After using OpenBSD as the main OS for 2-3 years I wanted to give Qubes OS another shot, but I still wanted to have a qube with the full desktop experience of OpenBSD.
So here is my configuration of how I set up my OpenBSD qube with full 1080p resolution, and with audio and USB support. This config allows me (and possibly you) to use an OpenBSD qube in full screen (a desktop-like experience) using gop, which is not available in an OpenBSD qube using SeaBIOS.
Before we can do anything, we need to fix UEFI-enabled HVMs. As of 4.2, Qubes ships OVMF binaries that are not compatible with Xen. Starting with edk2-stable202108, the OVMF developers removed Xen support and moved it to OvmfXen.
Qubes does not include those Xen-compatible binaries; instead, 4.2 is currently built with binaries from the ovmf-edk package, which does not support Xen.
This causes UEFI-enabled HVMs on 4.2 to get stuck on `Guest has not initialized the display (yet)`.
To fix that, we need to add compatible binaries ourselves by installing the edk2-ovmf-xen package. Luckily for us, it is available in the Fedora 37 repo. So in dom0, type the following:
$ sudo qubes-dom0-update edk2-ovmf-xen
The package puts its files in `/usr/share/edk2/xen/`.
Next, we should replace the old ovmf.bin in `/usr/libexec/xen/boot/` with the new ovmf.bin file from `/usr/share/edk2/xen/`. But before that, we should make a copy of the existing ovmf.bin (just in case).
$ sudo cp /usr/libexec/xen/boot/ovmf.bin /usr/libexec/xen/boot/ovmf.bin.old
$ sudo cp /usr/share/edk2/xen/OVMF.bin /usr/libexec/xen/boot/ovmf.bin
Now, all UEFI-enabled HVMs should work.
Note: This change will not affect any other qube, only HVMs with the uefi feature enabled.
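Running the two `cp` commands above a second time, after the swap, would overwrite ovmf.bin.old with the new build and lose the original. The following is an added example, not part of the original guide or of Qubes OS: a guarded version of the same swap, with hypothetical function names `swap_ovmf` and `restore_ovmf`, taking the two paths as arguments (run as root in dom0 for the real files).

```shell
#!/bin/sh
# Added example, not part of Qubes OS. Paths are passed in so it can be tried
# on scratch files before pointing it at /usr/libexec/xen/boot/ovmf.bin.

# swap_ovmf NEW CUR: install NEW as CUR, keeping the first CUR as CUR.old.
swap_ovmf() {
    new=$1; cur=$2; bak=$2.old
    [ -s "$new" ] || { echo "missing or empty: $new" >&2; return 1; }
    [ -f "$cur" ] || { echo "nothing to replace at: $cur" >&2; return 1; }
    # Already swapped: copying CUR to CUR.old now would destroy the backup.
    if cmp -s "$new" "$cur"; then
        echo "already installed: $cur"; return 0
    fi
    # First backup wins; later runs never overwrite it.
    [ -e "$bak" ] || cp -p "$cur" "$bak" || return 1
    # Copy next to the target, compare, then rename so CUR is never half-written.
    cp "$new" "$cur.new" && cmp -s "$new" "$cur.new" && mv "$cur.new" "$cur"
}

# restore_ovmf CUR: put the backed-up firmware back.
restore_ovmf() {
    [ -f "$1.old" ] || { echo "no backup at $1.old" >&2; return 1; }
    cp -p "$1.old" "$1"
}

# Constructed demo on scratch files (contents are placeholders, not firmware).
d=$(mktemp -d)
mkdir -p "$d/xen" "$d/boot"
printf 'shipped-build\n' > "$d/boot/ovmf.bin"
printf 'xen-build\n' > "$d/xen/OVMF.bin"
swap_ovmf "$d/xen/OVMF.bin" "$d/boot/ovmf.bin"
swap_ovmf "$d/xen/OVMF.bin" "$d/boot/ovmf.bin"   # second run: backup stays intact
cat "$d/boot/ovmf.bin.old"
rm -rf "$d"
```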
First, we need to download the installation image for OpenBSD.
Go to OpenBSD's snapshot directory, and download the installX.iso, SHA256 and SHA256.sig files, where 'X' represents the version number.
We won't be using the current version of OpenBSD, which is 7.4. Instead, we are going to use snapshots. Why? Because snapshot .iso images include EFI boot loaders that allow them to boot on EFI machines (no more hacky USB installs. yay!). More info about that on the mailing list.
We need to check if the downloaded installX.iso file is valid. To do so, we need the signify-openbsd and signify-openbsd-keys packages. To install them, in the terminal of your appvm type the following (I'll be using Debian-based appvms):
$ sudo apt install signify-openbsd signify-openbsd-keys
Now that we have downloaded all of the required tools, we need to verify the installation image. This can be done with the following two lines:
$ sha256sum -c --ignore-missing SHA256
$ signify-openbsd -Cp /usr/share/signify-openbsd-keys/openbsd-x-base.pub -x SHA256.sig installX.iso
(Skip this if you are using an appvm based on debian-12. The signify-openbsd-keys package is out of date and it does not contain recent keys.)
Output for the first command should be `minirootX.iso: OK`, and for the second command it should be:
Signature Verified
minirootX.iso: OK
Go to Menu > Qube Manager > select "New Qube"
When a "Boot openbsd-vm from device" dialog shows up, choose your installX.iso file and click OK. Then we need to halt the qube by either killing it from "Qubes Manager" or by typing "reboot" when OpenBSD's bootloader prompt shows up.
Audio and USB can be enabled using the following two commands in dom0:
$ qvm-features openbsd-vm audio-model ac97
$ qvm-features openbsd-vm stubdom-qrexec 1
Enable UEFI in the OpenBSD qube:
$ qvm-features openbsd-vm uefi 1
We need to modify the libvirt configuration for this qube, as the xbf driver causes a kernel panic on OpenBSD when booting under UEFI. This will make disks show as SATA disks instead of IDE disks when the xbf driver is not loaded.
First, we need to create the directory `/etc/qubes/templates/libvirt/xen/by-name/` if it does not exist. In dom0 type:
$ sudo mkdir -p /etc/qubes/templates/libvirt/xen/by-name/
Then we need to copy the main config template (this copy will be used only when running the VM named `openbsd-vm`):
$ sudo cp /usr/share/qubes/templates/libvirt/xen.xml /etc/qubes/templates/libvirt/xen/by-name/openbsd-vm.xml
Then find the following text (~line 123):
<disk type="block" device="{{ device.devtype }}">
    <driver name="phy" />
    <source dev="{{ device.path }}" />
    {% if device.name == 'root' %}
        <target dev="xvda" />
    {% elif device.name == 'private' %}
        <target dev="xvdb" />
    {% elif device.name == 'volatile' %}
        <target dev="xvdc" />
    {% elif device.name == 'kernel' %}
        <target dev="xvdd" />
    {% else %}
        <target dev="xvd{{dd[counter.i]}}" />
        {% if counter.update({'i': counter.i + 1}) %}{% endif %}
    {% endif %}
    {% if not device.rw %}
        <readonly />
    {% endif %}
    {% if device.domain %}
        <backenddomain name="{{ device.domain }}" />
    {% endif %}
    <script path="/etc/xen/scripts/qubes-block" />
</disk>
And change it to this:
<disk type="block" device="{{ device.devtype }}">
    <driver name="phy" />
    <source dev="{{ device.path }}" />
    {% if device.name == 'root' %}
        <target dev="sda" />
    {% elif device.name == 'private' %}
        <target dev="sdb" />
    {% elif device.name == 'volatile' %}
        <target dev="sdc" />
    {% elif device.name == 'kernel' %}
        <target dev="sdd" />
    {% else %}
        <target dev="sd{{dd[counter.i]}}" />
        {% if counter.update({'i': counter.i + 1}) %}{% endif %}
    {% endif %}
    {% if not device.rw %}
        <readonly />
    {% endif %}
    {% if device.domain %}
        <backenddomain name="{{ device.domain }}" />
    {% endif %}
    <script path="/etc/xen/scripts/qubes-block" />
</disk>
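The same rename can be scripted instead of edited by hand. This is an added example, not code from the original guide or from Qubes OS: it changes `xvd*` targets to `sd*` only inside `<disk type="block">` blocks, keeps a pristine copy, and refuses to write if the result does not look as expected. The function names are hypothetical and the sample template is a constructed, shortened fragment.

```shell
#!/bin/sh
# Added example, not Qubes code. Point it at the per-qube copy under
# /etc/qubes/templates/libvirt/xen/by-name/, not at the shipped xen.xml.

# Count <target dev="PREFIX..."> lines inside <disk type="block"> ... </disk>.
count_disk_targets() {
    sed -n '/<disk type="block"/,/<\/disk>/p' "$1" |
        grep -c "<target dev=\"$2" || true
}

# Rename xvd* targets to sd* inside disk blocks only; keeps FILE.orig.
patch_disk_targets() {
    tpl=$1
    [ -f "$tpl" ] || { echo "no such template: $tpl" >&2; return 1; }
    # Keep one pristine copy; a second run must not overwrite it.
    [ -e "$tpl.orig" ] || cp -p "$tpl" "$tpl.orig" || return 1
    tmp=$(mktemp) || return 1
    sed '/<disk type="block"/,/<\/disk>/ s/<target dev="xvd/<target dev="sd/' \
        "$tpl" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Fail closed: no xvd target may remain, and at least one sd target must exist.
    if [ "$(count_disk_targets "$tmp" xvd)" -ne 0 ] ||
       [ "$(count_disk_targets "$tmp" sd)" -eq 0 ]; then
        echo "unexpected template layout, $tpl left untouched" >&2
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$tpl"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Constructed sample: a shortened disk block plus one line outside it.
write_sample() {
    cat > "$1" <<'EOF'
<disk type="block" device="{{ device.devtype }}">
{% if device.name == 'root' %}
<target dev="xvda" />
{% else %}
<target dev="xvd{{dd[counter.i]}}" />
{% endif %}
</disk>
<!-- constructed line outside the disk block: <target dev="xvdz" /> -->
EOF
}

sample=$(mktemp)
write_sample "$sample"
patch_disk_targets "$sample" && diff "$sample.orig" "$sample" || true
rm -f "$sample" "$sample.orig"
```

In dom0 the call would be `sudo sh -c '. ./script.sh; patch_disk_targets /etc/qubes/templates/libvirt/xen/by-name/openbsd-vm.xml'`, where `script.sh` is whatever name the block was saved under.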
I won't explain how to install OpenBSD here. You're gonna need to do that by yourself. But I will show the basic configuration that needs to be done so you can have a bootable system with proper resolution.
First, boot openbsd-vm with installX.iso (Qubes Manager -> right click on openbsd-vm -> settings -> advanced -> "boot qube from CD-rom")
When you get to the bootloader, type the following:
machine gop 22
boot -c
`machine gop` sets the output of gop to the specified mode/resolution (in our case, 1920x1080). Change this to the number that represents the resolution you want; see `machine gop` for all modes.
`boot -c` causes the kernel to go into boot_config. Here we'll disable some stuff.
When in boot_config, type the following:
disable xbf
quit
`disable xbf` disables the xbf driver that causes the panic on boot.
`quit` continues the boot.
Now, continue with installation.
On the first boot, when we get to the bootloader screen, we need to repeat the previous steps.
machine gop 22
boot -c
disable xbf
quit
It should now boot.
(If for some reason the qube boots back into the installation, in dom0 type: `qvm-block detach openbsd-vm vm-name:loop0`)
After we boot into the system, we need to make our changes permanent so we don't need to apply them every time we boot our qube. This can be done using config.
Open your terminal and switch to root using `su`. Then type:
# config -e -o /bsd.new /bsd
disable xbf
quit
And finally, we want to edit `/etc/boot.conf` so we can use that modified kernel and automatically set gop to the specified mode.
machine gop 22
boot bsd.new
And, we're done!
qvm-features openbsd-vm audio-model ac97
qvm-features openbsd-vm stubdom-qrexec 1
Enable UEFI in OpenBSD qube
qvm-features openbsd-vm uefi 1
We need to modify the libvirt configuration for this qube, as the xbf driver causes a kernel panic on OpenBSD when booting under UEFI. This will make disks show as SATA disks instead of IDE disks when the xbf driver is not loaded.
4.1. Copy default config file.
sudo cp /usr/share/qubes/templates/libvirt/xen.xml /etc/qubes/templates/libvirt/xen/by-name/openbsd-vm.xml
4.2. Modify below config segment in openbsd-vm.xml:
from this:
<disk type="block" device="{{ device.devtype }}">
    <driver name="phy" />
    <source dev="{{ device.path }}" />
    {% if device.name == 'root' %}
        <target dev="xvda" />
    {% elif device.name == 'private' %}
        <target dev="xvdb" />
    {% elif device.name == 'volatile' %}
        <target dev="xvdc" />
    {% elif device.name == 'kernel' %}
        <target dev="xvdd" />
    {% else %}
        <target dev="xvd{{dd[counter.i]}}" />
        {% if counter.update({'i': counter.i + 1}) %}{% endif %}
    {% endif %}
    {% if not device.rw %}
        <readonly />
    {% endif %}
    {% if device.domain %}
        <backenddomain name="{{ device.domain }}" />
    {% endif %}
</disk>
to this:
<disk type="block" device="{{ device.devtype }}">
    <driver name="phy" />
    <source dev="{{ device.path }}" />
    {% if device.name == 'root' %}
        <target dev="sda" bus="virtio" />
    {% elif device.name == 'private' %}
        <target dev="sdb" bus="virtio" />
    {% elif device.name == 'volatile' %}
        <target dev="sdc" bus="virtio" />
    {% elif device.name == 'kernel' %}
        <target dev="sdd" bus="virtio" />
    {% else %}
        <target dev="sd{{dd[counter.i]}}" bus="virtio" />
        {% if counter.update({'i': counter.i + 1}) %}{% endif %}
    {% endif %}
    {% if not device.rw %}
        <readonly />
    {% endif %}
    {% if device.domain %}
        <backenddomain name="{{ device.domain }}" />
    {% endif %}
</disk>
`machine gop 22` -> sets output of gop to 1920x1080. Change this to the number that represents the resolution you want. See `machine gop` for all modes.
`boot -c` -> Enter boot_config
`disable xbf` then `quit`.
Run the `config -e -o /bsd.new /bsd` command as root.
10.1. Type `disable xbf` and then `quit`. This will generate a new modified kernel with the xbf driver disabled.
/etc/boot.conf:
machine gop 22
boot bsd.new
That's it. You should now have a fully working OpenBSD qube with working USB passthrough, audio and correct resolution for full screen usage.
Known problems: