Help needed in building UEFI qcow2 images

Help needed in building UEFI qcow2 images

[Pavan Kumar Aravapalli]

[-- Attachment #1: Type: text/plain, Size: 1046 bytes --]

Hi,


[re-posting the question]


I am looking for information/documentation which helps me in enabling UEFI boot to the existing (KVM)VM template. I am trying for CentOS 6.5(64-bit) no GUI 64-bit (KVM) template.



I found some images available over https://www.kraxel.org/repos/images/ with fedora os, but I am looking for uefi enabled Cent OS template. It would be helpfull if any documentation or steps provided for the same.



Regards,

Pavan.
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 2788 bytes --]

Re: Help needed in building UEFI qcow2 images

[Tomas Pilar (tpilar)]

[-- Attachment #1.1: Type: text/plain, Size: 1954 bytes --]

Hi Pavan,

I am currently playing around with setting up a OVMF based test framework myself. You likely need to tell qemu to use OVMF as it's firmware. I attach my current working libvirt XML file for creating UEFI VMs (diskless) - note the <loader> and the <nvram> elements within the <os> element.

You want to add a disk sourced from the qcow image and that should work.

Cheers,
Tom

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Pavan Kumar Aravapalli
Sent: 22 May 2019 12:02
To: Devel EDK2 <devel@edk2.groups.io>
Subject: [edk2-devel] Help needed in building UEFI qcow2 images


Hi,



[re-posting the question]



I am looking for information/documentation which helps me in enabling UEFI boot to the existing (KVM)VM template. I am trying for CentOS 6.5(64-bit) no GUI 64-bit (KVM) template.





I found some images available over https://www.kraxel.org/repos/images/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.kraxel.org_repos_images_&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=SzAVyxtJHZm7PriTfxFyvkqqZ_OgUqnNtgjrlf7jVU4&m=txzCgRJWkEmPJeuUxTWCEaTYpYEUWr6BmgcbVIpvuI0&s=VNfaavLgc8f7brJsIT2rTlp9QzZRyNUOTsp7rqTHK6E&e=> with fedora os, but I am looking for uefi enabled Cent OS template. It would be helpfull if any documentation or steps provided for the same.




Regards,

Pavan.
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.


[-- Attachment #1.2: Type: text/html, Size: 6134 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: kvm.xml --]
[-- Type: text/xml; name="kvm.xml", Size: 2658 bytes --]

<domain type='kvm' id='5'>
  <name>Qemu Test</name>
  <uuid>6a92c8c3-c6b4-4b57-a164-0a9917eeaf19</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>hvm</type>
    <bootmenu enable='yes' timeout='3000'/>
    <loader readonly='yes' secure='no' type='pflash'>/tmp/ovmf-test/OVMF_CODE.fd</loader>
    <nvram template='/tmp/ovmf-test/OVMF_VARS.fd'>/tmp/ovmf-test/OVMF_VARS2.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Server-IBRS</model>
    <feature policy='require' name='hypervisor'/>
    <feature policy='disable' name='arat'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>preserve</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>preserve</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        [ADDRESS]
      </source>
    </hostdev>
    <serial type='file'>
      <source path='/tmp/ovmf-test/serial0.log'/>
      <target port='0' />
      <alias name='serial0'/>
    </serial>
    <serial type='file'>
      <source path='/tmp/ovmf-test/serial1.log'/>
      <target port='1' />
      <alias name='serial1'/>
    </serial>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
      <image compression='off'/>
    </graphics>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Andrew Fish]

[-- Attachment #1: Type: text/plain, Size: 2318 bytes --]

Tom,

Looks like the mailing list stripped your attachment. 

