vm secure boot no longer working

Oct 18, 2016
Code:
> pveversion
pve-manager/4.3-3/557191d3 (running kernel: 4.4.19-1-pve)

We need to boot a Windows 10 VM with secure boot enabled.
Until now we've used the EFI Internal Shell to run LockDownMS.efi to enable secure boot for a Windows 10 guest.
With the recent updates, which also enabled persistent EFI settings (nice!), this no longer works:

Code:
Shell> fs0:
FS0:\ LockDownMS.efi
No SetupMode variable ... is platform secure boot enabled?

Any hints?
 
well, we use a new version of the ovmf image
and according to those links:
https://fedoraproject.org/wiki/Using_UEFI_with_QEMU
https://ask.fedoraproject.org/en/question/86384/wiki-using-uefi-with-qemu/

the default ovmf image does not ship with secure boot enabled, and the only option is to
enable smm which is a compile time option, and works only with some restrictions (q35 machine type for instance)

there seems to be a guide in the first link with a UefiShell.iso, but you would have to extract this from a fedora install
and then i do not know if it works with windows or fedora only

edit:
also according to the second link, using secure boot with ovmf was not really secure at all
 
I've extracted the UefiShell.iso together with the included EnrollDefaultKeys.efi and got the following error:

Code:
FS0:\> EnrollDefaultKeys.efi
error: GetVariable("SetupMode", 8BE4DF61-93CA-11D2AA0D-00E098032B8C): Not Found

I don't care about security. It is about testing kernel mode drivers in the enforced Windows 10 environment which is only active if secure boot is enabled and this was working perfectly fine with the previous Proxmox versions.
 
mhmm... you could of course copy the old version of the image to your new installation, or use the fedora ones

we use
/usr/share/kvm/OVMF_CODE-pure-efi.fd
and
/usr/share/kvm/OVMF_VARS-pure-efi.fd

i can later this week try to enable smm in a build and upload it somewhere,
but if it only works then with q35 i don't think we will include it
 
I am having a look to see how easy it is to use an alternative UEFI binary with secure boot besides our own. Downloading the Fedora package at the moment.
 
ok it looks like this:

as i said, smm has to be activated in the ovmf image
fedora does this, but provides a separate image for this (OVMF_CODE.seboot.fd)

sadly this will not work with our qemu version currently, as we
disabled smm support because of stability issues [1]

even if we would have this, getting it to work is not so trivial as you need several additional
options for qemu [2] and it works only with q35

but you can go another route entirely, just use our old image [3] in the following way.
for each vm where you need this

set the vm to seabios (not OVMF)
copy the old OVMF image to a new place e.g. /tmp/ovmf-vm100.fd
do a
Code:
qm set <VMID> -args '-drive if=pflash,format=raw,file=/tmp/ovmf-vm100.fd'

now your old method should work again, and if you save the ovmf image for each vm
separately and persistently, the settings should be saved

maybe migration/ha would work also, but you would have to copy the image to the exact
same location on each host (after you set your options), but warning, this is untested

[1] http://pve.proxmox.com/pipermail/pve-devel/2015-September/017486.html
[2] http://www.labbott.name/blog/2016/09/15/secure-ish-boot-with-qemu/
[3] https://git.proxmox.com/?p=pve-qemu...d;hb=e978929d317de55a1d58f706f5423dc6fca6babf
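The per-VM workaround above (copy the old OVMF image to its own file, then point the VM at it with `qm set ... -args`) is easy to get wrong if the same pflash file is reused for several VMs or overwritten after keys have been enrolled. The following POSIX shell helper is an added example, not code from the thread or from Proxmox: it creates the per-VM copy only if it does not exist yet, keeps the file private, and prints the `qm set` command with the `-drive if=pflash,...` argument exactly as given in the post. The source image path, destination directory and the `ovmf-vm<VMID>.fd` naming are assumptions; the demo runs on a constructed placeholder file, not a real OVMF image.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): prepare a private,
# per-VM copy of the old OVMF image and build the matching qm command.
# Assumed: SRC is a readable OVMF .fd file and DEST_DIR is writable.
set -eu

# prepare_ovmf_pflash VMID SRC DEST_DIR
# Copies SRC to DEST_DIR/ovmf-vm<VMID>.fd unless that copy already exists.
# An existing copy holds the VM's enrolled Secure Boot keys and settings,
# so it is never silently overwritten. Prints the qm command to run.
prepare_ovmf_pflash() {
    vmid="$1"; src="$2"; dest_dir="$3"
    dest="$dest_dir/ovmf-vm$vmid.fd"
    case "$vmid" in
        ''|*[!0-9]*) echo "VMID must be numeric: $vmid" >&2; return 1 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if [ ! -e "$dest" ]; then
        # Fresh copy: settings the guest writes later persist in this file.
        cp "$src" "$dest"
        # Variables store may contain platform keys; keep it owner-only.
        chmod 600 "$dest"
    fi
    printf "qm set %s -args '-drive if=pflash,format=raw,file=%s'\n" "$vmid" "$dest"
}

# Demo with a constructed placeholder standing in for the real OVMF file.
demo() {
    tmp=$(mktemp -d)
    printf 'placeholder-ovmf' > "$tmp/OVMF-old.fd"
    prepare_ovmf_pflash 100 "$tmp/OVMF-old.fd" "$tmp"
    rm -rf "$tmp"
}

demo
```

Run the printed `qm set` line on the node after switching the VM to SeaBIOS, as the post describes; for migration the file must then exist at the same path on every host.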
 
we updated the ovmf image that we ship (which is now built from upstream git)
previously, we used an image from Gerd Hoffmann's repo for this, but did not update for some time
 
Apologies if this is breaking the forum rules but could someone provide a bit more information for rookies like myself on how would one open .efi files from the EFI Internal Shell? I've managed to get LockDownMS.efi from here but can't figure out how to open it/pass it to the EFI Internal Shell.
 
You simply copy these files to the EFI partition.

On Windows you can mount the EFI partition on e: by executing the following command from an administrative command prompt:

Code:
mountvol E: /S

After you've copied the file(s) you can unmount e: by executing:

Code:
mountvol E: /D
 
> ok it looks like this:
> copy the old OVMF image to a new place e.g. /tmp/ovmf-vm100.fd
Did I understand correctly, that with old OVMF image, Secure Boot can be enabled without SMM?
I need Secure Boot just for testing. From where old OVMF can be downloaded?
 