libvirt/docs/kbase/secureboot.rst

===========
Secure Boot
===========

.. contents::

Quick configuration
===================

If you have libvirt 8.6.0 or newer, when creating a new VM you can
ask for Secure Boot to be enabled with

::

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>

and for it to be disabled with either

::

  <os firmware='efi'>
    <firmware>
      <feature enabled='no' name='secure-boot'/>
    </firmware>
  </os>

or

::

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='no' name='enrolled-keys'/>
    </firmware>
  </os>

The first configuration will cause unsigned guest operating systems
to be rejected, while the remaining two will allow running them. See
below for a more detailed explanation of how each knob affects the
firmware selection process.


Older libvirt versions
======================

If your libvirt version is older than 8.6.0 but newer than 7.2.0,
then enabling Secure Boot requires a slightly more verbose XML
snippet:

::

  <os firmware='efi'>
    <loader secure='yes'/>
    <firmware>
      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>

Versions older than 7.2.0 require manually providing all information
about the firmware and are not covered here. Please refer to `the
relevant documentation
<../formatdomain.html#operating-system-booting>`__ for details.


Changing an existing VM
=======================

When a VM is defined, libvirt will pick the firmware that best
satisfies the provided criteria and record this information for use
on subsequent boots. The resulting XML configuration will look like
this:

::

  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/vm_VARS.fd</nvram>
  </os>

In order to force libvirt to repeat the firmware autoselection
process, it's necessary to remove the ``<loader>`` and ``<nvram>``
elements. Failure to do so will likely result in an error.

Note that updating the XML configuration as described above is
**not** enough to change the Secure Boot status: the NVRAM file
associated with the VM has to be regenerated from its template as
well.

In order to do that, update the XML and then start the VM with

::

  $ virsh start vm --reset-nvram

This option is only available starting with libvirt 8.1.0, so if your
version of libvirt is older than that you will have to delete the
NVRAM file manually before starting the VM.

Most guest operating systems will be able to cope with the NVRAM file
being reinitialized, but in some cases the VM will be unable to boot
after the change.


Additional information
======================

There are two parts to enabling Secure Boot: the firmware supporting
the feature, and it being active.

Most host operating systems ship a build of EDKII (the open source
EFI implementation used for QEMU VMs) that supports the Secure Boot
feature, but simply using such a build will not result in unsigned
guest operating systems being rejected: for that to happen, keys that
can be used to validate the operating system signature need to be
provided as well.

Asking for the ``enrolled-keys`` firmware feature to be enabled will
cause libvirt to initialize the NVRAM file associated with the VM
from a template that contains a suitable set of keys. These keys
being present will cause the firmware to enforce the Secure Boot
signing requirements.

The opposite configuration, where the feature is explicitly disabled,
will result in no keys being present in the NVRAM file. Unable to
verify signatures, the firmware will allow even unsigned operating
systems to run.

If running unsigned code is desired, it's also possible to ask for
the ``secure-boot`` feature to be disabled, which will cause libvirt
to pick a build of EDKII that doesn't have Secure Boot support at
all.

The main difference between using a build of EDKII that has Secure
Boot support but without keys enrolled and one that doesn't have
Secure Boot support at all is that, with the former, you could enroll
your own keys and securely run an operating system that you've built
and signed yourself. If you are only planning to run existing,
off-the-shelf operating system images, then the two configurations
are functionally equivalent.
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00			`===========`
			`Secure Boot`
			`===========`

			`.. contents::`

			`Quick configuration`
			`===================`

			`If you have libvirt 8.6.0 or newer, when creating a new VM you can`
			`ask for Secure Boot to be enabled with`

