[Bug 2022312] Re: Adding IA32 to X64 pkg, because secure boot is not working on Focal
Mauricio Faria de Oliveira
2022312 at bugs.launchpad.net
Sat Jan 13 20:16:53 UTC 2024
Tests 2/2:
Enable Secure Boot:
$ openstack image set --property os_secure_boot=required jammy
Secure Boot: enabled
--------------------
The patch improves VMs _with_ Secure Boot (and only changes the libvirt
XML) _if_ the option is enabled.
Before: fails
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy
$
$ juju ssh nova-compute/0 'top -b -n 5 1 | grep qemu-system-x86'
115025 libvirt+ 20 0 2487320 55596 21724 S 93.8 1.4 0:57.67 qemu-system-x86
115025 libvirt+ 20 0 2487320 55596 21724 S 99.3 1.4 1:00.66 qemu-system-x86
115025 libvirt+ 20 0 2487320 55596 21724 S 99.7 1.4 1:03.65 qemu-system-x86
115025 libvirt+ 20 0 2487320 55596 21724 S 99.3 1.4 1:06.64 qemu-system-x86
115025 libvirt+ 20 0 2487320 55596 21724 S 100.0 1.4 1:09.65 qemu-system-x86
After/Config=False: still fails
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy
$
$ juju ssh nova-compute/0 'top -b -n 5 1 | grep qemu-system-x86'
117028 libvirt+ 20 0 2487328 55684 21840 S 100.0 1.4 0:38.41 qemu-system-x86
117028 libvirt+ 20 0 2487328 55684 21840 S 99.3 1.4 0:41.40 qemu-system-x86
117028 libvirt+ 20 0 2487328 55684 21840 S 99.3 1.4 0:44.39 qemu-system-x86
117028 libvirt+ 20 0 2487328 55684 21840 S 100.0 1.4 0:47.39 qemu-system-x86
117028 libvirt+ 20 0 2487328 55684 21840 S 100.0 1.4 0:50.40 qemu-system-x86
After/Config=True: IT WORKS!
@ /etc/nova/nova.conf
[DEFAULT]
ubuntu_libvirt_uefi_secboot_disable_s3=True
$ openstack server create --image jammy --flavor m1.small --network private test-jammy
$ openstack console log show test-jammy | grep -e '^BdsDxe' -e secureboot: -e login:
BdsDxe: starting Boot0003 "ubuntu" from HD(15,GPT,BC341E7F-34EE-4AAE-A937-2FE87A0792CB,0x2800,0x35000)/\EFI\ubuntu\shimx64.efi
[ 0.000000] secureboot: Secure boot enabled
[ 0.028329] secureboot: Secure boot enabled
test-jammy login: [...]
XML comparison (normalized for UUID/MAC/IP/TAP/DATETIME/etc):
$ diff -U0 test-jammy.xml.secboot-enabled.before test-jammy.xml.secboot-enabled.after.config-false
$
$ diff -U0 test-jammy.xml.secboot-enabled.before test-jammy.xml.secboot-enabled.after.config-true
...
+ <pm>
+ <suspend-to-mem enabled='no'/>
+ </pm>
...
XML comparison between Secure Boot disabled (before) and Secure Boot
enabled (after/config=true):
$ diff -U0 test-jammy.xml.sb-no.before test-jammy.xml.sb-yes.after.conf-yes
...
@@ -49,2 +49,2 @@
- <loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.fd</loader>
- <nvram template='/usr/share/OVMF/OVMF_VARS_4M.fd'>/var/lib/libvirt/qemu/nvram/<<INSTANCE>>_VARS.fd</nvram>
+ <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
+ <nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd'>/var/lib/libvirt/qemu/nvram/<<INSTANCE>>_VARS.fd</nvram>
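Review bot: the nvram template in this hunk changes to OVMF_VARS_4M.ms.fd while the per-instance path /var/lib/libvirt/qemu/nvram/<<INSTANCE>>_VARS.fd stays the same; this comparison is between freshly created instances, so the variable store was populated from the new template, but libvirt only copies the template when the _VARS.fd file does not already exist, so a guest that already has a store from the non-.ms template keeps its old contents when only the XML changes. Worth stating in the test notes, or adding a check that the store is regenerated, before this is relied on for existing instances.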
@@ -56,0 +57 @@
+ <smm state='on'/>
@@ -91,0 +93,3 @@
+ <pm>
+ <suspend-to-mem enabled='no'/>
+ </pm>
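As an added example (not from the bug report or the nova/edk2 packages), a small check that a libvirt domain XML carries the settings the comparison above shows for a working Secure Boot guest: a secure='yes' loader with the .ms.fd firmware and vars template, SMM enabled, and suspend-to-mem disabled. The sample domain is constructed from the diff lines; the surrounding `<domain>`/`<os>`/`<features>` scaffolding and the instance name in the nvram path are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bug report): the relevant parts of a
# Secure Boot-enabled domain as the diff above shows them with the config
# option set; the enclosing <domain>/<os>/<features> scaffolding is assumed.
DOMAIN_SB_ON = """<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd'>/var/lib/libvirt/qemu/nvram/test_VARS.fd</nvram>
  </os>
  <features><smm state='on'/></features>
  <pm><suspend-to-mem enabled='no'/></pm>
</domain>"""


def check_secure_boot_domain(xml_text):
    """Return a list of findings; an empty list means the domain matches
    the working configuration from the report (secure loader + .ms.fd
    firmware, SMM on, suspend-to-mem disabled)."""
    root = ET.fromstring(xml_text)
    findings = []
    loader = root.find('./os/loader')
    if loader is None or loader.get('secure') != 'yes':
        # Not a Secure Boot domain at all: the other checks do not apply.
        return ["loader is not secure='yes'; Secure Boot not requested"]
    if not (loader.text or '').endswith('.ms.fd'):
        findings.append('loader is not the .ms.fd (MS keys enrolled) build')
    nvram = root.find('./os/nvram')
    if nvram is None or not (nvram.get('template') or '').endswith('.ms.fd'):
        findings.append('nvram template is not the .ms.fd vars image')
    # libvirt requires SMM for a secure='yes' pflash loader on q35.
    smm = root.find('./features/smm')
    if smm is None or smm.get('state') != 'on':
        findings.append("<smm state='on'/> missing")
    # The workaround this bug report verifies: S3 disabled via <pm>.
    s3 = root.find('./pm/suspend-to-mem')
    if s3 is None or s3.get('enabled') != 'no':
        findings.append("<suspend-to-mem enabled='no'/> missing (S3 not disabled)")
    return findings


if __name__ == '__main__':
    # Second case mimics the Config=False run: the <pm> element is absent.
    cases = [('config=true', DOMAIN_SB_ON),
             ('config=false', DOMAIN_SB_ON.replace("<pm><suspend-to-mem enabled='no'/></pm>", ''))]
    for name, xml in cases:
        print(name, check_secure_boot_domain(xml) or 'OK')
```

Run it against `virsh dumpxml <instance>` output on a compute node to confirm an instance got the full set of settings rather than only the loader change.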
--
https://bugs.launchpad.net/bugs/2022312
Title:
Adding IA32 to X64 pkg, because secure boot is not working on Focal
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in edk2 package in Ubuntu:
Fix Released
Status in edk2 source package in Focal:
In Progress
Status in edk2 source package in Jammy:
Fix Released
Bug description:
[Impact]
In Focal, secureboot is not working (black screen right after the
instance is started)
[Test Case]
0. juju bundle for focal-yoga openstack env
- https://pastebin.ubuntu.com/p/G38JwXMX5G/
1. create custom image with cirros
- openstack image create --container-format bare --disk-format qcow2 --file cirros-0.5.1-x86_64-disk.img cirros
2. set image properties.
- $ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi --property os_secure_boot=required cirros
3. In focal, create instance, and enable secureboot
4. start instance.
5. You can see only a black screen.
[Where problems could occur]
Secure Boot may have issues.
[Others]
For Jammy, it is ok
instance xml
- https://pastebin.ubuntu.com/p/MnK6nx3vwy/
#ADDED
Testing
1. Prepared cirros and cirros2 image
2. only set secure boot parameters to cirros image
3. launch instances
- instance with cirros image
- instance with cirros2 image
4. test result
- booting the cirros instance doesn't work (black screen) with the original OVMF_CODE_4M.secboot.fd
- booting the cirros instance does work (shows the UEFI prompt) with the patched OVMF_CODE_4M.secboot.fd
- booting the cirros2 instance works in either case.