2.2.2 Enabling KVM Guest Secure Boot

Oracle Exadata System Software release 24.1.0 extends Secure Boot to Oracle Linux KVM guests.

KVM Guest Secure Boot leverages the UEFI boot framework in Oracle Linux KVM to restrict which binaries can boot the KVM guest. Exadata support for UEFI in KVM is introduced in Oracle Exadata System Software release 24.1.0. Consequently, KVM Guest Secure Boot is available only on new KVM guests starting with Oracle Exadata System Software release 24.1.0.

To use KVM Guest Secure Boot, you must enable UEFI booting in the system image underpinning the KVM guest. For example, if the KVM host is using a fresh system image (which has not been updated using patchmgr), you can run the following command on the KVM host to enable UEFI booting:

# vm_maker --make-base-image --uefi-boot

After command completion, all new KVM guests will automatically use the UEFI boot framework in Oracle Linux KVM and have KVM Guest Secure Boot enabled. It is no longer possible to create a new guest without UEFI.

If the KVM host has been updated using patchmgr, then you must download and install a UEFI-enabled system image.

If required, you can disable KVM Guest Secure Boot on UEFI boot-enabled KVM guests in the following ways:

  • To disable KVM Guest Secure Boot on an existing UEFI boot-enabled KVM guest, run the following command on the KVM host:

    # vm_maker --secure-boot disable --domain domain-name

    In the command, domain-name specifies the name of the existing KVM guest.

    After the command, KVM Guest Secure Boot will be disabled when the guest is rebooted.

  • To create a new KVM guest with KVM Guest Secure Boot disabled, run the vm_maker --start-domain command on the KVM host and include the --secure-boot disable option. For example:

    # vm_maker --start-domain XML-config-file --secure-boot disable

    In the command, XML-config-file specifies the name of the XML configuration file for the new guest.

  • To disable KVM Guest Secure Boot on all new UEFI boot-enabled KVM guests, run the following command on the KVM host:

    # vm_maker --secure-boot disable --system

    After running this command, all new UEFI boot-enabled KVM guests are created with KVM Guest Secure Boot disabled. This command does not affect existing guests.

To verify the boot configuration for a KVM guest, run the following command on the KVM host:

# parted -s /EXAVMIMAGES/GuestImages/guest-name/System.img p

In the command, guest-name specifies the name of the KVM guest.

Examine the command output for one of the following flags, which indicates the boot configuration for the KVM guest:

  • efi: Indicates that the guest uses the UEFI boot framework in Oracle Linux KVM.

  • bios_grub: Indicates that the guest uses the non-UEFI virtual BIOS.

To verify the status of KVM Guest Secure Boot, run the following command in the KVM guest:

# mokutil --sb-state
SecureBoot enabled
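The two verification commands above are easy to run by hand for one guest, but an administrator auditing many guests wants the same check applied consistently. The following Python helper is an added example written for this page; it is not part of vm_maker or any Oracle tool. It parses the output of `parted -s .../System.img p` for the `efi` and `bios_grub` flags the page names, parses `mokutil --sb-state`, and reports whether a guest is booting via UEFI with Secure Boot enabled. The parted and mokutil outputs embedded below are constructed samples, not captures from a real system; the partition layout, guest names, and the `parted_for_guest` wrapper are assumptions.

```python
"""Audit helper: classify an Exadata KVM guest's boot configuration from
the output of `parted -s <System.img> p` (run on the KVM host) and
`mokutil --sb-state` (run inside the guest).

Hypothetical example for this page, not vm_maker's or Oracle's code.
Assumptions: parted prints a GPT partition table whose rows carry either
an 'efi' or a 'bios_grub' flag, as the page describes, and mokutil prints
'SecureBoot enabled' or 'SecureBoot disabled' on a UEFI guest.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample outputs (not captured from a real system).
PARTED_UEFI_SAMPLE = """\
Model:  (file)
Disk /EXAVMIMAGES/GuestImages/guest01/System.img: 53.7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  538MB   537MB   fat32        efi   boot, efi
 2      538MB   53.7GB  53.2GB               lvm   lvm
"""

PARTED_BIOS_SAMPLE = """\
Model:  (file)
Disk /EXAVMIMAGES/GuestImages/guest02/System.img: 53.7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  2097kB  1049kB                     bios_grub
 2      2097kB  53.7GB  53.7GB               lvm   lvm
"""

MOKUTIL_ENABLED_SAMPLE = "SecureBoot enabled\n"
MOKUTIL_DISABLED_SAMPLE = "SecureBoot disabled\n"
# On a non-UEFI guest mokutil cannot read EFI variables at all (constructed line).
MOKUTIL_NO_EFI_SAMPLE = "EFI variables are not supported on this system\n"


def partition_tokens(parted_output: str) -> Dict[int, Set[str]]:
    """Map partition number -> set of whitespace/comma-separated tokens in its row."""
    rows: Dict[int, Set[str]] = {}
    in_table = False
    for line in parted_output.splitlines():
        if line.startswith("Number"):        # header of the partition table
            in_table = True
            continue
        if not in_table:
            continue
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:                            # blank line or trailing text
            continue
        rest = m.group(2).strip()
        rows[int(m.group(1))] = {t for t in re.split(r"[\s,]+", rest) if t}
    return rows


def boot_mode(parted_output: str) -> str:
    """Return 'uefi', 'bios' or 'unknown' based on the flags the page names."""
    tokens: Set[str] = set()
    for row in partition_tokens(parted_output).values():
        tokens |= row
    if "efi" in tokens:
        return "uefi"
    if "bios_grub" in tokens:
        return "bios"
    return "unknown"


def secure_boot_state(mokutil_output: str) -> Optional[str]:
    """Parse `mokutil --sb-state`: 'enabled', 'disabled', or None if not reported."""
    m = re.search(r"SecureBoot\s+(enabled|disabled)", mokutil_output)
    return m.group(1) if m else None


@dataclass
class GuestBootReport:
    guest: str
    boot_mode: str
    secure_boot: Optional[str]

    @property
    def compliant(self) -> bool:
        """Secure Boot only applies to UEFI guests and must actually be enabled."""
        return self.boot_mode == "uefi" and self.secure_boot == "enabled"


def assess(guest: str, parted_output: str, mokutil_output: str) -> GuestBootReport:
    """Combine both checks into one report for a guest."""
    return GuestBootReport(guest, boot_mode(parted_output), secure_boot_state(mokutil_output))


def parted_for_guest(guest: str) -> str:
    """Run the page's parted command on the KVM host (needs root and parted installed)."""
    img = f"/EXAVMIMAGES/GuestImages/{guest}/System.img"
    return subprocess.run(["parted", "-s", img, "p"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, p_out, m_out in [("guest01", PARTED_UEFI_SAMPLE, MOKUTIL_ENABLED_SAMPLE),
                               ("guest02", PARTED_BIOS_SAMPLE, MOKUTIL_NO_EFI_SAMPLE)]:
        r = assess(name, p_out, m_out)
        print(f"{r.guest}: boot={r.boot_mode} secure_boot={r.secure_boot} compliant={r.compliant}")
```

The report deliberately treats a UEFI guest whose mokutil output says `SecureBoot disabled` as non-compliant, which is the state left behind by `vm_maker --secure-boot disable`; on a BIOS guest mokutil cannot read EFI variables, so the Secure Boot field is reported as unknown rather than disabled.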