UEFI SecureBoot Comes To QEMU-KVM
Early support for UEFI SecureBoot is now available via qemu-kvm for messing with this troublesome technology in a virtualized world.
Before running for the hills thinking this is another attempt to thwart Linux by pushing UEFI SecureBoot into virtualized environments, this isn't the case. This early SecureBoot support in qemu-kvm comes from the Linux kernel community. In fact it's from James Bottomley, a well known kernel developer working in conjunction with the Linux Foundation.
The Linux Foundation Technical Advisory Board has been trying to get UEFI SecureBoot in qemu-kvm since real hardware relying upon this "secure" technology is still difficult to find until Windows 8 begins shipping. Bottomley built an Intel Tianocore boot system with the openSUSE Build System, discovered a gnu-efi bug, and made some other SecureBoot-related accomplishments for the benefit of Linux.
Bottomley goes on to say:
If you missed it, see what Ubuntu is doing to handle UEFI SecureBoot and the SecureBoot saga continuing.
Before running for the hills thinking this is another attempt to thwart Linux by pushing UEFI SecureBoot into virtualized environments, this isn't the case. This early SecureBoot support in qemu-kvm comes from the Linux kernel community. In fact it's from James Bottomley, a well known kernel developer working in conjunction with the Linux Foundation.
The Linux Foundation Technical Advisory Board has been trying to get UEFI SecureBoot in qemu-kvm since real hardware relying upon this "secure" technology is still difficult to find until Windows 8 begins shipping. Bottomley built an Intel Tianocore boot system with the openSUSE Build System, discovered a gnu-efi bug, and made some other SecureBoot-related accomplishments for the benefit of Linux.
Bottomley goes on to say:
The current state is that I've managed to lock down the secure boot virtual platform with my own PK and KEK and verified that I can generate signed efi binaries that will run on it (and that it will refuse to run unsigned efi binaries). Finally I've demonstrated that I can sign elilo.efi (this has to be built specially because of the bug in gnu-efi) and have it boot an unsigned linux kernel when the platform is in secure mode (I've booted up to an initrd root prompt).Find out more in this kernel mailing list message.
I'm releasing this now because interest in UEFI Secure Boot is rising, particularly amongst the Linux Distributions which don't have access to UEFI secure boot hardware, so having a virtual platform should allow them to experiment with coming up with their own solutions.
If you missed it, see what Ubuntu is doing to handle UEFI SecureBoot and the SecureBoot saga continuing.
17 Comments