Re: [edk2-devel] Help needed in building UEFI qcow2 images

["Laszlo Ersek" <lersek@redhat.com>]

Pavan,

On 06/03/19 21:21, Pavan Kumar Aravapalli wrote:

> * We have CentOS flavoured qcow2 image which is used to boot Guest
>   VM's in Apache CloudStack. We are trying to enable these CentOS
>   qcow2 images with UEFI support.

I told you weeks ago to take this question to the CentOS mailing list.

https://edk2.groups.io/g/devel/message/40531

Have you done that?

Also, what prevents you from installing a CentOS guest in UEFI mode from
scratch, and using the resultant disk image as a template?

Anyway, I guess I'm going to send them a separate message, and CC you.


> * I have been struggling to secure boot Guest VM using UEFI.  I have
>   enclosed my secure boot domain dumpxml [secure-vm.xml]with this mail
>   too. When i try to boot with this xml i am  ended up with an
>   Exception. I have attached the error screen shot too .

You are using Gerd's "OVMF_CODE-pure-efi.fd" firmware binary. That
binary is not built with -D SECURE_BOOT_ENABLE. Therefore the Secure
Boot related standard UEFI variables are not available (the Secure Boot
feature is missing altogether). That's the reason EnrollDefaultKeys.efi
fails to find the SetupMode variable.


You've mentioned that your host environment is CentOS 7.6. Here's what
you should do:

- Install the latest OVMF package available in that CentOS release. (I
  think it should be
  "OVMF-20180508-3.gitee3198e672e2.el7_6.1.noarch.rpm" at the moment.)

- You already have "qemu-kvm-ev" installed, good.

- If your libvirt domain currently has a variable store file under
  "/var/lib/libvirt/qemu/nvram/", then delete that file (the domain
  should be powered off first).

- Edit your domain XML as follows (only relevant elements quoted):

  <domain type='kvm'>
    <os>
      <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
      <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
      <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
    </os>
    <features>
      <smm state='on'/>
    </features>
    <devices>
      <emulator>/usr/libexec/qemu-kvm</emulator>
    </devices>
  </domain>

- When you next launch this domain, the domain's private varstore file
  (under "/var/lib/libvirt/qemu/nvram/") will be re-created from the
  template specified ("/usr/share/OVMF/OVMF_VARS.secboot.fd"). The
  Secure Boot operational mode will be enabled at once, and you will not
  have to run EnrollDefaultKeys.efi manually.

Hope this helps,
Laszlo