[mirror_edk2.git] / OvmfPkg / README

\r
=== OVMF OVERVIEW ===\r
\r
The Open Virtual Machine Firmware (OVMF) project aims\r
to support firmware for Virtual Machines using the edk2\r
code base.  More information can be found at:\r
\r
http://www.tianocore.org/ovmf/\r
\r
=== STATUS ===\r
\r
Current capabilities:\r
* IA32 and X64 architectures\r
* QEMU (0.10.0 or later)\r
  - Video, keyboard, IDE, CD-ROM, serial\r
  - Runs UEFI shell\r
  - Optional NIC support.  Requires QEMU (0.12.2 or later)\r
* UEFI Linux boots\r
* UEFI Windows 8 boots\r
* UEFI Windows 7 & Windows 2008 Server boot (see important notes below!)\r
\r
=== FUTURE PLANS ===\r
\r
* Test/Stabilize UEFI Self-Certification Tests (SCT) results\r
\r
=== BUILDING OVMF ===\r
\r
Pre-requisites:\r
* Build environment capable of build the edk2 MdeModulePkg.\r
* A properly configured ASL compiler:\r
  - Intel ASL compiler: Available from http://www.acpica.org\r
  - Microsoft ASL compiler: Available from http://www.acpi.info\r
* NASM: http://www.nasm.us/\r
\r
Update Conf/target.txt ACTIVE_PLATFORM for OVMF:\r
                             PEI arch   DXE arch   UEFI interfaces\r
* OvmfPkg/OvmfPkgIa32.dsc      IA32       IA32           IA32\r
* OvmfPkg/OvmfPkgIa32X64.dsc   IA32       X64            X64\r
* OvmfPkg/OvmfPkgX64.dsc       X64        X64            X64\r
\r
Update Conf/target.txt TARGET_ARCH based on the .dsc file:\r
                             TARGET_ARCH\r
* OvmfPkg/OvmfPkgIa32.dsc     IA32\r
* OvmfPkg/OvmfPkgIa32X64.dsc  IA32 X64\r
* OvmfPkg/OvmfPkgX64.dsc      X64\r
\r
Following the edk2 build process, you will find the OVMF binaries\r
under the $WORKSPACE/Build/*/*/FV directory.  The actual path will\r
depend on how your build is configured.  You can expect to find\r
these binary outputs:\r
* OVMF.FD\r
  - Please note!  This filename has changed.  Older releases used OVMF.Fv.\r
* OvmfVideo.rom\r
  - This file is not built separately any longer, starting with svn r13520.\r
\r
More information on building OVMF can be found at:\r
\r
https://github.com/tianocore/tianocore.github.io/wiki/How%20to%20build%20OVMF\r
\r
=== RUNNING OVMF on QEMU ===\r
\r
* QEMU 0.12.2 or later is required.\r
* Be sure to use qemu-system-x86_64, if you are using and X64 firmware.\r
  (qemu-system-x86_64 works for the IA32 firmware as well, of course.)\r
* Use OVMF for QEMU firmware (3 options available)\r
  - Option 1: QEMU 1.6 or newer; Use QEMU -pflash parameter\r
    * QEMU/OVMF will use emulated flash, and fully support UEFI variables\r
    * Run qemu with: -pflash path/to/OVMF.fd\r
    * Note that this option is required for running SecureBoot-enabled builds\r
      (-D SECURE_BOOT_ENABLE).\r
  - Option 2: Use QEMU -bios parameter\r
    * Note that UEFI variables will be partially emulated, and non-volatile\r
      variables may lose their contents after a reboot\r
    * Run qemu with: -bios path/to/OVMF.fd\r
  - Option 3: Use QEMU -L parameter\r
    * Note that UEFI variables will be partially emulated, and non-volatile\r
      variables may lose their contents after a reboot\r
    * Either copy, rename or symlink OVMF.fd => bios.bin\r
    * Use the QEMU -L parameter to specify the directory where the bios.bin\r
      file is located.\r
* The EFI shell is built into OVMF builds at this time, so it should\r
  run automatically if a UEFI boot application is not found on the\r
  removable media.\r
* On Linux, newer version of QEMU may enable KVM feature, and this might\r
  cause OVMF to fail to boot.  The QEMU '-no-kvm' may allow OVMF to boot.\r
* Capturing OVMF debug messages on qemu:\r
  - The default OVMF build writes debug messages to IO port 0x402.  The\r
    following qemu command line options save them in the file called\r
    debug.log: '-debugcon file:debug.log -global isa-debugcon.iobase=0x402'.\r
  - It is possible to revert to the original behavior, when debug messages were\r
    written to the emulated serial port (potentially intermixing OVMF debug\r
    output with UEFI serial console output).  For this the\r
    '-D DEBUG_ON_SERIAL_PORT' option has to be passed to the build command (see\r
    the next section), and in order to capture the serial output qemu needs to\r
    be started with eg. '-serial file:serial.log'.\r
  - Debug messages fall into several categories.  Logged vs. suppressed\r
    categories are controlled at OVMF build time by the\r
    'gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel' bitmask (an UINT32\r
    value) in the selected .dsc file.  Individual bits of this bitmask are\r
    defined in <MdePkg/Include/Library/DebugLib.h>.  One non-default bit (with\r
    some performance impact) that is frequently set for debugging is 0x00400000\r
    (DEBUG_VERBOSE).\r
