From: Andrea Bolognani Date: Thu, 16 Nov 2023 16:01:44 +0000 (+0100) Subject: kbase: More info on firmware change for existing VMs X-Git-Tag: v9.10.0-rc1~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b31380c7583d144380e3a3b7affccfefccff41f9;p=thirdparty%2Flibvirt.git kbase: More info on firmware change for existing VMs The need to remove the and elements in order to make the firmware autoselection process kick in again is not exactly intuitive, so document it explicitly. Signed-off-by: Andrea Bolognani Reviewed-by: Ján Tomko --- diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst index 4340454a7b..6c22b08d22 100644 --- a/docs/kbase/secureboot.rst +++ b/docs/kbase/secureboot.rst @@ -72,16 +72,36 @@ relevant documentation Changing an existing VM ======================= -Once the VM has been created, updating the XML configuration as -described above is **not** enough to change the Secure Boot status: -the NVRAM file associated with the VM has to be regenerated from its -template as well. +When a VM is defined, libvirt will pick the firmware that best +satisfies the provided criteria and record this information for use +on subsequent boots. The resulting XML configuration will look like +this: + +:: + + + + + + + /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd + /var/lib/libvirt/qemu/nvram/vm_VARS.fd + + +In order to force libvirt to repeat the firmware autoselection +process, it's necessary to remove the ```` and ```` +elements. Failure to do so will likely result in an error. + +Note that updating the XML configuration as described above is +**not** enough to change the Secure Boot status: the NVRAM file +associated with the VM has to be regenerated from its template as +well. In order to do that, update the XML and then start the VM with :: - $ virsh start $vm --reset-nvram + $ virsh start vm --reset-nvram This option is only available starting with libvirt 8.1.0, so if your version of libvirt is older than that you will have to delete the