[Bug 2022312] Re: Adding IA32 to X64 pkg, because secure boot is not working on Focal

Mauricio Faria de Oliveira 2022312 at bugs.launchpad.net
Sat Jan 13 20:14:57 UTC 2024 

I think the behavior should be opt-in because there may be existing VMs
that are working (e.g., user installed other/custom UEFI/OVMF build [2],
which is not supported, but it worked), that by now have S3 enabled,
and might observe differences or even issues (?) with S3 disabled.

Thus, I propose adding a nova config option for libvirt workarounds
(this is official upstream for downstream use [3]; e.g., Ubuntu [4])
and have it emit the 'pm/suspend-to-mem' libvirt XML tags if enabled
_and_ the UEFI loader declares it `requires-smm` (ie, for Secure Boot).

It worked successfully in an UCA Focal-Yoga openstack deployment.

I'll attach the debdiff and test results in another comment, and
ask for reviews.

** Bug watch added: bugzilla.tianocore.org/ #3064
   https://bugzilla.tianocore.org/show_bug.cgi?id=3064

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2022312

Title:
  Adding IA32 to X64 pkg, because secure boot is not working on Focal

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive yoga series:
  New
Status in edk2 package in Ubuntu:
  Fix Released
Status in edk2 source package in Focal:
  In Progress
Status in edk2 source package in Jammy:
  Fix Released

Bug description:
  [Impact]

  In Focal, secureboot is not working ( black screen right after
  instance is started )

  [Test Case]
  0. juju bundle for focal-yoga openstack env
  - https://pastebin.ubuntu.com/p/G38JwXMX5G/
  1. create custom image with cirros
  - openstack image create --container-format bare --disk-format qcow2 --file cirros-0.5.1-x86_64-disk.img cirros
  2. set image properties.
  - $ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi --property os_secure_boot=required cirros
  3. In focal, create instance, and enable secureboot
  4. start instance.
  5. you just can see only blackscreen.

  [Where problems could occur]
  Secureboot may have issue.

  [Others]
  For Jammy, it is ok

  instance xml
  - https://pastebin.ubuntu.com/p/MnK6nx3vwy/

  #ADDED
  Testing
  1. Prepared cirros and cirros2 image
  2. only set secure boot parameters to cirros image
  3. launch instances
  - instance with cirros image
  - instance with cirros2 image
  4. test result
  - booting cirros instance doesn't work(black screen) with original OVMF_CODE_4M.secboot.fd
  - booting cirros instance does work(shows uefi prompt) with patched OVMF_CODE_4M.secboot.fd
  - booting cirros2 instance either cases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2022312/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list