  - The RELEASE build target ('-b RELEASE' build option, see below) disables\r
    all debug messages.  The default build target is DEBUG.\r
\r
=== Build Scripts ===\r
\r
On systems with the bash shell you can use OvmfPkg/build.sh to simplify\r
building and running OVMF.\r
\r
So, for example, to build + run OVMF X64:\r
$ OvmfPkg/build.sh -a X64\r
$ OvmfPkg/build.sh -a X64 qemu\r
\r
And to run a 64-bit UEFI bootable ISO image:\r
$ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso\r
\r
To build a 32-bit OVMF without debug messages using GCC 4.8:\r
$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48\r
\r
=== SMM support ===\r
\r
Requirements:\r
* SMM support requires QEMU 2.5.\r
* The minimum required QEMU machine type is "pc-q35-2.5".\r
* SMM with KVM requires Linux 4.4 (host).\r
\r
OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor\r
emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure,\r
and in the UEFI variable driver stack. The purpose is (virtual) hardware\r
separation between the runtime guest OS and the firmware (OVMF), with the\r
intent to make Secure Boot actually secure, by preventing the runtime guest OS\r
from tampering with the variable store and S3 areas.\r
\r
For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The\r
resultant firmware binary will check if QEMU actually provides SMM emulation;\r
if it doesn't, then OVMF will log an error and trigger an assertion failure\r
during boot (even in RELEASE builds). Both the naming of the flag (SMM_REQUIRE,\r
instead of SMM_ENABLE), and this behavior are consistent with the goal\r
described above: this is supposed to be a security feature, and fallbacks are\r
not allowed. Similarly, a pflash-backed variable store is a requirement.\r
\r
QEMU should be started with the options listed below (in addition to any other\r
guest-specific flags). The command line should be gradually composed from the\r
hints below. '\' is used to extend the command line to multiple lines, and '^'\r
can be used on Windows.\r
\r
* QEMU binary and options specific to 32-bit guests:\r
\r
  $ qemu-system-i386 -cpu coreduo,-nx \\r
\r
  or\r
\r
  $ qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \\r
\r
* QEMU binary for running 64-bit guests (no particular options):\r
\r
  $ qemu-system-x86_64 \\r
\r
* Flags common to all SMM scenarios (only the Q35 machine type is supported):\r
\r
  -machine q35,smm=on,accel=(tcg|kvm) \\r
  -m ... \\r
  -smp ... \\r
  -global driver=cfi.pflash01,property=secure,value=on \\r
  -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \\r
  -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \\r
\r
* In order to disable S3, add:\r
\r
  -global ICH9-LPC.disable_s3=1 \\r
\r
=== Network Support ===\r
\r
OVMF provides a UEFI network stack by default. Its lowest level driver is the\r
NIC driver, higher levels are generic. In order to make DHCP, PXE Boot, and eg.\r
socket test utilities from the StdLib edk2 package work, (1) qemu has to be\r
configured to emulate a NIC, (2) a matching UEFI NIC driver must be available\r
when OVMF boots.\r
\r
(If a NIC is configured for the virtual machine, and -- dependent on boot order\r
-- PXE booting is attempted, but no DHCP server responds to OVMF's DHCP\r
DISCOVER message at startup, the boot process may take approx. 3 seconds\r
longer.)\r
\r
* For each NIC emulated by qemu, a GPLv2 licensed UEFI driver is available from\r
  the iPXE project. The qemu source distribution, starting with version 1.5,\r
  contains prebuilt binaries of these drivers (and of course allows one to\r
  rebuild them from source as well). This is the recommended set of drivers.\r
\r
* Use the qemu -netdev and -device options, or the legacy -net option, to\r
  enable NIC support: <http://wiki.qemu.org/Documentation/Networking>.\r
\r
* For a qemu >= 1.5 binary running *without* any "-M machine" option where\r
  "machine" would identify a < qemu-1.5 configuration (for example: "-M\r
  pc-i440fx-1.4" or "-M pc-0.13"), the iPXE drivers are automatically available\r
  to and configured for OVMF in the default qemu installation.\r
\r
* For a qemu binary in [0.13, 1.5), or a qemu >= 1.5 binary with an "-M\r
  machine" option where "machine" selects a < qemu-1.5 configuration:\r
\r
  - download a >= 1.5.0-rc1 source tarball from <http://wiki.qemu.org/Download>,\r
\r
  - extract the following iPXE driver files from the tarball and install them\r
    in a location that is accessible to qemu processes (this may depend on your\r
    SELinux configuration, for example):\r
\r
    qemu-VERSION/pc-bios/efi-e1000.rom\r
    qemu-VERSION/pc-bios/efi-ne2k_pci.rom\r
    qemu-VERSION/pc-bios/efi-pcnet.rom\r
    qemu-VERSION/pc-bios/efi-rtl8139.rom\r
    qemu-VERSION/pc-bios/efi-virtio.rom\r
\r
  - extend the NIC's -device option on the qemu command line with a matching\r
