qemu/kvm firmware option -- info on what these options are

Struggling with gentoo vm using qemu/kvm booting properly after configuration. A thread suggested changing qemu firmware in Virtual Machine Manager. In opening the firmware tab of virt-mach-manager there are a dozen choices from bios, uefi and many flavors of uefi. I could not get a capture of the drop-down list. Some even include references to opensuse and suse. I can’t find any info as to what these alternatives refer to. Impossible to set up gentoo using each alternative. Would be a lifetime endeavor.

Anyone know of an info source for what these bios/uefi firmware alternatives reference?

thanks, tom kosvic

Did find some refs to these firmware choices in https://doc.opensuse.org/documentation/leap/virtualization/html/book-virtualization/cha-vt-installation.html
but not a complete description.

tom kosvic

The firmware files can be found in “/usr/share/qemu”.

There is some documentation in “/usr/share/doc/packages/qemu”.

The ones with “ms” as part of the name are UEFI firmware signed with the Microsoft key.

Those that have “opensuse” are signed with the opensuse key, and those that have “suse” as part of the name are signed with the suse key. You probably cannot use those for secure boot in anything that isn’t either suse or opensuse. The “ms” ones are more likely to work with other distros.

No, they are not “signed with”. Do not add to the confusion around Secure Boot. They include (embed) the corresponding certificates as PK and KEK and so trust binaries signed with the keys of the corresponding vendors.

> You probably cannot use those for secure boot in anything that isn’t either suse or opensuse.

Not directly, but you can always go into UEFI setup and enroll the certificate of another vendor or your own (which is basically what happens during the RPM build - first a common “empty” firmware image is created and then a VM is launched which enrolls the certificates for each vendor). Of course, in this case there is no point in starting with these specific images; you can just start with the generic, “empty” one.

And for a Windows guest with UEFI, always use one with “4m” in its name, as a few of the Windows updates require such a “large” uefi-nvram, otherwise they fail to install.
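
One way to see what each firmware choice provides is to read the JSON firmware descriptors that ship alongside the images. This is an added example, not part of the thread: it assumes descriptors in QEMU's firmware.json format under /usr/share/qemu/firmware, the sample descriptor and its file names are constructed, and the "ms"/"opensuse"/"suse"/"4m" name tokens follow the naming described in the posts above.

```python
import glob, json, os, re

# Assumption: descriptors in QEMU's firmware.json format live in this directory.
DESCRIPTOR_DIR = "/usr/share/qemu/firmware"

# Constructed sample descriptor; the file names are illustrative, not from the thread.
SAMPLE = {
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "executable": {"filename": "/usr/share/qemu/ovmf-x86_64-ms-4m-code.bin"},
        "nvram-template": {"filename": "/usr/share/qemu/ovmf-x86_64-ms-4m-vars.bin"},
    },
    "features": ["enrolled-keys", "requires-smm", "secure-boot"],
}

def classify(desc):
    """Summarise one parsed firmware descriptor."""
    mapping = desc.get("mapping", {})
    # Flash mappings carry executable + nvram-template; memory/kernel ones a bare filename.
    exe = mapping.get("executable", {}).get("filename") or mapping.get("filename", "")
    features = set(desc.get("features", []))
    tokens = set(re.split(r"[-_.]", os.path.basename(exe).lower()))
    return {
        "interface": "/".join(desc.get("interface-types", [])),
        "executable": exe,
        "nvram_template": mapping.get("nvram-template", {}).get("filename", ""),
        "secure_boot": "secure-boot" in features,      # firmware supports Secure Boot
        "enrolled_keys": "enrolled-keys" in features,  # vars template ships with keys enrolled
        # Name tokens as described in the thread: embedded vendor certificates, large image.
        "vendor": next((v for v in ("ms", "opensuse", "suse") if v in tokens), None),
        "large_nvram": "4m" in tokens,
    }

def scan(directory=DESCRIPTOR_DIR):
    """Return (descriptor file, summary) pairs; unreadable or malformed files are reported."""
    results = []
    for path in sorted(glob.glob(os.path.join(directory, "*.json"))):
        try:
            with open(path, encoding="utf-8") as fh:
                results.append((os.path.basename(path), classify(json.load(fh))))
        except (OSError, ValueError, AttributeError) as exc:
            results.append((os.path.basename(path), {"error": str(exc)}))
    return results

if __name__ == "__main__":
    for name, info in scan() or [("constructed sample", classify(SAMPLE))]:
        print(name, info)
```

An entry with `secure_boot` true but `enrolled_keys` false corresponds to the generic, “empty” image mentioned above: Secure Boot is available, but no vendor certificates are pre-enrolled.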