Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#59465 - [ovmf] compile with secure boot feature

Attached to Project: Arch Linux
Opened by Frank (fau) - Friday, 27 July 2018, 15:58 GMT
Last edited by Eli Schwartz (eschwartz) - Sunday, 14 October 2018, 04:33 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Thomas B├Ąchler (brain0)
Anatol Pomozov (anatolik)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No



Turn on compile time flag "-D SECURE_BOOT_ENABLE" to enable secure boot feature. Example build instructions can be found here:,-KVM-and-libvirt

NOTE: Do not enable "-D SMM_REQUIRE" though! In my test build it made qemu failed to start. I don't know what the requirements are for SMM.

NOTE: Follow instructions as given in the edk2 git tree to include openssl as a submodule:

Having secure boot feature in ovmf would allow one to exercise secure boot and tools.

Additional info:
* package version(s)
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Sunday, 14 October 2018, 04:33 GMT
Reason for closing:  Implemented
Additional comments about closing:  ovmf 1:r24601.6861765935-1
Comment by Anatol Pomozov (anatolik) - Wednesday, 01 August 2018, 20:20 GMT
Looking at the Fedora build script I see that they enable 3 flags for the secureboot feature: SECURE_BOOT_ENABLE SMM_REQUIRE EXCLUDE_SHELL_FROM_FD.

Would EXCLUDE_SHELL_FROM_FD be useful for us as well?
It is great to clarify why SMM_REQUIRE does not work.
Comment by Frank (fau) - Thursday, 02 August 2018, 04:42 GMT
I did not really try hard to find out why SMM_REQUIRE didn't work for me.

It might be that I started qemu with parameters not compatible with the SMM feature. I found some more info here:

I will have to try it again and see if that works for me.
Comment by Anatol Pomozov (anatolik) - Saturday, 25 August 2018, 02:51 GMT
Hi Frank had you chance to digg into it?

I am looking at the instructions you mentioned (,-KVM-and-libvirt) and it mentions following build parametes
Comment by Frank (fau) - Saturday, 25 August 2018, 03:25 GMT
Haven't had a look again at this. Will give it a try in the next days.
Comment by Anatol Pomozov (anatolik) - Saturday, 25 August 2018, 04:45 GMT
I see similar boot issue with -DSMM_REQUIRE. With this flag I see the boot hangs and QEMU eats 3 cores. Removing SMM_REQUIRE allows to compile working secure boot firmware.
Comment by Anatol Pomozov (anatolik) - Saturday, 25 August 2018, 04:49 GMT
Alright, I pushed a new ovmf package to [testing]. It enables secure boot, TPM2, IP6. Please check if it matches your needs.

It would be great to resolve the issue with SSM_REQUIRE as well.
Comment by Frank (fau) - Saturday, 25 August 2018, 04:54 GMT
Thanks, I'll try it tomorrow.

The README ( states a couple of things how to start qemu to get SMM to work with qemu.

I will also try it with SMM_REQUIRE again and following those instructions to see if it works then.

EDIT: typo
Comment by Frank (fau) - Saturday, 25 August 2018, 16:03 GMT
I tested ovmf form [testing] and secure boot works for me.

If you want you can close this now.

Comment by Frank (fau) - Sunday, 26 August 2018, 04:11 GMT

I further investigated why that SMM_REQUIRE doesn't work. I got it to work now and attached a patch for the PKGBUILD [testing].

You will notice in the patch: "-a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc". I chose that config based on what is written here:,-KVM-and-libvirt#install-ovmf-from-source

QUOTE: We build the Ia32 (32-bit PEI and DXE) and Ia32X64 (32-bit PEI, 64-bit DXE) OVMF platforms because they support ACPI S3 suspend/resume and SMM at the same time. S3 is a demanding use case for the SMM infrastructure, therefore we should enable this combination.

QUOTE: The X64 build of OVMF does not support the same yet (UefiCpuPkg/Universal/Acpi/S3Resume2Pei forces OVMF to choose between S3 and SMM). Thankfully, the PEI bitness is entirely irrelevant to guest OSes, thus the Ia32X64 platform can be used identically, as far as OS-facing functionality is concerned.

So there's no harm using 32bit PEI/DXE on 64bit hosts (that's how I understand this).

If we build with "-a X64 -p OvmfPkg/OvmfPkgX64.dsc" then S3 suspend/resume has to be explicitly disabled on the qemu command line via "-global ICH9-LPC.disable_s3=1" otherwise qemu will hang.

Further, SMM_REQUIRE requires that qemu is started with the q35 machine type and other settings which are documented here:

To summarize it, you have to start qemu like this:
-machine type=q35,smm=on,accel=kvm
-global driver=cfi.pflash01,property=secure,value=on
-global ICH9-LPC.disable_s3=0
-drive if=pflash,format=raw,unit=0,file=${ovmf_code},readonly
-drive if=pflash,format=raw,unit=1,file=${ovmf_vars}

ovmf_code would be set to /usr/share/ovmf/x64/OVMF_CODE.fd
and ovm_var would be set to a copy of /usr/share/ovmf/x64/OVMF_VARS.fd.

I'm not sure what release is targeted in the PKGBUILD. May I suggest we target the latest stable release, here's the announcement:

I also tried to compile with the newest openssl lib but it fails for me so I guess we have to go with what openssl-1.1.0h as it is right now.
Comment by Frank (fau) - Sunday, 26 August 2018, 05:14 GMT
I cleaned up PKBUILD further and attached it.

It uses the latest stable release as announced here:

All options are activated, same as in the Fedora build.

I tested the build with qemu and secure boot works for me.

Comment by Anatol Pomozov (anatolik) - Monday, 27 August 2018, 20:25 GMT
Fedora builds 2 flavors of ovmf firmware files - one 64bit without secure boot support, another is 64x32 with secure boot support (files OVMF_CODE.fd and OVMF_CODE.secboot.fd). Is it something we want to follow? Or should we just have one unified firmware with secboot support by default?
Comment by Frank (fau) - Monday, 27 August 2018, 21:05 GMT
I think two flavors would be nice.

A build without SB (secure boot) is straightforward to use with qemu.

And a build with SB+SMM_REQUIRE would provide a full featured SB environment.

We could still opt for leaving out SMM_REQUIRE (due to the requirement it imposes on the qemu setup). However, now that we have confirmed it works with SMM_REQUIRE I'd include that.
Comment by Anatol Pomozov (anatolik) - Tuesday, 28 August 2018, 20:40 GMT
Introducing a new secureboot firmware file is a bigger change that I am willing to do now. I'll probably wait until there will be need from our users for SMM feature.

For now I am going to release fw with secureboot but without SMM support. And SMM request should go to a separate bug if needed.

Frank, are you OK with it?
Comment by Frank (fau) - Tuesday, 28 August 2018, 22:26 GMT
Sounds good to me.