Secureboot is broken on patched EDK2 #30

Open
Stan805 opened this issue Jan 13, 2025 · 4 comments
Comments

@Stan805

Stan805 commented Jan 13, 2025

So I wanted to reset my Windows VM due to clutter (it already uses the patched EDK and QEMU, as well as the provided XML base template), so I attached the ISO and tried to install again, only to be presented with the Windows 11 compatibility error. I boot into the boot menu of the VM, and when I try to enable secureboot, I can't, because for some reason it is grayed out completely. I can't toggle it.

I tried making a brand new VM without the XML changes, and I kept it as default as possible, where the only thing I did was select customize before install and in the Q35/UEFI dropdown select the custom patched .secboot.fd file, and got the same result: secureboot was grayed out. I then tried to remake that test VM, but this time instead selecting the stock OVMF.secboot.fd file, and on that one secureboot was not only not grayed out, but also enabled by default.

Here is the firmware section in my main VM's XML using the QEMU and EDK2 patches:

  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-9.1">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd</loader>
    <nvram template="/usr/local/share/edk2/x64/OVMF_VARS.edk2-stable202411.fd">/var/lib/libvirt/qemu/nvram/Windows11_VARS.fd</nvram>
    <smbios mode="host"/>
  </os>

Here is my testing VM with patched QEMU and patched EDK:

  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-9.2">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd</loader>
    <nvram template="/usr/local/share/edk2/x64/OVMF_VARS.edk2-stable202411.fd">/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>

Here is my testing VM using patched QEMU, but unpatched EDK, where secureboot works:

  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-9.2">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template="/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd">/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>

Using patched EDK, completely unable to select /usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd:
[screenshot]

Unpatched EDK /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd:
[screenshot]

I put the issue through GPT and this is what it said. Don't know how correct it is, but I'll throw it out there:

Root Problem: The script builds OvmfPkgX64.dsc, but the patch modifies BhyveX64.dsc. As a result, the patch is only partially applied.
Solution: Either switch the build to BhyveX64.dsc or remove the Bhyve changes from the patch if you want to keep building OvmfPkgX64.dsc.
@Scrut1ny
Owner

When you pick UEFI this is an auto selection mode which will result in this:
[screenshots]

It will add the firmware="efi" which will mess shit up, you need to pick one of the 2 x64 options.
[screenshots]

Now there is no firmware="efi" string messing stuff up. You just have to manually edit the directory path to the patched EDK2 firmware.

@Stan805
Author

Stan805 commented Jan 13, 2025

When you pick UEFI this is an auto selection mode which will result in this: image image

It will add the firmware="efi" which will mess shit up, you need to pick one of the 2 x64 options. image image

Now there is no firmware="efi" string messing stuff up. You just have to manually edit the directory path to the patched EDK2 firmware.

So like this?

  <os>
    <type arch="x86_64" machine="pc-q35-9.1">hvm</type>
    <loader readonly="yes" secure="yes" type="pflash">/usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/Windows11_VARS.fd</nvram>
  </os>

[screenshot]

The closest unpatched one I have is the highlighted one in the screenshot, but it still by default adds the EFI line, but secureboot has no issues working on that one. It's when I try to use the patched one it blocks out secureboot, even after I manually modified it to how yours looks.

@Stan805
Author

Stan805 commented Jan 15, 2025

Update:

I tried building from source without the patch and came to the same result, where secure boot was grayed out. I then did a bit of research and it looks like secure boot keys need to be generated and added into the EDK2 build.

I'm gonna try that and hope it works.

@Stan805
Author

Stan805 commented Jan 17, 2025

@Scrut1ny Can you please include the Microsoft UEFI secureboot keys, most importantly the platform key, in your EDK build script when you update it?

Cause IDK man.. I'm at a complete loss. I've tried building EDK2 with the Microsoft certs, but that never built correctly. I've tried downloading them from their GitHub repo and setting up secureboot with them, but with those for some reason Windows won't boot because the bootloader says access denied, even though they are directly from Microsoft. I've even tried extracting them from the prebuilt EDKs that come with my distro, only for the same result. I'm at a complete loss.

If you have a way of fixing this please let me know.

Also for the record, this is the repo I tried getting the certs from: Microsoft Secureboot Objects
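The thread points at two separate causes for the grayed-out Secure Boot toggle: the maintainer's note that `firmware="efi"` auto-selection fights a hand-edited loader path, and the later finding that the VARS image has to carry enrolled PK/KEK/db keys. The checker below, example code added here and not part of this repo, parses a libvirt `<os>` block and reports both problems plus the stray newline inside `<nvram>`; the `.secboot.fd` VARS template name in the fixed sample is an assumed name for a VARS image with keys enrolled, and the key-presence check is a filename heuristic, not an inspection of the variable store.

```python
"""Flag the Secure Boot pitfalls from this issue in a libvirt <os> block.
Example added to the thread; not code from the Scrut1ny project."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the "patched EDK" block from the issue, pasted as-is.
SAMPLE_OS = """
<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-9.1">hvm</type>
  <firmware>
    <feature enabled="yes" name="enrolled-keys"/>
    <feature enabled="yes" name="secure-boot"/>
  </firmware>
  <loader readonly="yes" secure="yes" type="pflash">/usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd</loader>
  <nvram template="/usr/local/share/edk2/x64/OVMF_VARS.edk2-stable202411.fd">/var/lib/libvirt/qemu/nvram/Windows11_VARS.fd
  </nvram>
</os>
"""

# Constructed "fixed" block: no firmware="efi", manual loader, and a VARS
# template whose name is ASSUMED here to denote an image with keys enrolled.
FIXED_OS = """
<os>
  <type arch="x86_64" machine="pc-q35-9.1">hvm</type>
  <loader readonly="yes" secure="yes" type="pflash">/usr/local/share/edk2/x64/OVMF_CODE.edk2-stable202411.secboot.fd</loader>
  <nvram template="/usr/local/share/edk2/x64/OVMF_VARS.edk2-stable202411.secboot.fd">/var/lib/libvirt/qemu/nvram/Windows11_VARS.fd</nvram>
</os>
"""

def check_os_block(xml_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    os_el = ET.fromstring(xml_text.strip())
    loader, nvram = os_el.find("loader"), os_el.find("nvram")
    loader_path = (loader.text or "").strip() if loader is not None else ""
    nvram_text = (nvram.text or "") if nvram is not None else ""
    template = nvram.get("template", "") if nvram is not None else ""
    findings = []
    # 1. firmware="efi" makes libvirt auto-select a firmware from its descriptor
    #    files; a custom build under /usr/local has none, so the explicit
    #    <loader> path is not honoured (the maintainer's point in this thread).
    if os_el.get("firmware") == "efi" and loader_path:
        findings.append('firmware="efi" combined with an explicit <loader>; '
                        "drop the attribute and keep the manual <loader>/<nvram>")
    # 2. secure="yes" alone does not enroll keys: the VARS template must already
    #    hold PK/KEK/db, otherwise the firmware cannot turn Secure Boot on.
    #    Heuristic: name-based only (".secboot"/"enrolled" in the template name).
    if (loader is not None and loader.get("secure") == "yes" and template
            and not re.search(r"secboot|enrolled", template)):
        findings.append(f"secure=yes but VARS template {template!r} does not "
                        "look like an image with keys enrolled")
    # 3. A newline before </nvram> becomes part of the path libvirt opens.
    if nvram_text != nvram_text.strip():
        findings.append("<nvram> contains surrounding whitespace; keep the path "
                        "and </nvram> on one line")
    return findings
```

Run `check_os_block` over the `<os>` block pulled from `virsh dumpxml`; a VARS image with keys enrolled can be produced with the virt-fw-vars tool from the virt-firmware project or by enrolling keys into the VARS template, neither of which this thread covers.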
