Running latest OVMF (secure boot + SMM) with stock QEMU (Ubuntu 20.04)


alys <alys-work@...>
 

Hello All.

I am playing with OVMF and want to run the latest Ubuntu 20.04 ISO disk, booting it securely from OVMF.

I've got the latest edk2 repository, and have built it with options for secure_boot and smm, and without them.

Then I tried to run OVMF_CODE.fd and OVMF_VARS.fd (for the unsecured, no-smm build) under QEMU, and everything was fine. It started the Ubuntu installation normally.

Next, I tried to run the same for SEC_BOOT+smm, but QEMU said - graphics not initialized.

OK. Maybe I've built something wrong, so I tried to run OVMF from the stock Ubuntu 20.04 package (sec_boot+smm).

After a few experiments I found the options needed to run it successfully.

This is the options script to run QEMU.

*********************************

opts="-machine q35,smm=on,accel=kvm -m 2048"

opts="$opts -global driver=cfi.pflash01,property=secure,value=on"

#add two flashes
opts="$opts -drive file=OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on"
opts="$opts -drive file=OVMF_VARS.ms.fd,if=pflash,format=raw,unit=1,readonly=off"

##virtual fat disk - where to install Ubuntu
opts="$opts -hda fat:rw:hda_"

##virtual cdrom with ubuntu installation
opts="$opts -drive file=ubuntu.iso,media=cdrom"

##disable net
opts="$opts -net none"

## to avoid warning that something is not supported
opts="$opts -cpu host"

##would not run without it!!! if the build has smm support!!!
##at least for me
opts="$opts -global ICH9-LPC.disable_s3=1"

opts="$opts -boot menu=on"
############################
qemu-system-x86_64 $opts
*********************************

And this script starts my stock Ubuntu OVMF normally. And because OVMF_VARS.ms.fd from there already has all the needed keys inside, I enjoy the Ubuntu installation started in secure boot mode.


But though I can run the stock OVMF, I still cannot start the OVMF which I've built manually...

The OVMF which I've built with secure boot enabled, but without smm, starts normally.


So, the facts - the stock OVMF (from the Ubuntu package) is started normally by my script in QEMU.

The build from the latest git starts normally only if there is no SMM support, but SECURED_BOOT support is on.

But I need to start the latest OVMF with secure boot and smm support.

All advice appreciated.

Thank you. Alex.
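
As an added example (not part of the original post, and not edk2 or QEMU code), the shell function below lints a QEMU option string for the settings the script above uses with an SMM + Secure Boot OVMF build. The names `has_field` and `check_smm_secboot_opts` and the check labels are hypothetical, and option values are assumed to contain no spaces or glob characters.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the post, edk2 or QEMU.

# True when comma-separated option list $1 contains the exact field $2.
has_field() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# Prints the labels of missing settings; returns 0 when none are missing.
check_smm_secboot_opts() {
    cmdline=" $1 "; missing=""; code_ro=no; vars_rw=no; prev=""

    # -machine must select q35 with SMM emulation switched on.
    machine=$(printf '%s\n' "$cmdline" | sed -n 's/.* -machine \([^ ]*\) .*/\1/p')
    has_field "$machine" q35 || missing="$missing machine-q35"
    has_field "$machine" smm=on || missing="$missing smm-on"

    # secure=on makes QEMU reject pflash writes that do not come from SMM,
    # which is what keeps the guest OS from rewriting the variable store.
    case "$cmdline" in
        *" -global driver=cfi.pflash01,property=secure,value=on "*) ;;
        *) missing="$missing pflash-secure" ;;
    esac

    # Walk the -drive arguments: unit 0 (firmware code) must be read-only,
    # unit 1 (variable store) must stay writable.
    for w in $cmdline; do
        if [ "$prev" = "-drive" ] && has_field "$w" if=pflash; then
            if has_field "$w" unit=0 && has_field "$w" readonly=on; then code_ro=yes; fi
            if has_field "$w" unit=1 && ! has_field "$w" readonly=on; then vars_rw=yes; fi
        fi
        prev=$w
    done
    [ "$code_ro" = yes ] || missing="$missing code-flash-readonly"
    [ "$vars_rw" = yes ] || missing="$missing vars-flash-writable"

    # The post reports that its SMM build would not start without this setting.
    case "$cmdline" in
        *" -global ICH9-LPC.disable_s3=1 "*) ;;
        *) missing="$missing disable-s3" ;;
    esac

    missing=${missing# }
    if [ -n "$missing" ]; then printf '%s\n' "$missing"; return 1; fi
    return 0
}

# Constructed sample: SMM left off and the code flash not marked read-only.
sample="-machine q35,accel=kvm -drive file=OVMF_CODE.fd,if=pflash,format=raw,unit=0"
check_smm_secboot_opts "$sample" || echo "^ settings missing from the sample"
```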
