VirtualBox

source: vbox/trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/RUNTIME_CONFIG.md@ 108794

Last change on this file since 108794 was 108794, checked in by vboxsync, 2 weeks ago

Devices/EFI/FirmwareNew: Merge edk2-stable202502 from the vendor branch and make it build for the important platforms, bugref:4643
  • Property svn:eol-style set to native
File size: 6.8 KB
Line 
1# OVMF runtime configuration
2
3Some aspects of OVMF can be configured from the host, mostly by adding
4firmware config files using the qemu command line option `-fw_cfg`.
5The official namespace prefix for edk2 is `opt/org.tianocore/` which
6is used by most options. Some options are elsewhere for historical
7reasons.
8
9
10## TLS: etc/edk2/https/cacerts
11
12This is a list of root CA certificates which the firmware should
13accept when talking to TLS servers, stored in EFI signature database
14format. Fedora and CentOS provide a copy of the host root CA database
15(which is used by openssl & friends too) in the correct format. Using
16that is as simple as:
17
18```
19qemu-system-x86_64 \
20 -fw_cfg name=etc/edk2/https/cacerts,file=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
21```
22
23For a more strict configuration where only one or very few servers are
24allowed (instead of pretty much any https server on the public
25internet) you can use the `virt-fw-sigdb` utility from the
26[virt-firmware project](https://gitlab.com/kraxel/virt-firmware) to
27create a database with only these server certificates:
28
29```
30GUID=$(uuidgen)
31virt-fw-sigdb -o mycerts.esl \
32 --add-cert ${GUID} /etc/pki/tls/certs/${server1}.crt \
33 --add-cert ${GUID} /etc/pki/tls/certs/${server2}.crt
34qemu-system-x86_64 \
35 -fw_cfg name=etc/edk2/https/cacerts,file=mycerts.esl
36```
37
38
39## TLS: etc/edk2/https/ciphers
40
41Configres the allowed TLS chiper suites. Using the host's system
42configuration works this way:
43
44```
45qemu-system-x86_64 \
46 -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
47 -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0
48```
49
50
51## Network: opt/org.tianocore/IPv4Support
52
53As the name suggests, this enables/disables IPv4 support. Default:
54enabled. Usage:
55
56```
57qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/IPv4Support,string=no
58```
59
60## Network: opt/org.tianocore/IPv6Support
61
62Same for IPv6.
63
64
65## Network: opt/org.tianocore/IPv4PXESupport
66
67This enables/disables PXE network boot over IPv4. This does not
68affect HTTP boot. Default: enabled. Usage:
69
70```
71qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/IPv4PXESupport,string=no
72```
73
74
75## Network: opt/org.tianocore/IPv6PXESupport
76
77Same for IPv6.
78
79
80## Network: opt/org.tianocore/VirtioNetSupport
81
82This enables/disables the edk2 driver for virtio net devices.
83Default: enabled. Usage:
84
85```
86qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/VirtioNetSupport,string=no
87```
88
89
90## Network: opt/org.tianocore/ISCSISupport
91
92This enables/disables the edk2 driver for iSCSI.
93Default: disabled. Usage:
94
95```
96qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/ISCSISupport,string=yes
97```
98
99
100## Security: opt/ovmf/PcdSetNxForStack
101
102Set stack pages as not executable in page tables. Usage:
103
104```
105qemu-system-x86_64 -fw_cfg name=opt/ovmf/PcdSetNxForStack,string=yes
106```
107
108
109## Security: opt/org.tianocore/UninstallMemAttrProtocol
110
111Do not provide the `EFI_MEMORY_ATTRIBUTE_PROTOCOL` protocol. This is
112a workaround for a bug in shim version 15.6. Usage:
113
114```
115qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/UninstallMemAttrProtocol,string=yes
116```
117
118
119## Shell: opt/org.tianocore/EFIShellSupport
120
121This enables/disables the EFI shell.
122Default: enabled. Usage:
123
124```
125qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/EFIShellSupport,string=no
126```
127
128
129## Security: opt/org.tianocore/EnableLegacyLoader
130
