rpms/virt-manager
7
0
Fork 0
Code Issues Pull Requests Releases Activity
7dc901e13d
virt-manager/virt-manager-virt-install-Document-Secure-Boot-setups.patch
Jonathon Jongsma 68bc088ccd virt-manager-4.1.0-7.el10 
- cloner: Sync <uuid> and <sysinfo> system uuid (RHEL-34608)
- virtinstall: fix regression with --boot and no install method (RHEL-34608)
- progress: Fix showing correct final total (RHEL-34608)
- virtinstall: Fix the allocating disk size printed by the progress bar (RHEL-34608)
- virtinstall: Hide total_size in the progress bar if it doesn't need (RHEL-34608)
- virt-install: Recommend '--boot uefi' (RHEL-34608)
- virt-install: Document Secure Boot setups (RHEL-34608)
- tests: Add more cloud-init and TPM test cases (RHEL-34608)
- installer: drop default TPM for --cloud-init install phase (RHEL-34608)
- Add gating for centos stream 10 (RHEL-34608)
- xmleditor: make gtksourceview optional (RHEL-35859)

Resolves: RHEL-34608, RHEL-35859
2024-06-25 11:28:11 -05:00

62 lines
2.8 KiB
Diff
Raw Blame History

From a06231642804318239f07fd7e379da666190a6e6 Mon Sep 17 00:00:00 2001
From: Andrea Bolognani <abologna@redhat.com>
Date: Mon, 12 Dec 2022 19:38:22 +0100
Subject: [PATCH] virt-install: Document Secure Boot setups
Provide ready to use recipes for explicitly enabling and
explicitly disabling Secure Boot, as well as a pointer to
the more extensive information found on the libvirt website.
Setting loader_secure=yes is only one part of a proper Secure
Boot setup, so stop documenting it in the section about manual
firmware selection to avoid confusion.
https://bugzilla.redhat.com/show_bug.cgi?id=2112154
https://bugzilla.redhat.com/show_bug.cgi?id=2149971
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
(cherry picked from commit 33ff193ee9fcfdb74f95d946a1b93239a1a12a61)
Resolves: https://issues.redhat.com/browse/RHEL-34608
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
---
man/virt-install.rst | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/man/virt-install.rst b/man/virt-install.rst
index 684f22655..a0df73280 100644
--- a/man/virt-install.rst
+++ b/man/virt-install.rst
@@ -957,13 +957,26 @@ Some examples:
via domcapabilities XML, so this will likely only work if using properly
configured distro packages. This is the recommended UEFI setup.
+``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes``
+ Configure the VM to boot from UEFI with Secure Boot support enabled.
+ Only signed operating systems will be able to boot with this configuration.
+
+``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no``
+ Configure the VM to boot from UEFI with Secure Boot support disabled.
+ This configuration allows both signed and unsigned operating systems to
+ run.
+
+ Additional information about the ``secure-boot`` and
+ ``enrolled-keys`` firmware features and how they can be used to
+ influence firmware selection is available at
+ https://libvirt.org/kbase/secureboot.html
+
``--boot loader=/.../OVMF_CODE.fd,loader.readonly=yes,loader.type=pflash,nvram.template=/.../OVMF_VARS.fd,loader_secure=no``
Specify that the virtual machine use the custom OVMF binary as boot firmware,
mapped as a virtual flash chip. In addition, request that libvirt instantiate
the VM-specific UEFI varstore from the custom "/.../OVMF_VARS.fd" varstore
template. This setup is not recommended, and should only be used if
- --boot uefi doesn't know about your UEFI binaries. If your UEFI firmware
- supports Secure boot feature you can enable it via loader_secure.
+ --boot uefi doesn't know about your UEFI binaries.
Use --boot=? to see a list of all available sub options.
Complete details at https://libvirt.org/formatdomain.html#elementsOS
--
2.45.1
Reference in New Issue View Git Blame Copy Permalink