Make a Windows VM secure boot

In preparation for Windows 11, I’ve converted a Windows 10 VM to GPT and UEFI. The TianoCore firmware does not let me enable secure boot. I’m obviously missing something. The only detailed instructions I’ve been able to find are very Debian-specific. I need help doing that in a Rocky Linux 8 host.

I suppose the first question is, “Does the host itself have to be running in secure boot?” That’s going to be a deal breaker, since I need a couple of kernel modules from EPEL, and those taint the kernel.

Secure boot on the host is not required to run secure boot on the vm. What you will need is a specific package and minor changes to the VM configuration to enable secure boot for the VM.

dnf install edk2-ovmf

It’s likely you already have the above. For the VM itself, there is a specific configuration area you’ve likely seen. Here’s an example of one of my older VM configs, using virsh edit <vm_name>.

  <os>
    <type arch='x86_64' machine='pc-q35-rhel9.4.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/xmpp01.angelsofclockwork.net_VARS.fd</nvram>
    <boot dev='hd'/>
    <bootmenu enable='no'/>
  </os>

The loader tag is the one you’re likely looking for. It should point to the secboot file with those settings preferably set (secure='yes' being the obvious required one). You should be able to get secure boot after that.

I know you mentioned 8, but in Rocky Linux 9, there’s an additional section that is added/needed. Here it is just in case.

    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>

Hope this helps.

Thanks much for that. When I try to add that “secure=‘yes’”, virsh edit complains:
error: unsupported configuration: Secure boot requires SMM feature enabled
Failed. Try again? [y,n,i,f,?]:
In the <feature> section I had to add:
<smm state='on'/>
That made virsh edit happy, but TianoCore is still showing “Current Secure Boot State Disabled” and won’t let me change it.
Any ideas about what I might be missing now?

It is possible to sign modules yourself: https://www.ibm.com/docs/en/linux-on-systems?topic=linuxone-using-your-own-keys
For example, the dkms (from EPEL) signs the modules it builds.
The kernel-devel has the sign-file binary.

Alas, like IBM points out, if you start to sign modules, then you have to redo it for each updated version.

Well, it looks like secure boot is a non-issue. The Windows 10 VM just offered the Windows 11 upgrade, and I accepted. (Yes, I can always revert to a saved disk image.) The upgrade went through without a hitch – no complaints about secure boot, and no insistance on having a Microsoft account. The upgraded VM appears to run fine. I’ve reverted the XML file to remove the “secure=‘yes’” and “smm state=‘on’”. All appears well, and a couple of Windows updates completed successfully.

So, now I just have to learn about de-bloating and locking down Windows 11, but that’s a task for another channel.

Thanks to all.

While OP has solved their problem, I’ve noticed that Cockpit on Rocky 9 automatically enables secure boot on UEFI VMs even when it’s disabled on the host. I’ve bumped into that when running EVE-NG in a VM.

You could start with hidden scheduled tasks, but is there any point?

Being closed source, having a split brain API and needing a licence and activation makes me wonder if it has any future at all, compared with free and open source FOSS operating systems?