Creating vm with UEFI secure boot fails - unable to find any master var store for loader

[jomrr]

System Information

Linux distribution

Fedora 36

Terraform version

Terraform v1.3.3 on linux_amd64

Provider and libvirt versions

terraform-provider-libvirt 0.7.0

---

Checklist

• [ ] Is your issue/contribution related with enabling some setting/option exposed by libvirt that the plugin does not yet support, or requires changing/extending the provider terraform schema?

  • [ ] Make sure you explain why this option is important to you, why it should be important to everyone. Describe your use-case with detail and provide examples where possible.
  • [ ] If it is a very special case, consider using the XSLT support in the provider to tweak the definition instead of opening an issue
  • [ ] Maintainers do not have expertise in every libvirt setting, so please, describe the feature and how it is used. Link to the appropriate documentation

• [x] Is it a bug or something that does not work as expected? Please make sure you fill the version information below:

Description of Issue/Question

When creating a simple vm with UEFI loader the following error occurs:

Error: error creating libvirt domain: Operation failed: unable to find any master var store for loader: /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd

Setup

# main.tf
terraform {
  required_providers {
    libvirt = {
      source = "dmacvicar/libvirt"
    }
  }
}

provider "libvirt" {
  uri = "qemu:///system"
}

resource "libvirt_network" "test_network" {
    name = "test-network"
    mode = "nat"
    addresses = ["192.168.249.0/24"]
}

resource "libvirt_volume" "kernel_fedora" {
  source = "https://ftp.fau.de/fedora/linux/releases/36/Everything/x86_64/os/isolinux/vmlinuz"
  name   = "kernel-fedora"
  pool   = "default"
  format = "raw"
}

resource "libvirt_domain" "test_fedora" {
  name   = "test-fedora"
  memory = "8192"
  vcpu   = 4
  firmware = "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd"

  kernel = libvirt_volume.kernel_fedora.id

  qemu_agent = true

  console {
    type        = "pty"
    target_port = "0"
    target_type = "serial"
  }

  console {
    type        = "pty"
    target_type = "virtio"
    target_port = "1"
  }

  graphics {
    type        = "spice"
    listen_type = "address"
    autoport    = true
  }
}

Steps to Reproduce Issue

Shortened configuration of /etc/libvirt/qemu.conf, just added nvram config after first getting the error, the rest of the file is system default:

# Location of master nvram file
#
# This configuration option is obsolete. Libvirt will follow the
# QEMU firmware metadata specification to automatically locate
# firmware images. See docs/interop/firmware.json in the QEMU
# source tree. These metadata files are distributed alongside any
# firmware images intended for use with QEMU.
#
# NOTE: if ANY firmware metadata files are detected, this setting
# will be COMPLETELY IGNORED.
#
# ------------------------------------------
#
# When a domain is configured to use UEFI instead of standard
# BIOS it may use a separate storage for UEFI variables. If
# that's the case libvirt creates the variable store per domain
# using this master file as image. Each UEFI firmware can,
# however, have different variables store. Therefore the nvram is
# a list of strings when a single item is in form of:
#   ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
# Later, when libvirt creates per domain variable store, this list is
# searched for the master image. The UEFI firmware can be called
# differently for different guest architectures. For instance, it's OVMF
# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
# follows this scheme.
#nvram = [
#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]

nvram = [
    "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd",
    "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd"
]

terraform apply

---

Additional information:

SELinux is enforcing. Otherwise nothing special. Same error with SELinux in permissive mode.

[bhundven]

Ran into this same issue. I'm curious why it was closed "not planned"?