I think I just solved this myself – in the qemu.conf file I see:

#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]

So in Ubuntu 20.04 there is no reference to OVMF_VARS.secure.fd for the nvram template

Gary Dixon
Senior Technical Consultant
T: +44 161 537 4990
E: v...@quadris-support.com
W: www.quadris.co.uk

The information contained in this e-mail from Quadris may be confidential and privileged for the private use of the named recipient. The contents of this e-mail may not necessarily represent the official views of Quadris. If you have received this information in error you must not copy, distribute or take any action or reliance on its contents. Please destroy any hard copies and delete this message.

From: Gary Dixon <gary.di...@quadris.co.uk.INVALID>
Sent: 19 January 2023 13:55
To: users@cloudstack.apache.org
Subject: RE: KVM host UEFI allow guest UEFI Secure boot

Thanks for all your quick responses

On our Ubuntu 20.04 hosts it appears that the OVMF files are located in "/usr/share/OVMF/" directory - however the OVMF_VARS.secboot.fd file is not there?

root@qcloud-s2-p1-c1-kvm4:~# ls -al /usr/share/OVMF/
total 4232
drwxr-xr-x   2 root root    4096 Mar  9  2022 .
drwxr-xr-x 151 root root    4096 Apr  2  2022 ..
-rw-r--r--   1 root root 1966080 Sep 20  2021 OVMF_CODE.fd
lrwxrwxrwx   1 root root      20 Sep 20  2021 OVMF_CODE.ms.fd -> OVMF_CODE.secboot.fd
-rw-r--r--   1 root root 1966080 Sep 20  2021 OVMF_CODE.secboot.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.ms.fd
-rw-r--r--   1 root root  131072 Sep 20  2021 OVMF_VARS.snakeoil.fd

Is this needed in the uefi.properties config file?

BR

Gary

-----Original Message-----
From: vas...@gmx.de
Sent: 19 January 2023 13:42
To: users@cloudstack.apache.org
Subject: Re: KVM host UEFI allow guest UEFI Secure boot

Not the direct solution but maybe some bits of information for your further efforts:

Overall description of the feature
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enable+UEFI+booting+for+Instance

User guide + example to enable secure boot
https://lab.piszki.pl/cloudstack-vm-with-vtpm-and-secure-boot-uefi/

Gitlab - Issue with further information on deploying that capability
https://github.com/apache/cloudstack/issues/4238

regards,
Chris

On Thu, 19 Jan 2023 at 14:09, Gary Dixon <gary.di...@quadris.co.uk.invalid> wrote:

> Hi everyone
>
> CS : 4.15.2
> Hypervisor: KVM
> OS: Ubuntu 20.04
>
> Apologies if this has been discussed before.
>
> We have a requirement to create Windows server templates with UEFI
> Secure boot enabled and in testing find that our instances are being
> created with Legacy BIOS enabled.
>
> I checked our KVM hosts and they have the ovmf package installed –
> however there is no uefi.properties file in the /etc/cloudstack/agent
> directory
>
> How do I enable the KVM hosts to support Cloudstack guests with UEFI
> Secure boot bios?
>
> Also will this ‘break’ all current running VMs that have the Legacy
> BIOS enabled or will they still be able to run?
>
> BR
>
> Gary
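
Added example (not part of the original thread, and not CloudStack or libvirt code): the check done by hand in the first message above, written as a script. It reads the nvram list from qemu.conf, commented out or not, and prints only the loader:template pairs whose files both exist, which is what to confirm before writing paths into uefi.properties. The /etc/libvirt/qemu.conf location, the function names and the sample tree (empty files named after the listing in the thread) are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: which firmware pairs in qemu.conf exist?

# usable_nvram_pairs CONF [ROOT]
# Print every "loader:vars" pair found in CONF whose two files both exist
# under ROOT (ROOT is empty for the live system). Commented-out entries are
# included, because the list in the thread is shown commented out.
usable_nvram_pairs() {
    local conf="$1" root="${2:-}" pair code vars
    grep -oE '"/[^":]+:/[^":]+"' "$conf" | tr -d '"' |
    while IFS= read -r pair; do
        code=${pair%%:*}    # loader image, e.g. OVMF_CODE.secboot.fd
        vars=${pair#*:}     # variable-store template for the guest
        if [ -e "$root$code" ] && [ -e "$root$vars" ]; then
            printf '%s\n' "$pair"
        fi
    done
}

# Constructed sample: a temp root holding empty files named as in the
# "ls -al /usr/share/OVMF/" listing, plus the qemu.conf excerpt.
make_sample() {
    local root d f
    root=$(mktemp -d)
    d=$root/usr/share/OVMF
    mkdir -p "$d" "$root/etc/libvirt"
    for f in OVMF_CODE.fd OVMF_CODE.secboot.fd OVMF_VARS.fd \
             OVMF_VARS.ms.fd OVMF_VARS.snakeoil.fd; do
        : > "$d/$f"
    done
    ln -s OVMF_CODE.secboot.fd "$d/OVMF_CODE.ms.fd"
    cat > "$root/etc/libvirt/qemu.conf" <<'EOF'
#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
#]
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
usable_nvram_pairs "$sample/etc/libvirt/qemu.conf" "$sample"
rm -rf "$sample"
```

On a KVM host, call usable_nvram_pairs with the real qemu.conf path and no second argument to test against the installed firmware files.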