    "romfile=" optarg:\r
\r
    -device e1000,...,romfile=/full/path/to/efi-e1000.rom\r
    -device ne2k_pci,...,romfile=/full/path/to/efi-ne2k_pci.rom\r
    -device pcnet,...,romfile=/full/path/to/efi-pcnet.rom\r
    -device rtl8139,...,romfile=/full/path/to/efi-rtl8139.rom\r
    -device virtio-net-pci,...,romfile=/full/path/to/efi-virtio.rom\r
\r
* Independently of the iPXE NIC drivers, the default OVMF build provides a\r
  basic virtio-net driver, located in OvmfPkg/VirtioNetDxe.\r
\r
* Also independently of the iPXE NIC drivers, Intel's proprietary E1000 NIC\r
  driver (from the BootUtil distribution) can be embedded in the OVMF image at\r
  build time:\r
\r
  - Download BootUtil:\r
    - Navigate to\r
      https://downloadcenter.intel.com/download/19186/Ethernet-Intel-Ethernet-Connections-Boot-Utility-Preboot-Images-and-EFI-Drivers\r
    - Click the download link for "PREBOOT.EXE".\r
    - Accept the Intel Software License Agreement that appears.\r
    - Unzip "PREBOOT.EXE" into a separate directory (this works with the\r
      "unzip" utility on platforms different from Windows as well).\r
    - Copy the "APPS/EFI/EFIx64/E3522X2.EFI" driver binary to\r
      "Intel3.5/EFIX64/E3522X2.EFI" in your WORKSPACE.\r
    - Intel have stopped distributing an IA32 driver binary (which used to\r
      match the filename pattern "E35??E2.EFI"), thus this method will only\r
      work for the IA32X64 and X64 builds of OVMF.\r
\r
  - Include the driver in OVMF during the build:\r
    - Add "-D E1000_ENABLE" to your build command (only when building\r
      "OvmfPkg/OvmfPkgIa32X64.dsc" or "OvmfPkg/OvmfPkgX64.dsc").\r
    - For example: "build -D E1000_ENABLE".\r
\r
* When a matching iPXE driver is configured for a NIC as described above, it\r
  takes priority over other drivers that could possibly drive the card too:\r
\r
                         | e1000  ne2k_pci  pcnet  rtl8139  virtio-net-pci\r
    ---------------------+------------------------------------------------\r
    iPXE                 |   x       x        x       x           x\r
    VirtioNetDxe         |                                        x\r
    Intel BootUtil (X64) |   x\r
\r
=== HTTPS Boot ===\r
\r
HTTPS Boot is an alternative solution to PXE. It replaces the tftp server\r
with a HTTPS server so the firmware can download the images through a trusted\r
and encrypted connection.\r
\r
* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and\r
  -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while\r
  the latter enables TLS support in both NetworkPkg and CryptoPkg.\r
\r
* By default, there is no trusted certificate. The user has to import the\r
  certificates either manually with "Tls Auth Configuration" utility in the\r
  firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.\r
\r
  -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>\r
\r
  The blob for etc/edk2/https/cacerts has to be in the format of Signature\r
  Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the\r
  certificate list.\r
\r
  If you want to create the certificate list based on the CA certificates\r
  in your local host, p11-kit will be a good choice. Here is the command to\r
  create the list:\r
\r
  p11-kit extract --format=edk2-cacerts --filter=ca-anchors \\r
    --overwrite --purpose=server-auth <certdb>\r
\r
  If you only want to import one certificate, efisiglist is the tool for you:\r
\r
  efisiglist -a <cert file> -o <certdb>\r
\r
  Please note that the certificate has to be in the DER format.\r
\r
  You can also append a certificate to the existing list with the following\r
  command:\r
\r
  efisiglist -i <old certdb> -a <cert file> -o <new certdb>\r
\r
  NOTE: You may need the patch to make efisiglist generate the correct header.\r
  (https://github.com/rhboot/pesign/pull/40)\r
\r
* Besides the trusted certificates, it's also possible to configure the trusted\r
  cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
\r
  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
\r
  OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
  IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
  suite from the intersection of the given list and the built-in cipher\r
  suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
  built-in ones.\r
\r
  While the tool(*5) to create the cipher suite array is still under\r
  development, the array can be generated with the following script:\r
\r
  export LC_ALL=C\r
  openssl ciphers -V \\r
  | sed -r -n \\r
     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
  | xargs -r -- printf -- '%b' > ciphers.bin\r
\r
  This script creates ciphers.bin that contains all the cipher suite IDs\r
  supported by openssl according to the local host configuration.\r
\r
