How to install a Windows guest in qemu/kvm with Secure Boot enabled
I have figured out how to do that and I would like to share the process.
It mainly consists of two steps: obtaining the keys (a Platform Key you generate yourself plus Microsoft's KEK and db certificates) and enrolling them into the OVMF firmware's variable store.
Obtaining the key
Generate Platform Key
The PK is generated with openssl, not downloaded: it is the root of the whole chain, so you self-sign it. Use the following commands to create the certificate and convert it to DER, which is the form the OVMF enrollment dialog expects. Note that PKpriv.key is the private key: keep it safe and never copy it into the guest, because it authorizes replacing the PK and KEK and therefore everything the firmware trusts.
$ openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 365 -out PK.crt
$ openssl x509 -in PK.crt -outform der -out PK.der
Download KEK and DB
The KEK and db entries are Microsoft's published certificates (DER-encoded .crt files), which you download rather than generate:
- Microsoft Corporation KEK CA 2011 (MicCorKEKCA2011_2011-06-24.crt)
- Microsoft Windows Production PCA 2011 (MicWinProPCA2011_2011-10-19.crt)
With only this db entry the firmware will run Microsoft-signed Windows boot components and nothing else; if the same VM also has to boot Linux through shim, the Microsoft Corporation UEFI CA 2011 certificate must be enrolled into db as well.
Insert UEFI keys
Make a FAT-formatted image file containing the keys. Give dd an explicit count (without one it writes until the disk is full), and keep the .der/.crt suffixes: the OVMF file-enrollment dialog recognizes a DER certificate by its suffix. losetup --find --show prints the loop device it picked; use that device as /dev/loopX in the following commands.
$ dd if=/dev/zero of=keys.img bs=1M count=16
$ mkfs.vfat keys.img
# losetup --find --show keys.img
# mount /dev/loopX /mnt
# cp PK.der /mnt/PK.der
# cp MicCorKEKCA2011_2011-06-24.crt /mnt/KEK.crt
# cp MicWinProPCA2011_2011-10-19.crt /mnt/DB.crt
# umount /dev/loopX
# losetup -d /dev/loopX
Insert the keys
Start the virtual machine with keys.img attached as a storage device. Use a secure-boot-capable OVMF build (the SMM-enabled variant, typically named OVMF_CODE.secboot.fd) together with a private, writable copy of OVMF_VARS.fd, since the enrolled keys are stored in that variable file, and launch qemu with -machine q35,smm=on so that variable writes go through SMM; otherwise the guest itself could modify the key databases. Enter the UEFI configuration menu (press Esc at the TianoCore splash), go to Device Manager / Secure Boot Configuration / Secure Boot Mode and change it from "Standard Mode" to "Custom Mode". "Custom Secure Boot Options" then appears; enter it, go to PK Options / Enroll PK / Enroll PK Using File, select keys.img and PK.der, then Commit Changes and Exit. Do the same under KEK Options (Enroll KEK) for KEK.crt and under DB Options (Enroll Signature) for DB.crt.
After the PK, KEK and DB have been imported, the firmware leaves setup mode and the Secure Boot State shown in the same menu is "Enabled". Inside the installed guest, msinfo32 shows Secure Boot State as On, and Confirm-SecureBootUEFI in an elevated PowerShell returns True.
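The whole procedure, scripted, as an added example that is not part of the original post: it generates the PK, builds keys.img, refuses to package a PEM file where DER is required, and starts the VM with the SMM secure-boot firmware. Assumptions not stated on the page: mtools (mcopy) is installed so the image can be populated without root or losetup; the OVMF paths are the Debian/Ubuntu package locations and may differ elsewhere; KEK.crt and DB.crt have already been downloaded into the key directory; the certificate subject "Local Platform Key" is arbitrary.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumed: mtools installed,
# OVMF paths below (override with the OVMF_CODE / OVMF_VARS_TEMPLATE variables),
# KEK.crt and DB.crt already present in the key directory.
set -eu

OVMF_CODE=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}          # assumed path
OVMF_VARS_TEMPLATE=${OVMF_VARS_TEMPLATE:-/usr/share/OVMF/OVMF_VARS.fd} # assumed path

# The enrollment dialog reads DER certificates; a PEM file such as PK.crt would be
# enrolled as garbage. A DER X.509 certificate always starts with a 0x30 SEQUENCE tag.
is_der_cert() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Generate a self-signed Platform Key; PKpriv.key must never enter the guest.
gen_pk() {
    dir=$1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Local Platform Key/" \
        -keyout "$dir/PKpriv.key" -x509 -days 365 -out "$dir/PK.crt" 2>/dev/null
    openssl x509 -in "$dir/PK.crt" -outform der -out "$dir/PK.der"
    chmod 600 "$dir/PKpriv.key"
}

# Build the FAT image the firmware file browser will read. The .der/.crt suffixes
# matter: OVMF decides by suffix that a file holds a DER certificate.
build_keys_img() {
    dir=$1; img=$2
    for f in PK.der KEK.crt DB.crt; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
        is_der_cert "$dir/$f" || { echo "$dir/$f is not DER-encoded" >&2; return 1; }
    done
    dd if=/dev/zero of="$img" bs=1M count=16 2>/dev/null   # bounded size, unlike a bare bs=4M
    mkfs.vfat "$img" >/dev/null
    mcopy -i "$img" "$dir/PK.der" "$dir/KEK.crt" "$dir/DB.crt" ::
}

# Launch with the SMM secure-boot OVMF build and a private, writable copy of the
# variable store: the enrolled PK/KEK/db live in that copy. Without smm=on and the
# pflash "secure" property the guest OS could rewrite the key databases itself.
launch_vm() {
    img=$1; disk=$2; vars=$3
    [ -f "$vars" ] || cp "$OVMF_VARS_TEMPLATE" "$vars"
    qemu-system-x86_64 -machine q35,smm=on,accel=kvm -cpu host -m 4G \
        -global driver=cfi.pflash01,property=secure,value=on \
        -drive if=pflash,format=raw,unit=0,readonly=on,file="$OVMF_CODE" \
        -drive if=pflash,format=raw,unit=1,file="$vars" \
        -drive file="$img",format=raw \
        -drive file="$disk",format=qcow2
}

main() {
    keydir=${1:-keys}; disk=${2:-windows.qcow2}
    mkdir -p "$keydir"
    [ -f "$keydir/PK.der" ] || gen_pk "$keydir"
    build_keys_img "$keydir" keys.img
    launch_vm keys.img "$disk" OVMF_VARS.fd
}

case "${1-}" in
    run) shift; main "$@" ;;
esac
```

Run it as `sh secboot-vm.sh run keys windows.qcow2` (add `-cdrom` with the installer ISO to launch_vm for the first boot), press Esc at the splash and enroll the three files from keys.img as described above; the keys then persist in ./OVMF_VARS.fd, which is the file to keep alongside the disk image.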