Bugzilla – Bug 1217422
Firmware descriptor files do not advertise secure-boot
Last modified: 2024-03-21 06:26:16 UTC
According to the qemu documentation [1], firmwares with enrolled-keys also have secure-boot enabled. However, the qemu-ovmf-x86_64 package contains several firmware descriptor files with the 'enrolled-keys' feature advertised but not 'secure-boot':

  /usr/share/qemu/firmware/60-ovmf-x86_64-2m-ms.json
  /usr/share/qemu/firmware/60-ovmf-x86_64-2m-opensuse.json
  /usr/share/qemu/firmware/60-ovmf-x86_64-2m-suse.json
  /usr/share/qemu/firmware/60-ovmf-x86_64-ms.json
  /usr/share/qemu/firmware/60-ovmf-x86_64-opensuse.json
  /usr/share/qemu/firmware/60-ovmf-x86_64-suse.json

This confuses the libvirt firmware autoselection logic, causing it to select a firmware with secure-boot enabled even when the user has requested a firmware with it disabled. E.g. the following virt-install command causes libvirt to select a firmware with secure boot enabled:

  virt-install --virt-type kvm --name hpc-node-01 --memory 4096 --network bridge=br0 --graphics vnc --disk none --osinfo sle15sp5 --boot firmware=efi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no

Adding 'secure-boot' to the 'features' list of the above firmware descriptor files causes libvirt to select an appropriate firmware.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/docs/interop/firmware.json?ref_type=heads
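The inconsistency described in this report, as an added example (not code from qemu, libvirt or the qemu-ovmf-x86_64 package): a small checker over firmware.json-style descriptors, with a simplified model of feature-based autoselection. The sample descriptors, their filenames and feature lists are constructed, and the model assumes that a feature requested disabled must not be advertised and that the first candidate in filename order is chosen.

```python
import glob
import json
import os

# Constructed sample descriptors in the firmware.json format. Filenames, paths
# and feature lists are illustrative, not the package's real files; the plain
# descriptor is numbered so that it sorts after the enrolled-keys one.
SAMPLE = {
    "60-ovmf-x86_64-ms.json": {
        "description": "OVMF with Microsoft keys enrolled (constructed)",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/qemu/ovmf-x86_64-ms-code.bin",
                                   "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "enrolled-keys"],  # the bug: 'secure-boot' is missing
        "tags": []},
    "70-ovmf-x86_64-plain.json": {
        "description": "OVMF without enrolled keys (constructed)",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/qemu/ovmf-x86_64-code.bin",
                                   "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3"], "tags": []},
}

def missing_secure_boot(desc):
    """True if the descriptor advertises enrolled-keys without secure-boot."""
    feats = set(desc.get("features", []))
    return "enrolled-keys" in feats and "secure-boot" not in feats

def fixed(desc):
    """Return a copy with 'secure-boot' added wherever enrolled-keys is advertised."""
    out = json.loads(json.dumps(desc))  # deep copy, original left untouched
    if missing_secure_boot(out):
        out["features"].append("secure-boot")
    return out

def select_firmware(descriptors, requested):
    """Simplified autoselection model (an assumption, not libvirt's code): a feature
    requested True must be advertised, one requested False must not be. Candidates
    come back in filename order; the first is the one that would be picked."""
    return [name for name in sorted(descriptors)
            if all((f in descriptors[name].get("features", [])) == want
                   for f, want in requested.items())]

def scan_directory(path="/usr/share/qemu/firmware"):
    """List the descriptor files on a host that show the inconsistency."""
    bad = []
    for fn in sorted(glob.glob(os.path.join(path, "*.json"))):
        with open(fn) as fh:
            if missing_secure_boot(json.load(fh)):
                bad.append(fn)
    return bad
```

With the buggy descriptors a request for secure-boot disabled still puts the enrolled-keys firmware first; after fixed() only the plain firmware matches.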
Joey, what is your opinion on adding 'secure-boot' to the 'features' list of the firmware descriptor files that also contain 'enrolled-keys'?
(In reply to James Fehlig from comment #1)
> Joey, what is your opinion on adding 'secure-boot' to the 'features' list of
> the firmware descriptor files that also contain 'enrolled-keys'?

I can run non-SMM OVMF with the following libvirt XML setting after adding the secure-boot feature:

  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/qemu/ovmf-x86_64-ms-code.bin</loader>
    <nvram template='/usr/share/qemu/ovmf-x86_64-ms-vars.bin'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>

As in the above XML, 'secure' is set to 'no' because there is no requires-smm feature. I will add the 'secure-boot' feature to the json for those non-SMM OVMF builds. But users should be aware that secure-boot is NOT really _secure_ without SMM support.
The change is waiting to be merged to openSUSE:Factory: https://build.opensuse.org/request/show/1155808
(In reply to Joey Lee from comment #3)
> The change is waiting to be merged to openSUSE:Factory:
>
> https://build.opensuse.org/request/show/1155808

The change has been sent to 15-SP6 and is waiting to be merged: https://build.suse.de/request/show/323715
(In reply to Joey Lee from comment #2)
> I will add 'secure-boot' feature to json for those non-smm ovmf. But user
> should aware that the secure-boot is NOT real _secure_ without SMM support.

Yes, agree. The firmware interop doc also makes note of it:

  # @secure-boot: The firmware implements the software interfaces for UEFI
  #               Secure Boot, as defined in the UEFI specification. Note
  #               that without @requires-smm, guest code running with
  #               kernel privileges can undermine the security of Secure
  #               Boot.
(In reply to Joey Lee from comment #4)
> (In reply to Joey Lee from comment #3)
> > The change is waiting to be merged to openSUSE:Factory:
> >
> > https://build.opensuse.org/request/show/1155808
>
> The change be sent to 15-SP6 for waiting to be merged:
> https://build.suse.de/request/show/323715

The change has also been merged to 15-SP6. Set fixed.