How can I disable secure boot using virt-install cli?

Andrea Bolognani abologna at redhat.com
Wed Aug 3 16:00:30 UTC 2022 

On Wed, Aug 03, 2022 at 01:17:33PM +0800, Lucas Liu wrote:
> Hello all:
>
> I am looking for a way to disable secure boot for UEFI guests:
> In 3.2.0 I use the command blow to achieve it:
>
> # virt-install --name GuestOne --location #URL --machine q35 --vcpus=2
> --memory 4096 --file-size=20 --boot uefi --boot
> nvram.template=/usr/share/edk2/ovmf/OVMF_VARS.fd
>
> However, in 4.0.0 I cannot get the same result for this cmd
>
> Expect VM is booted with secureboot disabled. But the actual result is the
> VM is booted with secureboot enabled.
>
> # mokutil --sb-state
> SecureBoot enabled
>
> ...
> <os>
>     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
>     <loader readonly='yes' secure='no'
> type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
>     <nvram
> template='/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/rhel9_VARS.fd</nvram>
>     <boot dev='hd'/>
>   </os>
> ...
>
> It seems it still creates guests with
> "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" as the nvram template.

This should do what you want:

  --boot uefi,firmware.feature0.name=enrolled-keys,firmware.feature0.enabled=no,firmware.feature1.name=secure-boot,firmware.feature1.enabled=yes

A bit of a mouthful, I know :) The equivalent XML snippet would be

  <os firmware='efi'>
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
  </os>

See https://libvirt.org/kbase/secureboot.html for additional
information.

Note that asking for the 'secure-boot' feature to be enabled should
not be necessary, but if you don't specify that your VM will, at
least on Fedora, end up using the OVMF_CODE.cc.fd build intended for
Confidential Computing instead of the general purpose one. Things
might work regardless, but it's probably safer to use
OVMF_VARS.secboot.fd instead. I'll update the kbase entry to include
this information shortly.

-- 
Andrea Bolognani / Red Hat / Virtualization

More information about the virt-tools-list mailing list