docs/guides/guest-UEFI-Secure-Boot.md
+29-1
@@ -4,6 +4,30 @@ How to configure UEFI Secure boot?
4
4
5
5
Enabling UEFI Secure Boot for guests ensures that XCP-ng VMs will only execute trusted binaries at boot. In practice, these are the binaries released by the operating system (OS) vendor for the OS running in the VM (Microsoft Windows, Debian, RHEL, Alpine, etc.).
6
6
7
+
## Upcoming changes in Secure Boot
8
+
9
+
The default Secure Boot keys in XCP-ng are changing.
10
+
11
+
Previously, XCP-ng only shipped with the PK included by default; Secure Boot databases had to be installed using `secureboot-certs`.
12
+
13
+
New versions of XCP-ng `varstored` (from version **TODO** and newer) now comes with a complete set of Secure Boot databases (PK/KEK/db/dbx) by default, meaning that guest Secure Boot will now work without needing further pool configuration.
14
+
15
+
### What this change means for you
16
+
17
+
You will not be affected in most cases.
18
+
19
+
* Existing VMs will not be affected unless you use the ["Propagate certificates"](#propagate-pool-certificates-to-a-vm) feature in Xen Orchestra (which has always had the effect of resetting VM Secure Boot variables to that of the pool).
20
+
* If you followed our previous guides and used `secureboot-certs install` to install the default Secure Boot databases into your pool, these databases will not be changed.
21
+
22
+
The only VMs affected by these changes are those with Secure Boot enabled but without custom Secure Boot databases. Previously, these VMs will execute all UEFI binaries even with Secure Boot enabled (due to an empty dbx variable); however, going forward, revoked UEFI binaries (e.g. from an outdated media) will no longer boot on such VMs with Secure Boot enabled.
23
+
24
+
To continue booting outdated media on these VMs, you can either:
25
+
26
+
- Disable Secure Boot;
27
+
- Or erase the VM's dbx variable with the command `varstore-rm <vm uuid> d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx`
28
+
29
+
Once your VM has completed installing, it should be able to manage its own Secure Boot variables (db/dbx) via its update mechanism.
30
+
7
31
## Requirements
8
32
9
33
* XCP-ng >= 8.2.1.
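Review bot: the workaround at line 27 (`- Or erase the VM's dbx variable with the command ...`) needs a security caveat: deleting dbx re-enables every revoked UEFI binary for that VM, not only the one on the outdated media, so the bullet should present this as the last resort after "Disable Secure Boot" and say that dbx is only restored if the guest OS later redeploys it (line 29) or the pool certificates are propagated again. The parenthetical at line 22, "(due to an empty dbx variable)", does not on its own explain why those VMs executed *all* UEFI binaries; an empty dbx only means nothing is revoked, so please state whether such VMs were effectively not enforcing signatures (no KEK/db) or merely lacked revocations. The `**TODO**` placeholder at line 13 must be replaced with the real varstored version before merging. Minor grammar: line 13 "now comes with" should read "now come with", and line 22 "these VMs will execute" should read "would execute".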
@@ -17,7 +41,7 @@ Until we can re-sign XCP-ng's PV drivers for Windows, you will need the PV drive
17
41
18
42
Note: it's not necessary that the XCP-ng host boots in UEFI mode for Secure Boot to be enabled on VMs.
19
43
20
-
## Quick Start
44
+
## Quick Start (8.2.1 and 8.3 with varstored < **TODO**)
21
45
22
46
We believe that reading this guide will provide you with useful knowledge about the way Guest Secure Boot is handled in XCP-ng, and let you avoid mistakes.
23
47
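Review bot: the renamed heading at line 44 (`## Quick Start (8.2.1 and 8.3 with varstored < **TODO**)`) still carries the `**TODO**` version placeholder and, once scoped to older varstored, leaves readers on the newer varstored without a quick-start path; add a sentence or a sibling heading telling them that only the per-VM Secure Boot switch is required. Because the gate is a package version, also state how to check it on a host, e.g. `rpm -q varstored`, so readers know which section applies to them.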
@@ -91,6 +115,10 @@ For custom certificates (advanced use), see [Install Custom UEFI Certificates](#
91
115
92
116
### Install the Default UEFI Certificates
93
117
118
+
:::info
119
+
This procedure is not necessary if you're using varstored **TODO** and newer.
120
+
:::
121
+
94
122
`secureboot-certs` supports installing a default set of certificates across the pool.
95
123
96
124
Except the `PK` key which is already provided by XCP-ng, all certificates are downloaded from official sources (`microsoft.com` and `uefi.org`).
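Review bot: the admonition at lines 118-121 repeats the `**TODO**` placeholder, and the condition "if you're using varstored **TODO** and newer" is not checkable as written; give the real version and the check (`rpm -q varstored` on the host). It should also say what `secureboot-certs install` does on a host that already ships the full databases, since line 20 of the first hunk states that pool-installed databases are preserved and readers will otherwise wonder whether running the installer on new varstored overrides the built-in defaults.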