  You may want to enable only a limited set of cipher suites. Then, you\r
  should check the validity of your list first:\r
\r
  openssl ciphers -V <cipher list>\r
\r
  If all the cipher suites in your list map to the proper HEX IDs, go ahead\r
  to modify the script and execute it:\r
\r
  export LC_ALL=C\r
  openssl ciphers -V <cipher list> \\r
  | sed -r -n \\r
     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
  | xargs -r -- printf -- '%b' > ciphers.bin\r
\r
* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
  files automatically from the local host configuration, and enable the user\r
  to override either with dedicated options or properties.\r
\r
(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
\r
=== OVMF Flash Layout ===\r
\r
Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)\r
appears in QEMU's physical address space just below 4GB (0x100000000).\r
\r
OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the\r
FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the\r
1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB\r
image is 0xffe00000. The base address for the 4MB image is 0xffc00000.\r
\r
Using the 1MB or 2MB image, the layout of the firmware device in memory looks\r
like:\r
\r
+--------------------------------------- 4GB (0x100000000)\r
| VTF0 (16-bit reset code) and OVMF SEC\r
| (SECFV, 208KB/0x34000)\r
+--------------------------------------- varies based on flash size\r
|\r
| Compressed main firmware image\r
| (FVMAIN_COMPACT)\r
|\r
+--------------------------------------- base + 0x20000\r
| Fault-tolerant write (FTW)\r
| Spare blocks (64KB/0x10000)\r
+--------------------------------------- base + 0x10000\r
| FTW Work block (4KB/0x1000)\r
+--------------------------------------- base + 0x0f000\r
| Event log area (4KB/0x1000)\r
+--------------------------------------- base + 0x0e000\r
| Non-volatile variable storage\r
| area (56KB/0xe000)\r
+--------------------------------------- base address\r
\r
Using the 4MB image, the layout of the firmware device in memory looks like:\r
\r
+--------------------------------------- base + 0x400000 (4GB/0x100000000)\r
| VTF0 (16-bit reset code) and OVMF SEC\r
| (SECFV, 208KB/0x34000)\r
+--------------------------------------- base + 0x3cc000\r
|\r
| Compressed main firmware image\r
| (FVMAIN_COMPACT, 3360KB/0x348000)\r
|\r
+--------------------------------------- base + 0x84000\r
| Fault-tolerant write (FTW)\r
| Spare blocks (264KB/0x42000)\r
+--------------------------------------- base + 0x42000\r
| FTW Work block (4KB/0x1000)\r
+--------------------------------------- base + 0x41000\r
| Event log area (4KB/0x1000)\r
+--------------------------------------- base + 0x40000\r
| Non-volatile variable storage\r
| area (256KB/0x40000)\r
+--------------------------------------- base address (0xffc00000)\r
\r
The code in SECFV locates FVMAIN_COMPACT, and decompresses the\r
main firmware (MAINFV) into RAM memory at address 0x800000. The\r
remaining OVMF firmware then uses this decompressed firmware\r
volume image.\r
\r
=== UEFI Windows 7 & Windows 2008 Server ===\r
\r
* One of the '-vga std' and '-vga qxl' QEMU options should be used.\r
* Only one video mode, 1024x768x32, is supported at OS runtime.\r
* The '-vga qxl' QEMU option is recommended. After booting the installed\r
  guest OS, select the video card in Device Manager, and upgrade its driver\r
  to the QXL XDDM one. Download location:\r
  <http://www.spice-space.org/download.html>, Guest | Windows binaries.\r
  This enables further resolutions at OS runtime, and provides S3\r
  (suspend/resume) capability.\r
Commit	Line	Data
49ba9447	1	\r
	2	=== OVMF OVERVIEW ===\r
	3	\r
	4	The Open Virtual Machine Firmware (OVMF) project aims\r
	5	to support firmware for Virtual Machines using the edk2\r
	6	code base. More information can be found at:\r
	7	\r
9a426abc	8	http://www.tianocore.org/ovmf/\r
49ba9447	9	\r
	10	=== STATUS ===\r
	11	\r
49ba9447	12	Current capabilities:\r
49ba9447	13	* IA32 and X64 architectures\r
73f4a1c0	14	* QEMU (0.10.0 or later)\r
49ba9447	15	- Video, keyboard, IDE, CD-ROM, serial\r
49ba9447	16	- Runs UEFI shell\r
7416f4eb	17	- Optional NIC support. Requires QEMU (0.12.2 or later)\r
73f4a1c0	18	* UEFI Linux boots\r
73f4a1c0	19	* UEFI Windows 8 boots\r
90803342	20	* UEFI Windows 7 & Windows 2008 Server boot (see important notes below!)\r
49ba9447	21	\r
	22	=== FUTURE PLANS ===\r
	23	\r
49ba9447	24	* Test/Stabilize UEFI Self-Certification Tests (SCT) results\r
49ba9447	25	\r
37e97c51	26	=== BUILDING OVMF ===\r
	27	\r
	28	Pre-requisites:\r
	29	* Build environment capable of build the edk2 MdeModulePkg.\r
66325870	30	* A properly configured ASL compiler:\r
	31	- Intel ASL compiler: Available from http://www.acpica.org\r
