %s is missing from %s" % (f, opts.ovmf_path))
errors.append("OVMF secure boot firmware file %s is missing from %s" % (f, opts.ovmf_path))
if os.getuid() != 0:
errors.append("You need to run this as root")