Revision 5 as of 2012-11-20 20:10:49


Testing Secure Boot (Draft)

Much of this is based on the UEFI work:

Testing infrastructure uses the security team's TestingEnvironment.


  1. Obtain an OVMF image capable of performing secure boot by either:
  2. Put the image somewhere outside of /usr/share for now (see LP: #1074207), e.g. ~/vms/ovmf

  3. Install Ubuntu using the secure boot capable UEFI OVMF firmware (downloaded as bios.bin):

    $ uvt new --loader=$HOME/vms/ovmf/bios.bin --with-ovmf-uefi quantal amd64 sb

    This can also be performed with a virt-install command:

    $ virt-install --connect=qemu:///system --name=sb-quantal-amd64 --arch=x86_64 --ram=768 \
    --disk=path=<path to>/sb-quantal-amd64.qcow2,size=8,format=qcow2,bus=ide,sparse=True \
    --virt-type=kvm --accelerate --hvm --cdrom=<path to>/quantal-desktop-amd64.iso \
    --os-type=linux --os-variant=generic26 --graphics=vnc --network=network=default,model=virtio \
    --video=cirrus --noreboot --boot=loader=$HOME/vms/ovmf/bios.bin

Both of the above commands create the sb-quantal-amd64 machine. Note that when using uvt there is a limitation in that a preseeded ISO cannot be used: uvt will skip the postinstall phase and you will have to perform the install manually. You will know that you are using the OVMF EFI image if the machine comes up with 'Try Ubuntu' (i.e., not the graphical install). Using the manual partitioner to create a 250M EFI partition as the first partition and then setting up a '/' and swap partition is known to work.


  • The installer doesn't reboot after install without pressing 'Enter'
  • On reboot and all subsequent boots, you must go into the EFI config screen to boot from a file off the disk. E.g., from the main EFI configure screen:

     - Boot Maintenance Manager ->
       - Boot From File ->
         - NO VOLUME LABEL,[!PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0)/HD(1,GPT,...)] ->
           - <EFI> ->
             - <ubuntu> ->
               - grubx64.efi
  • Because the postinstall isn't run via uvt, after install, you may want to:

    • sudo apt-get install openssh-server screen vim gnome-panel

    • Use ssh-copy-id to copy your key over

    • Optionally update sources.list for your mirror
  • When using uvt, the initial pristine snapshot is not created. After setting up, use uvt snapshot sb-quantal-amd64

  • Because the firmware needs to be able to interact with the hardware and is limited in what it supports, the following are used when using uvt:

    • IDE disks (ie, can't use virtio)
    • cirrus video driver
    Currently the virtio network driver is used; if you want to try out PXE booting via EFI, this will likely also need to change.

See https://wiki.ubuntu.com/UEFI/OVMF for other ways of using the OVMF file.
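Once the guest is installed and booted via grubx64.efi, the thing worth checking is whether the firmware actually reported Secure Boot as enabled to the OS, rather than just trusting that the OVMF build was the secure-boot-capable one. The following is an added example (not part of this wiki page or of uvt): it reads the UEFI SecureBoot variable from the kernel's efivarfs. The path and the EFI_GLOBAL_VARIABLE GUID are the standard ones; the file layout assumed is the efivarfs one (4 bytes of attributes followed by the variable data, a single byte for SecureBoot). The sample file written by the test is constructed.

```shell
#!/bin/sh
# Added example: check the UEFI SecureBoot variable inside the guest.
# Not part of the wiki page; assumes efivarfs is mounted at the usual path.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# SecureBoot lives under the EFI_GLOBAL_VARIABLE GUID.
SB_VAR_NAME="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the single data byte of a SecureBoot efivars file as a decimal
# number, skipping the 4-byte attribute header that efivarfs prepends.
# Returns 1 when the file is absent (legacy BIOS boot, or efivarfs not mounted).
sb_state_byte() {
    f="$1"
    [ -r "$f" ] || return 1
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# Report "enabled", "disabled", "unknown" or "unavailable".
# Optional argument: path of the variable file (defaults to the live one),
# so the parsing can be exercised against a constructed sample file.
secure_boot_status() {
    b=$(sb_state_byte "${1:-$EFIVARS_DIR/$SB_VAR_NAME}") || { echo unavailable; return 0; }
    case "$b" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}
```

Run `secure_boot_status` inside the sb-quantal-amd64 guest; "enabled" means the firmware flagged Secure Boot on for this boot, "unavailable" means the guest did not come up under UEFI at all (for instance if the loader argument was dropped and the default BIOS was used). The function takes an explicit file path so the byte parsing can be tested on the host with a constructed sample before relying on it in the guest.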