Feature pages are design documents that developers have created while collaborating on oVirt.

Most of them are outdated, but provide historical design context.

They are not user documentation and should not be treated as such.

Documentation is available here.

Secure boot NVRAM data persistence

Summary

This feature allows retaining Secure Boot NVRAM data across VM restarts.

Owner

  • Name: Milan Zamazal
  • Email: mzamazal@redhat.com

Description

Secure boot non-volatile memory may contain keys inserted there by the guest OS. They are used for validation of the software components loaded during boot. In order to perform such a validation, the recently stored keys must be available also on the next VM start. This feature adds the required functionality.

All the problems, security considerations, limitations, and implementation options are very similar to TPM data persistence. The implementation is also almost the same. This feature page discusses only significant differences to TPM.

Unlike TPM, where libvirt and QEMU use external software to provide TPM emulation, NVRAM data is handled directly by libvirt and QEMU.

Prerequisites

There are no special prerequisites for this feature.

User Experience

NVRAM data is stored whenever UEFI SecureBoot firmware is enabled for the given VM. It could be stored also for UEFI without SecureBoot, but since there can be some limitations initially (e.g. preventing snapshots with memory) it’s better not to put unneeded restrictions on all UEFI VMs.

If the firmware is changed to a different type than UEFI SecureBoot, contingent NVRAM data is deleted from the Engine database.

NVRAM data is stored only for VMs run from oVirt. When VMs originating from external systems are imported their secure boot data is not imported.

Testing

It’s the same as for TPM data persistence. Note that unlike TPM, there is no special device created.