[Bug 2022312] Re: Adding IA32 to X64 pkg, because secure boot is not working on Focal
Christian Ehrhardt
2022312 at bugs.launchpad.net
Mon Jan 15 08:06:22 UTC 2024
Thank you Mauricio, thanks for your ping to review the situation ...
AFAICS, in his comment #25 DannF was leaning towards solution #2 of
comment #20 but solution #1 seemed ok as well.
I personally like it if multiple things are resolved in a similar way as that is less surprising, and by making it a pure opt-in the risk isn't only low but sort of almost zero.
So IMHO you have taken an already trodden and safer path, which is great.
I'm +0.98 already
You'd get another 0.01 by an ask if we know if this is working well for the users that are affected by this. Your tests show that it "works"; what I mean is that we should avoid releasing this only to end up with people stating "But I can't change my nova.conf". Has anyone made sure this will not block this?
(Gladly solutions #1 and #2 are not mutually exclusive, we can go for #2 now and worst case still consider #1 later)
And yet another +0.01 via a thought that came to my mind about upgrade
compatibility. If we add this to Nova in focal it will make it react to
ubuntu_libvirt_uefi_secboot_disable_s3 config option. Once such a user
upgrades to Jammy, will it break, will it silently be ignored but
working the same way, will it need a patch to jammy and later to handle
such upgrades well?
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2022312
Title:
Adding IA32 to X64 pkg, because secure boot is not working on Focal
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive yoga series:
Confirmed
Status in edk2 package in Ubuntu:
Fix Released
Status in edk2 source package in Focal:
In Progress
Status in edk2 source package in Jammy:
Fix Released
Bug description:
[Impact]
In Focal, secureboot is not working (black screen right after
instance is started)
[Test Case]
0. juju bundle for focal-yoga openstack env
- https://pastebin.ubuntu.com/p/G38JwXMX5G/
1. create custom image with cirros
- openstack image create --container-format bare --disk-format qcow2 --file cirros-0.5.1-x86_64-disk.img cirros
2. set image properties.
- $ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi --property os_secure_boot=required cirros
3. In focal, create instance, and enable secureboot
4. start instance.
5. you can see only a black screen.
[Where problems could occur]
Secureboot may have issue.
[Others]
For Jammy, it is ok
instance xml
- https://pastebin.ubuntu.com/p/MnK6nx3vwy/
#ADDED
Testing
1. Prepared cirros and cirros2 image
2. only set secure boot parameters to cirros image
3. launch instances
- instance with cirros image
- instance with cirros2 image
4. test result
- booting cirros instance doesn't work (black screen) with original OVMF_CODE_4M.secboot.fd
- booting cirros instance does work (shows uefi prompt) with patched OVMF_CODE_4M.secboot.fd
- booting cirros2 instance either cases.