Sovereign Boot hangs after installing Ubuntu or Debian
Component
Dasharo firmware
Device
QEMU Q35 Emulator
Dasharo version
RC4
Dasharo Tools Suite version
No response
Test case ID
No response
Brief summary
Sovereign Boot Provisioning Wizard hangs when trying to add keys after installing Debian or Ubuntu
How reproducible
100%
How to reproduce
- Download Debian or Ubuntu installer (I tried with debian-12.6.0-amd64-netinst.iso and ubuntu-24.04.2-live-server-amd64.iso)
- Create empty file on which we will install OS
  dd if=/dev/zero of=ubuntu.img bs=1 count=0 seek=30G
- Run QEMU. Add
.isoas removable USB device. I have used modified run-qemu.sh script--- run-qemu.sh 2025-10-08 11:04:00.081968269 +0200 +++ run-qemu.sh 2025-10-30 10:00:08.751108098 +0100 @@ -152,4 +152,3 @@ OVMF=( - "-drive" "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.${SECBOOT}fd" - "-drive" "if=pflash,format=raw,file=${OVMF_VARS}" + "-drive" "if=pflash,format=raw,file=/path/to/qemu_q35_sovereign-boot-rc4.rom" ) @@ -175,3 +174,3 @@ -netdev user,id=vmnic,hostfwd=tcp::"${PORT}"-:22 \ - -m "$MEM" -smp "$CPU" -M q35 "${KVM[@]}" "${TPM_ARGS[@]}" \ + -m "$MEM" -smp "$CPU" -M q35,smm=on "${KVM[@]}" "${TPM_ARGS[@]}" \ $NO_GRAPHIC "${USB[@]}" "${POSITIONAL_ARGS[@]}"command to run this modified script:
./run-qemu.sh -e -m 4G -u ~/Downloads/ubuntu-24.04.2-live-server-amd64.iso ubuntu.img
You can also use below command:
qemu-system-x86_64 -serial mon:stdio -global ICH9-LPC.disable_s3=1 \
  -drive if=pflash,format=raw,file=/tmp/qemu_q35_sovereign-boot-rc4.rom \
  -device virtio-net,netdev=vmnic -netdev user,id=vmnic,hostfwd=tcp::5222-:22 \
  -m 4G -smp 4 -M q35,smm=on -enable-kvm -device usb-ehci,id=ehci \
  -drive file=ubuntu.img,if=ide,format=raw
- Skip SB provisioning (Exit), boot into installer and install OS (minimal install)
- After installing and rebooting choose Sovereign Boot when asked about setting up UEFI Secure Boot
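Review bot: in the first hunk of the run-qemu.sh diff (the OVMF=( array), the new -drive if=pflash,format=raw,file=/path/to/qemu_q35_sovereign-boot-rc4.rom line drops the readonly=on that the removed OVMF_CODE line carried and no longer uses a separate ${OVMF_VARS} file, so whatever the firmware writes to flash is stored in the ROM image itself and carries over to every later run. Point this drive at a per-run copy of the pristine ROM, and take the path from a variable rather than the hard-coded /path/to/ value, so each test starts from a known firmware state.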
Expected behavior
List of bootloaders to use with SB
Actual behavior
BIOS hangs
Screenshots
No response
Additional context
After that, it always hangs on the same step even if you run QEMU again but instead of passing ubuntu.img you pass dts.img (containing DTS). When using clean rom with DTS:
./run-qemu.sh -e -m 4G dts.img
provisioning wizard works:
/------------------------------------------------------------------------------\
| Sovereign Boot Provisioning Wizard |
\------------------------------------------------------------------------------/
A new bootloader/key has been detected.
Description: Dasharo Tools Suite (on QEMU HARDDISK)
Hardware path:
PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(1
,MBR,0x076C4A2A,0x800,0xF12C)
File path: \EFI\DTS\grubx64.efi
Using it again with ubuntu.img results in the same hang but going back to DTS again works so it's possible OS installation broke something?
Also during Debian installation there was output on serial from shim or GRUB:
Failed to set MokListXRT: Out of Resources
Could not create MokListXRT: Out of Resources
Solutions you've tried
No response
Failed to set MokListXRT: Out of Resources
Could not create MokListXRT: Out of Resources
Could be something related to the size of NVRAM. Depending on how many certs/images are trusted or untrusted, the DB/DBX gets bigger. Also, the TPM log area can quickly run out of space, but I believe I have fixed it by increasing the log size.
The QEMU params may matter as well. I used quite a lot of them with swtpm, virt rand etc. Some of them are the key to get the Sovereign Wizard working in an emulated environment. The command you have provided in the issue summary is probably too limited.
I am not experiencing any issues with Ubuntu. Please note that your list of QEMU parameters is insufficient to properly utilize Sovereign Boot Wizard. I am basically using this script: https://github.com/Dasharo/open-source-firmware-validation/blob/develop/scripts/ci/qemu-run.sh
Your parameters are at least missing RNG, which is required to generate keys.
Regarding the Debian shim problem, this is what I get with a debug build:
UpdateVariable failed: Out of flash space
Failed to set MokListXRT: Out of Resources
Could not create MokListXRT: Out of Resources
So basically it is a manifestation of this issue: https://github.com/Dasharo/dasharo-issues/issues/1691 where there is not enough space for variables in flash. Not really related to Sovereign Boot.
Your parameters are at least missing RNG, which is required to generate keys.
I'm pretty sure it worked when running DTS:
B/----------------------------------------------------------------\
CE98| INFO |
|----------------------------------------------------------------|
Do y| Are you sure you want to trust the following |
boot| Image hash (SHA-256): |
| !!! Image is unsigned !!! |
[ Do|E6ABF8615C60953E8BD6C37643478AB5F3C4091EF1075FB94BF4CE982745E802|
[ Tr| |
[ Tr| [ Yes ] [ No ] |
[ Sk\----------------------------------------------------------------/
/-------------------------------------------------\
| |
| Sovereign Boot provisioning successful. |
|The Wizard will now boot the selected bootloader.|
| |
\-------------------------------------------------/
error: shim_lock protocol not found.
Press any key to continue...
I am basically using this script: https://github.com/Dasharo/open-source-firmware-validation/blob/develop/scripts/ci/qemu-run.sh
Unfortunately, it still gets stuck after installing Debian. Commands used to run QEMU:
QEMU_FW_FILE=qemu_q35_sovereign.rom HDD2_PATH=~/Downloads/debian-12.6.0-amd64-netinst.iso HDD_PATH=debian.img scripts/ci/qemu-run.sh graphic os
Edit:
Same thing after installing Ubuntu 24.04 (ubuntu-24.04.2-live-server-amd64.iso).
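The QEMU settings raised in this thread (an RNG device for key generation, swtpm, SMM, and a writable firmware image that keeps state between runs) can be checked before booting. This is an added example, not part of the issue or of Dasharo's scripts; the finding labels, the virtio-rng-pci and tpm-tis device choices and the swtpm socket path are assumptions, and no-tpm is reported only because the thread mentions swtpm, not because it is stated to be required.

```shell
#!/bin/sh
# Added example: audit a QEMU command line for the settings this thread discusses.
# Finding names are this example's own labels, not Dasharo or QEMU terminology.

# Constructed sample: the stand-alone command from the issue's reproduction steps.
ISSUE_CMD='qemu-system-x86_64 -serial mon:stdio -global ICH9-LPC.disable_s3=1
 -drive if=pflash,format=raw,file=/tmp/qemu_q35_sovereign-boot-rc4.rom
 -device virtio-net,netdev=vmnic -netdev user,id=vmnic,hostfwd=tcp::5222-:22
 -m 4G -smp 4 -M q35,smm=on -enable-kvm -device usb-ehci,id=ehci
 -drive file=ubuntu.img,if=ide,format=raw'

# Same command with an RNG and a TPM added (socket path is a placeholder).
FIXED_CMD="$ISSUE_CMD
 -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0
 -chardev socket,id=chrtpm,path=/tmp/swtpm-sock
 -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"

audit_qemu_args() {
    # $1: full QEMU command line as one string. Echoes space-separated findings.
    findings=""
    pflash=0 smm=0 rng=0 tpm=0 stateful=0
    set -f                      # no globbing while word-splitting the command
    for tok in $1; do
        case $tok in
            *if=pflash*)
                pflash=1
                # Without readonly=on, guest flash writes land in the backing file.
                case $tok in *readonly=on*) ;; *) stateful=1 ;; esac ;;
            *smm=on*)    smm=1 ;;
            virtio-rng*) rng=1 ;;
            -tpmdev)     tpm=1 ;;
        esac
    done
    set +f
    if [ "$pflash" -eq 0 ]; then findings="$findings no-pflash-firmware"; fi
    if [ "$smm" -eq 0 ]; then findings="$findings no-smm"; fi
    if [ "$rng" -eq 0 ]; then findings="$findings no-rng-device"; fi
    if [ "$tpm" -eq 0 ]; then findings="$findings no-tpm"; fi
    if [ "$stateful" -eq 1 ]; then findings="$findings stateful-pflash"; fi
    echo "${findings# }"
}

echo "issue command: $(audit_qemu_args "$ISSUE_CMD")"
echo "with RNG+TPM:  $(audit_qemu_args "$FIXED_CMD")"
```

stateful-pflash is a reminder rather than an error: the firmware needs writable flash for its variables, so keep a pristine copy of the ROM and start each test from a fresh copy.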