@ret2src
Last active June 18, 2023 12:39

How to Enable Secure Boot in Red Hat Cockpit on Arch Linux

I recently tried Red Hat Cockpit for the first time, because I wanted a more modern alternative to Virtual Machine Manager.

Since I'm on Arch Linux, I had to do some extra tweaking to get everything to work, but in the end I got a working Windows 10 VM with Secure Boot enabled - great!

After following the setup instructions for KVM, QEMU and libvirt on the Arch Wiki, I installed cockpit as well as cockpit-machines and made sure that my user was a member of the libvirt group.

Next, I started the core services:

sudo systemctl start cockpit
sudo systemctl start libvirtd

Afterwards, I had to manually start some libvirtd services, such as:

sudo systemctl start virtstoraged
sudo systemctl start virtinterfaced
sudo systemctl start virtnetworkd
sudo systemctl start virtnodedevd

You can automatically start them at boot with:

for service in virtstoraged virtinterfaced virtnetworkd virtnodedevd; do sudo systemctl enable --now "$service"; done

I'm not sure if there are any other libvirtd services that also need to be started, but with the above I was able to install and run a Windows 10 VM from an ISO. If you run into an error message, first make sure that the service it references is started.

For example, the error message

Error creating pool: Could not define storage pool: Failed to connect socket to '/var/run/libvirt/virtstoraged-sock': No such file or directory

indicated that I had to start virtstoraged and try again.
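The socket path in that error names the daemon that has to be running: libvirt's modular daemons listen on /var/run/libvirt/<daemon>-sock, and the daemon name is also the systemd unit name. The script below is an added example (not part of the gist) that extracts the daemon name from such an error and reports which of the four units named above are not active. It assumes a systemd host with `systemctl` on the PATH; the sample error string is constructed from the message quoted above.

```shell
#!/bin/sh
# Added example: map a libvirt "Failed to connect socket" error to the modular
# daemon that owns the socket, and list daemons that are not active.
# Assumption: the socket lives at /var/run/libvirt/<daemon>-sock (or
# /run/libvirt/<daemon>-sock) and <daemon> is the systemd unit name.

# Constructed sample, shaped like the storage-pool error quoted in the gist.
SAMPLE_ERROR="Error creating pool: Could not define storage pool: Failed to connect socket to '/var/run/libvirt/virtstoraged-sock': No such file or directory"

# Print the daemon name referenced by a libvirt socket error, or nothing.
service_from_error() {
    printf '%s\n' "$1" | sed -n "s|.*/libvirt/\(virt[a-z]*d\)-sock.*|\1|p"
}

# Print the unit state (active/inactive/...) without starting anything;
# prints nothing if systemctl is unavailable.
unit_state() {
    systemctl is-active "$1" 2>/dev/null || true
}

# Diagnose one error string: name the daemon and the command that starts it.
diagnose() {
    svc=$(service_from_error "$1")
    if [ -z "$svc" ]; then
        echo "no libvirt socket referenced in the error"
        return 1
    fi
    echo "socket belongs to: $svc (state: $(unit_state "$svc"))"
    echo "fix: sudo systemctl enable --now $svc"
}

# List daemons (arguments, default: the four from the gist) that are not active.
missing_daemons() {
    [ $# -gt 0 ] || set -- virtstoraged virtinterfaced virtnetworkd virtnodedevd
    for svc in "$@"; do
        [ "$(unit_state "$svc")" = active ] || printf '%s\n' "$svc"
    done
}

diagnose "$SAMPLE_ERROR"
```

Run it as-is to see the diagnosis for the sample error, or pass your own message to `diagnose`; `missing_daemons` with no arguments checks the four units the gist enables, and you can hand it other modular daemon names as arguments.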

At this point, you should be able to install, run, and use a Windows 10 VM.

However, since I wanted to enable Secure Boot (and Arch doesn't include the Microsoft keys in their OVMF package), I had to do some extra tweaking, borrowing some Debian binaries I knew were working:

  1. Download the ovmf package from https://packages.debian.org/bookworm/ovmf
  2. Extract the contents of the *.deb and copy the CODE and VARS files to /usr/share/edk2/x64/
  3. Copy the firmware files from the *.deb to /usr/share/qemu/firmware/ and adapt the paths in 40-edk2-x86_64-secure-enrolled.json to point to the CODE and VARS files on your system (different distros use different paths)
  4. Restart libvirtd

Next, install swtpm so that we can add a virtual TPM to the VM.

Finally, edit the XML definition of your VM:

sudo virsh edit win10-enterprise
[...]
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/x64/OVMF_CODE_4M.ms.fd</loader>
    <nvram template='/usr/share/edk2/x64/OVMF_VARS_4M.ms.fd'>/var/lib/libvirt/qemu/nvram/win10-enterprise_VARS.fd</nvram>
  </os>
[...]
  <devices>
    [...]
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>

If you're able to save the file without a warning, things are looking good.

Make sure to replace the VM's existing VARS file with a fresh copy of the .ms template (the one with the Microsoft keys enrolled); otherwise you won't be able to enable Secure Boot. In my case it was:

sudo cp /usr/share/edk2/x64/OVMF_VARS_4M.ms.fd /var/lib/libvirt/qemu/nvram/win10-enterprise_VARS.fd
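Two things can silently defeat this setup: a firmware descriptor whose filename paths still point at the Debian locations (libvirt then never offers the enrolled firmware), and an NVRAM file that was created from a template without the Microsoft keys (no PK is enrolled, so Secure Boot cannot be switched on). The script below is an added example, not part of the gist, that covers steps 2 and 3 above and the VARS reset just described: it rewrites the paths in a firmware descriptor, checks that the referenced files exist and that the secure-boot and enrolled-keys features are advertised, checks the domain XML for the elements the gist edits, and resets the NVRAM from the template. The descriptor and domain XML it writes are constructed samples; the directory names are assumptions (Debian's ovmf ships under /usr/share/OVMF/, Arch's under /usr/share/edk2/x64/ as in the gist).

```shell
#!/bin/sh
# Added example: checks for the borrowed OVMF descriptor and the VM NVRAM.
# Assumed paths: Debian /usr/share/OVMF/, Arch /usr/share/edk2/x64/.

# Constructed descriptor in the shape of QEMU's firmware.json interop format,
# trimmed to the keys the checks read. $1 = firmware directory, $2 = output.
sample_descriptor() {
    cat > "$2" <<EOF
{
  "description": "constructed sample: x86_64 OVMF, Secure Boot, MS certs enrolled",
  "interface-types": [ "uefi" ],
  "mapping": {
    "device": "flash",
    "mode": "split",
    "executable": { "filename": "$1/OVMF_CODE_4M.ms.fd", "format": "raw" },
    "nvram-template": { "filename": "$1/OVMF_VARS_4M.ms.fd", "format": "raw" }
  },
  "targets": [ { "architecture": "x86_64", "machines": [ "pc-q35-*" ] } ],
  "features": [ "enrolled-keys", "requires-smm", "secure-boot" ]
}
EOF
}

# Constructed domain XML fragment with the elements the gist adds. $1 = output.
sample_domain_xml() {
    cat > "$1" <<'EOF'
<domain type='kvm'>
  <os firmware='efi'>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/x64/OVMF_CODE_4M.ms.fd</loader>
  </os>
  <devices>
    <tpm model='tpm-tis'><backend type='emulator' version='2.0'/></tpm>
  </devices>
</domain>
EOF
}

# Step 3 of the gist: point every "filename" in the descriptor at the directory
# the CODE/VARS files were copied to. $1 = descriptor, $2 = old dir, $3 = new dir.
rewrite_descriptor_paths() {
    sed -i "s|\"filename\": \"$2/|\"filename\": \"$3/|g" "$1"
}

# Print every "filename" value in a descriptor, one per line.
descriptor_files() {
    sed -n 's/.*"filename": *"\([^"]*\)".*/\1/p' "$1"
}

# 0 if all referenced files exist and both Secure Boot features are listed.
check_descriptor() {
    rc=0
    for f in $(descriptor_files "$1"); do
        [ -r "$f" ] || { echo "missing firmware file: $f"; rc=1; }
    done
    for feat in secure-boot enrolled-keys; do
        grep -q "\"$feat\"" "$1" || { echo "descriptor lacks feature: $feat"; rc=1; }
    done
    return $rc
}

# 0 if the domain XML enables both features, uses a secure pflash loader and
# has an emulated TPM 2.0 (string checks on the attribute order virsh writes).
check_domain_xml() {
    rc=0
    grep -q "enabled='yes' name='secure-boot'" "$1" || { echo "XML: secure-boot not enabled"; rc=1; }
    grep -q "enabled='yes' name='enrolled-keys'" "$1" || { echo "XML: enrolled-keys not enabled"; rc=1; }
    grep -q "<loader[^>]*secure='yes'" "$1" || { echo "XML: loader is not secure='yes'"; rc=1; }
    grep -q "<backend type='emulator' version='2.0'/>" "$1" || { echo "XML: no emulated TPM 2.0"; rc=1; }
    return $rc
}

# Reset the VM NVRAM from the enrolled template. A VARS file that has already
# booted holds the VM's own boot entries, so an existing file is only
# overwritten when "force" is passed. $1 = template, $2 = nvram, $3 = force.
reset_nvram() {
    if [ -e "$2" ] && [ "${3-}" != force ]; then
        echo "nvram exists; pass force to overwrite: $2"
        return 2
    fi
    cp "$1" "$2"
}
```

On a real system run `check_descriptor /usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json` after editing the paths, `check_domain_xml` on the output of `virsh dumpxml`, and `reset_nvram` with the template and the nvram path from the XML; rewriting the descriptor and copying into /usr/share need root.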

Try to boot your VM and press ESC during boot to enable Secure Boot in the firmware.

This should be it. Happy hacking!
