qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
LC_ALL=C \
|
|
|
|
PATH=/bin \
|
2023-03-02 19:05:53 +01:00
|
|
|
HOME=/var/lib/libvirt/qemu/domain--1-guest \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
USER=test \
|
|
|
|
LOGNAME=test \
|
2023-03-02 19:05:53 +01:00
|
|
|
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \
|
|
|
|
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \
|
|
|
|
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
|
2017-04-06 18:19:48 +02:00
|
|
|
/usr/bin/qemu-system-x86_64 \
|
2023-02-08 19:28:05 +01:00
|
|
|
-name guest=guest,debug-threads=on \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
-S \
|
2023-03-02 19:05:53 +01:00
|
|
|
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \
|
2022-07-20 15:37:19 +02:00
|
|
|
-blockdev '{"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE.secboot.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
|
|
|
|
-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
|
2023-02-08 19:28:05 +01:00
|
|
|
-blockdev '{"driver":"file","filename":"/path/to/guest_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}' \
|
2022-07-20 15:37:19 +02:00
|
|
|
-blockdev '{"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"}' \
|
2023-02-27 12:46:13 +01:00
|
|
|
-machine pc-q35-4.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,acpi=on \
|
2021-11-05 09:38:10 +01:00
|
|
|
-accel tcg \
|
2023-02-08 19:10:48 +01:00
|
|
|
-cpu qemu64 \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
-global driver=cfi.pflash01,property=secure,value=on \
|
|
|
|
-m 1024 \
|
2023-02-08 19:10:48 +01:00
|
|
|
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
|
2022-02-10 12:57:26 +01:00
|
|
|
-overcommit mem-lock=off \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
-smp 1,sockets=1,cores=1,threads=1 \
|
2023-02-08 19:28:05 +01:00
|
|
|
-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \
|
2018-03-29 12:51:55 +02:00
|
|
|
-display none \
|
2018-03-29 12:51:55 +02:00
|
|
|
-no-user-config \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 11:33:52 +02:00
|
|
|
-nodefaults \
|
2022-02-03 13:31:28 +01:00
|
|
|
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
|
2018-03-29 00:04:58 +02:00
|
|
|
-mon chardev=charmonitor,id=monitor,mode=control \
|
2018-03-29 12:51:55 +02:00
|
|
|
-rtc base=utc \
|
2018-03-29 12:51:55 +02:00
|
|
|
-no-shutdown \
|
2022-06-09 15:02:19 +02:00
|
|
|
-boot strict=on \
|
2022-06-22 15:36:23 +02:00
|
|
|
-audiodev '{"id":"audio1","driver":"none"}' \
|
2023-01-20 11:22:22 +01:00
|
|
|
-global ICH9-LPC.noreboot=off \
|
|
|
|
-watchdog-action reset \
|
2023-02-08 19:10:48 +01:00
|
|
|
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
|
2021-08-10 17:07:10 +02:00
|
|
|
-msg timestamp=on
|