Thanks,

Andrew Fish

> On May 22, 2019, at 4:19 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
> 
> Hi Pavan,
>
> I am currently playing around with setting up a OVMF based test framework myself. You likely need to tell qemu to use OVMF as it’s firmware. I attach my current working libvirt XML file for creating UEFI VMs (diskless) – note the <loader> and the <nvram> elements within the <os> element.
>
> You want to add a disk sourced from the qcow image and that should work.
>
> Cheers,
> Tom
>
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On Behalf Of Pavan Kumar Aravapalli
> Sent: 22 May 2019 12:02
> To: Devel EDK2 <devel@edk2.groups.io <mailto:devel@edk2.groups.io>>
> Subject: [edk2-devel] Help needed in building UEFI qcow2 images
>
> Hi, 
> 
>
> 
> [re-posting the question]
> 
>
> 
> I am looking for information/documentation which helps me in enabling UEFI boot to the existing (KVM)VM template. I am trying for CentOS 6.5(64-bit) no GUI 64-bit (KVM) template. 
> 
>
> 
>
> 
> I found some images available over https://www.kraxel.org/repos/images/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.kraxel.org_repos_images_&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=SzAVyxtJHZm7PriTfxFyvkqqZ_OgUqnNtgjrlf7jVU4&m=txzCgRJWkEmPJeuUxTWCEaTYpYEUWr6BmgcbVIpvuI0&s=VNfaavLgc8f7brJsIT2rTlp9QzZRyNUOTsp7rqTHK6E&e=> with fedora os, but I am looking for uefi enabled Cent OS template. It would be helpfull if any documentation or steps provided for the same.
> 
>
>
> 
> Regards, 
> 
> Pavan.
> 
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
> 
> <kvm.xml>


[-- Attachment #2: Type: text/html, Size: 7363 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Tomas Pilar (tpilar)]

[-- Attachment #1: Type: text/html, Size: 14770 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Andrew Fish]

[-- Attachment #1: Type: text/plain, Size: 5367 bytes --]

It should work Stephano is going to take a look. 

Thanks,

Andrew Fish

> On May 22, 2019, at 9:57 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
> 
> Thanks Andrew,
> 
> I thought that groups.io is supposed to allow attachments?
> 
> Anyway snippet below:
> 
> ----
> 
> <domain type='kvm' id='5'>
>   <name>Qemu Test</name>
>   <uuid>6a92c8c3-c6b4-4b57-a164-0a9917eeaf19</uuid>
>   <memory unit='KiB'>2097152</memory>
>   <currentMemory unit='KiB'>2097152</currentMemory>
>   <vcpu placement='static'>2</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>hvm</type>
>     <bootmenu enable='yes' timeout='3000'/>
>     <loader readonly='yes' secure='no' type='pflash'>/tmp/ovmf-test/OVMF_CODE.fd</loader>
>     <nvram template='/tmp/ovmf-test/OVMF_VARS.fd'>/tmp/ovmf-test/OVMF_VARS2.fd</nvram>
>   </os>
>   <features>
>     <acpi/>
>     <apic/>
>   </features>
>   <clock offset='utc'>
>     <timer name='rtc' tickpolicy='catchup'/>
>     <timer name='pit' tickpolicy='delay'/>
>     <timer name='hpet' present='no'/>
>   </clock>
>   <on_poweroff>preserve</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>preserve</on_crash>
>   <pm>
>     <suspend-to-mem enabled='no'/>
>     <suspend-to-disk enabled='no'/>
>   </pm>
>   <devices>
>     <emulator>/usr/libexec/qemu-kvm</emulator>
>     <controller type='pci' index='0' model='pci-root'>
>       <alias name='pci.0'/>
>     </controller>
>     <hostdev mode='subsystem' type='pci' managed='yes'>
>       <source>
>         [ADDRESS]
>       </source>
>     </hostdev>
>     <serial type='file'>
>       <source path='/tmp/ovmf-test/serial0.log'/>
>       <target port='0' />
>       <alias name='serial0'/>
>     </serial>
>     <serial type='file'>
>       <source path='/tmp/ovmf-test/serial1.log'/>
>       <target port='1' />
>       <alias name='serial1'/>
>     </serial>
>     <input type='mouse' bus='ps2'>
>       <alias name='input1'/>
>     </input>
>     <input type='keyboard' bus='ps2'>
>       <alias name='input2'/>
>     </input>
>     <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
>       <listen type='address' address='127.0.0.1'/>
>       <image compression='off'/>
>     </graphics>
>     <video>
>       <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
>       <alias name='video0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
>     </video>
>     <rng model='virtio'>
>       <backend model='random'>/dev/urandom</backend>
>       <alias name='rng0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
>     </rng>
>   </devices>
> </domain>
> 
> --
> 
> On 22/05/2019 16:58, Andrew Fish via Groups.Io wrote:
>> Tom,
>> 
>> Looks like the mailing list stripped your attachment. 
>> 
>> Thanks,
>> 
>> Andrew Fish
>> 
>>> On May 22, 2019, at 4:19 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com <mailto:tpilar@solarflare.com>> wrote:
>>> 
>>> Hi Pavan,
>>>
>>> I am currently playing around with setting up a OVMF based test framework myself. You likely need to tell qemu to use OVMF as it’s firmware. I attach my current working libvirt XML file for creating UEFI VMs (diskless) – note the <loader> and the <nvram> elements within the <os> element.
>>>
>>> You want to add a disk sourced from the qcow image and that should work.
>>>
>>> Cheers,
>>> Tom
>>>
>>> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io>> On Behalf Of Pavan Kumar Aravapalli
>>> Sent: 22 May 2019 12:02
>>> To: Devel EDK2 <devel@edk2.groups.io <mailto:devel@edk2.groups.io>>
>>> Subject: [edk2-devel] Help needed in building UEFI qcow2 images
>>>
>>> Hi, 
>>> 
>>>
>>> 
>>> [re-posting the question]
>>> 
>>>
>>> 
>>> I am looking for information/documentation which helps me in enabling UEFI boot to the existing (KVM)VM template. I am trying for CentOS 6.5(64-bit) no GUI 64-bit (KVM) template. 
>>> 
>>>
>>> 
>>>
>>> 
>>> I found some images available over https://www.kraxel.org/repos/images/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.kraxel.org_repos_images_&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=SzAVyxtJHZm7PriTfxFyvkqqZ_OgUqnNtgjrlf7jVU4&m=txzCgRJWkEmPJeuUxTWCEaTYpYEUWr6BmgcbVIpvuI0&s=VNfaavLgc8f7brJsIT2rTlp9QzZRyNUOTsp7rqTHK6E&e=> with fedora os, but I am looking for uefi enabled Cent OS template. It would be helpfull if any documentation or steps provided for the same.
>>> 
>>>
>>>
>>> 
>>> Regards, 
>>> 
>>> Pavan.
>>> 
>>> DISCLAIMER
>>> ==========
>>> This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
>>> <kvm.xml>
>> 
>> 
> 