	32	- Microsoft ASL compiler: Available from http://www.acpi.info\r
497cbb53	33	* NASM: http://www.nasm.us/\r
37e97c51	34	\r
	35	Update Conf/target.txt ACTIVE_PLATFORM for OVMF:\r
	36	PEI arch DXE arch UEFI interfaces\r
	37	* OvmfPkg/OvmfPkgIa32.dsc IA32 IA32 IA32\r
	38	* OvmfPkg/OvmfPkgIa32X64.dsc IA32 X64 X64\r
	39	* OvmfPkg/OvmfPkgX64.dsc X64 X64 X64\r
	40	\r
2dae09a5	41	Update Conf/target.txt TARGET_ARCH based on the .dsc file:\r
	42	TARGET_ARCH\r
	43	* OvmfPkg/OvmfPkgIa32.dsc IA32\r
	44	* OvmfPkg/OvmfPkgIa32X64.dsc IA32 X64\r
	45	* OvmfPkg/OvmfPkgX64.dsc X64\r
	46	\r
	47	Following the edk2 build process, you will find the OVMF binaries\r
	48	under the $WORKSPACE/Build///FV directory. The actual path will\r
	49	depend on how your build is configured. You can expect to find\r
	50	these binary outputs:\r
7416f4eb	51	* OVMF.FD\r
66325870	52	- Please note! This filename has changed. Older releases used OVMF.Fv.\r
922f593a	53	* OvmfVideo.rom\r
e79095b7	54	- This file is not built separately any longer, starting with svn r13520.\r
2dae09a5	55	\r
2dae09a5	56	More information on building OVMF can be found at:\r
c315da0a	57	\r
9a426abc	58	https://github.com/tianocore/tianocore.github.io/wiki/How%20to%20build%20OVMF\r
37e97c51	59	\r
	60	=== RUNNING OVMF on QEMU ===\r
	61	\r
210c880f	62	* QEMU 0.12.2 or later is required.\r
37e97c51	63	* Be sure to use qemu-system-x86_64, if you are using and X64 firmware.\r
37e97c51	64	(qemu-system-x86_64 works for the IA32 firmware as well, of course.)\r
210c880f JJ	65	* Use OVMF for QEMU firmware (3 options available)\r
	66	- Option 1: QEMU 1.6 or newer; Use QEMU -pflash parameter\r
	67	* QEMU/OVMF will use emulated flash, and fully support UEFI variables\r
	68	* Run qemu with: -pflash path/to/OVMF.fd\r
8714a631 LE	69	* Note that this option is required for running SecureBoot-enabled builds\r
8714a631 LE	70	(-D SECURE_BOOT_ENABLE).\r
210c880f JJ	71	- Option 2: Use QEMU -bios parameter\r
	72	* Note that UEFI variables will be partially emulated, and non-volatile\r
	73	variables may lose their contents after a reboot\r
	74	* Run qemu with: -bios path/to/OVMF.fd\r
	75	- Option 3: Use QEMU -L parameter\r
	76	* Note that UEFI variables will be partially emulated, and non-volatile\r
	77	variables may lose their contents after a reboot\r
	78	* Either copy, rename or symlink OVMF.fd => bios.bin\r
	79	* Use the QEMU -L parameter to specify the directory where the bios.bin\r
	80	file is located.\r
37e97c51	81	* The EFI shell is built into OVMF builds at this time, so it should\r
	82	run automatically if a UEFI boot application is not found on the\r
	83	removable media.\r
aed8e2ec	84	* On Linux, newer version of QEMU may enable KVM feature, and this might\r
aed8e2ec	85	cause OVMF to fail to boot. The QEMU '-no-kvm' may allow OVMF to boot.\r
bf23b44d	86	* Capturing OVMF debug messages on qemu:\r
	87	- The default OVMF build writes debug messages to IO port 0x402. The\r
	88	following qemu command line options save them in the file called\r
	89	debug.log: '-debugcon file:debug.log -global isa-debugcon.iobase=0x402'.\r
	90	- It is possible to revert to the original behavior, when debug messages were\r
	91	written to the emulated serial port (potentially intermixing OVMF debug\r
	92	output with UEFI serial console output). For this the\r
	93	'-D DEBUG_ON_SERIAL_PORT' option has to be passed to the build command (see\r
	94	the next section), and in order to capture the serial output qemu needs to\r
	95	be started with eg. '-serial file:serial.log'.\r
	96	- Debug messages fall into several categories. Logged vs. suppressed\r
	97	categories are controlled at OVMF build time by the\r
	98	'gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel' bitmask (an UINT32\r
	99	value) in the selected .dsc file. Individual bits of this bitmask are\r
	100	defined in <MdePkg/Include/Library/DebugLib.h>. One non-default bit (with\r
	101	some performance impact) that is frequently set for debugging is 0x00400000\r
	102	(DEBUG_VERBOSE).\r
	103	- The RELEASE build target ('-b RELEASE' build option, see below) disables\r
	104	all debug messages. The default build target is DEBUG.\r
5a9745b9	105	\r
	106	=== Build Scripts ===\r
	107	\r
66325870	108	On systems with the bash shell you can use OvmfPkg/build.sh to simplify\r
66325870	109	building and running OVMF.\r
5a9745b9	110	\r
5a9745b9	111	So, for example, to build + run OVMF X64:\r
66325870	112	$ OvmfPkg/build.sh -a X64\r
66325870	113	$ OvmfPkg/build.sh -a X64 qemu\r
5a9745b9	114	\r
5a9745b9	115	And to run a 64-bit UEFI bootable ISO image:\r
66325870	116	$ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso\r
66325870	117	\r
8d7cdfae LE	118	To build a 32-bit OVMF without debug messages using GCC 4.8:\r
8d7cdfae LE	119	$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48\r
