[Bug 2022312] Re: Adding IA32 to X64 pkg, because secure boot is not working on Focal
Mauricio Faria de Oliveira
2022312 at bugs.launchpad.net
Sat Jan 13 20:16:34 UTC 2024
Tests 1/2:
Enable QEMU q35 machine type and UEFI firmware:
$ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi jammy
Secure Boot: disabled
---------------------
The patch does not regress VMs _without_ Secure Boot, and does not
change the libvirt XML.
Before: works
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy | grep -e '^BdsDxe' -e secureboot: -e login:
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)
[ 0.000000] secureboot: Secure boot disabled
[ 0.027148] secureboot: Secure boot disabled
test-jammy login: [...]
After/Config=False: still works
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy | grep -e '^BdsDxe' -e secureboot: -e login:
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)
[ 0.000000] secureboot: Secure boot disabled
[ 0.026675] secureboot: Secure boot disabled
test-jammy login: [...]
After/Config=True: still works
@ /etc/nova/nova.conf
[DEFAULT]
ubuntu_libvirt_uefi_secboot_disable_s3=True
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy | grep -e '^BdsDxe' -e secureboot: -e login:
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)
[ 0.000000] secureboot: Secure boot disabled
[ 0.028423] secureboot: Secure boot disabled
test-jammy login: [...]
XML comparison (normalized for UUID/MAC/IP/TAP/DATETIME/etc):
$ diff -U0 test-jammy.xml.secboot-disabled.before test-jammy.xml.secboot-disabled.after.config-false
$
$ diff -U0 test-jammy.xml.secboot-disabled.before test-jammy.xml.secboot-disabled.after.config-true
$
--
https://bugs.launchpad.net/bugs/2022312
Title:
Adding IA32 to X64 pkg, because secure boot is not working on Focal
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in edk2 package in Ubuntu:
Fix Released
Status in edk2 source package in Focal:
In Progress
Status in edk2 source package in Jammy:
Fix Released
Bug description:
[Impact]
In Focal, secureboot is not working (black screen right after the
instance is started)
[Test Case]
0. juju bundle for focal-yoga openstack env
- https://pastebin.ubuntu.com/p/G38JwXMX5G/
1. create custom image with cirros
- openstack image create --container-format bare --disk-format qcow2 --file cirros-0.5.1-x86_64-disk.img cirros
2. set image properties.
- $ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi --property os_secure_boot=required cirros
3. In focal, create instance, and enable secureboot
4. start instance.
5. you can see only a black screen.
[Where problems could occur]
Secureboot may have issues.
[Others]
For Jammy, it is ok
instance xml
- https://pastebin.ubuntu.com/p/MnK6nx3vwy/
#ADDED
Testing
1. Prepared cirros and cirros2 image
2. only set secure boot parameters to cirros image
3. launch instances
- instance with cirros image
- instance with cirros2 image
4. test result
- booting cirros instance doesn't work (black screen) with original OVMF_CODE_4M.secboot.fd
- booting cirros instance does work (shows UEFI prompt) with patched OVMF_CODE_4M.secboot.fd
- booting cirros2 instance either cases.
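The normalized XML comparison used in the test message above, as an added example that is not part of the original message or of the Nova patch. The function names, the masking patterns and the sample domain XML are assumptions constructed for illustration; the real normalization used in the test is not shown on this page.

```shell
#!/bin/sh
# Added example: mask per-instance values in a libvirt domain XML dump so that
# two dumps of "the same" VM definition can be compared with diff -U0.

normalize_domain_xml() {   # $1 = XML file; prints the masked XML
    sed -E \
        -e 's/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/UUID/g' \
        -e 's/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MAC/g' \
        -e 's/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}/DATETIME/g' \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/IP/g' \
        -e "s/(<target dev=['\"])tap[^'\"]*/\1TAP/" \
        -e 's/instance-[0-9a-f]{8}/INSTANCE/g' \
        "$1"
}

diff_domain_xml() {        # $1, $2 = XML files; empty output means no change
    tmp=$(mktemp -d) || return 2
    normalize_domain_xml "$1" > "$tmp/a" && normalize_domain_xml "$2" > "$tmp/b"
    rc=0
    diff -U0 "$tmp/a" "$tmp/b" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample (not a real Nova dump): one domain definition with
# placeholders for the per-instance values and for the <loader> attributes.
sample_xml() {  # $1=uuid $2=mac $3=tap $4=time $5=name $6=loader attributes
    cat <<EOF
<domain type='kvm'>
  <name>$5</name>
  <uuid>$1</uuid>
  <nova:creationTime>$4</nova:creationTime>
  <os>
    <type machine='q35'>hvm</type>
    <loader $6>/usr/share/OVMF/OVMF_CODE_4M.fd</loader>
  </os>
  <interface type='bridge'>
    <mac address='$2'/>
    <target dev='$3'/>
  </interface>
</domain>
EOF
}
```

An empty diff, as in the two comparisons above, then means the definitions differ only in the masked fields; any firmware or feature change in the XML still shows up as a hunk.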