[-- Attachment #2: Type: text/html, Size: 16017 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Laszlo Ersek]

On 05/22/19 17:58, Andrew Fish via Groups.Io wrote:
> Tom,
> 
> Looks like the mailing list stripped your attachment. 

I got the attachment OK, and I also see it in both mail archives:

https://edk2.groups.io/g/devel/message/41228

http://mid.mail-archive.com/ed4cfca6710b43f78ea5d6d05a87b676@ukex01.SolarFlarecom.com

Thanks,
Laszlo

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Andrew Fish]

[-- Attachment #1: Type: text/plain, Size: 1090 bytes --]

Laszlo,

Sorry I got the attachment too. It was just scrolled off the screen after the boiler plate. 


Groups.io <http://groups.io/> Links:
You receive all messages sent to this group.

View/Reply Online (#41228) <https://edk2.groups.io/g/devel/message/41228> | | Mute This Topic <https://groups.io/mt/31718606/1755084> | New Topic <https://edk2.groups.io/g/devel/post>

Your Subscription <https://edk2.groups.io/g/devel/editsub/1755084> | Contact Group Owner <mailto:devel+owner@edk2.groups.io> | Unsubscribe <https://edk2.groups.io/g/devel/unsub> [afish@apple.com <mailto:afish@apple.com>]


Sorry for the waste of time.

