UEFI, Rocky 8.4 VM, guest install

I currently have CentOS 8.4 running on real hardware with UEFI and GPT partitions, and decided to install Rocky 8.4 as a guest VM, so I could test it.

I was able to install it using virsh and virt-install, and can connect to it and use it, but I was surprised to see that it’s not using UEFI, nor secure boot, and the disk label is ‘ms-dos’. I didn’t even know RHEL8 could run without UEFI.

So I’d like to delete the VM and then re-install it, but this time using UEFI, secure boot and GPT.

There is no secure boot yet, see here: Secure Boot Status - #3 by brian

For now, you have to disable secure boot in a VM. UEFI should work though. Since you are using KVM, then you would need to do something additional as in customise the VM config before install. Then under the overview tab in virt-manager change it to UEFI.

Alternatively, edit the /etc/libvirt/qemu/myvm.xml file, and look for something similar to this:

  <os>
    <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/rocky_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>

This is what it looks like after I configured it in virt-manager, but if you aren’t using this, and are just using virsh, then you could edit the XML before booting it, or maybe you can find some virsh commands for setting the UEFI stuff. Obviously, depending on your system the location of the OVMF code for UEFI might be different.

EDIT:

You can do it this way from the console: Using UEFI with QEMU - Fedora Project Wiki - by adding --boot uefi to the virt-install command.
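For anyone scripting this instead of hand-editing the XML, here is an added example (not from the thread or from libvirt itself) that inserts the pflash loader and NVRAM entries shown above into a domain definition and reports whether a definition already boots via UEFI. The firmware paths are the ones mentioned in this thread and are assumed; they vary by host.

```python
# Added example: patch a libvirt domain definition so the <os> stanza carries
# the pflash <loader> and <nvram> entries shown above. Standard library only.
import xml.etree.ElementTree as ET

# OVMF firmware images mentioned in this thread (host-specific; assumed paths).
OVMF_CANDIDATES = [
    "/usr/share/OVMF/OVMF_CODE.fd",
    "/usr/share/OVMF/OVMF_CODE.secboot.fd",
    "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
]

# Constructed sample: a minimal BIOS-booting domain like virt-install creates by default.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>rocky</name>
  <os>
    <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
    <boot dev='hd'/>
  </os>
</domain>"""


def enable_uefi(domain_xml, code_path, nvram_path):
    """Return the domain XML with <loader> and <nvram> placed right after <type>."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    if os_el is None:
        raise ValueError("domain has no <os> element")
    # Drop any previous loader/nvram so calling this twice is harmless.
    for tag in ("loader", "nvram"):
        for old in os_el.findall(tag):
            os_el.remove(old)
    type_el = os_el.find("type")
    idx = list(os_el).index(type_el) + 1 if type_el is not None else 0
    loader = ET.Element("loader", {"readonly": "yes", "type": "pflash"})
    loader.text = code_path
    nvram = ET.Element("nvram")
    nvram.text = nvram_path
    os_el.insert(idx, loader)
    os_el.insert(idx + 1, nvram)
    return ET.tostring(root, encoding="unicode")


def uefi_settings(domain_xml):
    """Return (loader_path, nvram_path) if the domain boots via pflash UEFI, else None."""
    root = ET.fromstring(domain_xml)
    loader = root.find("os/loader")
    nvram = root.find("os/nvram")
    if loader is None or loader.get("type") != "pflash" or nvram is None:
        return None
    return loader.text, nvram.text
```

Feed the output to `virsh define` after checking the chosen OVMF_CODE file actually exists on the host.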

The virtualization platform presents “hardware” for the VM OS. KVM/libvirt has had a virtual BIOS from the start, but UEFI only for a short time. The libvirt default is still “BIOS”. There is not much difference in practice for the use of a VM.

Windows 11 is the only OS that I have heard not to support legacy BIOS mode. UEFI-only might be in the future, but not yet.

Regarding where it says “There is no secure boot yet”, does that mean even when installing Rocky to real hardware? If Rocky doesn’t work with secure boot yet, I’m interested to know why it can work on RHEL8 and CentOS8 “out of the box”?

Since RHEL8, I’ve been building everything with secure boot, e.g. having to sign kernel modules. It makes it harder for a rogue process to install a bad module.

Kernel and modules have to be signed with keys that certificates in UEFI accept. To get keys is a process that RHEL, CentOS, and AlmaLinux OS have already completed, and Rocky will soon.

Thanks for explaining the differences between Rocky, RHEL, CentOS and Alma. After a while when the keys are ready, does it mean we have to download new Rocky 8.4 ISO files, and the keys will be inside them?

Yes, see release notes.

https://docs.rockylinux.org/release_notes/8.4/#known-issues

Release notes make it clear that there will be a new ISO.
Things like this take time, but it will be hard to migrate all CentOS before the switch to Stream.

I was unable to get UEFI to work without secure boot. I did see the TianoCore screen during boot up, but then it went into the BIOS screen over and over. I did notice on the CentOS 8.4 host that
/usr/share/OVMF/OVMF_CODE.fd
does not exist. I only have these two

/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd

I’ve found a bug report that appears to set out exactly what I’m seeing.
https://bugzilla.redhat.com/show_bug.cgi?id=1929357
It looks like they have done some commits upstream, but they have not made it into RHEL8.4 just yet.

As far as I can tell, this is only an issue if the guest OS does not support secure boot.