OVMF: Difference between revisions
m (fix typo in Gerd's name)
(Gerd's packages now enable win2k8r2sp1 to work out of the box)
Revision as of 07:33, 20 June 2013
Intro
OVMF "is a project to enable UEFI support for Virtual Machines". This page tries to give yet another mini-howto about playing with OVMF boot firmware in qemu-kvm virtual machines plus libvirt, deferring heavily to the TianoCore upstream wiki. Do mercilessly edit any inaccuracies or wrong statements.
This page is written as of edk2 svn rev 14423 (virtio-blk, virtio-scsi and virtio-net are supported, and several guests boot with, and recognize, Secure Boot). For using OVMF directly with the qemu command line, refer to the README; this page tries to detail OVMF usage under (RHEL-6.4) libvirt.
The recommended way for testing OVMF is installing Gerd Hoffmann's RPM packages from his repo at http://www.kraxel.org/repos/, using yum. (The package to install is edk2.git-ovmf-x64; yum will pull in several dependencies from the repo.)
The firmware images are located in the /usr/share/edk2.git/ovmf-x64 directory. OVMF-pure-efi.fd is a "pure UEFI" image, while OVMF-with-csm.fd includes the Compatibility Support Module (CSM) build of SeaBIOS. bios.bin is a symlink to the latter. Both images support Secure Boot.
Building from source
Clone either the main SVN repository (git svn recommended) or one of the git mirrors listed in the TianoCore wiki.
Frequent rebuilds
For developers it is recommended to create a branch called base_config or something similar off the master branch (in the git svn or plain git clone), capture the config steps described here in commits (including setting up a reasonable .gitignore file), and keep rebasing base_config after git svn rebase --use-log-author / git pull commands. Fork/rebase your own development branches off/to base_config.
The very first time you build the tree, and after git clean -fdx commands, you must (re)build BaseTools with make -C "$EDK_TOOLS_PATH". (You're going to have that variable set in your environment after sourcing edksetup.sh in the root project dir; see the TianoCore Wiki again.)
One-off builds
OvmfPkg/build.sh takes care of BaseTools, configuration (according to command line options) and the main build. One potentially useful option is -n THREADNUMBER, which enables parallel make.
-D FLAG options control optional build features/aspects; among other things, the verbosity of OVMF's debug log. Consult OvmfPkg/build.sh, OvmfPkg/README, the OvmfPkg/*.dsc and OvmfPkg/*.fdf files, and Gerd's SRPMs.
Using the firmware image with libvirt
The boot firmware is set in the domain XML file under the /domain/os/loader element.
Neither virt-manager nor virt-install seem to expose this XML node on RHEL-6.4. The following list of commands is one workaround. The EMULATOR bit is discussed later -- it is useful to have a wrapper script in place, between libvirt and qemu, to add custom options.
# "configuration"
NAME=set_guest_name_here
INSTALL_ISO=/full/path/to/install/iso
DRIVER_ISO=/full/path/to/virtio/driver/iso
EMULATOR=/full/path/to/emulator
LOADER=/full/path/to/OVMF.fd

# create a domain XML template for guest installation:
# - 4 VCPUs, 4G RAM
# - virtio target disk, 25 GB in size
# - first IDE CD-ROM has install disk
# - second IDE CD-ROM has virtio driver disk
#   (should only be necessary for proprietary guests without built-in drivers)
TARGET_DISK=/var/lib/libvirt/images/"$NAME".img
virt-install \
  --connect=qemu:///system \
  --name="$NAME" \
  --ram=4096 \
  --arch=x86_64 \
  --machine=rhel6.4.0 \
  --vcpus=4 \
  --boot=cdrom,hd \
  --disk=path="$TARGET_DISK",size=25,bus=virtio,format=qcow2 \
  --disk=path="$INSTALL_ISO",device=cdrom,bus=ide,perms=ro,format=raw \
  --disk=path="$DRIVER_ISO",device=cdrom,bus=ide,perms=ro,format=raw \
  --print-step=1 \
| xmlstarlet ed -u /domain/devices/emulator -v "$EMULATOR" \
                -s /domain/os -t elem -n loader -v "$LOADER" \
> template.xml

