How to install a windows guest in qemu/kvm with secure boot enabled

I have figured out how to do that and I would like to share the process.

It mainly consists of two steps: obtaining the keys and inserting them into the OVMF firmware.

Obtaining the keys

Generate Platform Key

The PK can be generated with openssl. Use the following commands to create your own self-signed PK. Note that PKpriv.key is the private key; keep it in a safe place.

$ openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 365 -out PK.crt
$ openssl x509 -in PK.crt -outform der -out PK.der

Download KEK and DB

You need to download the KEK and DB certificates from Microsoft:

  1. Microsoft Corporation KEK CA 2011
  2. Microsoft Windows Production CA 2011

Insert UEFI keys

Create a FAT-formatted image file containing the keys

$ dd if=/dev/zero of=keys.img bs=4M count=1
$ mkfs.vfat keys.img
# losetup /dev/loopX keys.img
# mount /dev/loopX /mnt
# cp PK.der /mnt/PK.der
# cp MicCorKEKCA2011_2011-06-24.crt /mnt/KEK.crt
# cp MicWinProPCA2011_2011-10-19.crt /mnt/DB.crt
# umount /dev/loopX
# losetup -d /dev/loopX
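An added check, not part of the original post: a POSIX shell script that generates the PK with the same openssl commands as above and verifies each certificate (PK.der and the downloaded Microsoft .crt files, which are DER-encoded despite the extension) before it is copied into the image. It assumes only openssl and needs no root; the subject name and the directory argument are my own choices.

```sh
#!/bin/sh
# Added example, not from the original post. Generates the Platform Key the
# way the post does and sanity-checks certificates before they go into the
# key image. Assumes only openssl; subject name and $1 directory are my choices.
set -eu

# Create PKpriv.key, PK.crt (PEM) and PK.der in directory $1 (default: ".").
gen_pk() {
    dir=${1:-.}
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/PKpriv.key" \
        -x509 -days 365 -subj "/CN=Platform Key/" -out "$dir/PK.crt" 2>/dev/null
    openssl x509 -in "$dir/PK.crt" -outform der -out "$dir/PK.der"
    chmod 600 "$dir/PKpriv.key"   # private key: keep it, never put it in the image
}

# Detect PEM vs DER (Microsoft's downloaded .crt files are DER despite the name).
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# Print "ok" if $1 parses as an X.509 certificate and has not expired, else "bad".
cert_ok() {
    if openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -checkend 0 >/dev/null 2>&1
    then echo ok; else echo bad; fi
}

# Print "yes" if $1 is self-signed (issuer equals subject), as the PK must be.
cert_self_signed() {
    fmt=$(cert_inform "$1")
    subj=$(openssl x509 -inform "$fmt" -in "$1" -noout -subject)
    iss=$(openssl x509 -inform "$fmt" -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Print the RSA modulus size in bits (should match the post's rsa:2048).
cert_keybits() {
    openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check every file that would go into the key image; fail on the first bad one.
check_keys() {
    for f in "$@"; do
        [ "$(cert_ok "$f")" = ok ] || { echo "$f: not a valid certificate" >&2; return 1; }
        echo "$f: $(openssl x509 -inform "$(cert_inform "$f")" -in "$f" -noout -subject)"
    done
}
```

Run `gen_pk` once, then `check_keys PK.der KEK.crt DB.crt` on the files you are about to copy into /mnt; a file that fails here would also be rejected by the firmware's enrollment dialog.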

Insert the keys

Start a virtual machine with the image file attached as a storage device. Enter the UEFI configuration menu, go to the Secure Boot configuration (Device Manager / Secure Boot Configuration / Secure Boot Mode) and change it from “Standard Mode” to “Custom Mode”. After changing to “Custom Mode”, “Custom Secure Boot Options” will show up; enter it. Choose PK Options / Enroll PK / Enroll PK Using File, and do the same for KEK and DB. Then select Commit Changes and Exit.

After importing PK, KEK and DB, the Secure Boot state shows “Enabled”.
