FreeBSD Bugzilla – Attachment 162599 Details for
Bug 203986
[patch] devel/gnu-efi: Update to 3.0.3
qemu/UEFI howto
secureboot.txt (text/plain), 2.54 KB, created by
Edward Tomasz Napierala
on 2015-10-30 14:09:52 UTC
Instructions to boot FreeBSD with UEFI Secure Boot under QEMU:

 1. Install QEMU:

    pkg install qemu-devel

 2. Get a UEFI firmware image capable of Secure Boot:

    fetch http://people.canonical.com/~jamie/ovmf/bios.bin

 3. Install the shim, as root:

    cd /usr/ports/sysutils/shim && make install

 4. Generate the keys:

    ./uefikeys example

 5. Get things signed using the keys:

    ./uefisign -c example.pem -k example.key -o loader.signed /boot/loader.efi
    ./uefisign -c example.pem -k example.key -o boot1.signed /boot/boot1.efi
    ./uefisign -c example.pem -k example.key -o shim.signed /usr/local/lib/shim/shim.efi

 6. Prepare the disk image:

    truncate -s1g hda.img
    mdconfig -u 0 hda.img
    gpart create -s GPT md0
    gpart add -t efi -s 128m md0
    gpart add -t freebsd-ufs md0
    newfs_msdos /dev/md0p1
    newfs /dev/md0p2
    mount -t msdosfs /dev/md0p1 /mnt
    mkdir /mnt/efi/boot
    cp shim.signed /mnt/efi/boot/bootx64.efi
    cp boot1.signed /mnt/efi/boot/boot1.efi
    umount /mnt
    mount /dev/md0p2 /mnt
    mkdir /mnt/boot
    cp loader.signed /mnt/boot
    umount /mnt
    mdconfig -du 0

 7. Start qemu:

    qemu-system-x86_64 -bios ./bios.bin -hda hda.img

 8. Wait until you see the TianoCore logo at the center of the screen; press Esc
    and wait.

 9. Using the arrow keys and Enter, go to "Device Manager", then "Secure Boot
    Configuration". If you don't see this, you have a UEFI image without
    Secure Boot support. Choose "Secure Boot Mode" and change it to "Custom Mode".

10. Go to "Custom Secure Boot Options", then "PK Options", "Enroll PK",
    "Enroll PK Using File", "NO VOLUME LABEL <some other stuff>", then
    navigate to your *.cer file and press Enter. Then "Commit Changes and Exit".

11. Go to "Secure Boot Configuration" again, "Custom Secure Boot Options",
    "DB Options", "Enroll Signature", "Enroll Signature Using File",
    "NO VOLUME LABEL <some other stuff>", navigate to your *.cer file, the
    same as before, and press Enter. Go down to "Commit Changes and Exit";
    leave "Signature GUID" empty.

    Note that this one - DB - is the one that's used for executable signature
    verification. The other - PK - is just for enabling Secure Boot.

12. Press Esc until you're back at the main menu; choose "Boot Manager", then
    "EFI Internal Shell".

13. In the shell, press Enter to skip the countdown, then type "fs0:", without
    quotes. From now on, it's just like MS-DOS.

Note that UEFI Secure Boot Configuration (steps 6-8) needs to be performed every
time qemu is restarted; those settings are not saved anywhere.