2022-08 Security Update for Windows fails to install

Open Craig-Macomber opened this issue 1 year ago • 6 comments

Expected behaviour

Can install updates in Windows.

Actual behaviour

In both Windows 10 and 11 "2022-08 Security Update [...] (KB5012170)" fails to install despite retries, running the troubleshooter, reboots and making new clean VMs and just trying to install updates.

Error occurs when installing the above mentioned update, just after "Installing 100%" is displayed.

As this is a security update, being unable to install it puts my VM out of compliance with corporate policies, which makes this problematic.

Full error text from one of my win 10 VMs:

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x800f0922)

Update links to: https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15 

Steps to reproduce the behaviour

Create new Windows 10 or 11 VM. Install updates, rebooting as needed until error occurs.

Quickemu output

$ quickemu

Usage
  quickemu --vm ubuntu.conf

You can also pass optional parameters
  --braille                         : Enable braille support. Requires SDL.
  --delete-disk                     : Delete the disk image and EFI variables
  --delete-vm                       : Delete the entire VM and it's configuration
  --display                         : Select display backend. 'sdl' (default), 'gtk', 'none', 'spice' or 'spice-app'
  --fullscreen                      : Starts VM in full screen mode (Ctl+Alt+f to exit)
  --ignore-msrs-always              : Configure KVM to always ignore unhandled machine-specific registers
  --screen <screen>                 : Use specified screen to determine the window size.
  --shortcut                        : Create a desktop shortcut
  --snapshot apply <tag>            : Apply/restore a snapshot.
  --snapshot create <tag>           : Create a snapshot.
  --snapshot delete <tag>           : Delete a snapshot.
  --snapshot info                   : Show disk/snapshot info.
  --status-quo                      : Do not commit any changes to disk/snapshot.
  --viewer <viewer>                 : Choose an alternative viewer. @Options: 'spicy' (default), 'remote-viewer', 'none'
  --ssh-port <port>                 : Set ssh-port manually
  --spice-port <port>               : Set spice-port manually
  --public-dir <path>               : expose share directory. @Options: '' (default: xdg-user-dir PUBLICSHARE), '<directory>', 'none'
  --monitor <type>                  : Set monitor connection type. @Options: 'socket' (default), 'telnet', 'none'
  --monitor-telnet-host <ip/host>   : Set telnet host for monitor. (default: 'localhost')
  --monitor-telnet-port <port>      : Set telnet port for monitor. (default: '4440')
  --monitor-cmd <cmd>               : Send command to monitor if available. (Example: system_powerdown)
  --serial <type>                   : Set serial connection type. @Options: 'socket' (default), 'telnet', 'none'
  --serial-telnet-host <ip/host>    : Set telnet host for serial. (default: 'localhost')
  --serial-telnet-port <port>       : Set telnet port for serial. (default: '6660')
  --keyboard <type>                 : Set keyboard. @Options: 'usb' (default), 'ps2', 'virtio'
  --keyboard_layout <layout>        : Set keyboard layout.
  --mouse <type>                    : Set mouse. @Options: 'tablet' (default), 'ps2', 'usb', 'virtio'
  --usb-controller <type>           : Set usb-controller. @Options: 'ehci' (default), 'xhci', 'none'
  --extra_args <arguments>          : Pass additional arguments to qemu
  --version                         : Print version

Template doesn't ask for it, but I have quickemu 4.1.

Linux Distribution & Kernel

LSB Version:    core-11.1.0ubuntu4-noarch:printing-11.1.0ubuntu4-noarch:security-11.1.0ubuntu4-noarch
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy
Linux Large-22 5.15.0-47-generic #51-Ubuntu SMP Thu Aug 11 07:51:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Craig-Macomber avatar Sep 13 '22 07:09 Craig-Macomber

Hello there 👋 Thanks for submitting your first issue to the Quickemu project 🐛 We'll try and take a look at your issue soon ⏲

In the meantime you might want to join the Wimpys World Discord 🗣 where we have a large community of Linux 🐧 enthusiasts and passionate open source developers 🧑‍💻

You might also be interested in following Wimpys World Twitch 📡 channel where Wimpy streams let's code video, including this project, several times a week. A back catalog of past live stream and other Linux related content is available on Wimpys World YouTube 📺 channel.

github-actions[bot] avatar Sep 13 '22 07:09 github-actions[bot]

See these articles:

https://www.bleepingcomputer.com/news/security/windows-kb5012170-secure-boot-dbx-update-may-fail-with-0x800f0922-error/

https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/

If the bootloader is not vulnerable the patch is not needed. If it is, that is a fix out of scope of this project I suspect.

philclifford avatar Sep 18 '22 00:09 philclifford
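
KB5012170 is, per the linked Microsoft article, a Secure Boot DBX update, so one way to confirm for compliance what a guest's revocation list actually holds is to dump the `dbx` variable and parse its EFI_SIGNATURE_LIST records. The Python below is an added example, not part of the original thread or the Quickemu project. It assumes the raw variable bytes were exported beforehand (for instance with `Get-SecureBootUEFI -Name dbx` inside the Windows guest, or from efivarfs on Linux), and the sample data it builds is constructed.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_dbx(blob, efivarfs=False):
    """Return (sha256_hex_set, other_entry_count) from a raw dbx variable.

    efivarfs=True skips the 4-byte attribute prefix Linux efivarfs adds.
    """
    if efivarfs:
        blob = blob[4:]
    hashes, other, off = set(), 0, 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            data = body[i + 16:i + sig_size]  # skip the 16-byte SignatureOwner GUID
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32:
                hashes.add(data.hex())
            else:
                other += 1  # X.509 certificates and any other entry types
        off += list_size
    return hashes, other


def is_revoked(hashes, digest_hex):
    # dbx SHA-256 entries are Authenticode image hashes, not plain file hashes.
    return digest_hex.lower() in hashes


def build_sample_dbx():
    """Constructed sample: one SHA-256 list holding two made-up digests."""
    owner = uuid.UUID(int=0).bytes_le
    digests = [hashlib.sha256(b"constructed-bootloader-%d" % i).digest() for i in range(2)]
    sigs = b"".join(owner + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 48)
    return header + sigs, [d.hex() for d in digests]
```

Comparing the set returned before and after an update attempt shows whether the revocation list in the VM's EFI variable store actually changed.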

It would be nice if we could get some confirmations on if other people do or do not have this issue with quickemu configured Windows VMs. If they do, it might be worth trying for a workaround or documenting the issue. If not, I'm glad it's only me stuck with this, and is probably not worth caring about.

Craig-Macomber avatar Sep 18 '22 05:09 Craig-Macomber

Tagging @diddledani for a consultation on this one.

Dani, have you seen this in your Clouds project? Do you think something can be changed in QEMU behaviour to work around this failure to install the update?

flexiondotorg avatar Sep 20 '22 13:09 flexiondotorg

@Craig-Macomber I have been able to reproduce with fresh downloads/installs of Windows 10 and 11 using Quickemu.

flexiondotorg avatar Sep 20 '22 13:09 flexiondotorg

I can't reproduce this in Windows 11 via Clouds (Win11 build 22000.318)

lucyllewy avatar Sep 20 '22 14:09 lucyllewy

I had to recreate my Windows 11 VM and this time it does not seem to be impacted by this issue: everything worked flawlessly :). I'm not sure what changed (there has been at least one qemu update, and I had significant hardware changes, and maybe Windows changed something).

@flexiondotorg You might want to see if this still reproduces for you, and if not, close this issue.

Craig-Macomber avatar Nov 07 '22 20:11 Craig-Macomber

I have noticed this behaviour a lot recently. It's particularly bad when there's a multi-reboot needed, such as with the 22H2 I did the other week. This currently works for me:

When you have reached the end of the download & install phase, do a full normal shut down and make a snapshot. Big time saver if it doesn't go quite right .... then restart your VM in non-spice default sdl graphics mode & now press the 'restart now' button. If it's a small update, sometimes that's all that's needed. The latest virtio iso gives sdl mode some better screen resolution options btw, like 2560 for example. If you haven't installed the latest virtio, do that first.

For more complex, more resistant reboot sequences, you should press the escape key repeatedly during your restart. This will give you access to the Tiano bios. You can also try this if your boot-up has frozen at the Tiano logo. If you end up with 'shell>' as a prompt then you should type 'exit' which should give you the bios that way.

Use your keyboard to select 'Boot Manager' and choose 'Misc Device' if it's showing, otherwise try Qemu harddisk. This should work, even for major upgrades.

TuxVinyards avatar Nov 13 '22 14:11 TuxVinyards

So, did I understand this thread correctly, just to not care about installing this update?

wmutschl avatar Feb 10 '23 08:02 wmutschl

@wmutschl Behind the scenes, I have been quietly working on a modified version of quickemu.

https://github.com/TuxVinyards/quickemu-mod

I think this should help you and others with the Windows updating problems. Obviously, I would like my work to be successful. I think it is a move forward for the quickemu codebase & at this point I am inviting a few people to try the beta.

There have been a lot of changes with quickemu's Hypervisor instructions between versions 4.2 and 4.6. According to qemu docs, if you build a machine using one set, then it may deploy badly when given another. It works a bit like when you do a physical hdd/ssd swap on a physical Windows machine. Or doesn't work, to put it more aptly.

I have built a HyperVisor recipe selector into the settings section that you may want to experiment with. Please make sure to use the snapshot functions ...

Use the [d] boot option when doing upgrades. Make sure to shut down and snapshot after the update has installed. Then & only then, load the machine up again & press the 'restart now'.

When it does do the restart, keep continually pressing the 'esc' till you get the Tiano core bios to show its menu. Then 'Boot manager' > 'misc-device' or 'qemu-harddisk'. Avoid 'Windows Boot manager'. That's when you get the blue screens.

Update 22 feb: Improved the UI and fixed a couple of bugs that somehow crept in

Let me know how you get on.

TuxVinyards avatar Feb 19 '23 11:02 TuxVinyards