131OVMF can load linux kernels in two ways:
132
133 * modern: load them as EFI binary, let the linux kernel's EFI stub
134 handle initrd loading, exiting boot services etc.
135 * legacy: load kernel + initrd directly, patch kernel setup header
136 with initrd location, ...
137
138OVMF will try the modern way first, in case of a failure fallback to
139the legacy method. The legacy loader will not do secure boot
140verification though. Disabling the legacy loader using this option
141will plug that hole. It will also break booting prehistoric kernels
142without EFI stub. If you are using kernels that old secure boot
143support is the least of your problems though ...
144
145The linux kernel is typically signed by the distro secure boot keys
146and is verified by the distro `shim.efi` binary. qemu release 10.0
147(ETA ~ March 2025) will get support for passing the shim binary
148(additionally to kernel + initrd) to the firmware, so the usual secure
149boot verification can work with direct kernel load too.
150
151For now the legacy loader is enabled by default. Once the new qemu
152release is available in most linux distros the defaut will be flipped
153to disabled.
154
155Usage (qemu 10.0+):
156
157```
158qemu-system-x86_64 \
159 -shim /boot/efi/EFI/${distro}/shimx64.efi \
160 -kernel /path/to/kernel \
161 -initrd /path/to/initamfs \
162 -append "kernel command line" \
163 -fw_cfg name=opt/org.tianocore/EnableLegacyLoader,string=no
164```
165
166
167## Platform: opt/org.tianocore/X-Cpuhp-Bugcheck-Override
168
169On some older qemu versions CPU hotplug support was broken. OVMF
170detects that and will by default log an error message and stop. When
171setting this option OVMF will continue despite qemu being buggy. It
172is only safe to set that option if you do not use CPU hotplug. Usage:
173
174```
175qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/X-Cpuhp-Bugcheck-Override,string=yes
176```
177
178
179## Platform: opt/ovmf/X-PciMmio64Mb
180
181Historically OVMF has by default used 32GB of address space for the
18264-bit PCI MMIO window. This option can be used to change that size.
183
184Recent OVMF versions have started to use a larger MMIO window by
185default, with the actual size depending on the address space size
186supported by the CPU. With this the default configuration should
187cover alot more use cases and it should be rather rare that this
188option must be used to enlarge the MMIO window.
189
190Usage example (128GB / 131072 MB):
191
192```
193qemu-system-x86_64 -fw_cfg name=opt/ovmf/X-PciMmio64Mb,string=131072
194```
195
196
197## Platform: physical address space bits
198
199OVMF will check the supported physical address space bits (via CPUID)
200when creating the address space layout. OVMF will use the complete
201available address space and place the 64-bit PCI MMIO window near the
202top of the address space.
203
204The `host-phys-bits-limit` property of the `-cpu` option can be used
205to reduce the address space used by OVMF.
206
207Usage:
208```
209qemu-system-x86_64 -cpu ${name},host-phys-bits=on,host-phys-bits-limit=42
210```
211
212
213## Platform: opt/org.tianocore/PagingLevel
214
215Configure the number of paging levels (4 or 5) OVMF will use. Four
216paging levels are better for compatibility, not all OSes can handle
2175-level paging being active at ExitBootServices time. Five paging
218levels are better for huge VMs, the address space managed by OVMF can
219be larger.
220
221Default: Use 5-level paging in case more than 1TB of memory is
222present, 4-level paging otherwise.
223
224Usage:
225```
226qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/PagingLevel,string=5
227```
228
229
230## Other: opt/org.tianocore/UsbStorageSupport
231
232This enables/disables the edk2 driver for USB storage devices.
233Default: enabled. Usage:
234
235```
236qemu-system-x86_64 -fw_cfg name=opt/org.tianocore/UsbStorageSupport,string=yes
237```
238
239
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette