Enable TPM, Secure Boot in Ubuntu 25.10 QEMU/KVM Guests

This involves Guest OSes and QEMU/KVM VMs.

Host OS: Ubuntu 24.04 LTS, Secure Boot Enabled.

Guest OS: Ubuntu 25.10 Questing

Desktop Environment (if applicable): Vanilla Ubuntu (GNOME)

Problem Description:
I am doing tests with other components of 25.10 and, in turn, I want to be able to test Secure Boot functionality in order to properly test some Intune and other cloud-management systems for compliance, etc. on 25.10 systems.

However, despite the Guest OS being built to use the OVMF Secure Boot enabled boot images (which apparently seem to work for Windows systems) with the emulated TPM tooling, the system does not appear to detect Secure Boot as ‘enabled’, and it doesn’t seem that I can enable it in the QEMU environment.

Relevant System Information:
Ubuntu 25.10 is a virtual machine.


Has anyone ever seen such an issue and been able to enable Secure Boot for Ubuntu guests in QEMU/KVM environments? Or, does it just not work in QEMU/KVM environments?

Secure Boot does work with Ubuntu guests under QEMU/KVM, but only if the correct OVMF firmware and keys are used.

Make sure you are using the Secure Boot–enabled OVMF build (e.g. OVMF_CODE.secboot.fd) with a writable OVMF_VARS.fd file. Secure Boot may appear disabled if the keys are not properly enrolled in the firmware.

Inside the guest, you can verify with:

mokutil --sb-state
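As an added example (not part of the reply above, and not mokutil's own code), the script below reads the same efivarfs variables that mokutil --sb-state consults, and additionally reports SetupMode and the contents of PK, KEK and db. That extra information is what tells a "keys were never enrolled, firmware is in setup mode" guest apart from one where Secure Boot was simply switched off. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the sample variable stores at the bottom are constructed, and the "certificates" inside them are placeholder bytes rather than real DER.

```python
"""Report UEFI Secure Boot state from efivarfs, plus SetupMode and the enrolled key stores.
Added example, not code from the thread. Sample variable contents below are constructed."""
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"     # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SEC_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
SIGLIST_HDR = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize


def split_efivar(raw):
    """efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its attribute header")
    return struct.unpack("<I", raw[:4])[0], raw[4:]


def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain stored in PK/KEK/db; return [(type, entry_count)]."""
    lists, off = [], 0
    while off < len(data):
        if off + SIGLIST_HDR.size > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        body = list_size - SIGLIST_HDR.size - hdr_size
        if sig_size == 0 or body < 0 or body % sig_size or off + list_size > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        lists.append((SIG_TYPES.get(uuid.UUID(bytes_le=sig_type), "unknown"), body // sig_size))
        off += list_size
    return lists


def secure_boot_report(variables):
    """variables maps 'Name-GUID' to raw efivarfs bytes; returns flags, key stores and a verdict."""
    def flag(name):
        raw = variables.get(f"{name}-{EFI_GLOBAL_GUID}")
        return None if raw is None else bool(split_efivar(raw)[1][0])

    def store(name, guid):
        raw = variables.get(f"{name}-{guid}")
        return [] if raw is None else parse_signature_lists(split_efivar(raw)[1])

    r = {
        "secure_boot": flag("SecureBoot"),
        "setup_mode": flag("SetupMode"),
        "PK": store("PK", EFI_GLOBAL_GUID),
        "KEK": store("KEK", EFI_GLOBAL_GUID),
        "db": store("db", EFI_IMAGE_SEC_GUID),
    }
    if r["secure_boot"] is None:
        r["verdict"] = "no SecureBoot variable: not a UEFI boot, or efivarfs is not mounted"
    elif r["secure_boot"]:
        r["verdict"] = "enabled"
    elif r["setup_mode"] or not r["PK"]:
        r["verdict"] = "disabled: firmware in setup mode, no Platform Key enrolled (key-less VARS template)"
    else:
        r["verdict"] = "disabled: keys are enrolled but Secure Boot is turned off in firmware setup"
    return r


def read_live_variables(path=EFIVARS):
    """Collect only the variables the report needs from a real efivarfs mount."""
    wanted = [f"{n}-{EFI_GLOBAL_GUID}" for n in ("SecureBoot", "SetupMode", "PK", "KEK")]
    wanted.append(f"db-{EFI_IMAGE_SEC_GUID}")
    out = {}
    for name in wanted:
        try:
            with open(os.path.join(path, name), "rb") as f:
                out[name] = f.read()
        except FileNotFoundError:
            pass
    return out


def build_siglist(sig_type, payloads):
    """Build one EFI_SIGNATURE_LIST from equal-length payloads (constructed test data, not real certs)."""
    assert len({len(p) for p in payloads}) == 1, "all signatures in one list share SignatureSize"
    owner = uuid.uuid4().bytes_le  # SignatureOwner GUID; its value does not matter for parsing
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner + p for p in payloads)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


X509 = next(k for k, v in SIG_TYPES.items() if v == "X509")
ATTRS = struct.pack("<I", 0x07)  # NV | BS | RT, as efivarfs exposes them
# Constructed: a store like the .ms.fd template, Microsoft keys enrolled, Secure Boot on.
ENROLLED = {
    f"SecureBoot-{EFI_GLOBAL_GUID}": ATTRS + b"\x01",
    f"SetupMode-{EFI_GLOBAL_GUID}": ATTRS + b"\x00",
    f"PK-{EFI_GLOBAL_GUID}": ATTRS + build_siglist(X509, [b"placeholder-PK"]),
    f"db-{EFI_IMAGE_SEC_GUID}": ATTRS + build_siglist(X509, [b"MS-UEFI-CA-2011", b"MS-WIN-PCA-2011"]),
}
# Constructed: a plain key-less template, so the firmware sits in setup mode and reports SB off.
EMPTY = {
    f"SecureBoot-{EFI_GLOBAL_GUID}": ATTRS + b"\x00",
    f"SetupMode-{EFI_GLOBAL_GUID}": ATTRS + b"\x01",
}

if __name__ == "__main__":
    for label, v in (("live efivarfs", read_live_variables()), ("constructed enrolled", ENROLLED),
                     ("constructed empty", EMPTY)):
        print(label, secure_boot_report(v))
```

Run it inside the guest as root (efivarfs variables such as PK and db are readable by root); on a host that has no efivarfs it still prints the two constructed cases. The parser does not decode the X.509 payloads, it only counts them; a guest on the key-less template typically shows SetupMode=1 and no PK at all.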

I already do what the Debian and libvirt documentation say, setting the vars file and the proper OVMF build. This is part of the initial setup of Secure Boot and is how I know it works for Windows guests.

However, it does not work for Ubuntu guests even with virt-manager and proper configuration variables in the XML:

    <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.secboot.fd</loader>
    <nvram template="/usr/share/OVMF/OVMF_VARS_4M.fd">/var/lib/libvirt/qemu/nvram/ubuntu25.10_VARS.fd</nvram>

So, I need alternative chasing methods for this, because QEMU/KVM can already write to the variables file there, AND is already set to use the secboot code. Yet this does not work when testing inside the VM.


Well, this is an interesting exercise and, touch wood, I’ve had a bit of success.

Host: Ubuntu 24.04.3 Gnome 46 (Wayland session) using Qemu/kvm
Guest: Ubuntu 25.10 Questing using default selection

Text output from the VM

testing@testing:~$ mokutil --sb-state
SecureBoot enabled
testing@testing:~$

VM firmware: OVMF/OVMF_CODE_4M.ms.fd (generally used for Windows 11)
TPM: TPM Device emulated

Host TPM and Secure Boot Disabled during VM installation
I enabled/disabled both in the Host OS with no discernible effect in the VM performance
VM Secure Boot state always reported enabled no matter if it was disabled in the Host

XML Overview
<domain type="kvm">
  <name>ubuntu25.10</name>
  <uuid>9353aa00-a791-4a19-b802-08dbc44fe95d</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://ubuntu.com/ubuntu/25.10"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit="KiB">4194304</memory>
  <currentMemory unit="KiB">4194304</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/var/lib/libvirt/qemu/nvram/ubuntu25.10_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state="off"/>
    <smm state="on"/>
  </features>
  <cpu mode="host-passthrough" check="none" migratable="on"/>
  <clock offset="utc">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2" discard="unmap"/>
      <source file="/mntvm2/050ae769-1dec-4f1f-aa1f-2cf8b83cb3e6/ubuntu25.10"/>
      <target dev="vda" bus="virtio"/>
      <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
    </disk>
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <target dev="sda" bus="sata"/>
      <readonly/>
      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
    </disk>
    <controller type="usb" index="0" model="qemu-xhci" ports="15">
      <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
    </controller>
    <controller type="pci" index="0" model="pcie-root"/>
    <controller type="pci" index="1" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="1" port="0x10"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="2" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="2" port="0x11"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
    </controller>
    <controller type="pci" index="3" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="3" port="0x12"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
    </controller>
    <controller type="pci" index="4" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="4" port="0x13"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
    </controller>
    <controller type="pci" index="5" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="5" port="0x14"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
    </controller>
    <controller type="pci" index="6" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="6" port="0x15"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
    </controller>
    <controller type="pci" index="7" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="7" port="0x16"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/>
    </controller>
    <controller type="pci" index="8" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="8" port="0x17"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/>
    </controller>
    <controller type="pci" index="9" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="9" port="0x18"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="10" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="10" port="0x19"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/>
    </controller>
    <controller type="pci" index="11" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="11" port="0x1a"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/>
    </controller>
    <controller type="pci" index="12" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="12" port="0x1b"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/>
    </controller>
    <controller type="pci" index="13" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="13" port="0x1c"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/>
    </controller>
    <controller type="pci" index="14" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="14" port="0x1d"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x5"/>
    </controller>
    <controller type="sata" index="0">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
    </controller>
    <controller type="virtio-serial" index="0">
      <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
    </controller>
    <interface type="network">
      <mac address="52:54:00:3c:26:f3"/>
      <source network="default"/>
      <model type="virtio"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>
    <serial type="pty">
      <target type="isa-serial" port="0">
        <model name="isa-serial"/>
      </target>
    </serial>
    <console type="pty">
      <target type="serial" port="0"/>
    </console>
    <channel type="unix">
      <target type="virtio" name="org.qemu.guest_agent.0"/>
      <address type="virtio-serial" controller="0" bus="0" port="1"/>
    </channel>
    <channel type="spicevmc">
      <target type="virtio" name="com.redhat.spice.0"/>
      <address type="virtio-serial" controller="0" bus="0" port="2"/>
    </channel>
    <input type="tablet" bus="usb">
      <address type="usb" bus="0" port="1"/>
    </input>
    <input type="mouse" bus="ps2"/>
    <input type="keyboard" bus="ps2"/>
    <tpm model="tpm-crb">
      <backend type="emulator" version="2.0"/>
    </tpm>
    <graphics type="spice" autoport="yes">
      <listen type="address"/>
      <image compression="off"/>
    </graphics>
    <sound model="ich9">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/>
    </sound>
    <audio id="1" type="spice"/>
    <video>
      <model type="virtio" heads="1" primary="yes"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
    </video>
    <redirdev bus="usb" type="spicevmc">
      <address type="usb" bus="0" port="2"/>
    </redirdev>
    <redirdev bus="usb" type="spicevmc">
      <address type="usb" bus="0" port="3"/>
    </redirdev>
    <watchdog model="itco" action="reset"/>
    <memballoon model="virtio">
      <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
    </memballoon>
    <rng model="virtio">
      <backend model="random">/dev/urandom</backend>
      <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
    </rng>
  </devices>
</domain>

@teward
I also tried the OVMF/OVMF_CODE_4M.secboot.fd with the same Secure Boot failure
Can you try with OVMF/OVMF_CODE_4M.ms.fd?
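As an added example (not code from the thread, virt-manager or libvirt), here is a small checker that reads a libvirt domain XML and reports whatever would explain a guest that says "SecureBoot disabled", using the combination that worked in the post above as the reference: a q35 machine, a pflash loader with secure="yes", an OVMF Secure Boot build, a VARS template that already carries enrolled keys, SMM on, and an emulated TPM. Two assumptions are built in: the Ubuntu naming convention for OVMF images (*.secboot.fd, *.ms.fd, _4M), and that a firmware feature enrolled-keys="yes" is an acceptable substitute for an .ms.fd template when libvirt picks the firmware itself. The two sample domains are constructed around the loader/nvram lines posted earlier in the thread.

```python
"""Lint a libvirt domain XML for the settings the working Secure Boot configuration in this
thread relies on. Added example, not from the thread or libvirt. Sample domains are constructed."""
import xml.etree.ElementTree as ET


def lint_secure_boot(xml_text):
    """Return findings; an empty list means nothing in the XML explains a 'Secure Boot disabled' guest."""
    root = ET.fromstring(xml_text)
    findings = []
    os_el = root.find("os")
    if os_el is None:
        return ["no <os> element"]

    type_el = os_el.find("type")
    machine = type_el.get("machine", "") if type_el is not None else ""
    if not machine.startswith("pc-q35"):
        findings.append(f"machine {machine!r} is not q35; OVMF Secure Boot relies on SMM, which only q35 offers")

    loader = os_el.find("loader")
    loader_path = (loader.text or "").strip() if loader is not None else ""
    if loader is None:
        findings.append("no <loader>: the guest is not booting OVMF from pflash")
    else:
        if loader.get("type") != "pflash":
            findings.append("loader type is not pflash; variable writes will not persist")
        if loader.get("secure") != "yes":
            findings.append('loader lacks secure="yes"')
        if "secboot" not in loader_path and ".ms.fd" not in loader_path:
            findings.append(f"{loader_path} is not a Secure Boot OVMF build (expect *.secboot.fd or *.ms.fd)")

    nvram = os_el.find("nvram")
    template = nvram.get("template", "") if nvram is not None else ""
    features = {f.get("name"): f.get("enabled") for f in os_el.iter("feature")}
    if nvram is None:
        findings.append("no <nvram>: no persistent variable store for PK/KEK/db")
    elif ".ms.fd" not in template and features.get("enrolled-keys") != "yes":
        findings.append(
            f"nvram template {template} ships no enrolled keys and enrolled-keys is not requested; "
            "the firmware boots in setup mode and the guest reports Secure Boot disabled"
        )
    if loader_path and template and (("_4M" in loader_path) != ("_4M" in template)):
        findings.append("loader and nvram template are different flash sizes (_4M vs 2M); they must match")

    smm = root.find("features/smm")
    if smm is None or smm.get("state") != "on":
        findings.append('<smm state="on"/> missing; OVMF Secure Boot requires it')

    if root.find("devices/tpm") is None:
        findings.append("no <tpm> device; compliance agents that check for a TPM will fail")
    return findings


TPM_XML = '<tpm model="tpm-crb"><backend type="emulator" version="2.0"/></tpm>'


def sample_domain(loader, template, features="", smm="on", tpm=True):
    """Constructed minimal domain wrapped around the <os> lines from the thread (sample data)."""
    devices = TPM_XML if tpm else ""
    return f"""<domain type="kvm">
  <name>ubuntu25.10</name>
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
    <firmware>{features}</firmware>
    <loader readonly="yes" secure="yes" type="pflash">{loader}</loader>
    <nvram template="{template}">/var/lib/libvirt/qemu/nvram/ubuntu25.10_VARS.fd</nvram>
  </os>
  <features><acpi/><smm state="{smm}"/></features>
  <devices>{devices}</devices>
</domain>"""


# The original poster's pair: a Secure Boot capable code image, but a key-less VARS template.
ASKER = sample_domain("/usr/share/OVMF/OVMF_CODE_4M.secboot.fd", "/usr/share/OVMF/OVMF_VARS_4M.fd")
# The pair that reported 'SecureBoot enabled': a VARS template with the Microsoft keys pre-enrolled.
WORKING = sample_domain(
    "/usr/share/OVMF/OVMF_CODE_4M.ms.fd",
    "/usr/share/OVMF/OVMF_VARS_4M.ms.fd",
    features='<feature enabled="yes" name="enrolled-keys"/><feature enabled="yes" name="secure-boot"/>',
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ASKER
    for line in lint_secure_boot(text) or ["ok: nothing here explains a 'Secure Boot disabled' guest"]:
        print(line)
```

Feed it the output of `virsh dumpxml <domain>`; with no argument it lints the constructed copy of the original poster's configuration, whose only finding is the key-less OVMF_VARS_4M.fd template. The checker is a heuristic over the XML, not a firmware inspection: it cannot see what a previously created nvram file actually contains, so after switching templates delete or recreate the per-domain _VARS.fd file, otherwise the old key-less store is reused.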

Thanks for your input on it!

Running the OVMF_CODE_4M.ms.fd boot firmware worked perfectly! It shows Secure Boot Enabled!

That will allow me to do testing with agentic detection and compliance stuff related to Secure Boot detection and stuff.

That solves that problem (perhaps we need to have Ubuntu and Debian documentation updated).


Interesting side note, and this may be intentional, but for 25.10 and 26.04-dev this doesn’t work with “hardware-backed encryption” (with a notice of “Enhanced secure boot options cannot currently install third party drivers.”). I’m expecting this because it’s an emulated TPM, but it’s something that might be testable in the future there. Just a thought.
