cockpit-machines
Importing a virtual machine and selecting UEFI boot enables Secure Boot, with no option to disable it
Apologies for any errors in this issue, it's past 2am here.
- Download https://github.com/home-assistant/operating-system/releases/download/10.5/haos_ova-10.5.qcow2.xz
- Decompress it
- Import it into Cockpit
- Select UEFI (this image does not appear to support BIOS boot)
- Start the VM
The EFI shell starts and you get access denied if you try to manually start GRUB.
https://discuss.linuxcontainers.org/t/lxd-3-21-vm-efi-boot-error/6917 and others suggest this is an issue with Secure Boot.
If I try `virsh edit --domain home-assistant` I can see the following:

```xml
<os firmware='efi'>
  <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
  <firmware>
    <feature enabled='yes' name='enrolled-keys'/>
    <feature enabled='yes' name='secure-boot'/>
  </firmware>
  <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
  <nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd'>/home/voltagex/.config/libvirt/qemu/nvram/home-assistant_VARS.fd</nvram>
  <boot dev='hd'/>
</os>
```
If I remove those feature keys, I get an error along the lines of operation failed: Unable to find any firmware to satisfy 'efi'
I'm on Debian Testing.
```
dpkg --list | grep -E "(cockpit|virt|qemu)"
ii cockpit 300.1-1 all Web Console for Linux servers
ii cockpit-bridge 300.1-1 amd64 Cockpit bridge server-side component
ii cockpit-machines 298-1 all Cockpit user interface for virtual machines
ii cockpit-packagekit 300.1-1 all Cockpit user interface for apps and package updates
ii cockpit-podman 76-1 all Cockpit component for Podman containers
ii cockpit-storaged 300.1-1 all Cockpit user interface for storage
ii cockpit-system 300.1-1 all Cockpit admin interface for a system
ii cockpit-ws 300.1-1 amd64 Cockpit Web Service
ii gir1.2-libvirt-glib-1.0:amd64 4.0.0-3 amd64 GObject introspection files for the libvirt-glib library
ii ipxe-qemu 1.0.0+git-20190125.36a4c85-5.1 all PXE boot firmware - ROM images for qemu
ii libvirglrenderer1:amd64 0.10.4-1 amd64 virtual GPU for KVM virtualization
ii libvirt-clients 9.7.0-1 amd64 Programs for the libvirt library
ii libvirt-daemon 9.7.0-1 amd64 Virtualization daemon
ii libvirt-daemon-config-network 9.7.0-1 all Libvirt daemon configuration files (default network)
ii libvirt-daemon-config-nwfilter 9.7.0-1 all Libvirt daemon configuration files (default network filters)
ii libvirt-daemon-driver-lxc 9.7.0-1 amd64 Virtualization daemon LXC connection driver
ii libvirt-daemon-driver-qemu 9.7.0-1 amd64 Virtualization daemon QEMU connection driver
ii libvirt-daemon-driver-vbox 9.7.0-1 amd64 Virtualization daemon VirtualBox connection driver
ii libvirt-daemon-driver-xen 9.7.0-1 amd64 Virtualization daemon Xen connection driver
ii libvirt-daemon-system 9.7.0-1 amd64 Libvirt daemon configuration files
ii libvirt-daemon-system-systemd 9.7.0-1 all Libvirt daemon configuration files (systemd)
ii libvirt-dbus 1.4.1-3 amd64 libvirt D-Bus API bindings
ii libvirt-glib-1.0-0:amd64 4.0.0-3 amd64 libvirt GLib and GObject mapping library
ii libvirt-glib-1.0-data 4.0.0-3 all Common files for libvirt GLib library
ii libvirt-l10n 9.7.0-1 all localization for the libvirt library
ii libvirt0:amd64 9.7.0-1 amd64 library for interfacing with different virtualization systems
ii ovmf 2023.05-1 all UEFI firmware for 64-bit x86 virtual machines
ii python3-libvirt 9.7.0-1 amd64 libvirt Python 3 bindings
ii qemu-block-extra 1:8.0.4+dfsg-3+b1 amd64 extra block backend modules for qemu-system and qemu-utils
ii qemu-efi 2023.05-1 all transitional dummy package
ii qemu-efi-aarch64 2023.05-1 all UEFI firmware for 64-bit ARM virtual machines
ii qemu-system-common 1:8.0.4+dfsg-3+b1 amd64 QEMU full system emulation binaries (common files)
ii qemu-system-data 1:8.0.4+dfsg-3 all QEMU full system emulation (data files)
ii qemu-system-gui 1:8.0.4+dfsg-3+b1 amd64 QEMU full system emulation binaries (user interface and audio support)
ii qemu-system-x86 1:8.0.4+dfsg-3+b1 amd64 QEMU full system emulation binaries (x86)
ii qemu-utils 1:8.0.4+dfsg-3+b1 amd64 QEMU utilities
ii virt-manager 1:4.1.0-3 all desktop application for managing virtual machines
ii virt-viewer 11.0-3 amd64 Displaying the graphical console of a virtual machine
ii virtinst 1:4.1.0-3 all utilities to create and edit virtual machines
```
https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_firmware.c#L1857 - the error message was improved recently.
I don't think this is entirely a cockpit-machines issue, but it can definitely be improved by adding more configuration options to the UI
On Rawhide, I can get things working but I still need to modify the XML.
https://gist.github.com/voltagex/5623bf3e2123aad3243f4efd9b11d116
I guess I'm just debugging for myself at this point.
After enabling log_outputs="1:file:/var/log/libvirtd-debug.log" in /etc/libvirt/libvirtd.conf, I can see the following:
```
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/40-edk2-aarch64-secure-enrolled.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1284 : User refused Enrolled keys, firmware '/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json' has them
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-aarch64-secure.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-x86_64-secure.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/60-edk2-aarch64.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/60-edk2-x86_64.json'
2023-10-01 07:32:38.410+0000: 47214: error : qemuFirmwareFillDomain:1856 : operation failed: Unable to find any firmware to satisfy 'efi'
```
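Added example (not part of the thread and not libvirt's code): a simplified model of the descriptor matching that the debug log above records, showing why a loader path that still names the Secure Boot image is rejected once the features are set to 'no'. The descriptor contents are constructed; the file names come from the log and the image paths from the XML quoted elsewhere in this thread.

```python
from fnmatch import fnmatch

# Constructed descriptors, trimmed to the fields used here. File names come
# from the debug log; which image and features each one carries is assumed.
SECBOOT = "/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2"
PLAIN = "/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2"
Q35 = [{"architecture": "x86_64", "machines": ["pc-q35-*"]}]
DESCRIPTORS = {
    "40-edk2-x86_64-secure-enrolled.json": {
        "interface-types": ["uefi"], "targets": Q35,
        "mapping": {"executable": {"filename": SECBOOT}},
        "features": ["enrolled-keys", "requires-smm", "secure-boot"]},
    "50-edk2-ovmf-4m-qcow2-x64-nosb.json": {
        "interface-types": ["uefi"], "targets": Q35,
        "mapping": {"executable": {"filename": PLAIN}},
        "features": ["acpi-s3"]},
}

def mismatch(desc, arch, machine, loader_path, features):
    """Return why a descriptor is rejected, or None if it satisfies the domain."""
    if loader_path and desc["mapping"]["executable"]["filename"] != loader_path:
        return "no matching path"
    if "uefi" not in desc["interface-types"]:
        return "not a UEFI firmware"
    if not any(t["architecture"] == arch and
               any(fnmatch(machine, pat) for pat in t["machines"])
               for t in desc["targets"]):
        return "architecture/machine type not covered"
    for name, wanted in features.items():
        present = name in desc["features"]
        if wanted and not present:
            return f"{name} requested, firmware lacks it"
        if not wanted and present:
            return f"user refused {name}, firmware has it"
    return None

def select_firmware(loader_path, features, arch="x86_64", machine="pc-q35-8.1"):
    """Walk descriptors in file-name order; return (chosen, rejections)."""
    rejected = {}
    for fname in sorted(DESCRIPTORS):
        why = mismatch(DESCRIPTORS[fname], arch, machine, loader_path, features)
        if why is None:
            return fname, rejected
        rejected[fname] = why
    return None, rejected

OFF = {"enrolled-keys": False, "secure-boot": False}
print(select_firmware(SECBOOT, OFF))  # loader still points at the secboot image
print(select_firmware(PLAIN, OFF))    # loader path and features agree
```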
Details pages do have an information card that does show BIOS / EFI, and there's already a way to edit some of the other values, so I think it's straightforward from a UI perspective.
It'd open up a modal with radios to switch between them.
(Note: There's a redesign planned where this area of the page will change. But this info will still be there in the redesign.)
If you're editing the XML to disable Secure Boot, on the following line

```xml
<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
```

you also have to change `secure='yes'` to `secure='no'` to fully disable Secure Boot.
Unless I'm not looking in the right place, there is no way to change this from the cockpit side.
@rstat1 which led to https://gitlab.com/libvirt/libvirt/-/issues/544, yes.
Thanks though.
Just adding a couple more things here so I don't forget:
I am re-testing on Fedora 39.
Downloading & decompressing https://github.com/home-assistant/operating-system/releases/download/11.3/haos_ova-11.3.qcow2.xz
Let's say I go through the import workflow - the list of OSes here is different for import vs new!
Perhaps there could be some options here along the lines of "Generic Linux, UEFI secure-boot" and "Generic Linux, UEFI".
Hit import & edit so I can change BIOS to UEFI (this screen doesn't note that this is your last chance to do this)
Interestingly with whatever combination of firmware exists on this system, I get the following screen instead of the shell this time:
`virsh edit --domain homeassistant-test` shows the following configuration:

```xml
<os firmware='efi'>
  <type arch='x86_64' machine='pc-q35-8.1'>hvm</type>
  <firmware>
    <feature enabled='yes' name='enrolled-keys'/>
    <feature enabled='yes' name='secure-boot'/>
  </firmware>
  <loader readonly='yes' secure='yes' type='pflash' format='qcow2'>/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2</loader>
  <nvram template='/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2' format='qcow2'>/home/voltagex/.config/libvirt/qemu/nvram/homeassistant-test_VARS.qcow2</nvram>
  <boot dev='hd'/>
</os>
```
Flipping the enrolled-keys and secure-boot feature to 'no', along with loader secure='no' leads to the error that I reported to libvirt - error: operation failed: Unable to find any firmware to satisfy 'efi' - I realise this is not a cockpit-machines issue.
Hi, I've been struggling with the same issue as you and I discovered a way to fix it. You should also edit the
```xml
<firmware>
  <feature enabled='no' name='enrolled-keys'/>
  <feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2</loader>
<nvram template='/usr/share/edk2/ovmf/OVMF_VARS_4M.qcow2' format='qcow2'>/home/voltagex/.config/libvirt/qemu/nvram/homeassistant-test_VARS.qcow2</nvram>
```
This configuration worked for me on Fedora 39
You can also press "any key" to enter the boot manager in the VM and then enter Device Manager (first option) and disable secure boot from the "Secure Boot Configuration" which is the third option.
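Added example (not part of the thread): the comments above name three places in the `<os>` element that carry Secure Boot state, the two `<feature>` elements and the loader's `secure` attribute. This sketch reads them from `virsh dumpxml` style input and reports when they disagree; the function names are hypothetical, the sample XML is constructed from the block quoted in the thread, and treating a loader without a `secure` attribute as `secure='no'` is an assumption.

```python
import xml.etree.ElementTree as ET

def secure_boot_settings(xml_text):
    """Collect the Secure Boot related settings of a domain's <os> element."""
    root = ET.fromstring(xml_text)
    os_el = root if root.tag == "os" else root.find("os")  # <os> or full <domain>
    feats = {f.get("name"): f.get("enabled") == "yes"
             for f in os_el.findall("firmware/feature")}
    loader = os_el.find("loader")
    return {
        "secure-boot": feats.get("secure-boot"),      # None: not stated
        "enrolled-keys": feats.get("enrolled-keys"),
        # Assumption: a loader without a secure attribute counts as secure='no'.
        "loader-secure": None if loader is None else loader.get("secure") == "yes",
        "loader-path": None if loader is None else (loader.text or "").strip(),
    }

def audit(xml_text):
    """Return (settings, findings); findings list settings that disagree."""
    s = secure_boot_settings(xml_text)
    findings = []
    if s["secure-boot"] is False and s["loader-secure"]:
        findings.append("secure-boot feature is 'no' but loader has secure='yes'")
    if s["secure-boot"] and s["loader-secure"] is False:
        findings.append("secure-boot feature is 'yes' but loader is not secure='yes'")
    return s, findings

# Constructed input: the <os> block from the thread after flipping only the
# two <feature> elements and leaving the loader line untouched.
HALF_EDITED = """<os firmware='efi'>
  <type arch='x86_64' machine='pc-q35-8.1'>hvm</type>
  <firmware>
    <feature enabled='no' name='enrolled-keys'/>
    <feature enabled='no' name='secure-boot'/>
  </firmware>
  <loader readonly='yes' secure='yes' type='pflash' format='qcow2'>/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2</loader>
  <boot dev='hd'/>
</os>"""

if __name__ == "__main__":
    settings, findings = audit(HALF_EDITED)
    print(settings)
    print(findings)
```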