			`::`

			`<os firmware='efi'>`
			`<firmware>`
kbase: Always explicitly enable secure-boot firmware feature It should be enough to enable or disable the enrolled-keys feature to control whether Secure Boot is enforced, but there's a slight complication: many distro packages for edk2 include, in addition to general purpose firmware images, builds that are targeting the Confidential Computing use case. For those, the firmware descriptor will not advertise the enrolled-keys feature, which will technically make them suitable for satisfying a configuration such as <os firmware='efi'> <firmware> <feature state='off' name='enrolled-keys'/> </firmware> </os> In practice, users will expect the general purpose build to be used in this case. Explicitly asking for the secure-boot feature to be enabled achieves that result at the cost of some slight additional verbosity. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-03 16:07:12 +00:00			`<feature enabled='yes' name='secure-boot'/>`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00			`<feature enabled='yes' name='enrolled-keys'/>`
			`</firmware>`
			`</os>`

kbase: Document how to disable Secure Boot entirely In most cases, disabling the secure-boot or the enrolled-keys firmware feature will achieve the same result: allowing an unsigned operating system to run. Right now we're only documenting the latter configuration. Add the former as well, and explain the difference between the two. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-04 08:43:09 +00:00			`and for it to be disabled with either`

			`::`

			`<os firmware='efi'>`
			`<firmware>`
			`<feature enabled='no' name='secure-boot'/>`
			`</firmware>`
			`</os>`

			`or`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00
			`::`

			`<os firmware='efi'>`
			`<firmware>`
kbase: Always explicitly enable secure-boot firmware feature It should be enough to enable or disable the enrolled-keys feature to control whether Secure Boot is enforced, but there's a slight complication: many distro packages for edk2 include, in addition to general purpose firmware images, builds that are targeting the Confidential Computing use case. For those, the firmware descriptor will not advertise the enrolled-keys feature, which will technically make them suitable for satisfying a configuration such as <os firmware='efi'> <firmware> <feature state='off' name='enrolled-keys'/> </firmware> </os> In practice, users will expect the general purpose build to be used in this case. Explicitly asking for the secure-boot feature to be enabled achieves that result at the cost of some slight additional verbosity. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-03 16:07:12 +00:00			`<feature enabled='yes' name='secure-boot'/>`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00			`<feature enabled='no' name='enrolled-keys'/>`
			`</firmware>`
			`</os>`

kbase: Document how to disable Secure Boot entirely In most cases, disabling the secure-boot or the enrolled-keys firmware feature will achieve the same result: allowing an unsigned operating system to run. Right now we're only documenting the latter configuration. Add the former as well, and explain the difference between the two. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-04 08:43:09 +00:00			`The first configuration will cause unsigned guest operating systems`
			`to be rejected, while the remaining two will allow running them. See`
			`below for a more detailed explanation of how each knob affects the`
			`firmware selection process.`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00

			`Older libvirt versions`
			`======================`

			`If your libvirt version is older than 8.6.0 but newer than 7.2.0,`
			`then enabling Secure Boot requires a slightly more verbose XML`
			`snippet:`

			`::`

			`<os firmware='efi'>`
			`<loader secure='yes'/>`
			`<firmware>`
kbase: Always explicitly enable secure-boot firmware feature It should be enough to enable or disable the enrolled-keys feature to control whether Secure Boot is enforced, but there's a slight complication: many distro packages for edk2 include, in addition to general purpose firmware images, builds that are targeting the Confidential Computing use case. For those, the firmware descriptor will not advertise the enrolled-keys feature, which will technically make them suitable for satisfying a configuration such as <os firmware='efi'> <firmware> <feature state='off' name='enrolled-keys'/> </firmware> </os> In practice, users will expect the general purpose build to be used in this case. Explicitly asking for the secure-boot feature to be enabled achieves that result at the cost of some slight additional verbosity. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-03 16:07:12 +00:00			`<feature enabled='yes' name='secure-boot'/>`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00			`<feature enabled='yes' name='enrolled-keys'/>`
			`</firmware>`
			`</os>`

			`Versions older than 7.2.0 require manually providing all information`
Fix spelling Signed-off-by: Tim Wiederhake <twiederh@redhat.com> 2022-07-04 08:07:47 +00:00			about the firmware and are not covered here. Please refer to `the
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00			`relevant documentation`
			<../formatdomain.html#operating-system-booting>`__ for details.


