almalinux/lorax
13
0
Fork 0
Code Issues Pull Requests Releases Activity

Switch the --virt-uefi method to use SecureBoot

Browse Source 
This updates the qemu arguments so that it will actually work, and
switches to using SecureBoot OVMF firmware.

Resolves: rhbz#1691661
This commit is contained in:
Brian C. Lane 2019-03-22 11:49:09 -07:00
parent 6529b3e5e8
commit d5fb43844f
3 changed files with 20 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
docs/livemedia-creator.rst
View File

@ -563,18 +563,10 @@ Creating UEFI disk images with virt
Partitioned disk images can only be created for the same platform as the host system (BIOS or Partitioned disk images can only be created for the same platform as the host system (BIOS or
UEFI). You can use virt to create BIOS images on UEFI systems, and it is also possible UEFI). You can use virt to create BIOS images on UEFI systems, and it is also possible
to create UEFI images on BIOS systems using OVMF. You first need to setup your system with to create UEFI images on BIOS systems using OVMF firmware and qemu.
the OVMF firmware. The details can be `found here linux-kvm OVMF page <http://www.linux-kvm.org/page/OVMF>`_
but it amounts to:
1. Download the firmware.repo from `Gerd Hoffmann <https://www.kraxel.org/repos/>`_ and install it Install the lorax-lmc-virt package, this will install qemu and the OVMF
in /etc/yum.repos.d/ firmware files.
2. Install the edk2.git-ovmf-x64 package
3. Copy /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd to /usr/share/OVMF/OVMF_CODE.fd
4. Copy /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd to /usr/share/OVMF/OVMF_VARS.fd
Now you can run livemedia-creator with ``--virt-uefi`` to boot and install using UEFI:: Now you can run livemedia-creator with ``--virt-uefi`` to boot and install using UEFI::
@ -585,11 +577,10 @@ Make sure that the kickstart you are using creates a /boot/efi partition by incl
part /boot/efi --fstype="efi" --size=500 part /boot/efi --fstype="efi" --size=500
Or use ``reqpart`` in the kickstart and Anaconda will create the required partitions.
.. note:: .. note::
When using the resulting image with the current version of OVMF (edk2.git-ovmf-x64-0-20151103.b1295.ge5cffca) The --virt-uefi method is currently only supported on the x86_64 architecture.
it will not boot automatically because there is a problem with the fallback path.
You can boot it by entering the UEFI shell and running EFI/redhat/shim.efi and
then using efibootmgr to setup the correct boot entry.
Debugging problems Debugging problems

15
src/pylorax/installer.py
View File

@ -172,7 +172,11 @@ class QEMUInstall(object):
qemu_cmd += ["-smp", str(vcpus)] qemu_cmd += ["-smp", str(vcpus)]
if not opts.no_kvm and os.path.exists("/dev/kvm"): if not opts.no_kvm and os.path.exists("/dev/kvm"):
qemu_cmd += ["--machine", "accel=kvm"] qemu_cmd += ["-machine", "accel=kvm"]
if boot_uefi:
qemu_cmd += ["-machine", "q35,smm=on"]
qemu_cmd += ["-global", "driver=cfi.pflash01,property=secure,value=on"]
# Copy the initrd from the iso, create a cpio archive of the kickstart files # Copy the initrd from the iso, create a cpio archive of the kickstart files
# and append it to the temporary initrd. # and append it to the temporary initrd.
@ -228,14 +232,17 @@ class QEMUInstall(object):
# Pass through rng from host # Pass through rng from host
if opts.with_rng != "none": if opts.with_rng != "none":
qemu_cmd += ["-object", "rng-random,id=virtio-rng0,filename=%s" % opts.with_rng] qemu_cmd += ["-object", "rng-random,id=virtio-rng0,filename=%s" % opts.with_rng]
if boot_uefi:
qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pcie.0,addr=0x9"]
else:
qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pci.0,addr=0x9"] qemu_cmd += ["-device", "virtio-rng-pci,rng=virtio-rng0,id=rng0,bus=pci.0,addr=0x9"]
if boot_uefi and ovmf_path: if boot_uefi and ovmf_path:
qemu_cmd += ["-drive", "file=%s/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on" % ovmf_path] qemu_cmd += ["-drive", "file=%s/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on" % ovmf_path]
# Make a copy of the OVMF_VARS.fd for this run # Make a copy of the OVMF_VARS.secboot.fd for this run
ovmf_vars = tempfile.mktemp(prefix="lmc-OVMF_VARS-", suffix=".fd") ovmf_vars = tempfile.mktemp(prefix="lmc-OVMF_VARS-", suffix=".fd")
shutil.copy2(joinpaths(ovmf_path, "/OVMF_VARS.fd"), ovmf_vars) shutil.copy2(joinpaths(ovmf_path, "/OVMF_VARS.secboot.fd"), ovmf_vars)
qemu_cmd += ["-drive", "file=%s,if=pflash,format=raw,unit=1" % ovmf_vars] qemu_cmd += ["-drive", "file=%s,if=pflash,format=raw,unit=1" % ovmf_vars]

4
src/sbin/livemedia-creator
View File

@ -141,9 +141,9 @@ def main():
if opts.virt_uefi and not os.path.isdir(opts.ovmf_path): if opts.virt_uefi and not os.path.isdir(opts.ovmf_path):
errors.append("The OVMF firmware is missing from %s" % opts.ovmf_path) errors.append("The OVMF firmware is missing from %s" % opts.ovmf_path)
elif opts.virt_uefi and os.path.isdir(opts.ovmf_path): elif opts.virt_uefi and os.path.isdir(opts.ovmf_path):
for f in ["OVMF_CODE.fd", "OVMF_VARS.fd"]: for f in ["OVMF_CODE.secboot.fd", "OVMF_VARS.secboot.fd"]:
if not os.path.exists(joinpaths(opts.ovmf_path, f)): if not os.path.exists(joinpaths(opts.ovmf_path, f)):
errors.append("OVMF firmware file %s is missing from %s" % (f, opts.ovmf_path)) errors.append("OVMF secure boot firmware file %s is missing from %s" % (f, opts.ovmf_path))
if os.getuid() != 0: if os.getuid() != 0:
errors.append("You need to run this as root") errors.append("You need to run this as root")