Do SecureBoot is supported on 32 bit guest systems?

This is for discussing general topics about how to use VirtualBox.
Post Reply
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

SecureBoot is fine in 64 bit guests.

Do is supported in 32 bitguests too? Becouse I'm unable to make it work. Apparently it is enabled, in practice do not load UEFI 32 bit correctly installed systems.

If you go in UEFI shell and manually you try to load, for example, grubia32.efi, it will do nothing. If you do the same in a correctly configured X64 system it will load the boot loader.

I said secure boot, then I could say UEFI support becouse if you just enable UEFI and not secure boot, you can't boot a guest system in my experience.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by mpack »

That depends on the guest OS, not on VirtualBox: the EFI BIOS provides a secure boot feature, guests may or may not use it or be compatible with it. The bittedness has no relevance that I know of. The guest OS being 32bit does not change the processor or the BIOS on the motherboard. All the bittedness changes is how much RAM an app running in that OS can access in a single allocation when using a flat addressing mode.
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

mpack wrote:That depends on the guest OS, not on VirtualBox: the EFI BIOS provides a secure boot feature, guests may or may not use it or be compatible with it. The bittedness has no relevance that I know of. The guest OS being 32bit does not change the processor or the BIOS on the motherboard. All the bittedness changes is how much RAM an app running in that OS can access in a single allocation when using a flat addressing mode.
Yep, then here we are discussing "virtual" motherboard and "virtual" and "virtual" implementation of a UEFI bios in a virtual environment. Hence the question.

BTW, in all my 64 bit "virtual" system all this work perfectly fine, so it is very well implemented by Virtualbox. I ask about 32 bit becouse it seems I do have some problems with it. Maybe just my fault.
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

After a lot of research, I think I found the problem related with the 32 bit UEFI Linux guests OS do not boot from Virtualbox 7.0.2 using bootia32.efi.

I think the Virtualbox implementation of the UEFI bios is 64 bit (like it should be in the UEFI specs) and so it is incompatible with IA32.

This is also confirmed in my opinion by the fact neither i686 ISO images boot from virtual UEFI guest bios in Virtualbox.

Probably the reason about this is this UEFI implementation is pure UEFI and do not have like many real bios the CSM module built in and so it can't run legacy bios not uefi fixed, optical or whatever disks, even if partitioned with GPT.

If someone have an idea about this, maybe a developer or something, could confirm or deny my guess? How can I check the bios type of UEFI implementation in Virtualbox? Do exist an option to turn on the UEFI CSM emulation if it exist in the virtual code?

This is really a little problem considering 32 bit OSs are now pretty much gone, then I do have some virtualbox guests in 32 bit and I would convert them from legacy to UEFI (for secure boot reason) then now I think it's like impossible becouse of this missing CSM support.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by fth0 »

The VirtualBox UEFI BIOS is available in 64-bit and 32-bit versions. The choice is usually made automatically, dependent on the configured guest OS type and version (General > Basic > Type|Version) (*). Alternatively, it can be manually selected via VBoxManage modifyvm "VM name" --firmware bios|efi|efi32|efi64, where efi stands for the automatic selection of architecture (bitness).

There is no CSM available, because VirtualBox also provides its legacy BIOS.

Secure Boot is supposed to work in 64-bit and 32-bit.

(*) In the past, I've seen a totally different issue where changing of the guest OS type after the VM creation didn't fully work as expected. So make sure to set it correctly from the beginning. ;)
Last edited by fth0 on 10. Nov 2022, 19:19, edited 1 time in total.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by mpack »

Personally I don't see why UEFI would know or care about the bittedness of the code that runs after the boot manager has finished.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by fth0 »

mpack wrote:I don't see why UEFI would know or care about the bittedness of the code that runs after the boot manager has finished.
Because the OS uses Runtime Services offered by the UEFI BIOS, for example the Get/SetTime() functions to access the RTC (Real-Time Clock), and function calls have different calling conventions (ABIs, Application Binary Interfaces) in 32-bit and 64-bit modes.

AFAIU, Windows OSes expect the UEFI Runtime Services to have the same architecture as the Windows OS. Linux OSes are more flexible in this respect.

To explain a bit regarding processor execution modes:

A legacy BIOS either stays in 16-bit real mode, or switches to 32-bit protected mode and again back to 16-bit real mode, and then it gives control to the OS dependent MBR code in 16-bit real mode.

A UEFI BIOS switches from 16-bit real mode to 32-bit protected mode and optionally to 64-bit long mode and gives control to the OS dependent boot code in the current mode.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by mpack »

fth0 wrote: Because the OS uses Runtime Services offered by the UEFI BIOS, for example the Get/SetTime() functions to access the RTC (Real-Time Clock), and function calls have different calling conventions (ABIs, Application Binary Interfaces) in 32-bit and 64-bit modes.
You must know that's a weak response. An application is under no obligation to use the same calling convention on every call. That's why it's a convention and not a rule. Arranging to call into the BIOS with whatever convention the BIOS expects is a trivial non-problem.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by fth0 »

mpack wrote:You must know that's a weak response.
I tend to disagree, but we could argue about that. ;)
mpack wrote:An application is under no obligation to use the same calling convention on every call.
I think the reality lies between "obligation" and "convention", because people feel obliged to comply with the convention:

In Intel/AMD 64-bit long mode, there is only one calling convention for Unix-like OSes (System V AMD64 ABI), and one calling convention for Windows OSes (Microsoft x64 calling convention), and the UEFI BIOS uses the latter. I'll admit that in Intel/AMD 32-bit protected mode, there are multiple calling conventions, but they are all different from the 64-bit ones.

