[libvirt] On the content of 'nvram' section in /etc/libvirt/qemu.conf
Kashyap Chamarthy
kchamart at redhat.com
Wed Apr 17 13:44:33 UTC 2019
On Tue, Apr 16, 2019 at 05:07:30PM -0400, Cole Robinson wrote:
> On 4/16/19 12:50 PM, Kashyap Chamarthy wrote:
[...]
> > There is the /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd file (which comes
> > with the default UEFI keys enrolled).
> >
> > So, the mapping of OVMF binary to VARS file in the earlier mentioned
> > 'nvram' section should have been:
> >
> > /usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
> >
> > Yes?
> >
>
> Unfortunately the qemu.conf comment is not authoritative. I believe
> that's the default value hardcoded in libvirt, but it can also be
> changed with a build time flag, which we do for fedora. The spec file
> has this change:
>
> %if 0%{?fedora}
> # Nightly edk2.git-ovmf-x64
> LOADERS="/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd"
> # Nightly edk2.git-ovmf-ia32
> LOADERS="$LOADERS:/usr/share/edk2.git/ovmf-ia32/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-ia32/OVMF_VARS-pure-efi.fd"
> # Nightly edk2.git-aarch64
> LOADERS="$LOADERS:/usr/share/edk2.git/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2.git/aarch64/vars-template-pflash.raw"
> # Nightly edk2.git-arm
> LOADERS="$LOADERS:/usr/share/edk2.git/arm/QEMU_EFI-pflash.raw:/usr/share/edk2.git/arm/vars-template-pflash.raw"
>
> # Fedora edk2-ovmf
> LOADERS="$LOADERS:/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
> # Fedora edk2-ovmf-ia32
> LOADERS="$LOADERS:/usr/share/edk2/ovmf-ia32/OVMF_CODE.fd:/usr/share/edk2/ovmf-ia32/OVMF_VARS.fd"
> # Fedora edk2-aarch64
> LOADERS="$LOADERS:/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw:/usr/share/edk2/aarch64/vars-template-pflash.raw"
> # Fedora edk2-arm
> LOADERS="$LOADERS:/usr/share/edk2/arm/QEMU_EFI-pflash.raw:/usr/share/edk2/arm/vars-template-pflash.raw"
> %define arg_loader_nvram --with-loader-nvram="$LOADERS"
> %endif
>
> So that's 8 pairs that we look for in fedora.

Hmm, we should keep the comments in sync. Because unsuspecting users of
management tools get confused :-( I'll see if I can send a patch to
clean it up, if Michal or others don't already beat me to it.

> That default commented out
> value is probably what we use on RHEL with standard RHEL packaging

Even for RHEL it's wrong :-) Because RHEL only ships the OVMF binary
and its corresponding variable store ("VARS") file that are Secure
Boot-ready "out-of-the-box" (because it comes with UEFI keys enrolled in
it). Which are the following:

    /usr/share/OVMF/OVMF_CODE.secboot.fd
    /usr/share/OVMF/OVMF_VARS.secboot.fd

--
/kashyap
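
As an added example (not part of the original mail, and not libvirt code): a small Python check that splits a `--with-loader-nvram` style string into loader:NVRAM pairs and flags the pairing problem discussed in this thread, a `.secboot.` loader mapped to a VARS template that is not the `.secboot.` one. The function names, the filename heuristic and the sample string are assumptions made for illustration.

```python
import os


def parse_loader_nvram(value):
    """Split a colon-separated loader/NVRAM string into (loader, nvram) pairs."""
    fields = [f for f in value.split(":") if f]
    if len(fields) % 2:
        raise ValueError("odd number of paths: a loader has no NVRAM template")
    return list(zip(fields[0::2], fields[1::2]))


def is_secboot(path):
    # Heuristic (assumption): relies on the '.secboot.' naming seen in the thread.
    return ".secboot." in os.path.basename(path)


def audit(pairs, exists=os.path.exists):
    """Return a list of (kind, detail) findings for the given pairs."""
    findings = []
    for loader, nvram in pairs:
        for path in (loader, nvram):
            if not exists(path):
                findings.append(("missing", path))
        # A Secure Boot loader paired with a VARS template without enrolled keys.
        if is_secboot(loader) and not is_secboot(nvram):
            findings.append(("secboot-mismatch", loader + ":" + nvram))
    return findings


# Constructed sample: the first pair is deliberately mismatched.
SAMPLE = (
    "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:"
    "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd"
)

if __name__ == "__main__":
    # On a real host this also reports which of the listed files are absent.
    for kind, detail in audit(parse_loader_nvram(SAMPLE)):
        print(kind, detail)
```
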