5a9745b9	120	\r
5e04f4b7 LE	121	=== SMM support ===\r
	122	\r
	123	Requirements:\r
	124	* SMM support requires QEMU 2.5.\r
	125	* The minimum required QEMU machine type is "pc-q35-2.5".\r
	126	* SMM with KVM requires Linux 4.4 (host).\r
	127	\r
	128	OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor\r
	129	emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure,\r
	130	and in the UEFI variable driver stack. The purpose is (virtual) hardware\r
	131	separation between the runtime guest OS and the firmware (OVMF), with the\r
	132	intent to make Secure Boot actually secure, by preventing the runtime guest OS\r
	133	from tampering with the variable store and S3 areas.\r
	134	\r
	135	For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The\r
	136	resultant firmware binary will check if QEMU actually provides SMM emulation;\r
	137	if it doesn't, then OVMF will log an error and trigger an assertion failure\r
	138	during boot (even in RELEASE builds). Both the naming of the flag (SMM_REQUIRE,\r
	139	instead of SMM_ENABLE), and this behavior are consistent with the goal\r
	140	described above: this is supposed to be a security feature, and fallbacks are\r
	141	not allowed. Similarly, a pflash-backed variable store is a requirement.\r
	142	\r
	143	QEMU should be started with the options listed below (in addition to any other\r
	144	guest-specific flags). The command line should be gradually composed from the\r
	145	hints below. '\' is used to extend the command line to multiple lines, and '^'\r
	146	can be used on Windows.\r
	147	\r
	148	* QEMU binary and options specific to 32-bit guests:\r
	149	\r
	150	$ qemu-system-i386 -cpu coreduo,-nx \\r
	151	\r
	152	or\r
	153	\r
	154	$ qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \\r
	155	\r
	156	* QEMU binary for running 64-bit guests (no particular options):\r
	157	\r
	158	$ qemu-system-x86_64 \\r
	159	\r
	160	* Flags common to all SMM scenarios (only the Q35 machine type is supported):\r
	161	\r
	162	-machine q35,smm=on,accel=(tcg\|kvm) \\r
	163	-m ... \\r
	164	-smp ... \\r
	165	-global driver=cfi.pflash01,property=secure,value=on \\r
	166	-drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \\r
	167	-drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \\r
	168	\r
	169	* In order to disable S3, add:\r
	170	\r
	171	-global ICH9-LPC.disable_s3=1 \\r
	172	\r
aed8e2ec	173	=== Network Support ===\r
aed8e2ec	174	\r
7a1f5947 LE	175	OVMF provides a UEFI network stack by default. Its lowest level driver is the\r
	176	NIC driver, higher levels are generic. In order to make DHCP, PXE Boot, and eg.\r
	177	socket test utilities from the StdLib edk2 package work, (1) qemu has to be\r
	178	configured to emulate a NIC, (2) a matching UEFI NIC driver must be available\r
	179	when OVMF boots.\r
7628b0f5	180	\r
	181	(If a NIC is configured for the virtual machine, and -- dependent on boot order\r
	182	-- PXE booting is attempted, but no DHCP server responds to OVMF's DHCP\r
	183	DISCOVER message at startup, the boot process may take approx. 3 seconds\r
	184	longer.)\r
	185	\r
	186	* For each NIC emulated by qemu, a GPLv2 licensed UEFI driver is available from\r
	187	the iPXE project. The qemu source distribution, starting with version 1.5,\r
	188	contains prebuilt binaries of these drivers (and of course allows one to\r
7a1f5947	189	rebuild them from source as well). This is the recommended set of drivers.\r
7628b0f5	190	\r
	191	* Use the qemu -netdev and -device options, or the legacy -net option, to\r
	192	enable NIC support: <http://wiki.qemu.org/Documentation/Networking>.\r
	193	\r
	194	* For a qemu >= 1.5 binary running without any "-M machine" option where\r
	195	"machine" would identify a < qemu-1.5 configuration (for example: "-M\r
7a1f5947 LE	196	pc-i440fx-1.4" or "-M pc-0.13"), the iPXE drivers are automatically available\r
7a1f5947 LE	197	to and configured for OVMF in the default qemu installation.\r
7628b0f5	198	\r
	199	* For a qemu binary in [0.13, 1.5), or a qemu >= 1.5 binary with an "-M\r
	200	machine" option where "machine" selects a < qemu-1.5 configuration:\r
	201	\r
	202	- download a >= 1.5.0-rc1 source tarball from <http://wiki.qemu.org/Download>,\r
	203	\r
7a1f5947 LE	204	- extract the following iPXE driver files from the tarball and install them\r
7a1f5947 LE	205	in a location that is accessible to qemu processes (this may depend on your\r
7628b0f5	206	SELinux configuration, for example):\r
	207	\r
	208	qemu-VERSION/pc-bios/efi-e1000.rom\r
	209	qemu-VERSION/pc-bios/efi-ne2k_pci.rom\r
	210	qemu-VERSION/pc-bios/efi-pcnet.rom\r
	211	qemu-VERSION/pc-bios/efi-rtl8139.rom\r
	212	qemu-VERSION/pc-bios/efi-virtio.rom\r
	213	\r
	214	- extend the NIC's -device option on the qemu command line with a matching\r
