cockpit-project / cockpit-machines

Cockpit UI for virtual machines
GNU Lesser General Public License v2.1

Importing a virtual machine and selecting UEFI boot enables Secure Boot, with no option to disable it #1220

Open voltagex opened 1 year ago

voltagex commented 1 year ago

Apologies for any errors in this issue, it's past 2am here.

The EFI shell starts, and you get "access denied" if you try to manually start GRUB.

https://discuss.linuxcontainers.org/t/lxd-3-21-vm-efi-boot-error/6917 and others suggest this is an issue with Secure Boot.

If I try virsh edit --domain home-assistant I can see the following

  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd'>/home/voltagex/.config/libvirt/qemu/nvram/home-assistant_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>

If I remove those feature keys, I get an error along the lines of "operation failed: Unable to find any firmware to satisfy 'efi'".

I'm on Debian Testing.

dpkg --list | grep -E "(cockpit|virt|qemu)"
ii  cockpit                              300.1-1                           all          Web Console for Linux servers
ii  cockpit-bridge                       300.1-1                           amd64        Cockpit bridge server-side component
ii  cockpit-machines                     298-1                             all          Cockpit user interface for virtual machines
ii  cockpit-packagekit                   300.1-1                           all          Cockpit user interface for apps and package updates
ii  cockpit-podman                       76-1                              all          Cockpit component for Podman containers
ii  cockpit-storaged                     300.1-1                           all          Cockpit user interface for storage
ii  cockpit-system                       300.1-1                           all          Cockpit admin interface for a system
ii  cockpit-ws                           300.1-1                           amd64        Cockpit Web Service
ii  gir1.2-libvirt-glib-1.0:amd64        4.0.0-3                           amd64        GObject introspection files for the libvirt-glib library
ii  ipxe-qemu                            1.0.0+git-20190125.36a4c85-5.1    all          PXE boot firmware - ROM images for qemu
ii  libvirglrenderer1:amd64              0.10.4-1                          amd64        virtual GPU for KVM virtualization
ii  libvirt-clients                      9.7.0-1                           amd64        Programs for the libvirt library
ii  libvirt-daemon                       9.7.0-1                           amd64        Virtualization daemon
ii  libvirt-daemon-config-network        9.7.0-1                           all          Libvirt daemon configuration files (default network)
ii  libvirt-daemon-config-nwfilter       9.7.0-1                           all          Libvirt daemon configuration files (default network filters)
ii  libvirt-daemon-driver-lxc            9.7.0-1                           amd64        Virtualization daemon LXC connection driver
ii  libvirt-daemon-driver-qemu           9.7.0-1                           amd64        Virtualization daemon QEMU connection driver
ii  libvirt-daemon-driver-vbox           9.7.0-1                           amd64        Virtualization daemon VirtualBox connection driver
ii  libvirt-daemon-driver-xen            9.7.0-1                           amd64        Virtualization daemon Xen connection driver
ii  libvirt-daemon-system                9.7.0-1                           amd64        Libvirt daemon configuration files
ii  libvirt-daemon-system-systemd        9.7.0-1                           all          Libvirt daemon configuration files (systemd)
ii  libvirt-dbus                         1.4.1-3                           amd64        libvirt D-Bus API bindings
ii  libvirt-glib-1.0-0:amd64             4.0.0-3                           amd64        libvirt GLib and GObject mapping library
ii  libvirt-glib-1.0-data                4.0.0-3                           all          Common files for libvirt GLib library
ii  libvirt-l10n                         9.7.0-1                           all          localization for the libvirt library
ii  libvirt0:amd64                       9.7.0-1                           amd64        library for interfacing with different virtualization systems
ii  ovmf                                 2023.05-1                         all          UEFI firmware for 64-bit x86 virtual machines
ii  python3-libvirt                      9.7.0-1                           amd64        libvirt Python 3 bindings
ii  qemu-block-extra                     1:8.0.4+dfsg-3+b1                 amd64        extra block backend modules for qemu-system and qemu-utils
ii  qemu-efi                             2023.05-1                         all          transitional dummy package
ii  qemu-efi-aarch64                     2023.05-1                         all          UEFI firmware for 64-bit ARM virtual machines
ii  qemu-system-common                   1:8.0.4+dfsg-3+b1                 amd64        QEMU full system emulation binaries (common files)
ii  qemu-system-data                     1:8.0.4+dfsg-3                    all          QEMU full system emulation (data files)
ii  qemu-system-gui                      1:8.0.4+dfsg-3+b1                 amd64        QEMU full system emulation binaries (user interface and audio support)
ii  qemu-system-x86                      1:8.0.4+dfsg-3+b1                 amd64        QEMU full system emulation binaries (x86)
ii  qemu-utils                           1:8.0.4+dfsg-3+b1                 amd64        QEMU utilities
ii  virt-manager                         1:4.1.0-3                         all          desktop application for managing virtual machines
ii  virt-viewer                          11.0-3                            amd64        Displaying the graphical console of a virtual machine
ii  virtinst                             1:4.1.0-3                         all          utilities to create and edit virtual machines
voltagex commented 1 year ago

https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_firmware.c#L1857 - the error message was improved recently.

voltagex commented 1 year ago

I don't think this is entirely a cockpit-machines issue, but it can definitely be improved by adding more configuration options to the UI

On Rawhide, I can get things working but I still need to modify the XML.

https://gist.github.com/voltagex/5623bf3e2123aad3243f4efd9b11d116

voltagex commented 1 year ago

I guess I'm just debugging for myself at this point.

After enabling log_outputs="1:file:/var/log/libvirtd-debug.log" in /etc/libvirt/libvirtd.conf, I can see the following:

2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/40-edk2-aarch64-secure-enrolled.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1284 : User refused Enrolled keys, firmware '/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json' has them
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-aarch64-secure.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/50-edk2-x86_64-secure.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/60-edk2-aarch64.json'
2023-10-01 07:32:38.410+0000: 47214: debug : qemuFirmwareMatchDomain:1208 : No matching path in '/usr/share/qemu/firmware/60-edk2-x86_64.json'
2023-10-01 07:32:38.410+0000: 47214: error : qemuFirmwareFillDomain:1856 : operation failed: Unable to find any firmware to satisfy 'efi'
garrett commented 1 year ago

Details pages do have an information card that does show BIOS / EFI, and there's already a way to edit some of the other values, so I think it's straightforward from a UI perspective.

It'd open up a modal with radios to switch between them.


(Note: There's a redesign planned where this area of the page will change. But this info will still be there in the redesign.)

rstat1 commented 10 months ago

If you're editing the XML to disable Secure Boot, on the following line

<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>

you also have to change secure='yes' to secure='no' to fully disable Secure Boot.

Unless I'm not looking in the right place, there is no way to change this from the cockpit side.

baxterworks commented 10 months ago

@rstat1 which led to https://gitlab.com/libvirt/libvirt/-/issues/544, yes.

Thanks though.

voltagex commented 10 months ago

Just adding a couple more things here so I don't forget:

I am re-testing on Fedora 39.

Downloading & decompressing https://github.com/home-assistant/operating-system/releases/download/11.3/haos_ova-11.3.qcow2.xz

Let's say I go through the import workflow - the list of OSes here is different for import vs new!

Perhaps there could be some options here along the lines of Generic Linux, UEFI secure-boot and Generic Linux, UEFI


Hit import & edit so I can change BIOS to UEFI (this screen doesn't note that this is your last chance to do this)

Interestingly, with whatever combination of firmware exists on this system, I get the following screen instead of the shell this time: [screenshot]

virsh edit --domain homeassistant-test shows the following configuration

 <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-8.1'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' secure='yes' type='pflash' format='qcow2'>/usr/share/edk2/ovmf/OVMF_CODE_4M.secboot.qcow2</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2' format='qcow2'>/home/voltagex/.config/libvirt/qemu/nvram/homeassistant-test_VARS.qcow2</nvram>
    <boot dev='hd'/>
  </os>

Flipping the enrolled-keys and secure-boot feature to 'no', along with loader secure='no' leads to the error that I reported to libvirt - error: operation failed: Unable to find any firmware to satisfy 'efi' - I realise this is not a cockpit-machines issue.

Xelaph commented 6 months ago

Hi, I've been struggling with the same issue as you and I discovered a way to fix it. You should also edit the <loader> and <nvram> lines to read the following:

<firmware>
  <feature enabled='no' name='enrolled-keys'/>
  <feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash' format='qcow2'>/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2</loader>
<nvram template='/usr/share/edk2/ovmf/OVMF_VARS_4M.qcow2' format='qcow2'>/home/voltagex/.config/libvirt/qemu/nvram/homeassistant-test_VARS.qcow2</nvram>

This configuration worked for me on Fedora 39
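The libvirtd debug log earlier in this thread shows two different reasons for libvirt to skip a firmware descriptor: "No matching path" (the descriptor's image is not the one the <loader> element names) and "User refused Enrolled keys" (the descriptor advertises a feature the domain XML sets to 'no'). The fix above works because it changes both the feature switches and the <loader>/<nvram> paths together. The Python below is an added model of that selection written for this page; it is not libvirt's, QEMU's or cockpit-machines' own code. The descriptors are constructed sample data in the shape of QEMU's firmware.json format, with filenames and feature lists chosen to resemble the edk2 packaging named in the log and in the fix, and the `OVMF` prefix, `_desc`, `reject_reason`, `select_firmware` and `os_firmware_xml` names are this example's own. It reproduces the failure (features flipped to 'no' while <loader> still points at the .secboot image) and shows why pointing <loader> at the plain image, or in this model omitting <loader> entirely, selects the no-Secure-Boot descriptor.

```python
"""Model of libvirt firmware auto-selection for <os firmware='efi'>.
Added illustration, not libvirt or cockpit-machines code. Descriptors are
constructed in the shape of QEMU's firmware.json; paths and feature lists
are sample data resembling the edk2 packaging discussed in the thread.
"""
import fnmatch


def _desc(exe, nvram, arch, machines, features, fmt="qcow2"):
    """One descriptor, trimmed to the keys the matcher looks at."""
    return {
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": exe, "format": fmt},
            "nvram-template": {"filename": nvram, "format": fmt},
        },
        "targets": [{"architecture": arch, "machines": machines}],
        "features": features,
    }


OVMF = "/usr/share/edk2/ovmf/"  # assumed prefix, matches the Fedora paths in the thread
DESCRIPTORS = {  # the numeric prefix is the priority order the selector walks
    "40-edk2-x86_64-secure-enrolled.json": _desc(
        OVMF + "OVMF_CODE_4M.secboot.qcow2", OVMF + "OVMF_VARS_4M.secboot.qcow2",
        "x86_64", ["pc-q35-*"], ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"]),
    "50-edk2-ovmf-4m-qcow2-x64-nosb.json": _desc(
        OVMF + "OVMF_CODE_4M.qcow2", OVMF + "OVMF_VARS_4M.qcow2",
        "x86_64", ["pc-q35-*", "pc-i440fx-*"], ["acpi-s3"]),
    "50-edk2-x86_64-secure.json": _desc(
        OVMF + "OVMF_CODE_4M.secboot.qcow2", OVMF + "OVMF_VARS_4M.qcow2",
        "x86_64", ["pc-q35-*"], ["acpi-s3", "requires-smm", "secure-boot"]),
    "60-edk2-aarch64.json": _desc(
        "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",
        "/usr/share/edk2/aarch64/vars-template-pflash.raw", "aarch64", ["virt-*"], [], fmt="raw"),
}


def reject_reason(fw, *, arch, machine, features, loader_path=None):
    """Return None when `fw` satisfies the domain's request, else why not.
    `features` maps 'secure-boot' / 'enrolled-keys' to 'yes' or 'no', like
    <feature enabled=... name=.../> under <os><firmware>; a missing key means
    "don't care". `loader_path` is the text of an explicit <loader> element.
    """
    if "uefi" not in fw["interface-types"]:
        return "not a UEFI firmware"
    # An explicit <loader> path pins the image: descriptors for any other
    # image are skipped, which is the "No matching path" line in the log.
    if loader_path is not None and fw["mapping"]["executable"]["filename"] != loader_path:
        return "No matching path"
    if not any(t["architecture"] == arch and any(fnmatch.fnmatch(machine, g) for g in t["machines"])
               for t in fw["targets"]):
        return f"no target for {arch}/{machine}"
    has = set(fw["features"])
    for name in ("enrolled-keys", "secure-boot"):
        want = features.get(name)
        if want == "no" and name in has:
            return f"User refused {name}, firmware has it"
        if want == "yes" and name not in has:
            return f"User requested {name}, firmware lacks it"
    return None


def select_firmware(descriptors, **request):
    """Walk descriptors in priority (filename) order; return (chosen, log).
    `chosen` is None when nothing fits, with the final error appended to `log`."""
    log = []
    for name in sorted(descriptors):
        reason = reject_reason(descriptors[name], **request)
        if reason is None:
            return name, log
        log.append(f"{reason} in '{name}'")
    log.append("operation failed: Unable to find any firmware to satisfy 'efi'")
    return None, log


def os_firmware_xml(name, descriptors, features, nvram_path):
    """Render <firmware>/<loader>/<nvram> for a chosen descriptor so that the
    feature switches, the loader secure= flag and both image paths agree."""
    m = descriptors[name]["mapping"]
    secure = "yes" if "secure-boot" in descriptors[name]["features"] else "no"
    lines = ["<firmware>"]
    lines += [f"  <feature enabled='{features.get(k, 'no')}' name='{k}'/>"
              for k in ("enrolled-keys", "secure-boot")]
    lines.append("</firmware>")
    exe, tpl = m["executable"], m["nvram-template"]
    lines.append(f"<loader readonly='yes' secure='{secure}' type='pflash' "
                 f"format='{exe['format']}'>{exe['filename']}</loader>")
    lines.append(f"<nvram template='{tpl['filename']}' format='{tpl['format']}'>{nvram_path}</nvram>")
    return "\n".join(lines)


if __name__ == "__main__":
    q35 = dict(arch="x86_64", machine="pc-q35-8.1")
    off = {"secure-boot": "no", "enrolled-keys": "no"}
    # 1. features flipped to 'no' but <loader> still names the .secboot image: fails
    chosen, log = select_firmware(DESCRIPTORS, features=off,
                                  loader_path=OVMF + "OVMF_CODE_4M.secboot.qcow2", **q35)
    print("features off, secboot loader ->", chosen, *log, sep="\n  ")
    # 2. <loader> pointed at the plain image (the fix in the thread): nosb descriptor
    chosen, _ = select_firmware(DESCRIPTORS, features=off, loader_path=OVMF + "OVMF_CODE_4M.qcow2", **q35)
    print("features off, plain loader ->", chosen)
    print(os_firmware_xml(chosen, DESCRIPTORS, off, "/var/lib/libvirt/qemu/nvram/vm_VARS.qcow2"))
    # 3. no <loader> at all: in this model auto-selection alone finds the same descriptor
    print("features off, no loader ->", select_firmware(DESCRIPTORS, features=off, **q35)[0])
```

Running it prints the rejection trail for the failing case in the same shape as the libvirtd debug log, then the <firmware>/<loader>/<nvram> block for the working case with secure='no' on the loader, which is the combination rstat1 and Xelaph arrived at by hand. To check a real host instead of the sample data, the same matcher can be fed the JSON files under /usr/share/qemu/firmware and /etc/qemu/firmware with json.load, since they use the same keys.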
HVR88 commented 4 months ago

You can also press "any key" to enter the boot manager in the VM and then enter Device Manager (first option) and disable Secure Boot from the "Secure Boot Configuration" entry, which is the third option.