Thanks,

Andrew Fish

> On May 22, 2019, at 12:05 PM, Laszlo Ersek <lersek@redhat.com> wrote:
> 
> On 05/22/19 17:58, Andrew Fish via Groups.Io wrote:
>> Tom,
>> 
>> Looks like the mailing list stripped your attachment. 
> 
> I got the attachment OK, and I also see it in both mail archives:
> 
> https://edk2.groups.io/g/devel/message/41228
> 
> http://mid.mail-archive.com/ed4cfca6710b43f78ea5d6d05a87b676@ukex01.SolarFlarecom.com
> 
> Thanks,
> Laszlo
> 
> 
> 


[-- Attachment #2: Type: text/html, Size: 2611 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Laszlo Ersek]

On 05/22/19 21:10, Andrew Fish via Groups.Io wrote:
> Laszlo,
> 
> Sorry I got the attachment too. It was just scrolled off the screen after the boiler plate. 
> 
> 
> Groups.io <http://groups.io/> Links:
> You receive all messages sent to this group.
> 
> View/Reply Online (#41228) <https://edk2.groups.io/g/devel/message/41228> | | Mute This Topic <https://groups.io/mt/31718606/1755084> | New Topic <https://edk2.groups.io/g/devel/post>
> 
> Your Subscription <https://edk2.groups.io/g/devel/editsub/1755084> | Contact Group Owner <mailto:devel+owner@edk2.groups.io> | Unsubscribe <https://edk2.groups.io/g/devel/unsub> [afish@apple.com <mailto:afish@apple.com>]
> 
> 
> Sorry for the waste of time.

No, I think this is justified (mild) criticism on that large banner at
the end of reflected messages. I noticed the attachment immediately only
because my MUA (ThunderBird) displays such outside of the scrollable
email body, in two places actually (in the "threaded subjects" pane at
the top, and in the attachment pane at the bottom). I'd prefer if the
whole "-=-=-=-=-=-=-=-=-=-=-=-" footer disappeared from reflected
messages, and groups.io just implemented message-id-based search.

(There were two other aggravating factors: the original "DISCLAIMER" at
the end of the original posting, retained in the context, and
top-posting in the response to the original email.)

To be honest -- where I'm completely lost on occasion is "modern"
websites. From the recent past: the "hamburger icon" on StackOverflow,
which users have to click in order to pull up the Log Out option, takes
the cake. There are even StackOverflow threads about logging out of
StackOverflow, I kid you not:

https://meta.stackoverflow.com/questions/294881/how-does-one-logout-from-stack-overflow

https://meta.stackoverflow.com/questions/254109/how-can-i-log-out-from-stack-overflow

Thanks,
Laszlo

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Pavan Kumar Aravapalli]

[-- Attachment #1.1: Type: text/plain, Size: 8940 bytes --]

On Wed, May 22, 2019 at 04:19 AM, Tomas Pilar (tpilar) wrote:

> 
> 
> 
> Hi Pavan,
> 
> 
> 
> 
> 
> 
> 
> I am currently playing around with setting up a OVMF based test framework
> myself. You likely need to tell qemu to use OVMF as it’s firmware. I
> attach my current working libvirt XML file for creating UEFI VMs
> (diskless) – note the <loader> and the <nvram> elements within the <os>
> element.
> 
> 
> 
> 
> 
> 
> 
> You want to add a disk sourced from the qcow image and that should work.
> 
> 
> 
> 
> 
> 
> 
> Cheers,
> 
> 
> 
> Tom
> 
> 
> 
> 
> 
> 
> 
> *From:* devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of* Pavan
> Kumar Aravapalli
> *Sent:* 22 May 2019 12:02
> *To:* Devel EDK2 <devel@edk2.groups.io>
> *Subject:* [edk2-devel] Help needed in building UEFI qcow2 images
> 
> 
> 
> 
> 
> 
> 
> 
> Hi,
> 
> 
> 
> 
> 
> 
> 
> [re-posting the question]
> 
> 
> 
> 
> 
> 
> 
> I am looking for information/documentation which helps me in enabling UEFI
> boot to the existing (KVM)VM template. I am trying for CentOS 6.5(64-bit)
> no GUI 64-bit (KVM) template.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> I found some images available over https://www.kraxel.org/repos/images/ (
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.kraxel.org_repos_images_&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=SzAVyxtJHZm7PriTfxFyvkqqZ_OgUqnNtgjrlf7jVU4&m=txzCgRJWkEmPJeuUxTWCEaTYpYEUWr6BmgcbVIpvuI0&s=VNfaavLgc8f7brJsIT2rTlp9QzZRyNUOTsp7rqTHK6E&e=
> ) with fedora os, but I am looking for uefi enabled Cent OS template. It
> would be helpfull if any documentation or steps provided for the same.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Regards,
> 
> 
> 
> Pavan.
> 
> 
> 
> 
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is
> the property of Accelerite, a Persistent Systems business. It is intended
> only for the use of the individual or entity to which it is addressed. If
> you are not the intended recipient, you are not authorized to read,
> retain, copy, print, distribute or use this message. If you have received
> this communication in error, please notify the sender and delete all
> copies of this message. Accelerite, a Persistent Systems business does not
> accept any liability for virus infected mails.
> 
> 
> 
> 
> 
> 
> 