	215	"romfile=" optarg:\r
	216	\r
	217	-device e1000,...,romfile=/full/path/to/efi-e1000.rom\r
	218	-device ne2k_pci,...,romfile=/full/path/to/efi-ne2k_pci.rom\r
	219	-device pcnet,...,romfile=/full/path/to/efi-pcnet.rom\r
	220	-device rtl8139,...,romfile=/full/path/to/efi-rtl8139.rom\r
	221	-device virtio-net-pci,...,romfile=/full/path/to/efi-virtio.rom\r
	222	\r
7a1f5947 LE	223	* Independently of the iPXE NIC drivers, the default OVMF build provides a\r
	224	basic virtio-net driver, located in OvmfPkg/VirtioNetDxe.\r
	225	\r
	226	* Also independently of the iPXE NIC drivers, Intel's proprietary E1000 NIC\r
253d81c7 LE	227	driver (from the BootUtil distribution) can be embedded in the OVMF image at\r
	228	build time:\r
	229	\r
	230	- Download BootUtil:\r
	231	- Navigate to\r
	232	https://downloadcenter.intel.com/download/19186/Ethernet-Intel-Ethernet-Connections-Boot-Utility-Preboot-Images-and-EFI-Drivers\r
	233	- Click the download link for "PREBOOT.EXE".\r
	234	- Accept the Intel Software License Agreement that appears.\r
	235	- Unzip "PREBOOT.EXE" into a separate directory (this works with the\r
	236	"unzip" utility on platforms different from Windows as well).\r
	237	- Copy the "APPS/EFI/EFIx64/E3522X2.EFI" driver binary to\r
	238	"Intel3.5/EFIX64/E3522X2.EFI" in your WORKSPACE.\r
	239	- Intel have stopped distributing an IA32 driver binary (which used to\r
	240	match the filename pattern "E35??E2.EFI"), thus this method will only\r
	241	work for the IA32X64 and X64 builds of OVMF.\r
7628b0f5	242	\r
7628b0f5	243	- Include the driver in OVMF during the build:\r
253d81c7 LE	244	- Add "-D E1000_ENABLE" to your build command (only when building\r
253d81c7 LE	245	"OvmfPkg/OvmfPkgIa32X64.dsc" or "OvmfPkg/OvmfPkgX64.dsc").\r
e3dca185	246	- For example: "build -D E1000_ENABLE".\r
aed8e2ec	247	\r
7a1f5947 LE	248	* When a matching iPXE driver is configured for a NIC as described above, it\r
	249	takes priority over other drivers that could possibly drive the card too:\r
	250	\r
253d81c7 LE	251	\| e1000 ne2k_pci pcnet rtl8139 virtio-net-pci\r
	252	---------------------+------------------------------------------------\r
	253	iPXE \| x x x x x\r
	254	VirtioNetDxe \| x\r
	255	Intel BootUtil (X64) \| x\r
7a1f5947	256	\r
d3180516 GL	257	=== HTTPS Boot ===\r
	258	\r
	259	HTTPS Boot is an alternative solution to PXE. It replaces the tftp server\r
	260	with a HTTPS server so the firmware can download the images through a trusted\r
	261	and encrypted connection.\r
	262	\r
	263	* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and\r
	264	-D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while\r
	265	the latter enables TLS support in both NetworkPkg and CryptoPkg.\r
	266	\r
	267	* By default, there is no trusted certificate. The user has to import the\r
	268	certificates either manually with "Tls Auth Configuration" utility in the\r
	269	firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.\r
	270	\r
	271	-fw_cfg name=etc/edk2/https/cacerts,file=<certdb>\r
	272	\r
	273	The blob for etc/edk2/https/cacerts has to be in the format of Signature\r
	274	Database(1). You can use p11-kit(2) or efisiglit(*3) to create the\r
	275	certificate list.\r
	276	\r
	277	If you want to create the certificate list based on the CA certificates\r
	278	in your local host, p11-kit will be a good choice. Here is the command to\r
	279	create the list:\r
	280	\r
	281	p11-kit extract --format=edk2-cacerts --filter=ca-anchors \\r
	282	--overwrite --purpose=server-auth <certdb>\r
	283	\r
	284	If you only want to import one certificate, efisiglist is the tool for you:\r
	285	\r
	286	efisiglist -a <cert file> -o <certdb>\r
	287	\r
	288	Please note that the certificate has to be in the DER format.\r
	289	\r
	290	You can also append a certificate to the existing list with the following\r
	291	command:\r
	292	\r
	293	efisiglist -i <old certdb> -a <cert file> -o <new certdb>\r
	294	\r
	295	NOTE: You may need the patch to make efisiglist generate the correct header.\r
	296	(https://github.com/rhboot/pesign/pull/40)\r
	297	\r
	298	* Besides the trusted certificates, it's also possible to configure the trusted\r
	299	cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
	300	\r
	301	-fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
	302	\r
	303	OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
	304	IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
	305	suite from the intersection of the given list and the built-in cipher\r
	306	suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
	307	built-in ones.\r
	308	\r
	309	While the tool(*5) to create the cipher suite array is still under\r
	310	development, the array can be generated with the following script:\r
	311	\r
	312	export LC_ALL=C\r
	313	openssl ciphers -V \\r
