From mboxrd@z Thu Jan 1 00:00:00 1970
Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Tue, 04 Jun 2019 03:49:46 -0700
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DB4513082B5A; Tue, 4 Jun 2019 10:49:39 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-40.rdu2.redhat.com [10.10.120.40]) by smtp.corp.redhat.com (Postfix) with ESMTP id 087F72B5AE; Tue, 4 Jun 2019 10:49:38 +0000 (UTC)
Subject: Re: [edk2-devel] Help needed in building UEFI qcow2 images
To: devel@edk2.groups.io, pavankumar_a@accelerite.com, "Tomas Pilar (tpilar)"
References: <13789.1559589696810523451@groups.io>
From: "Laszlo Ersek"
Message-ID: <88960f45-42c4-3420-e33a-880a55960e48@redhat.com>
Date: Tue, 4 Jun 2019 12:49:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <13789.1559589696810523451@groups.io>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 04 Jun 2019 10:49:44 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

Pavan,

On 06/03/19 21:21, Pavan Kumar Aravapalli wrote:
> * We have a CentOS flavoured qcow2 image which is used to boot Guest
>   VMs in Apache CloudStack. We are trying to enable these CentOS
>   qcow2 images with UEFI support.

I told you weeks ago to take this question to the CentOS mailing list.

https://edk2.groups.io/g/devel/message/40531

Have you done that?

Also, what prevents you from installing a CentOS guest in UEFI mode from
scratch, and using the resultant disk image as a template?

Anyway, I guess I'm going to send them a separate message, and CC you.

> * I have been struggling to secure boot a Guest VM using UEFI. I have
>   enclosed my secure boot domain dumpxml [secure-vm.xml] with this mail
>   too. When I try to boot with this xml I end up with an
>   Exception. I have attached the error screenshot too.

You are using Gerd's "OVMF_CODE-pure-efi.fd" firmware binary. That binary
is not built with -D SECURE_BOOT_ENABLE. Therefore the Secure Boot related
standard UEFI variables are not available (the Secure Boot feature is
missing altogether). That's the reason EnrollDefaultKeys.efi fails to find
the SetupMode variable.

You've mentioned that your host environment is CentOS 7.6. Here's what you
should do:

- Install the latest OVMF package available in that CentOS release. (I
  think it should be "OVMF-20180508-3.gitee3198e672e2.el7_6.1.noarch.rpm"
  at the moment.)

- You already have "qemu-kvm-ev" installed, good.

- If your libvirt domain currently has a variable store file under
  "/var/lib/libvirt/qemu/nvram/", then delete that file (the domain should
  be powered off first).

- Edit your domain XML as follows (only relevant elements quoted):

    hvm
    /usr/share/OVMF/OVMF_CODE.secboot.fd
    /usr/libexec/qemu-kvm

- When you next launch this domain, the domain's private varstore file
  (under "/var/lib/libvirt/qemu/nvram/") will be re-created from the
  template specified ("/usr/share/OVMF/OVMF_VARS.secboot.fd"). The Secure
  Boot operational mode will be enabled at once, and you will not have to
  run EnrollDefaultKeys.efi manually.

Hope this helps,
Laszlo
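The libvirt domain XML for the setup described in the reply above, written out as an added example; it is not the XML from the original message (the archive dropped the element tags, leaving only the element contents "hvm", the loader path and the emulator path). The element names and the three paths come from the message and the CentOS 7 OVMF package. The rest is assumed for illustration: the machine type (q35), the loader attributes, and the smm feature, on the basis that the OVMF_CODE.secboot.fd build shipped in that package is SMM-based, which libvirt expresses as secure='yes' on the loader and which in turn requires a q35 machine type with SMM enabled. Everything else in a real domain definition (memory, vcpu, disks, network) is omitted.

```xml
<domain type='kvm'>
  <name>secure-vm</name>
  <!-- memory, vcpu, disk and network elements omitted; only what matters
       for booting OVMF with Secure Boot is shown -->
  <os>
    <!-- Assumption: q35. The SMM-based OVMF_CODE.secboot.fd build needs it;
         a pc (i440fx) machine type has no SMM emulation for it to use. -->
    <type arch='x86_64' machine='q35'>hvm</type>
    <!-- readonly + pflash: the firmware image is mapped as a read-only
         flash chip rather than loaded as a legacy -bios ROM.
         secure='yes': tells libvirt this firmware requires SMM, so it
         refuses to start the domain unless SMM is enabled below. -->
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <!-- No explicit path: libvirt creates the per-domain varstore under
         /var/lib/libvirt/qemu/nvram/ by copying this template on first
         boot. The template already carries the enrolled PK/KEK/db, so
         SetupMode is 0 and SecureBoot is 1 without running
         EnrollDefaultKeys.efi. -->
    <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
  </os>
  <features>
    <acpi/>
    <!-- SMM must be on for the secure='yes' loader; otherwise libvirt
         reports an error instead of starting the guest. -->
    <smm state='on'/>
  </features>
  <devices>
    <!-- qemu-kvm-ev's binary, as used in the message -->
    <emulator>/usr/libexec/qemu-kvm</emulator>
  </devices>
</domain>
```

After `virsh define` with this file and a first boot, the varstore copy appears as `/var/lib/libvirt/qemu/nvram/secure-vm_VARS.fd`. Inside a Linux guest, `mokutil --sb-state` (or `dmesg | grep -i 'secure boot'`) confirms that the firmware enforces Secure Boot; if the domain had earlier booted a non-Secure-Boot firmware with the same name, the stale varstore must be deleted first, exactly as the message says, or the template is never consulted.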