Of course you could mix and match 64-bit code and 32-bit code, but you'd need a conversion layer for that. Windows allegedly does not have that. Linux on the other hand is forced to use conversion layers for the 2 natural combinations 64/64-bit and 32/32-bit (and deliberately uses two for the two crossover combinations) because of the ABI differences between the Windows and the Linux worlds.

Or have I misunderstood your argument?
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

fth0 wrote:The VirtualBox UEFI BIOS is available in 64-bit and 32-bit versions. The choice is usually made automatically, dependent on the configured guest OS type and version (General > Basic > Type|Version) (*). Alternatively, it can be manually selected via VBoxManage modifyvm "VM name" --firmware bios|efi|efi32|efi64, where efi stands for the automatic selection of architecture (bitness).

There is no CSM available, because VirtualBox also provides its legacy BIOS.

Secure Boot is supposed to work in 64-bit and 32-bit.

(*) In the past, I've seen a totally different issue where changing of the guest OS type after the VM creation didn't fully work as expected. So make sure to set it correctly from the beginning. ;)
Thank you very much for this VERY IMPORTANT inside!!! That was the trick:

VBoxManage modifyvm "VM name" --firmware bios|efi|efi32|efi64

where efi in my case should be efi32.

The simple selection of UEFI in the Basic options under GUI wasn't enough! It is not automatic based on the OS loaded.

I confirm, great and totally complete implementation of the UEFI specifications. It works perfectly ok under 32 bit OSs too.

Now, where have you found this "insight"? Becouse reading carefully the manual online and offline didn't point me to the solution.

If exist I want such important document for other options related with other things too.

PS: also enabling SecureBoot option works like a charm once you got basic UEFI, obviously you have to sign everything and stuff.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by fth0 »

piggyz wrote:Now, where have you found this "insight"?
Well, it's a combination of several sources: The VirtualBox User Manual told me that the Enable EFI checkbox corresponds to the bios and efi options and that there are the efi32 and efi64options. The VirtualBox source code told me that the efi option automatically chooses the UEFI BIOS variant on behalf of the configured guest OS type. And a chat with someone who knows told me about the CSM and Secure Boot bits.
piggyz wrote:If exist I want such important document for other options related with other things too.
The VirtualBox User Manual and the VirtualBox source code are freely available. For a real developer, the source code is the only valid documentation. :D
piggyz wrote:The simple selection of UEFI in the Basic options under GUI wasn't enough! It is not automatic based on the OS loaded.
fth0 wrote:The VirtualBox UEFI BIOS is available in 64-bit and 32-bit versions. The choice is usually made automatically, dependent on the configured guest OS type and version (General > Basic > Type|Version)
Do you see the difference? ;)
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

fth0 wrote:
piggyz wrote:
piggyz wrote:The simple selection of UEFI in the Basic options under GUI wasn't enough! It is not automatic based on the OS loaded.
fth0 wrote:The VirtualBox UEFI BIOS is available in 64-bit and 32-bit versions. The choice is usually made automatically, dependent on the configured guest OS type and version (General > Basic > Type|Version)
Do you see the difference? ;)
I don't understand, then after my experience I think they should just had a little check box under UEFI options in the GUI: bios type and let the user choose 32 bit and 64 bit, then maybe it is an effort not justifyed by the little relevance 32 bit OS have this days.

In my opinion the automatic selection based in the host type (32 bit) it is not enough becouse proved to me it doesn't work. After the original Gentoo machine, I converted to UEFI another 32 bit virtual install, a Mint one, and also in this case I had to manually apply the uefi32 instruction: if not machine was 32 bit and uefi type 64 bit.

You right about reading source code, then it shouldn't be necessary for learning apps' basic functions.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by fth0 »

piggyz wrote:In my opinion the automatic selection based in the host type (32 bit)
There seems to be a misunderstanding here, or did you write "host" and meant "guest"?

When you create a VirtualBox VM, you choose a guest OS version in General > Basic > Version, thereby clearly saying that your guest OS will be a 64-bit or a 32-bit OS, and VirtualBox simply starts the VM with the matching UEFI BIOS. Note that VirtualBox cannot know what guest OS you're going to install at the time the UEFI BIOS is run, so it has to rely on the configuration being correct.
piggyz wrote:proved to me it doesn't work
Please provide a (zipped) VBox.log file from such a VM run.
piggyz
Posts: 70
Joined: 13. Feb 2013, 12:28

Re: Do SecureBoot is supported on 32 bit guest systems?

Post by piggyz »

fth0 wrote:
piggyz wrote:In my opinion the automatic selection based in the host type (32 bit)
There seems to be a misunderstanding here, or did you write "host" and meant "guest"?
Sorry for the mistype! I mean GUEST. No, the GUI seems not to be enough to get a uefi32 bios. Everything was correctly fine compiled in the GUI. Just the VBoxManage command fixed the problem.

BTW, I should open a bug report. Not only like I said before if you apply the simple UEFI checkbox in the GUI and your system is 32 bit it will not work in 32 bit mode (it stay 64), then if you for some reason after apply the VBoxManage command discussed above, using the GUI, u deselect UEFI bios to get Legacy, when you apply UEFI again it still defaults on 64 bit and so you got to reapply the VBoxManager command to get 32 bit again. Lucky it not delete the keys and the moks you applyed before, so after apply the VBoxManage command again everything is back like it was.

Still some little work to do on UEFI options in the bios.
Post Reply