Experiencing Secure Boot in a Virtual Environment

Preview

In this article, we are going to build an environment that lets us experiment with some features related to Secure Boot. The main reason to train in a virtual environment while playing with tricky commands is that you can break anything you want. If bad things happen, reinstall a virtual environment in less than 5 minutes!

If you are asking yourself why you should follow this article, the answer is: VirtualBox doesn't implement Secure Boot.

If you do not yet have an ISO to run, download one while you follow this article.

Prerequisite

In order to reproduce the following steps, you will have to boot a Linux system, and you will need root access for some commands.

We assume that you have some experience with git or with the package manager on your system.

Virt-manager

When you can't use VirtualBox or VMware because neither implements features such as Secure Boot, you need to find a way to work around this issue.

For us, this solution is called QEMU KVM. We can manage virtual environments based on QEMU KVM with virt-manager, or with a great toolbox of CLI programs such as

  • virt-install
  • virt-viewer
  • virt-ls
  • ...

QEMU KVM works hand in hand with libvirt, which is a library for managing virtualization solutions.

Installation

First check whether you have the libvirt package; if it is not installed yet, it should be available via your package manager.

Then I advise you to install virt-manager (https://virt-manager.org/).

# yum install virt-manager (Fedora)
# apt-get install virt-manager (Debian)
# emerge virt-manager (Gentoo)
# pkg_add virt-manager (OpenBSD)

CLI tools such as virt-install can be installed separately from the package manager.

OVMF

At this point you should be able to launch a minimal virtual system, but there are a few more steps to complete before you get Secure Boot.

If the OVMF package is already on your machine, it should be located at /usr/share/edk2/ovmf; otherwise you can refer to the Tianocore repo at https://github.com/tianocore/edk2/tree/master/OvmfPkg .

Once you are in the directory, you should see the following files:

[pfontaine@precision ovmf]$ ls -l
total 6840
-rw-r--r--. 1 root root   17344 10 nov.  09:11 EnrollDefaultKeys.efi
-rw-r--r--. 1 root root 1966080 10 nov.  09:01 OVMF_CODE.fd
-rw-r--r--. 1 root root 1966080 10 nov.  09:11 OVMF_CODE.secboot.fd
-rw-r--r--. 1 root root  131072 10 nov.  09:01 OVMF_VARS.fd
-rw-r--r--. 1 root root  131072 10 nov.  09:11 OVMF_VARS.secboot.fd
-rw-r--r--. 1 root root  937792 10 nov.  09:11 Shell.efi
-rw-r--r--. 1 qemu qemu 1849344 10 nov.  09:11 UefiShell.iso

QEMU

We're getting close to the final step: we now need to configure QEMU and tell it to use OVMF_CODE.secboot.fd!

To do that, edit the qemu configuration file.

sudo vim /etc/libvirt/qemu.conf # or use nano

Find the option described as "Location of master nvram file" and write:

nvram = [
   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd"
]

To apply the modification, run:

sudo systemctl restart libvirtd

Setup and create your virtual machine

The following command will set up a virtual machine with a basic configuration that you may change.

There are more options for building something more complex, but you will find your machine in the graphical interface of virt-manager, and this program will let you manage more things such as network, virtual CPUs, memory...

sudo virt-install \
    --name secboot_os \
    --ram 2048 --disk size=20 \
    --boot uefi \
    --location ./CentOS-7-x86_64-DVD-1810.iso

And after?

If you want access to the EFI shell, you will have to boot /usr/share/edk2/ovmf/UefiShell.iso on your virtual machine.

Press Escape when you see the 'Tianocore' splash screen.
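
To confirm from inside the guest that Secure Boot is really enforced, the following added example (not part of the original article) reads the standard SecureBoot and SetupMode UEFI variables from efivarfs. The EFIVARS override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the Secure Boot state of a UEFI guest via efivarfs.
# Run inside the guest. EFIVARS (an assumption of this example) can be
# overridden to point at a copy of the efivars directory.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivarfs files hold 4 bytes of attributes followed by the variable data.
# Print the first data byte as a decimal number; fail if the file is absent.
efivar_byte() {
    f="$EFIVARS/$1-$GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Print one of: no-uefi, enforcing, setup-mode, disabled, unknown
secureboot_state() {
    [ -d "$EFIVARS" ] || { echo no-uefi; return; }
    sb=$(efivar_byte SecureBoot) || sb=
    sm=$(efivar_byte SetupMode) || sm=
    if [ "$sb" = 1 ]; then
        echo enforcing      # signatures are checked at boot
    elif [ "$sm" = 1 ]; then
        echo setup-mode     # no platform key enrolled yet
    elif [ "$sb" = 0 ]; then
        echo disabled       # keys enrolled, enforcement switched off
    else
        echo unknown        # variables missing or unreadable
    fi
}

secureboot_state
```

A result of setup-mode means the firmware supports Secure Boot but no platform key is enrolled, so nothing is being verified yet; no-uefi means the guest was not booted through UEFI at all.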
