17. Miscellaneous

17.1. Error Report

In case of errors or technical questions, you can generate an error report that collects various pieces of system information. This report can be sent to the acontis technical support for further investigation.

Run the following command to create the error report:

hv_gen_error_report

17.2. KVM Guests with SecureBoot

17.2.1. UEFI and Legacy BIOS

17.2.2. UEFI

17.2.2.1. What is SecureBoot

Secure Boot is an interface between the UEFI firmware and the operating system. When Secure Boot is enabled, it prevents unsigned boot loaders or drivers from being loaded.

Read More: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

17.2.2.2. Preparing keys for SecureBoot

The central key in Secure Boot is the platform key (PK). It establishes the relationship between the platform owner and the platform firmware. The PK is a self-signed certificate owned by the OEM.

Another important key is the Key Exchange Key (KEK). This key is obtained from an OS vendor (for example Microsoft) and is used to establish a trust relationship between the firmware and the OS.

Generating the platform key:

openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 365 -out PK.crt
Generating a 2048 bit RSA private key
....+++
.+++
writing new private key to 'PKpriv.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Munic
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Beer Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: BayernBeer
Email Address []:

OVMF supports keys in DER format only, so the certificate must be converted:

openssl x509 -in PK.crt -outform der -out PK.der

Download the Key Exchange Key (KEK) certificate: MicCorKEKCA2011_2011-06-24.crt https://go.microsoft.com/fwlink/p/?linkid=321185

Download the Signature Database (db) certificate that allows Windows to boot: MicWinProPCA2011_2011-10-19.crt https://go.microsoft.com/fwlink/?LinkId=321192

Download the Microsoft signer certificate for third-party UEFI binaries (DevCenter): MicCorUEFCA2011_2011-06-27.crt https://go.microsoft.com/fwlink/p/?LinkID=321194
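As an added example (not from this manual), the following POSIX shell functions perform the PK generation above non-interactively and add the checks worth running before enrollment: that the DER file parses as a certificate, that the PK is self-signed, and the SHA-256 fingerprint of any DER certificate so a downloaded KEK or db certificate can be compared against the value its issuer publishes. The function names, the output-directory argument and the default subject are assumptions; the default subject reuses the sample DN typed in the session above.

```shell
#!/bin/sh
# Added example, not acontis code. Paths, function names and the default
# subject are constructed for illustration.
set -eu

# Generate a self-signed PK (PEM) and convert it to DER, which OVMF requires
# for enrollment. $1 = output directory, $2 = optional subject (DN).
gen_pk() {
    dir=$1
    subj=${2:-"/C=DE/ST=Bayern/L=Munic/O=Beer Inc/CN=BayernBeer"}   # sample DN from the manual
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/PKpriv.key" \
        -x509 -days 365 -subj "$subj" -out "$dir/PK.crt" 2>/dev/null
    # Whoever holds PKpriv.key can replace the KEK later; keep it off the guest.
    chmod 600 "$dir/PKpriv.key"
    openssl x509 -in "$dir/PK.crt" -outform der -out "$dir/PK.der"
}

# Confirm a DER file parses as an X.509 certificate and print its subject.
der_subject() {
    openssl x509 -inform der -in "$1" -noout -subject
}

# SHA-256 fingerprint (colon-separated hex) of a DER certificate, to compare
# downloaded KEK/db certificates with the issuer's published value.
der_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# A PK must verify against itself; returns non-zero otherwise.
pk_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Run `gen_pk keys` to produce `keys/PK.crt`, `keys/PKpriv.key` and `keys/PK.der`, then `der_fingerprint MicCorKEKCA2011_2011-06-24.crt` on each downloaded certificate before copying it into the `hda` directory.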

17.2.2.3. Building OVMF with SecureBoot support

By default, OVMF is built without SecureBoot support.

So it is recommended to fetch this project from its repository and build OVMF yourselves.

Install required packages:

sudo apt-get install build-essential git uuid-dev iasl nasm -y

git clone git://github.com/tianocore/edk2.git
cd edk2

Prepare build tools:

git submodule update --init
make -C BaseTools
. edksetup.sh
make -C ./BaseTools
export EDK_TOOLS_PATH=$PWD/BaseTools
. edksetup.sh BaseTools

Edit Conf/target.txt:

ACTIVE_PLATFORM = OvmfPkg/OvmfPkgX64.dsc
TARGET_ARCH = X64
TOOL_CHAIN_TAG = GCC5

Build OVMF with SecureBoot support:

OvmfPkg/build.sh \
    -a IA32 -a X64 \
    -D SMM_REQUIRE -D SECURE_BOOT_ENABLE \
    -D FD_SIZE_2MB -D EXCLUDE_SHELL_FROM_FD

Binaries can be found in the Build directory.

17.2.2.4. Embedding SecureBoot keys to OVMF

Create an OVMF-SecureBoot directory and copy Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd and Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd into it.

Create a hda subdirectory and copy all generated and downloaded keys to this subdirectory.

Run qemu:

cd OVMF-SecureBoot
qemu-system-x86_64 -L . \
    -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd \
    -drive if=pflash,format=raw,file=OVMF_VARS.fd \
    -hda fat:hda \
    -net none

After booting you land in the UEFI shell. Type exit to get to the firmware setup menu.

  1. Go to Device Manager / Secure Boot Configuration / Secure Boot Mode and change from Standard Mode to Custom Mode.

  2. PK Options / Enroll PK / Enroll PK Using File and choose PK.der

  3. KEK Options / Enroll KEK / Enroll KEK Using File and choose MicCorKEKCA2011_2011-06-24.crt

  4. DB Options / Enroll Signature / Enroll Signature Using File and choose MicWinProPCA2011_2011-10-19.crt

  5. Repeat last step and choose MicCorUEFCA2011_2011-06-27.crt

Secure Boot Mode should now be shown as Enabled.

Exit the firmware setup and shut down the machine.
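To confirm from inside a Linux guest that the enrollment actually took effect, this added example (not part of the manual) reads the SecureBoot and SetupMode variables through efivarfs: SecureBoot must be 1 and SetupMode must be 0, since a firmware without an enrolled PK stays in setup mode and does not enforce signatures. It assumes a Linux guest with efivarfs mounted at /sys/firmware/efi/efivars (the EFIVARS variable overrides the path for testing); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not acontis code. Assumes efivarfs is mounted at EFIVARS.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# efivarfs prefixes each variable's data with a 4-byte attribute word; the
# SecureBoot and SetupMode variables hold a single byte after that.
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# 0 if Secure Boot is enforcing, 1 if disabled, 2 if the variable is absent
# (legacy BIOS boot, or efivarfs not mounted).
secureboot_state() {
    f="$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 2
    [ "$(efivar_byte "$f")" = "1" ]
}

# 0 if the firmware is still in setup mode (no PK enrolled), 1 if in user
# mode, 2 if the variable is absent.
setup_mode() {
    f="$EFIVARS/SetupMode-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 2
    [ "$(efivar_byte "$f")" = "1" ]
}

# Print a one-line verdict; returns 0 only when both conditions hold.
report() {
    if secureboot_state && ! setup_mode; then
        echo "Secure Boot: enabled (user mode, PK enrolled)"
    else
        echo "Secure Boot: NOT enforcing"
        return 1
    fi
}
```

Run `report` in the guest after the enrollment; `mokutil --sb-state`, where available, reads the same variable.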