running latest OVMF (secure boot + smm) with stock QEMU (Ubuntu 20.04)
alys <alys-work@...>
Hello All.
I am playing with OVMF and want to run the latest Ubuntu 20.04 ISO disk, booting it securely from OVMF.
I've got the latest edk2 repository, and have built it with options for secure_boot and smm, and without it.
Then I tried to run OVMF_CODE.fd and OVMF_VARS.fd (for the unsecured, no-smm build) under QEMU, and everything was fine. It started the Ubuntu installation normally.
Next, I tried to run the same for SEC_BOOT+smm, but qemu said - graphics not initialized.
OK. Maybe I've built something wrong, so I tried to run OVMF from the stock Ubuntu 20.04 package (sec_boot+smm).
After a few experiments I found the options needed to run it successfully.
This is the options script to run QEMU.
*********************************
opts="-machine q35,smm=on,accel=kvm -m 2048"
opts="$opts -global driver=cfi.pflash01,property=secure,value=on"
#add two flashes
opts="$opts -drive file=OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on"
opts="$opts -drive file=OVMF_VARS.ms.fd,if=pflash,format=raw,unit=1,readonly=off"
##virtual fat disk - where to install Ubuntu
opts="$opts -hda fat:rw:hda_"
##virtual cdrom with ubuntu installation
opts="$opts -drive file=ubuntu.iso,media=cdrom"
##disable net
opts="$opts -net none"
## to avoid a warning that something is not supported
opts="$opts -cpu host"
##would not run without it!!! if the build has smm support!!!
##at least for me
opts="$opts -global ICH9-LPC.disable_s3=1"
opts="$opts -boot menu=on"
############################
qemu-system-x86_64 $opts
*********************************
And this script starts my stock Ubuntu OVMF normally. And because OVMF_VARS.ms.fd from there already
has all the needed keys inside, I enjoy the Ubuntu installation started in secured boot mode.
But though I can run the stock ovmf, I still cannot start the ovmf which I've built manually...
It normally starts the ovmf which I've built with secured boot enabled, but without smm.
So, the facts: stock ovmf (from the Ubuntu package) is started normally by my script in QEMU.
The build from the latest git starts normally only if there is no SMM support, but SECURED_BOOT support is on.
But I need to start the latest OVMF with secured boot and smm support.
All advice appreciated.
Thank you. Alex.
dann frazier
On Thu, Aug 12, 2021 at 09:49:10PM +0300, alys via groups.io wrote:
This sounds like LP: #1903681:
https://launchpad.net/ubuntu/+source/edk2/2020.11-1
Try an Ubuntu build of 2020.11-1 or newer.
-dann
alys.the.work@...
Dann, thank you for the reply... but it was just my fault.
Trying to run the manually built OVMF, I used OVMF_VARS.ms.fd from the Ubuntu stock... and it seems they are different in format.
So when I replaced it with the OVMF_VARS.fd generated during the build, OVMF started smoothly.
I'm a newbie in these uefi questions... but maybe there must be a check that OVMF_CODE.fd is compatible with OVMF_VARS.fd?
Otherwise we see quite undefined behavior at start - it says something like "graphics is not initialized" and hangs.
-alex
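
A pre-flight check of the kind asked about in the last message could look like the following; this is an added example, not part of the thread and not code from edk2 or QEMU. It assumes the OVMF_VARS.fd emitted by the same build as OVMF_CODE.fd is the reference layout, and it reads the firmware volume header fields (FvLength, `_FVH` signature, HeaderLength) and the variable store header that follows them. The names `parse_vars_layout`, `layout_mismatches` and `make_sample` are hypothetical, and the sample images are constructed.

```python
import struct
import sys
import uuid

FVH_SIGNATURE = b"_FVH"  # EFI_FIRMWARE_VOLUME_HEADER.Signature, at byte offset 40


def parse_vars_layout(blob):
    """Read the layout fields from the start of a raw varstore flash image."""
    if len(blob) < 56 or blob[40:44] != FVH_SIGNATURE:
        raise ValueError("no firmware volume header ('_FVH' not at offset 40)")
    (fv_length,) = struct.unpack_from("<Q", blob, 32)   # FvLength
    (header_len,) = struct.unpack_from("<H", blob, 48)  # HeaderLength
    if len(blob) < header_len + 20:
        raise ValueError("image too short for a variable store header")
    # VARIABLE_STORE_HEADER follows the FV header: 16-byte GUID, UINT32 size.
    store_guid = uuid.UUID(bytes_le=bytes(blob[header_len:header_len + 16]))
    (store_size,) = struct.unpack_from("<I", blob, header_len + 16)
    return {"file_size": len(blob), "fv_length": fv_length,
            "store_guid": str(store_guid), "store_size": store_size}


def layout_mismatches(reference, candidate):
    """Names of the layout fields where candidate differs from reference."""
    ref, cand = parse_vars_layout(reference), parse_vars_layout(candidate)
    return [name for name in ref if ref[name] != cand[name]]


def make_sample(total, guid, store_size):
    """Constructed sample image: only the fields parsed above are filled in."""
    img = bytearray(b"\xff" * total)
    img[0:32] = bytes(32)  # zero vector and file system GUID left blank
    struct.pack_into("<Q4sIH", img, 32, total, FVH_SIGNATURE, 0, 72)
    img[72:88] = uuid.UUID(guid).bytes_le
    struct.pack_into("<I", img, 88, store_size)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py <VARS from the build> <VARS to boot>
        with open(sys.argv[1], "rb") as r, open(sys.argv[2], "rb") as c:
            diffs = layout_mismatches(r.read(), c.read())
    else:  # constructed demo: two images with different sizes and signatures
        built = make_sample(0x84000, "11111111-2222-3333-4444-555555555555", 0xDFB8)
        other = make_sample(0x20000, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 0xDFB8)
        diffs = layout_mismatches(built, other)
    print("layout differs in:", diffs if diffs else "nothing")
    sys.exit(1 if diffs else 0)
```

An empty result means the two files share a layout; it says nothing about which keys are enrolled inside the variable store.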