In the following, we will show how to set up a QEMU virtual machine with a Secure Boot enabled UEFI BIOS. This makes for a perfect UEFI development environment.
Keywords: UEFI, BIOS, QEMU
The instructions below have been tested on an Ubuntu 13.10 installation. Instructions will have to be adapted for other systems. The instructions have been written down from memory and they may contain errors. Unless otherwise noted, no root privileges are necessary if everything is installed properly.
The easiest way to experiment with a UEFI BIOS is to use a QEMU virtual machine. An extra benefit is that we can also enable Secure Boot and enroll our own Platform Key to test any Secure Boot development we may be doing. First install QEMU simply by issuing:
$ sudo apt-get install qemu
You can run a simple virtual machine using the following commands. To create a 32 bit machine, issue:
$ qemu-system-i386
To create a 64 bit machine, issue:
$ qemu-system-x86_64
Most UEFI machines are 64 bit based and use a 64 bit UEFI BIOS. The following instructions assume this is what needs to be built; for 32 bit, please adapt the instructions.
These machines by default use a standard MBR BIOS. As the next step, we need to build a custom BIOS. How to build this BIOS using EDK2 (EFI Development Kit) is shown here. If you want to enable Secure Boot, especially look at the Secure Boot section at the end.
Once the BIOS has been built, create the following directory structure (the following assumes the current directory is empty and is where the machine should be run):
$ mkdir -p bios
$ cd bios
$ ln -sf ${EDK2_HOME}/Build/OvmfX64/${TOOL_CHAIN}/FV/OVMF.fd bios.bin
$ cd ..
$ mkdir hda
$ cp ${EDK2_HOME}/Build/MdeModule/${TOOL_CHAIN}/X64/HelloWorld.efi hda
$ qemu-system-x86_64 -L bios -hda fat:hda -m 1024
Command line options explained:
For more details, please refer to the manual pages.
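A preflight check for the directory layout created above, added here as an example and not part of the original instructions; the function name check_uefi_vm_layout is hypothetical. It catches the case where ln -sf silently creates a dangling link because EDK2_HOME or TOOL_CHAIN is unset or wrong, and checks that each .efi file in hda starts with the PE/COFF "MZ" signature.

```shell
#!/bin/sh
# Added example (not from the original instructions).
# Checks the layout ./bios/bios.bin -> OVMF.fd and ./hda/*.efi before QEMU is started.
# Prints each problem found and returns the number of problems (0 = ready to boot).
check_uefi_vm_layout() {
    dir=${1:-.}
    problems=0

    fw="$dir/bios/bios.bin"
    if [ -L "$fw" ] && [ ! -e "$fw" ]; then
        # ln -sf succeeds even when its target does not exist
        echo "dangling symlink: $fw -> $(readlink "$fw")"
        problems=$((problems + 1))
    elif [ ! -s "$fw" ]; then
        echo "firmware image missing or empty: $fw"
        problems=$((problems + 1))
    fi

    found=0
    for app in "$dir"/hda/*.efi; do
        [ -e "$app" ] || continue   # glob matched nothing
        found=1
        # EFI applications are PE/COFF images; the first two bytes are "MZ" (4d 5a)
        magic=$(od -An -tx1 -N2 "$app" | tr -d ' \n')
        if [ "$magic" != "4d5a" ]; then
            echo "not a PE/COFF image: $app"
            problems=$((problems + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .efi file in $dir/hda"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Run check_uefi_vm_layout from the directory that contains bios and hda; no output and exit status 0 mean the layout is complete.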
If everything was built successfully, the machine should boot into its built-in EFI shell. Now you can execute HelloWorld.efi and it should display Hello World. Unless you need Secure Boot, you are done.
If you have built the UEFI BIOS with Secure Boot enabled, start up a virtual machine as above, and exit the UEFI shell by typing EXIT. Now you should be in the BIOS menu. Select Device Manager and you should come to a screen that offers the menu option "Secure Boot Configuration".
We need to configure several keys:
For an explanation of those, please have a look at the UEFI specification.