Hi there
I see that although VMware and VBOX can't do it (they can use UEFI) it seems HYPER-V CAN create a level 2 (type 2) VM which can enable secure boot.
I want to have a go with this on a W2012 Server HOST. Anything special needed for setting up the VM -- want to run a W10 VM where I have the serial number - and I've got a W8 enterprise system too I can use.
Will the same HYPER-V system work on a W10 Host?
Cheers
jimbo
If you set up a type 2 machine you tick Enable secure boot in the firmware tab of settings.
Works on Windows 10 also.
In case you are interested (I was looking at your other posts) in Hyper-V the firmware is always user mode so you can add whatever keys you want to allow VM to boot in secure mode (assuming it supports it). TechNet Blogs
Hi there
Thanks for the info.
However, if one can enter any key it rather IMO defeats the whole process!!!! Presumably IMO the whole point of protected boot is to ONLY allow the OSes with the requisite key to boot. Otherwise it's a waste of time!!!
Seems also non-Windows guest OSes won't work either then, as part of the security is maintained on the HOST.
Cheers
jimbo
It depends whether you are talking about booting a VM or not.
What MS has suggested recently (although details are still unclear) is to remove the restriction that OEMs must deliver the ability to turn off secure boot on new devices if they want the "designed for Windows" logo. This would mean that if you bought such hardware you could be tied into whatever operating systems they see fit (if and only if the OEM decided to do that). Previously MS said the ability to turn off secure boot was required. That is your host.
With a VM there are 2 layers - your host and the guest. Assuming you have booted your host you can then define valid keys to allow your guest to run (assuming your guest supports secure boot) as the firmware (seen by the guest) is in user space on the host. By default the host keys will be passed to the guest but you can add more if you want.
Long and short, for VMs it doesn't (currently) make any difference. For bare metal it is only interesting if you were to buy a new Windows 10 machine where the OEM has decided to restrict secure boot (as is currently the case if you buy a phone) and you wanted to boot something not on their list. As such devices don't exist yet and MS may change their mind it is a little pointless to discuss that side of it.
I have never tried Secure Boot on Hyper-V. Theoretically it should work with Windows 8 and later or Windows Server 2012 and later guests. I have and have had a lot of 2nd generation virtual machines, which make secure boot possible, but as a normal Windows 8 or 10 second generation VM fails to boot when the option is selected ("EFI SCSI Device failed secure boot verification"), I always untick the box in VM settings.
This is one Hyper-V question I am totally unable to answer due to lack of experience. I read what Adam already posted and have unfortunately nothing to add. Please post about your findings; I at least would be very interested to hear how it went.
Hi there
Am travelling tomorrow (Brussels ==>home) but when I get back I'll have a play with it over the weekend if I have enough time.
Seems an interesting concept of "securing" a VM - however I really want to try if any old key will work and if it's simple to change these. If the user can change these then as I said before it seems a waste of time. By user in this case I mean someone who has access to the HOST HYPER-V machine not the VM.
I'll probably create a Vanilla VM -- with nothing apart from the default MS applications -- and have a play. I think I'll run it first on a W2012 server Host as I know that system is working correctly. W10 might just be too "new" to play with this.
Cheers
jimbo
If you create a new type 2 VM in Hyper-V then secure boot is the default. I just installed 9841 Server (latest version I could find) and it works fine (my host is 10041 Pro).
I also migrated an Arch installation from VBox (converted the disk to vhdx) and it will not boot with secure boot but whether this is because of the migration or the secure boot I don't know yet. According to their Wiki you can self-sign certificates for secure boot but I've not tried yet as it seems a lot of effort for no benefit I can think of to be honest.
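Added example, not code from anyone in this thread: the Hyper-V PowerShell equivalent of the "Enable secure boot" tick box mentioned earlier in the thread, extended to audit every VM on the host and to pick which signing authority the guest firmware trusts. This matters for the two failure cases described above: a Windows guest that shows "EFI SCSI Device failed secure boot verification" is booting a loader the firmware's trusted keys don't cover, and a Linux guest such as the migrated Arch install will only verify if the firmware trusts the Microsoft UEFI CA that signs shim rather than only the Windows production CA. It assumes the Hyper-V module (`Get-VM`, `Get-VMFirmware`, `Set-VMFirmware`) on a Windows 8.1 / Server 2012 R2 or newer host; the `-SecureBootTemplate` parameter and the `MicrosoftUEFICertificateAuthority` template exist only from Windows 10 / Server 2016 on, so the script detects whether the host exposes them. VM names in the usage lines are constructed.

```powershell
# Added example (not from the thread): audit and enable Secure Boot on Hyper-V Generation 2 VMs.
# Assumes the Hyper-V PowerShell module on a Windows 8.1 / Server 2012 R2 or later host.
# -SecureBootTemplate needs Windows 10 / Server 2016 or later and is skipped on older hosts.
#Requires -Modules Hyper-V

function Get-SecureBootReport {
    # One row per VM: generation, Secure Boot state and (where the host supports it) the template.
    foreach ($vm in Get-VM) {
        if ($vm.Generation -ne 2) {
            # Generation 1 VMs use legacy BIOS firmware and cannot do Secure Boot at all.
            [pscustomobject]@{ Name = $vm.Name; Generation = 1; SecureBoot = 'n/a'; Template = $null }
            continue
        }
        $fw = Get-VMFirmware -VM $vm
        [pscustomobject]@{
            Name       = $vm.Name
            Generation = 2
            SecureBoot = $fw.SecureBoot          # On / Off
            Template   = $fw.SecureBootTemplate  # $null on hosts without template support
        }
    }
}

function Enable-GuestSecureBoot {
    param(
        [Parameter(Mandatory)][string]$VMName,
        # MicrosoftWindows: trusts only the Windows production CA (Windows guests).
        # MicrosoftUEFICertificateAuthority: trusts the Microsoft UEFI CA that signs shim,
        # which is what mainstream Linux distributions boot through.
        [ValidateSet('MicrosoftWindows', 'MicrosoftUEFICertificateAuthority')]
        [string]$Template = 'MicrosoftWindows'
    )
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is a Generation 1 VM; Secure Boot requires Generation 2." }
    if ($vm.State -ne 'Off') { throw "$VMName must be powered off before firmware settings can change." }

    $params = @{ VM = $vm; EnableSecureBoot = 'On' }
    if ((Get-Command Set-VMFirmware).Parameters.ContainsKey('SecureBootTemplate')) {
        $params.SecureBootTemplate = $Template
    } elseif ($Template -ne 'MicrosoftWindows') {
        Write-Warning 'This host has no Secure Boot templates; only Windows-signed loaders will verify.'
    }
    Set-VMFirmware @params

    # Return the resulting state so the change can be checked (and logged) by the caller.
    Get-VMFirmware -VM $vm | Select-Object VMName, SecureBoot, SecureBootTemplate
}

# Usage (constructed VM names):
# Get-SecureBootReport | Format-Table -AutoSize
# Enable-GuestSecureBoot -VMName 'Win10-Test'
# Enable-GuestSecureBoot -VMName 'Arch-Test' -Template MicrosoftUEFICertificateAuthority
```

The design point, which is also the point made earlier in the thread about user-mode firmware: the trust decision lives entirely on the host, so anyone who can run `Set-VMFirmware` can relax or disable it. Secure Boot on a VM therefore protects the guest against a tampered boot loader inside its own disk image, not against a host administrator; the audit function exists so that a host owner can notice when a VM has been switched off or moved to a broader template.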