	314	\| sed -r -n \\r
	315	-e 's/^ 0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .$/\\\\x\1 \\\\x\2/p' \\r
	316	\| xargs -r -- printf -- '%b' > ciphers.bin\r
	317	\r
	318	This script creates ciphers.bin that contains all the cipher suite IDs\r
	319	supported by openssl according to the local host configuration.\r
	320	\r
321	You may want to enable only a limited set of cipher suites. Then, you\r
322	should check the validity of your list first:\r
323	\r
324	openssl ciphers -V <cipher list>\r
325	\r
326	If all the cipher suites in your list map to the proper HEX IDs, go ahead\r
327	to modify the script and execute it:\r
328	\r
329	export LC_ALL=C\r
330	openssl ciphers -V <cipher list> \\r
331	\| sed -r -n \\r
332	-e 's/^ 0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .$/\\\\x\1 \\\\x\2/p' \\r
333	\| xargs -r -- printf -- '%b' > ciphers.bin\r
334	\r
335	* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
336	files automatically from the local host configuration, and enable the user\r
337	to override either with dedicated options or properties.\r
338	\r
339	(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
340	(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
341	(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
342	(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
343	(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
344	\r
e58e5bcd JJ	345	=== OVMF Flash Layout ===\r
e58e5bcd JJ	346	\r
f78c8bf2 LE	347	Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)\r
f78c8bf2 LE	348	appears in QEMU's physical address space just below 4GB (0x100000000).\r
e58e5bcd	349	\r
f78c8bf2 LE	350	OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the\r
	351	FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the\r
	352	1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB\r
	353	image is 0xffe00000. The base address for the 4MB image is 0xffc00000.\r
	354	\r
	355	Using the 1MB or 2MB image, the layout of the firmware device in memory looks\r
	356	like:\r
e58e5bcd JJ	357	\r
	358	+--------------------------------------- 4GB (0x100000000)\r
	359	\| VTF0 (16-bit reset code) and OVMF SEC\r
f78c8bf2	360	\| (SECFV, 208KB/0x34000)\r
e58e5bcd JJ	361	+--------------------------------------- varies based on flash size\r
	362	\|\r
	363	\| Compressed main firmware image\r
	364	\| (FVMAIN_COMPACT)\r
	365	\|\r
	366	+--------------------------------------- base + 0x20000\r
	367	\| Fault-tolerant write (FTW)\r
	368	\| Spare blocks (64KB/0x10000)\r
	369	+--------------------------------------- base + 0x10000\r
	370	\| FTW Work block (4KB/0x1000)\r
	371	+--------------------------------------- base + 0x0f000\r
	372	\| Event log area (4KB/0x1000)\r
	373	+--------------------------------------- base + 0x0e000\r
	374	\| Non-volatile variable storage\r
	375	\| area (56KB/0xe000)\r
	376	+--------------------------------------- base address\r
	377	\r
f78c8bf2 LE	378	Using the 4MB image, the layout of the firmware device in memory looks like:\r
	379	\r
	380	+--------------------------------------- base + 0x400000 (4GB/0x100000000)\r
	381	\| VTF0 (16-bit reset code) and OVMF SEC\r
	382	\| (SECFV, 208KB/0x34000)\r
	383	+--------------------------------------- base + 0x3cc000\r
	384	\|\r
	385	\| Compressed main firmware image\r
	386	\| (FVMAIN_COMPACT, 3360KB/0x348000)\r
	387	\|\r
	388	+--------------------------------------- base + 0x84000\r
	389	\| Fault-tolerant write (FTW)\r
	390	\| Spare blocks (264KB/0x42000)\r
	391	+--------------------------------------- base + 0x42000\r
	392	\| FTW Work block (4KB/0x1000)\r
	393	+--------------------------------------- base + 0x41000\r
	394	\| Event log area (4KB/0x1000)\r
	395	+--------------------------------------- base + 0x40000\r
	396	\| Non-volatile variable storage\r
	397	\| area (256KB/0x40000)\r
	398	+--------------------------------------- base address (0xffc00000)\r
e58e5bcd JJ	399	\r
	400	The code in SECFV locates FVMAIN_COMPACT, and decompresses the\r
	401	main firmware (MAINFV) into RAM memory at address 0x800000. The\r
	402	remaining OVMF firmware then uses this decompressed firmware\r
	403	volume image.\r
	404	\r
90803342 LE	405	=== UEFI Windows 7 & Windows 2008 Server ===\r
	406	\r
	407	* One of the '-vga std' and '-vga qxl' QEMU options should be used.\r
	408	* Only one video mode, 1024x768x32, is supported at OS runtime.\r
	409	* The '-vga qxl' QEMU option is recommended. After booting the installed\r
	410	guest OS, select the video card in Device Manager, and upgrade its driver\r
	411	to the QXL XDDM one. Download location:\r
	412	<http://www.spice-space.org/download.html>, Guest \| Windows binaries.\r
	413	This enables further resolutions at OS runtime, and provides S3\r
	414	(suspend/resume) capability.\r