lejeczek
2023-Apr-14 11:39 UTC
encrypting image file breaks efi/boot of the guest/Ubuntu - ?
On 11/04/2023 09:13, Peter Krempa wrote:
> On Sat, Apr 08, 2023 at 11:25:18 +0200, lejeczek wrote:
>> Hi guys.
>>
>> I have a guest and that guest differs from all other guests by:
>>
>>   <os>
>>     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
>>     <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
>>     <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
>>     <boot dev='hd'/>
>>     <bootmenu enable='yes'/>
>>   </os>
>>
>> whereas everything else has:
>>
>>   <os>
>>     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
>>     <boot dev='hd'/>
>>     <boot dev='cdrom'/>
>>     <bootmenu enable='yes'/>
>>   </os>
>>
>> Now, that different guest fails - as the only one - to start, to boot after
>> its qcow2 image was luks-encrypted.
>> Guest starts but says that:
>>
>> BdsDxe: failed to load Boot0001 "Uefi Misc Device" from PciRoot
>> (0x0)/Pci(0x2,0x3)/Pci(0x0,0x0): Not found
>>
>> revert back to original, non-encrypted qcow2 image and all works a ok.
> Please attach either the full XML or at least the disk part for *both*
> the case where it doesn't work and where it does work.
>

<domain type='kvm'>
  <name>ubusrv1</name>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://ubuntu.com/ubuntu/22.04"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='GiB'>4</memory>
  <currentMemory unit='GiB'>4</currentMemory>
  <vcpu placement='auto' cpuset='2'>2</vcpu>
  <numatune>
    <memory mode='strict' placement='auto'/>
  </numatune>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
    <smm state='on'/>
  </features>
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='forbid'>EPYC-Rome</model>
    <feature policy='require' name='ibpb'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='virt-ssbd'/>
    <feature policy='require' name='x2apic'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='xsave'/>
    <feature policy='disable' name='svm'/>
    <feature policy='require' name='topoext'/>
    <feature policy='disable' name='npt'/>
    <feature policy='disable' name='nrip-save'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' discard='unmap'/>
      <source file='/00-VMs/ubusrv1.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
...

When I add encryption to <disk> & use encrypted qcow2 then VM fails as I described.

many thanks, L.
Peter Krempa
2023-Apr-14 11:57 UTC
encrypting image file breaks efi/boot of the guest/Ubuntu - ?
On Fri, Apr 14, 2023 at 13:39:17 +0200, lejeczek wrote:
>
>
> On 11/04/2023 09:13, Peter Krempa wrote:
> > On Sat, Apr 08, 2023 at 11:25:18 +0200, lejeczek wrote:
> > > Hi guys.
> > >
> > > I have a guest and that guest differs from all other guests by:
> > >
> > >   <os>
> > >     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
> > >     <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
> > >     <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
> > >     <boot dev='hd'/>
> > >     <bootmenu enable='yes'/>
> > >   </os>
> > >
> > > whereas everything else has:
> > >
> > >   <os>
> > >     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
> > >     <boot dev='hd'/>
> > >     <boot dev='cdrom'/>
> > >     <bootmenu enable='yes'/>
> > >   </os>
> > >
> > > Now, that different guest fails - as the only one - to start, to boot after
> > > its qcow2 image was luks-encrypted.
> > > Guest starts but says that:
> > >
> > > BdsDxe: failed to load Boot0001 "Uefi Misc Device" from PciRoot
> > > (0x0)/Pci(0x2,0x3)/Pci(0x0,0x0): Not found
> > >
> > > revert back to original, non-encrypted qcow2 image and all works a ok.
> > Please attach either the full XML or at least the disk part for *both*
> > the case where it doesn't work and where it does work.

[...]

>   <devices>
>     <emulator>/usr/libexec/qemu-kvm</emulator>
>     <disk type='file' device='disk'>
>       <driver name='qemu' type='qcow2' cache='none' discard='unmap'/>
>       <source file='/00-VMs/ubusrv1.qcow2'/>
>       <target dev='vda' bus='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
>     </disk>
> ...
>
> When I add encryption to <disk> & use encrypted qcow2 then VM fails as I
> described.

I specifically asked for '*both*' XMLs. The working one. And the non-working one.