Hi Tomas,

Thanks for your response, I have already found  a way to boot a Guest VM to boot using image https://www.kraxel.org/repos/images/fedora-29-efi-systemd-x86_64.qcow2.xz.
I have attached the domain dump xml file with this mail attachment[normal-vm.xml].

And Sorry for the lengthy message for the following , Let me write up all my questions here . It would be more helpful if you can point me to fix or resolve the following.

Actually i am struggling to done below two items
* We have CentOS flavoured qcow2 image which is used to boot Guest VM's in Apache CloudStack. We are trying to enable these CentOS qcow2 images with UEFI support.  I found '.EFI' file inside fedora-29-efi-systemd-x86_64.qcow2.xz ( https://www.kraxel.org/repos/images/fedora-29-efi-systemd-x86_64.qcow2.xz ) image. How can i do the same thing for CentOS images.
* I have been struggling to secure boot Guest VM using UEFI.  I have enclosed my secure boot domain dumpxml [secure-vm.xml]with this mail too. When i try to boot with this xml i am  ended up with an Exception . I have attached the error screen shot too .

I don't know, what could be wrong in Environment.  here is my Host Environment details

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

[root@localhost ~]# /usr/libexec/qemu-kvm --machine help
Supported machines are:
pc                   RHEL 7.6.0 PC (i440FX + PIIX, 1996) (alias of pc-i440fx-rhel7.6.0)
pc-i440fx-rhel7.6.0  RHEL 7.6.0 PC (i440FX + PIIX, 1996) (default)
pc-i440fx-rhel7.5.0  RHEL 7.5.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.4.0  RHEL 7.4.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.3.0  RHEL 7.3.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.2.0  RHEL 7.2.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.1.0  RHEL 7.1.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.0.0  RHEL 7.0.0 PC (i440FX + PIIX, 1996)
rhel6.6.0            RHEL 6.6.0 PC
rhel6.5.0            RHEL 6.5.0 PC
rhel6.4.0            RHEL 6.4.0 PC
rhel6.3.0            RHEL 6.3.0 PC
rhel6.2.0            RHEL 6.2.0 PC
rhel6.1.0            RHEL 6.1.0 PC
rhel6.0.0            RHEL 6.0.0 PC
q35                  RHEL-7.6.0 PC (Q35 + ICH9, 2009) (alias of pc-q35-rhel7.6.0)
pc-q35-rhel7.6.0     RHEL-7.6.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.5.0     RHEL-7.5.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.4.0     RHEL-7.4.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.3.0     RHEL-7.3.0 PC (Q35 + ICH9, 2009)
none                 empty machine

[root@localhost ~]# rpm -qa | grep qemu
qemu-img-ev-2.12.0-18.el7_6.5.1.x86_64
centos-release-qemu-ev-1.0-4.el7.centos.noarch
qemu-kvm-common-ev-2.12.0-18.el7_6.5.1.x86_64
libvirt-daemon-driver-qemu-4.5.0-10.el7_6.10.x86_64
ipxe-roms-qemu-20170123-1.git4e85b27.el7_4.1.noarch
qemu-kvm-ev-2.12.0-18.el7_6.5.1.x86_64

[root@localhost ~]# cat /proc/cpuinfo | grep ept
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d

[root@localhost ~]# rpm -qa | grep libvirt
libvirt-client-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-nwfilter-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-nodedev-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-scsi-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-iscsi-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-kvm-4.5.0-10.el7_6.10.x86_64
libvirt-bash-completion-4.5.0-10.el7_6.10.x86_64
libvirt-libs-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-network-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-qemu-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-interface-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-config-nwfilter-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-config-network-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-disk-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-rbd-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-logical-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-4.5.0-10.el7_6.10.x86_64
libvirt-python-4.5.0-1.el7.x86_64
libvirt-daemon-driver-storage-core-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-secret-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-lxc-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-mpath-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-gluster-4.5.0-10.el7_6.10.x86_64
libvirt-4.5.0-10.el7_6.10.x86_64

Regards,
Pavan.