# Import the template to libvirt
virsh define template.xml

# Now customize the guest further with "virsh edit" or inside virt-manager,
# then start the installation.
For a virtio-scsi disk, apply the following changes:
- in the TARGET_DISK specification, replace bus=virtio with bus=scsi,
- append the following options to the xmlstarlet command line:
  -s /domain/devices -t elem -n controller -v '' \
  -s /domain/devices/controller -t attr -n type -v scsi \
  -s /domain/devices/controller -t attr -n model -v virtio-scsi \
qemu wrapper script under libvirt
Libvirt (and its frontends, e.g. virsh and virt-manager) provide a convenient way to manage virtual machines. However, some qemu command line options that would otherwise prove useful are not directly exposed (at least not on a RHEL-6.4 host). A script that wraps qemu and plays the emulator role for libvirt allows extra flexibility. On the other side of the coin, it may introduce extra confusion, so use with care.
The full path to the wrapper script is specified in the /domain/devices/emulator element of the libvirt guest XML.
On an SELinux enabled system, the script's context should be set to that of the wrapped emulator binary. See chcon --reference.
(Needless to say, never use a wrapper script in production.)
An example script follows.
#!/bin/bash
set -e -C -u

# Operating modes:
# - AD_HOC: use local OVMF & SeaVGABIOS build, ignore iPXE roms,
# - AD_HOC_IPXE: same, but make use of ad-hoc iPXE roms,
# - KRAXEL_RPMS: use Kraxel's RPMs whole-sale
MODE=KRAXEL_RPMS

# Location of ad-hoc ROMs.
AD_HOC_PATH=/home/virt-images

# Root installation directory of Kraxel's RPMs.
KRAXEL_PATH=/usr/share/edk2.git/ovmf-x64

# Whether to load extra SMBIOS tables.
SMBIOS_EXTRA=0

# Argument array constructed for qemu-kvm.
NEW_ARGS=()
append()
{
  for I in "$@"; do
    NEW_ARGS[${#NEW_ARGS[@]}]=$I
  done
}

# -vga cirrus found in AD_HOC* modes
AD_HOC_CIRRUS=0

# -name XXX found; XXX saved in $NAME
NAME=

# previous argument processed
LAST=

for ARG in "$@"; do
  if [ x-vga = x"$LAST" ] && [ cirrus = "$ARG" ] \
     && ([ AD_HOC = "$MODE" ] || [ AD_HOC_IPXE = "$MODE" ]); then
    AD_HOC_CIRRUS=1
    append "$ARG"
  elif [ x-device = x"$LAST" ] && [ AD_HOC_IPXE = "$MODE" ]; then
    case "$ARG" in
      (e1000*)          append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-e1000.rom" ;;
      (ne2k_pci*)       append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-ne2k_pci.rom" ;;
      (pcnet*)          append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-pcnet.rom" ;;
      (rtl8139*)        append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-rtl8139.rom" ;;
      (virtio-net-pci*) append "$ARG,romfile=$AD_HOC_PATH/efi-roms/efi-virtio.rom" ;;
      (*)               append "$ARG" ;;
    esac
  elif [ x-bios = x"$LAST" ] && [ KRAXEL_RPMS = "$MODE" ]; then
    # Override the loader from the guest XML with Kraxel's bios.bin,
    # and point qemu's ROM search path at the same package directory.
    append "$KRAXEL_PATH/bios.bin" -L "$KRAXEL_PATH"
  elif [ x-name = x"$LAST" ]; then
    NAME=$ARG
    append "$ARG"
  else
    append "$ARG"
  fi
  LAST=$ARG
done

