Re: running latest OVMF (secure boot+smm) with stock QEMU (Ubuntu 20.04)


dann frazier
 

On Thu, Aug 12, 2021 at 09:49:10PM +0300, alys via groups.io wrote:
Hello All.

I am playing with OVMF and want to run the latest Ubuntu
20.04 ISO disk, booting it securely from OVMF.

I've got the latest edk2 repository, and have built it with
options for secure_boot and smm, and without them.

Then I tried to run OVMF_CODE.fd and OVMF_VARS.fd (for the
unsecured, no-smm build) under QEMU, and everything was
fine. It started the Ubuntu installation normally.

Next, I tried to run the same for SEC_BOOT+smm, but qemu
said - graphics not initialized.
Hey Alex,

This sounds like LP: #1903681:
https://launchpad.net/ubuntu/+source/edk2/2020.11-1

Try an Ubuntu build of 2020.11-1 or newer.

-dann

OK. Maybe I've built something wrong, so I tried to run
OVMF from the stock Ubuntu 20.04 package (sec_boot+smm).

After a few experiments I found the options needed to run it successfully.

This is the options script to run QEMU.

*********************************
opts="-machine q35,smm=on,accel=kvm -m 2048"

opts="$opts -global driver=cfi.pflash01,property=secure,value=on"

## add two flashes
opts="$opts -drive file=OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on"
opts="$opts -drive file=OVMF_VARS.ms.fd,if=pflash,format=raw,unit=1,readonly=off"

## virtual fat disk - where to install Ubuntu
opts="$opts -hda fat:rw:hda_"

## virtual cdrom with ubuntu installation
opts="$opts -drive file=ubuntu.iso,media=cdrom"

## disable net
opts="$opts -net none"

## to avoid warning that something is not supported
opts="$opts -cpu host"

## would not run without it!!! if the build has smm support!!!
## at least for me
opts="$opts -global ICH9-LPC.disable_s3=1"

opts="$opts -boot menu=on"
############################
qemu-system-x86_64 $opts
*********************************

And this script starts my stock Ubuntu OVMF normally. And
because OVMF_VARS.ms.fd from there already has all the
needed keys inside, I enjoy the Ubuntu installation
started in secured boot mode.

But though I can run stock ovmf, I still cannot start
ovmf which I've built manually...

It starts ovmf normally when I've built it with secured
boot enabled, but without smm.

So, facts - stock ovmf (from Ubuntu packet) has been
started normally by my script in QEMU.

The build from the latest git starts normally only if there is
no SMM support, but SECURED_BOOT support is on.

But I need to start the latest OVMF with secured boot and smm support.

All advice appreciated.

Thank you. Alex.
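
The settings the script above relies on for a Secure Boot + SMM firmware can be checked mechanically before launching QEMU. The following is an added example, not part of the original messages; the function names and finding labels are hypothetical, and it recognises only the option spellings used in that script.

```shell
#!/bin/sh
# Added example, not from the thread: lint a QEMU option string for the
# Secure Boot + SMM settings used in the script above.
# has_field WORD KEY=VALUE: true if the comma-separated WORD contains the field
has_field() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_opts "OPTS": prints the missing settings (hypothetical labels),
# space-separated, and returns non-zero if any are missing.
check_opts() {
    smm=0 secure=0 code_ro=0 vars_rw=0 s3=0 prev=
    for w in $1; do
        case "$prev" in
        -machine)  # SMM has to be enabled on the q35 machine type
            if has_field "$w" q35 && has_field "$w" smm=on; then smm=1; fi ;;
        -global)   # flash writes restricted to SMM; S3 disabled as in the post
            if [ "$w" = "driver=cfi.pflash01,property=secure,value=on" ]; then secure=1; fi
            if [ "$w" = "ICH9-LPC.disable_s3=1" ]; then s3=1; fi ;;
        -drive)
            if has_field "$w" if=pflash; then
                # unit 0 = firmware code (read-only), unit 1 = variable store
                if has_field "$w" unit=0 && has_field "$w" readonly=on; then code_ro=1; fi
                if has_field "$w" unit=1 && ! has_field "$w" readonly=on; then vars_rw=1; fi
            fi ;;
        esac
        prev=$w
    done
    missing=
    [ "$smm" = 1 ]     || missing="$missing machine-smm"
    [ "$secure" = 1 ]  || missing="$missing pflash-secure"
    [ "$code_ro" = 1 ] || missing="$missing code-readonly"
    [ "$vars_rw" = 1 ] || missing="$missing vars-writable"
    [ "$s3" = 1 ]      || missing="$missing s3-disabled"
    if [ -n "$missing" ]; then echo "${missing# }"; return 1; fi
    return 0
}

# Constructed sample: the security-relevant options from the script in the post
sample_opts='-machine q35,smm=on,accel=kvm
 -global driver=cfi.pflash01,property=secure,value=on
 -drive file=OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on
 -drive file=OVMF_VARS.ms.fd,if=pflash,format=raw,unit=1,readonly=off
 -global ICH9-LPC.disable_s3=1'
if check_opts "$sample_opts"; then echo "sample options: all settings present"; fi
```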