Pavan,

On 06/03/19 21:21, Pavan Kumar Aravapalli wrote:

> * We have CentOS flavoured qcow2 image which is used to boot Guest
>   VMs in Apache CloudStack. We are trying to enable these CentOS
>   qcow2 images with UEFI support.

I told you weeks ago to take this question to the CentOS mailing list.

https://edk2.groups.io/g/devel/message/40531

Have you done that?

Also, what prevents you from installing a CentOS guest in UEFI mode from
scratch, and using the resultant disk image as a template?

Anyway, I guess I'm going to send them a separate message, and CC you.


> * I have been struggling to secure boot Guest VM using UEFI. I have
>   enclosed my secure boot domain dumpxml [secure-vm.xml] with this mail
>   too. When I try to boot with this xml I end up with an
>   Exception. I have attached the error screenshot too.

You are using Gerd's "OVMF_CODE-pure-efi.fd" firmware binary. That
binary is not built with -D SECURE_BOOT_ENABLE. Therefore the Secure
Boot related standard UEFI variables are not available (the Secure Boot
feature is missing altogether). That's the reason EnrollDefaultKeys.efi
fails to find the SetupMode variable.


You've mentioned that your host environment is CentOS 7.6. Here's what
you should do:

- Install the latest OVMF package available in that CentOS release. (I
  think it should be
  "OVMF-20180508-3.gitee3198e672e2.el7_6.1.noarch.rpm" at the moment.)

- You already have "qemu-kvm-ev" installed, good.

- If your libvirt domain currently has a variable store file under
  "/var/lib/libvirt/qemu/nvram/", then delete that file (the domain
  should be powered off first).

- Edit your domain XML as follows (only relevant elements quoted):

  <domain type='kvm'>
    <os>
      <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
      <loader readonly='yes' secure='yes'
              type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
      <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
    </os>
    <features>
      <smm state='on'/>
    </features>
    <devices>
      <emulator>/usr/libexec/qemu-kvm</emulator>
    </devices>
  </domain>

- When you next launch this domain, the domain's private varstore file
  (under "/var/lib/libvirt/qemu/nvram/") will be re-created from the
  template specified ("/usr/share/OVMF/OVMF_VARS.secboot.fd"). The
  Secure Boot operational mode will be enabled at once, and you will not
  have to run EnrollDefaultKeys.efi manually.

Hope this helps,
Laszlo
