\r
Current capabilities:\r
* IA32 and X64 architectures\r
-* QEMU (0.10.0 or later)\r
+* QEMU (version 1.7.1 or later, with 1.7 or later machine types)\r
- Video, keyboard, IDE, CD-ROM, serial\r
- Runs UEFI shell\r
- - Optional NIC support. Requires QEMU (0.12.2 or later)\r
+ - Optional NIC support.\r
* UEFI Linux boots\r
* UEFI Windows 8 boots\r
* UEFI Windows 7 & Windows 2008 Server boot (see important notes below!)\r
\r
=== RUNNING OVMF on QEMU ===\r
\r
-* QEMU 0.12.2 or later is required.\r
-* Be sure to use qemu-system-x86_64, if you are using and X64 firmware.\r
+* Be sure to use qemu-system-x86_64, if you are using an X64 firmware.\r
(qemu-system-x86_64 works for the IA32 firmware as well, of course.)\r
* Use OVMF for QEMU firmware (3 options available)\r
- - Option 1: QEMU 1.6 or newer; Use QEMU -pflash parameter\r
+ - Option 1: Use QEMU -pflash parameter\r
* QEMU/OVMF will use emulated flash, and fully support UEFI variables\r
* Run qemu with: -pflash path/to/OVMF.fd\r
* Note that this option is required for running SecureBoot-enabled builds\r
longer.)\r
\r
* For each NIC emulated by qemu, a GPLv2 licensed UEFI driver is available from\r
- the iPXE project. The qemu source distribution, starting with version 1.5,\r
- contains prebuilt binaries of these drivers (and of course allows one to\r
- rebuild them from source as well). This is the recommended set of drivers.\r
+ the iPXE project. The qemu source distribution contains prebuilt binaries of\r
+ these drivers (and of course allows one to rebuild them from source as well).\r
+ This is the recommended set of drivers.\r
\r
* Use the qemu -netdev and -device options, or the legacy -net option, to\r
enable NIC support: <http://wiki.qemu.org/Documentation/Networking>.\r
\r
-* For a qemu >= 1.5 binary running *without* any "-M machine" option where\r
- "machine" would identify a < qemu-1.5 configuration (for example: "-M\r
- pc-i440fx-1.4" or "-M pc-0.13"), the iPXE drivers are automatically available\r
- to and configured for OVMF in the default qemu installation.\r
-\r
-* For a qemu binary in [0.13, 1.5), or a qemu >= 1.5 binary with an "-M\r
- machine" option where "machine" selects a < qemu-1.5 configuration:\r
-\r
- - download a >= 1.5.0-rc1 source tarball from <http://wiki.qemu.org/Download>,\r
-\r
- - extract the following iPXE driver files from the tarball and install them\r
- in a location that is accessible to qemu processes (this may depend on your\r
- SELinux configuration, for example):\r
-\r
- qemu-VERSION/pc-bios/efi-e1000.rom\r
- qemu-VERSION/pc-bios/efi-ne2k_pci.rom\r
- qemu-VERSION/pc-bios/efi-pcnet.rom\r
- qemu-VERSION/pc-bios/efi-rtl8139.rom\r
- qemu-VERSION/pc-bios/efi-virtio.rom\r
-\r
- - extend the NIC's -device option on the qemu command line with a matching\r
- "romfile=" optarg:\r
-\r
- -device e1000,...,romfile=/full/path/to/efi-e1000.rom\r
- -device ne2k_pci,...,romfile=/full/path/to/efi-ne2k_pci.rom\r
- -device pcnet,...,romfile=/full/path/to/efi-pcnet.rom\r
- -device rtl8139,...,romfile=/full/path/to/efi-rtl8139.rom\r
- -device virtio-net-pci,...,romfile=/full/path/to/efi-virtio.rom\r
+* The iPXE drivers are automatically available to and configured for OVMF in\r
+ the default qemu installation.\r
\r
* Independently of the iPXE NIC drivers, the default OVMF build provides a\r
basic virtio-net driver, located in OvmfPkg/VirtioNetDxe.\r
with a HTTPS server so the firmware can download the images through a trusted\r
and encrypted connection.\r
\r
-* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and\r
- -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while\r
- the latter enables TLS support in both NetworkPkg and CryptoPkg.\r
+* To enable HTTPS Boot, you have to build OVMF with -D NETWORK_HTTP_BOOT_ENABLE\r
+ and -D NETWORK_TLS_ENABLE. The former brings in the HTTP stack from\r
+ NetworkPkg while the latter enables TLS support in both NetworkPkg and\r
+ CryptoPkg.\r
+\r
+ If you want to exclude the unsecured HTTP connection completely, OVMF has to\r
+ be built with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only the HTTPS\r
+ connections will be accepted.\r
\r
* By default, there is no trusted certificate. The user has to import the\r
certificates either manually with "Tls Auth Configuration" utility in the\r
* Besides the trusted certificates, it's also possible to configure the trusted\r
cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
\r
- -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
-\r
OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
suite from the intersection of the given list and the built-in cipher\r
suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
built-in ones.\r
\r
- While the tool(*5) to create the cipher suite array is still under\r
- development, the array can be generated with the following script:\r
+ - Using QEMU 5.2 or later, QEMU can expose the ordered list of permitted TLS\r
+ cipher suites from the host side to OVMF:\r
+\r
+ -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \\r
+ -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0\r
+\r
+ (Refer to the QEMU manual and to\r
+ <https://gnutls.org/manual/html_node/Priority-Strings.html> for more\r
+ information on the "priority" property.)\r
+\r
+ - Using QEMU 5.1 or earlier, the array has to be passed from a file:\r
+\r
+ -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+ whose contents can be generated with the following script, for example:\r
\r
export LC_ALL=C\r
openssl ciphers -V \\r
-e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
| xargs -r -- printf -- '%b' > ciphers.bin\r
\r
-* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
- files automatically from the local host configuration, and enable the user\r
- to override either with dedicated options or properties.\r
-\r
(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
\r
=== OVMF Flash Layout ===\r
\r
remaining OVMF firmware then uses this decompressed firmware\r
volume image.\r
\r
-=== UNIXGCC Debug ===\r
-\r
-If you build with the UNIXGCC toolchain, then debugging will be disabled\r
-due to larger image sizes being produced by the UNIXGCC toolchain. The\r
-first choice recommendation is to use GCC48 or newer instead.\r
-\r
-If you must use UNIXGCC, then you can override the build options for\r
-particular libraries and modules in the .dsc to re-enable debugging\r
-selectively. For example:\r
- [Components]\r
- OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf {\r
- <BuildOptions>\r
- GCC:*_*_*_CC_FLAGS = -UMDEPKG_NDEBUG\r
- }\r
- MdeModulePkg/Universal/BdsDxe/BdsDxe.inf {\r
- <BuildOptions>\r
- GCC:*_*_*_CC_FLAGS = -UMDEPKG_NDEBUG\r
- }\r
-\r
=== UEFI Windows 7 & Windows 2008 Server ===\r
\r
* One of the '-vga std' and '-vga qxl' QEMU options should be used.\r