[-- Attachment #1.2: Type: text/html, Size: 12736 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: normal-vm.xml --]
[-- Type: text/xml; name="normal-vm.xml", Size: 7657 bytes --]

<domain type='kvm' id='9'>
  <name>norvm</name>
  <uuid>8aa8de9e-4ebf-4ef0-91ef-a8c3e809a60e</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/29"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/norvm_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>SandyBridge-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='pcid'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/norvm.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <alias name='pci.5'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <alias name='pci.6'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='pci' index='7' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='7' port='0x16'/>
      <alias name='pci.7'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:94:db:2e'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/2'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-9-norvm/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='vnc' port='5901' autoport='yes' listen='10.147.28.44' keymap='en-us'>
      <listen type='address' address='10.147.28.44'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c388,c745</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c388,c745</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: secure-vm.xml --]
[-- Type: text/xml; name="secure-vm.xml", Size: 7754 bytes --]

<domain type='kvm' id='10'>
  <name>secvm</name>
  <uuid>4b8006aa-e814-4a5d-955d-b74feea4c441</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/29"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/norvm_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
    <smm state='on'/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>SandyBridge-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='pcid'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/sec-boot.qcow2'/>
      <backingStore/>
      <target dev='sda' bus='sata'/>
      <alias name='sata0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/UefiShell-ovmf.iso'/>
      <backingStore/>
      <target dev='sdb' bus='sata'/>
      <readonly/>
      <alias name='sata0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <alias name='pci.5'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <alias name='pci.6'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:43:b6:64'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/1'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-10-secvm/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='vnc' port='5900' autoport='yes' listen='10.147.28.44' keymap='en-us'>
      <listen type='address' address='10.147.28.44'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c188,c430</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c188,c430</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

[-- Attachment #4: error.png --]
[-- Type: image/png, Size: 494165 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Laszlo Ersek]

Pavan,

On 06/03/19 21:21, Pavan Kumar Aravapalli wrote:

> * We have CentOS flavoured qcow2 image which is used to boot Guest
>   VM's in Apache CloudStack. We are trying to enable these CentOS
>   qcow2 images with UEFI support.

I told you weeks ago to take this question to the CentOS mailing list.

https://edk2.groups.io/g/devel/message/40531

Have you done that?

Also, what prevents you from installing a CentOS guest in UEFI mode from
scratch, and using the resultant disk image as a template?

Anyway, I guess I'm going to send them a separate message, and CC you.


> * I have been struggling to secure boot Guest VM using UEFI.  I have
>   enclosed my secure boot domain dumpxml [secure-vm.xml]with this mail
>   too. When i try to boot with this xml i am  ended up with an
>   Exception. I have attached the error screen shot too .

You are using Gerd's "OVMF_CODE-pure-efi.fd" firmware binary. That
binary is not built with -D SECURE_BOOT_ENABLE. Therefore the Secure
Boot related standard UEFI variables are not available (the Secure Boot
feature is missing altogether). That's the reason EnrollDefaultKeys.efi
fails to find the SetupMode variable.


You've mentioned that your host environment is CentOS 7.6. Here's what
you should do:

- Install the latest OVMF package available in that CentOS release. (I
  think it should be
  "OVMF-20180508-3.gitee3198e672e2.el7_6.1.noarch.rpm" at the moment.)

- You already have "qemu-kvm-ev" installed, good.

- If your libvirt domain currently has a variable store file under
  "/var/lib/libvirt/qemu/nvram/", then delete that file (the domain
  should be powered off first).

