qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
LC_ALL=C \
|
|
|
|
PATH=/bin \
|
2019-03-06 12:29:01 +00:00
|
|
|
HOME=/tmp/lib/domain--1-test-bios \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
USER=test \
|
|
|
|
LOGNAME=test \
|
2019-03-08 11:15:07 +00:00
|
|
|
XDG_DATA_HOME=/tmp/lib/domain--1-test-bios/.local/share \
|
|
|
|
XDG_CACHE_HOME=/tmp/lib/domain--1-test-bios/.cache \
|
|
|
|
XDG_CONFIG_HOME=/tmp/lib/domain--1-test-bios/.config \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
QEMU_AUDIO_DRV=none \
|
2017-04-06 16:19:48 +00:00
|
|
|
/usr/bin/qemu-system-x86_64 \
|
2021-08-10 14:39:38 +00:00
|
|
|
-name guest=test-bios,debug-threads=on \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-S \
|
2021-09-21 15:50:00 +00:00
|
|
|
-object secret,id=masterKey0,format=raw,file=/tmp/lib/domain--1-test-bios/master-key.aes \
|
2018-03-29 10:51:55 +00:00
|
|
|
-machine pc-q35-2.5,accel=tcg,usb=off,smm=on,dump-guest-core=off \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-global driver=cfi.pflash01,property=secure,value=on \
|
2021-03-31 08:46:36 +00:00
|
|
|
-drive file=/usr/share/OVMF/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
|
|
|
|
-m 1024 \
|
2019-04-12 08:03:36 +00:00
|
|
|
-realtime mlock=off \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-smp 1,sockets=1,cores=1,threads=1 \
|
|
|
|
-uuid 362d1fc1-df7d-193e-5c18-49a71bd1da66 \
|
2018-03-29 10:51:55 +00:00
|
|
|
-display none \
|
2018-03-29 10:51:55 +00:00
|
|
|
-no-user-config \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-nodefaults \
|
2021-03-31 08:46:36 +00:00
|
|
|
-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-test-bios/monitor.sock,server=on,wait=off \
|
2018-03-28 22:04:58 +00:00
|
|
|
-mon chardev=charmonitor,id=monitor,mode=control \
|
2018-03-29 10:51:55 +00:00
|
|
|
-rtc base=utc \
|
2018-03-29 10:51:55 +00:00
|
|
|
-no-shutdown \
|
2021-09-20 14:22:59 +00:00
|
|
|
-boot menu=on,strict=on \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e \
|
|
|
|
-device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x0 \
|
2021-03-30 15:48:46 +00:00
|
|
|
-device ioh3420,port=0x8,chassis=3,id=pci.3,bus=pcie.0,addr=0x1 \
|
qemu: Enable secure boot
In qemu, enabling this feature boils down to adding the following
onto the command line:
-global driver=cfi.pflash01,property=secure,value=on
However, there are some constraints resulting from the
implementation. For instance, System Management Mode (SMM) is
required to be enabled, the machine type must be q35-2.4 or
later, and the guest should be x86_64. While technically it is
possible to have 32 bit guests with secure boot, some non-trivial
CPU flags tuning is required (for instance lm and nx flags must
be prohibited). Given complexity of our CPU driver, this is not
trivial. Therefore I've chosen to forbid 32 bit guests for now.
If there's ever need, we can refine the check later.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-07-13 09:33:52 +00:00
|
|
|
-device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x1 \
|
|
|
|
-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-scsi0-0-0-0 \
|
2021-03-31 08:46:36 +00:00
|
|
|
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
|
2021-08-10 15:07:10 +00:00
|
|
|
-device virtio-balloon-pci,id=balloon0,bus=pci.2,addr=0x2 \
|
|
|
|
-msg timestamp=on
|