# Static options are only added when libvirt actually starts a guest
# (-name present), not when it invokes the emulator for XML validation.
if [ -n "$NAME" ]; then
  append -debugcon file:/tmp/"$NAME".debug -global isa-debugcon.iobase=0x402 \
         -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0
  if [ 0 -ne $SMBIOS_EXTRA ]; then
    append -smbios file=$AD_HOC_PATH/smbios/type3
  fi
  if [[ x"$NAME" = xovmf.win2k8* ]] && [ 0 -ne $AD_HOC_CIRRUS ]; then
    append -global cirrus-vga.romfile=$AD_HOC_PATH/vgabios-cirrus.csm.bin
  fi
fi

exec /usr/libexec/qemu-kvm "${NEW_ARGS[@]}"
This particular script accounts for libvirt invoking the emulator in two forms. XML validation after virsh edit seems to invoke the emulator for verification purposes only, without the -name option. In this case no debug file should be created / rewritten, plus other static options are useless. When libvirt starts the guest, the -name option is present, the script constructs the logfile's name from the corresponding option-argument, and adds some extra static options.
In more detail, the script supports three "operating modes".
- The KRAXEL_RPMS mode is the recommended one for qemu-1.5+. This mode overrides the /domain/os/loader element of the guest XML, and uses the OVMF firmware and any other required files from Gerd's package. Notably, EFI drivers for the emulated / virtio NICs from the iPXE project will be available in the guest as option ROMs.
- The AD_HOC mode serves development purposes. It disables any iPXE NIC drivers on qemu versions under 1.5 (so that the built-in VirtioNetDxe driver can be tested), lets /domain/os/loader (= custom OVMF build) take effect, and specifies a custom SeaVGABIOS binary for Windows 2008 R2 guests (based on their name). The Windows 2008 R2 guest is discussed below some more.
- The AD_HOC_IPXE mode is the same, a development helper, except it gives priority to custom iPXE NIC drivers. (Consult OvmfPkg/README for networking options.)
The static options enable S3/S4 in RHEL-6.4 qemu, and set the location of OVMF's debug log.
On an SELinux enabled system, a new instance of the same guest will be seclabelled differently from the previous instance, and will fail to overwrite the debug log produced by the previous instance. This could be worked around perhaps by reconfiguring libvirt's labelling practices for the guest, or changing the SELinux profile, or (horribile dictu) flipping SELinux to permissive. Removing the debug file manually before starting the next instance of the guest is simplest.
Tested guest OS'en
- Fedora 18 (XFCE spin tested). When Fedora 18 was released, it co-operated with, and recognized Secure Boot. However some time later the signature verification algorithm changed in TianoCore, and currently OVMF doesn't accept the signatures on Fedora 18 shim. (Fedora 18 works fine on top of OVMF otherwise, when Secure Boot is disabled.)
- Fedora 19 (XFCE spin tested). It supports Secure Boot on current OVMF. See Red Hat Bugzilla 963361 comment 9 and subsequent comments for the setup. In order to transfer certificates from host to guest (for key enrollment), it is recommended to prepare a disk image with a libguestfs utility, like guestfish or guestmount, and attach it to the virtual machine.
- RHEL-6.3 and RHEL-6.4. The grub-efi releases in these RHEL-6 minor releases don't support booting from a virtio-blk disk. Virtio-scsi is supported however (see libvirt XML configuration above). Grub-efi in a future RHEL-6 minor release should hopefully support virtio-blk as well, see Red Hat Bugzilla 916016.
- Windows 8. In order to test Secure Boot, enroll the keys from James Bottomley's blog (http://blog.hansenpartnership.com/the-microsoft-keys/), start PowerShell as an administrator (http://msdn.microsoft.com/en-us/library/windows/desktop/hh847889.aspx), then verify Secure Boot (http://communities.intel.com/community/vproexpert/blog/2012/06/26/microsoft-windows-8--enabling-secure-boot).
- Windows Server 2012, reportedly.
- Windows Server 2008 R2 SP1. This guest has a bug (it requires VGA BIOS support even when booted by UEFI firmware). Thankfully, David Woodhouse and Kevin O'Connor implemented a Compatibility Support Module (CSM) for SeaBIOS. Some out-of-tree patches (as of now) are needed for OVMF from http://git.infradead.org/users/dwmw2/edk2.git/; they are included in Gerd's packages and this guest boots fine with them.