- Edit your domain XML as follows (only relevant elements quoted):

  <domain type='kvm'>
    <os>
      <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
      <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
      <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
    </os>
    <features>
      <smm state='on'/>
    </features>
    <devices>
      <emulator>/usr/libexec/qemu-kvm</emulator>
    </devices>
  </domain>

- When you next launch this domain, the domain's private varstore file
  (under "/var/lib/libvirt/qemu/nvram/") will be re-created from the
  template specified ("/usr/share/OVMF/OVMF_VARS.secboot.fd"). The
  Secure Boot operational mode will be enabled at once, and you will not
  have to run EnrollDefaultKeys.efi manually.

Hope this helps,
Laszlo

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Pavan Kumar Aravapalli]

[-- Attachment #1.1: Type: text/plain, Size: 915 bytes --]

Hi Laszlo,

Thank you for your quick response, and apologies for the your pervious mail thread which i could not observed as I only monitor the mail [ pavankumar_a@accelerite.com ]inbox. And I am not receiving mail reply's to my inbox even though i have subscribed to devel group. Here after i will proceed with web console https://edk2.groups.io ( https://edk2.groups.io/ ) for tracking info.

as you suggested, I have done the dom xml changes you suggested in previous mail that

* Dom XML Changes for OVMF loader stuff
* deleted existing  varstore file /var/lib/libvirt/qemu/nvram/

I am unable to boot the VM saying that there is no bootable device to boot , attached the screen shot with this thread for the same. I have been using  image https://www.kraxel.org/repos/images/fedora-28-efi-systemd-x86_64.qcow2.xz for Guest VM Boot. Please suggest me if i missed out some thing.

Regards,
Pavan.

[-- Attachment #1.2: Type: text/html, Size: 1165 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: secvm-2.xml --]
[-- Type: text/xml; name="secvm-2.xml", Size: 7788 bytes --]

<domain type='kvm' id='25'>
  <name>secvm</name>
  <uuid>4b8006aa-e814-4a5d-955d-b74feea4c441</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/29"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/secvm_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
    <smm state='on'/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>SandyBridge-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='pcid'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/sec-boot.qcow2'/>
      <backingStore/>
      <target dev='sda' bus='sata'/>
      <alias name='sata0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/usr/share/edk2.git/ovmf-x64/UefiShell.iso'/>
      <backingStore/>
      <target dev='sdb' bus='sata'/>
      <readonly/>
      <alias name='sata0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <alias name='pci.5'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <alias name='pci.6'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:43:b6:64'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/1'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-25-secvm/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='vnc' port='5900' autoport='yes' listen='10.147.28.44' keymap='en-us'>
      <listen type='address' address='10.147.28.44'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c110,c924</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c110,c924</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

[-- Attachment #3: Screenshot 2019-06-04 at 4.56.10 PM.png --]
[-- Type: image/png, Size: 226308 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Laszlo Ersek]

(+Gerd)

On 06/04/19 13:28, Pavan Kumar Aravapalli wrote:
> Hi Laszlo,
> 
> Thank you for your quick response, and apologies for the your pervious mail thread which i could not observed as I only monitor the mail [ pavankumar_a@accelerite.com ]inbox. And I am not receiving mail reply's to my inbox even though i have subscribed to devel group. Here after i will proceed with web console https://edk2.groups.io ( https://edk2.groups.io/ ) for tracking info.
> 
> as you suggested, I have done the dom xml changes you suggested in previous mail that
> 
> * Dom XML Changes for OVMF loader stuff
> * deleted existing  varstore file /var/lib/libvirt/qemu/nvram/
> 
> I am unable to boot the VM saying that there is no bootable device to boot , attached the screen shot with this thread for the same. I have been using  image https://www.kraxel.org/repos/images/fedora-28-efi-systemd-x86_64.qcow2.xz for Guest VM Boot. Please suggest me if i missed out some thing.

When you import a pre-made disk image like this, with a UEFI OS installation on it, but without any Boot#### and BootOrder UEFI variables in the domain's variable store, that amounts to an installed UEFI system losing its Boot#### and BootOrder variables.

The UEFI spec covers this case; a great writeup can be found at <https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/>.

However: you're using a systemd-related UEFI boot loader, and I have no clue whether it implements the above-referenced "fallback" behavior. For now, I would suggest trying the shim+grub2 variant, and even Fedora 29 rather than Fedora 28: "fedora-29-efi-grub2-x86_64.qcow2.xz".