			`Changing an existing VM`
			`=======================`

kbase: More info on firmware change for existing VMs The need to remove the <loader> and <nvram> elements in order to make the firmware autoselection process kick in again is not exactly intuitive, so document it explicitly. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2023-11-16 16:01:44 +00:00			`When a VM is defined, libvirt will pick the firmware that best`
			`satisfies the provided criteria and record this information for use`
			`on subsequent boots. The resulting XML configuration will look like`
			`this:`

			`::`

			`<os firmware='efi'>`
			`<firmware>`
			`<feature enabled='yes' name='enrolled-keys'/>`
			`<feature enabled='yes' name='secure-boot'/>`
			`</firmware>`
			`<loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>`
			`<nvram template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/vm_VARS.fd</nvram>`
			`</os>`

			`In order to force libvirt to repeat the firmware autoselection`
			process, it's necessary to remove the ``<loader>`` and ``<nvram>``
			`elements. Failure to do so will likely result in an error.`

			`Note that updating the XML configuration as described above is`
			`not enough to change the Secure Boot status: the NVRAM file`
			`associated with the VM has to be regenerated from its template as`
			`well.`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00
			`In order to do that, update the XML and then start the VM with`

			`::`

kbase: More info on firmware change for existing VMs The need to remove the <loader> and <nvram> elements in order to make the firmware autoselection process kick in again is not exactly intuitive, so document it explicitly. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> 2023-11-16 16:01:44 +00:00			`$ virsh start vm --reset-nvram`
docs: Add kbase page for Secure Boot Provide simple recipes for the most common high-level tasks. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> 2022-06-22 10:08:04 +00:00
			`This option is only available starting with libvirt 8.1.0, so if your`
			`version of libvirt is older than that you will have to delete the`
			`NVRAM file manually before starting the VM.`

			`Most guest operating systems will be able to cope with the NVRAM file`
			`being reinitialized, but in some cases the VM will be unable to boot`
			`after the change.`


			`Additional information`
			`======================`

			`There are two parts to enabling Secure Boot: the firmware supporting`
			`the feature, and it being active.`

			`Most host operating systems ship a build of EDKII (the open source`
			`EFI implementation used for QEMU VMs) that supports the Secure Boot`
			`feature, but simply using such a build will not result in unsigned`
			`guest operating systems being rejected: for that to happen, keys that`
			`can be used to validate the operating system signature need to be`
			`provided as well.`

			Asking for the ``enrolled-keys`` firmware feature to be enabled will
			`cause libvirt to initialize the NVRAM file associated with the VM`
			`from a template that contains a suitable set of keys. These keys`
			`being present will cause the firmware to enforce the Secure Boot`
			`signing requirements.`

			`The opposite configuration, where the feature is explicitly disabled,`
			`will result in no keys being present in the NVRAM file. Unable to`
			`verify signatures, the firmware will allow even unsigned operating`
			`systems to run.`
kbase: Document how to disable Secure Boot entirely In most cases, disabling the secure-boot or the enrolled-keys firmware feature will achieve the same result: allowing an unsigned operating system to run. Right now we're only documenting the latter configuration. Add the former as well, and explain the difference between the two. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> 2022-08-04 08:43:09 +00:00
			`If running unsigned code is desired, it's also possible to ask for`
			the ``secure-boot`` feature to be disabled, which will cause libvirt
			`to pick a build of EDKII that doesn't have Secure Boot support at`
			`all.`

			`The main difference between using a build of EDKII that has Secure`
			`Boot support but without keys enrolled and one that doesn't have`
			`Secure Boot support at all is that, with the former, you could enroll`
			`your own keys and securely run an operating system that you've built`
			`and signed yourself. If you are only planning to run existing,`
			`off-the-shelf operating system images, then the two configurations`
			`are functionally equivalent.`