|
 |
588c1d |
From f44c6ec970413843214f52d5523ee8cf277b0150 Mon Sep 17 00:00:00 2001
|
|
|
588c1d |
From: Andrea Bolognani <abologna@redhat.com>
|
|
|
588c1d |
Date: Mon, 12 Dec 2022 19:38:22 +0100
|
|
|
588c1d |
Subject: [PATCH] virt-install: Document Secure Boot setups
|
|
|
588c1d |
|
|
|
588c1d |
Provide ready to use recipes for explicitly enabling and
|
|
|
588c1d |
explicitly disabling Secure Boot, as well as a pointer to
|
|
|
588c1d |
the more extensive information found on the libvirt website.
|
|
|
588c1d |
|
|
|
588c1d |
Setting loader_secure=yes is only one part of a proper Secure
|
|
|
588c1d |
Boot setup, so stop documenting it in the section about manual
|
|
|
588c1d |
firmware selection to avoid confusion.
|
|
|
588c1d |
|
|
|
588c1d |
https://bugzilla.redhat.com/show_bug.cgi?id=2112154
|
|
|
588c1d |
https://bugzilla.redhat.com/show_bug.cgi?id=2149971
|
|
|
588c1d |
|
|
|
588c1d |
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
|
|
|
588c1d |
(cherry picked from commit 33ff193ee9fcfdb74f95d946a1b93239a1a12a61)
|
|
|
588c1d |
|
|
|
588c1d |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2112154
|
|
|
588c1d |
|
|
|
588c1d |
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
|
|
|
588c1d |
---
|
|
|
588c1d |
man/virt-install.rst | 17 +++++++++++++++--
|
|
|
588c1d |
1 file changed, 15 insertions(+), 2 deletions(-)
|
|
|
588c1d |
|
|
|
588c1d |
diff --git a/man/virt-install.rst b/man/virt-install.rst
|
|
|
588c1d |
index 684f22655..a0df73280 100644
|
|
|
588c1d |
--- a/man/virt-install.rst
|
|
|
588c1d |
+++ b/man/virt-install.rst
|
|
|
588c1d |
@@ -957,13 +957,26 @@ Some examples:
|
|
|
588c1d |
via domcapabilities XML, so this will likely only work if using properly
|
|
|
588c1d |
configured distro packages. This is the recommended UEFI setup.
|
|
|
588c1d |
|
|
|
588c1d |
+``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=yes,firmware.feature1.name=enrolled-keys,firmware.feature1.enabled=yes``
|
|
|
588c1d |
+ Configure the VM to boot from UEFI with Secure Boot support enabled.
|
|
|
588c1d |
+ Only signed operating systems will be able to boot with this configuration.
|
|
|
588c1d |
+
|
|
|
588c1d |
+``--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no``
|
|
|
588c1d |
+ Configure the VM to boot from UEFI with Secure Boot support disabled.
|
|
|
588c1d |
+ This configuration allows both signed and unsigned operating systems to
|
|
|
588c1d |
+ run.
|
|
|
588c1d |
+
|
|
|
588c1d |
+ Additional information about the ``secure-boot`` and
|
|
|
588c1d |
+ ``enrolled-keys`` firmware features and how they can be used to
|
|
|
588c1d |
+ influence firmware selection is available at
|
|
|
588c1d |
+ https://libvirt.org/kbase/secureboot.html
|
|
|
588c1d |
+
|
|
|
588c1d |
``--boot loader=/.../OVMF_CODE.fd,loader.readonly=yes,loader.type=pflash,nvram.template=/.../OVMF_VARS.fd,loader_secure=no``
|
|
|
588c1d |
Specify that the virtual machine use the custom OVMF binary as boot firmware,
|
|
|
588c1d |
mapped as a virtual flash chip. In addition, request that libvirt instantiate
|
|
|
588c1d |
the VM-specific UEFI varstore from the custom "/.../OVMF_VARS.fd" varstore
|
|
|
588c1d |
template. This setup is not recommended, and should only be used if
|
|
|
588c1d |
- --boot uefi doesn't know about your UEFI binaries. If your UEFI firmware
|
|
|
588c1d |
- supports Secure boot feature you can enable it via loader_secure.
|
|
|
588c1d |
+ --boot uefi doesn't know about your UEFI binaries.
|
|
|
588c1d |
|
|
|
588c1d |
Use --boot=? to see a list of all available sub options.
|
|
|
588c1d |
Complete details at https://libvirt.org/formatdomain.html#elementsOS
|
|
|
588c1d |
--
|
|
|
588c1d |
2.39.1
|
|
|
588c1d |
|