2014/03/03: Building a UEFI Secure Boot Enabled Virtual Machine

In the following, we will show how to setup a QEMU Virtual Machine with a Secure Boot Enabled UEFI BIOS. This makes for a perfect UEFI Development Environment.

Keywords: UEFI, BIOS, QEMU

Introduction

The instructions below have been tested on a UBuntu 13.10 installations. Instructions will have to be adapted for other systems. The instructions have been written down from memory and they may contain errors. Unless otherwise noted with, no root priviledges are necessary, if everything is installed properly.

Installing QEMU

The easiest way to experiment with a UEFI BIOS is to use a QEMU virtual machine. An extra benefit is that we can also enable Secure Boot and enroll our own Platform Key to test any Secure Boot development we may be doing. First install QEMU simply by issuing:

$ sudo apt-get install qemu

You can run a simple virtual machine using the following commands. To create a 32 bit machine, issue:

$ qemu-system-i386

To create a 64 bit machine, issue:

$ qemu-system-x86_64

Building the UEFI BIOS

Most UEFI machines are 64 bit based and use a 64 bit UEFI BIOS. The following instructions assume this is what needs to be built, for 32 bit, please adapt the instructions.

These machines by default use a standard MBR BIOS. As the next step, we need to build a custom BIOS. How to build this BIOS using EDK2 (EFI Development Kit) is shown here. If you want to enable Secure Boot, especially look at the Secure Boot section at the end.

Once the BIOS has been built create the following directory structure (the following assumes the current directory is empty and is where the machine should be run:

$ mkdir -p bios
$ cd bios
$ ln -sf ${EDK2_HOME}/Build/OvmfX64/${TOOL_CHAIN}/FV/OVMF.fd bios.bin
$ cd ..
$ mkdir hda
$ cp ${EDK2_HOME}/Build/MdeModule/${TOOL_CHAIN}/X64/HelloWorld.efi hda
$ qemu-system-x86_64 -L bios -hda fat:hda -m 1024

Command line options explained:

-L bios: Sets the directory where the BIOS is located. When the machine starts up, it will complain about a missing vgabios-cirrus.bin and pxe-rtl8139.rom. They don't seem to be necessary with newer versions of EDK. For older versions, link vgabios-cirrus.bin to ${EDK2_HOME}/Build/OvmfX64/${TOOL_CHAIN}/FV/OvmfVideo.rom.fd. If you are perfectly unhappy, locate the two files in the standard QEMU distribution (locate vgabios-cirrus.bin) and link it from there.
-hda fat:hda: Instructs qemu to use the directory hda as hard drive. QEMU wil lbuild a virtual hard disk composed from the files in hda. This drive is read-only, making it read-write would most likely be more complex than beneficial.
-m 1024: allocate 1024MB for the virtual machine.

For more details, please refer to the manual pages.

If everything was built successfully, the machine should boot into its built-in EFI shell. Now you can execute HelloWorld.efi and it should display Hello World. Unless you need Secure Boot, you are done.

Enabling Secure Boot

If you have built the UEFI BIOS with Secure Boot enabled, start up a virtual machine as above, and exit the UEFI shell by typing EXIT. Now you should be in the BIOS menu. Select Device Manager and you should come to a screen that offers the menu option "Secure Boot Configuration".

We need to configure several keys:

Platform Key (PK): Establishes a trust relationship between the platform owner and the platform firmware.
Key Exchange Key(s) (KEK)

For an explanation of those, please have a look at the UEFI specification.

Thomas Gschwind