If it still doesn't work, then you can modify your domain XML as follows, for saving a firmware debug log (note that the xmlns:qemu attribute (namespace definition) in the root element is important):

<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <qemu:commandline>
    <qemu:arg value='-global'/>
    <qemu:arg value='isa-debugcon.iobase=0x402'/>
    <qemu:arg value='-debugcon'/>
    <qemu:arg value='file:/tmp/secvm.log'/>
  </qemu:commandline>   
</domain>

The file "/tmp/secvm.log" will contain the OVMF debug log.


Additionally, I'd suggest removing the <boot dev='hd'/> element, and adding the following <boot order='1'/> instead:

    <disk type='file' device='disk'>
      ...
      <source file='/var/lib/libvirt/images/sec-boot.qcow2'/>
      ...
      <boot order='1'/>  
    </disk>


... I guess it's also possible that the UEFI boot loader in the disk image that you've tried isn't properly signed, against the certificates enrolled in "/usr/share/OVMF/OVMF_VARS.secboot.fd". If that's the case, the OVMF debug log will show it.

Thanks,
Laszlo

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Gerd Hoffmann]

  Hi,

> However: you're using a systemd-related UEFI boot loader, and I have
> no clue whether it implements the above-referenced "fallback"
> behavior. For now, I would suggest trying the shim+grub2 variant, and
> even Fedora 29 rather than Fedora 28:
> "fedora-29-efi-grub2-x86_64.qcow2.xz".

I can boot the images just fine with empty vars.

Just noticed that the systemd image has a lowercase efi directory, so
the fallback bootloader path is "efi/BOOT/BOOTX64.EFI" not
"EFI/BOOT/BOOTX64.EFI".  Possibly that is the root cause for the
problem.  In theory it should not, FAT is case-insensitive after all,
but who knows ...

> ... I guess it's also possible that the UEFI boot loader in the disk
> image that you've tried isn't properly signed, against the
> certificates enrolled in "/usr/share/OVMF/OVMF_VARS.secboot.fd". If
> that's the case, the OVMF debug log will show it.

Oh, in secure boot mode.  The systemd images don't use shim, so that
most likely isn't going to fly due to bootloader being unsigned.  The
grub2 variants should work.  Never actually tested that though.  

cheers,
  Gerd

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Pavan Kumar Aravapalli]

[-- Attachment #1.1: Type: text/plain, Size: 559 bytes --]

Laszlo,

Finally...! I am successfully able to boot guest vm in secure mode, attached the screenshot for the same. Secure boot works fine with out enforcing keys from UefiShell.iso, As suggested i have used the image fedora-29-efi-grub2-x86_64.qcow2.xz. However i have learnt many new things from these conversations. A big 'Thanks to you' for your support and resolving my questionaries.

Though I am yet to learn many things about 'UEFI' and it's different specification this will be good motivation for me to proceed with further.

Regards,
Pavan.

[-- Attachment #1.2: Type: text/html, Size: 669 bytes --]

[-- Attachment #2: Screenshot 2019-06-05 at 11.31.29 PM.png --]
[-- Type: image/png, Size: 452348 bytes --]

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Laszlo Ersek]

Hi Pavan,

On 06/05/19 20:19, Pavan Kumar Aravapalli wrote:
> Laszlo,
> 
> Finally...! I am successfully able to boot guest vm in secure mode, attached the screenshot for the same. Secure boot works fine with out enforcing keys from UefiShell.iso, As suggested i have used the image fedora-29-efi-grub2-x86_64.qcow2.xz. However i have learnt many new things from these conversations. A big 'Thanks to you' for your support and resolving my questionaries.
> 
> Though I am yet to learn many things about 'UEFI' and it's different specification this will be good motivation for me to proceed with further.

Cool, thanks for reporting back :)

Laszlo

Re: [edk2-devel] Help needed in building UEFI qcow2 images

[Pavan Kumar Aravapalli]

[-- Attachment #1: Type: text/plain, Size: 220 bytes --]

Gerd,

I understand that you are mentioning about  systemd image don't use shim, Where can we get consolidated information about supporting matrix. Please provide me useful link if any available.

Regards,
Pavan.

[-- Attachment #2: Type: text/html, Size: 268 bytes --]