Hi Pieter,
I run it in CentOS 8:
Cloudstack:
<name>i-4-46-VM</name>
<uuid>e9c33f2d-7237-4cc1-b466-5d85a04ed549</uuid>
<description>Other PV Virtio-SCSI (64-bit)</description>
<cpu mode='host-model'>
<model fallback='allow'></model>
<feature policy='require' name='vmx'/>
<feature policy='require' name='vme'/>
<feature policy='require' name='smx'/>
</cpu>
<sysinfo type='smbios'>
<system>
<entry name='manufacturer'>Apache Software Foundation</entry>
<entry name='product'>CloudStack KVM Hypervisor</entry>
<entry name='uuid'>e9c33f2d-7237-4cc1-b466-5d85a04ed549</entry>
</system>
</sysinfo>
<os>
<type arch='x86_64' machine='q35'>hvm</type>
<nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/e9c33f2d-7237-4cc1-b466-5d85a04ed549.fd</nvram>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>
Virsh dump:
<sysinfo type='smbios'>
<system>
<entry name='manufacturer'>Apache Software Foundation</entry>
<entry name='product'>CloudStack KVM Hypervisor</entry>
<entry name='uuid'>e9c33f2d-7237-4cc1-b466-5d85a04ed549</entry>
</system>
</sysinfo>
<os>
<type arch='x86_64' machine='pc-q35-rhel8.2.0'>hvm</type>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>
Regards,
Piotr
From: Pieter Harvey <[email protected]>
Sent: Friday, December 17, 2021 5:46 PM
To: Pieter Harvey <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: UEFI on KVM silently becomes BIOS mode
Hi Piotr,
Is there any way to get this debug info (or xml dump) from CloudStack, what it
is creating versus what ends up in virsh?
I think I have configured everything correctly:
1. cloudstack uefi enabled in database for host (host.uefi.enable)
2. host agent has uefi.properties with all paths configured (snippet below
based on Ubuntu 20.04.3)
3. instance is configured for UEFI (tried both legacy and secure boot)
uefi.properties
==========
guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS.fd
guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS.fd
guest.loader.secure=/usr/share/OVMF/OVMF_CODE.secboot.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
sudo ls -lh /usr/share/OVMF/
====================
-rw-r--r-- 1 root root 1.9M Sep 20 13:11 OVMF_CODE.fd
lrwxrwxrwx 1 root root 20 Sep 20 13:11 OVMF_CODE.ms.fd -> OVMF_CODE.secboot.fd
-rw-r--r-- 1 root root 1.9M Sep 20 13:11 OVMF_CODE.secboot.fd
-rw-r--r-- 1 root root 128K Sep 20 13:11 OVMF_VARS.fd
-rw-r--r-- 1 root root 128K Sep 20 13:11 OVMF_VARS.ms.fd
-rw-r--r-- 1 root root 128K Sep 20 13:11 OVMF_VARS.snakeoil.fd
syslog
=====
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
uefi.properties file found at /etc/cloudstack/agent/uefi.properties
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
guest.nvram.template.legacy = /usr/share/OVMF/OVMF_VARS.fd
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
guest.loader.legacy = /usr/share/OVMF/OVMF_CODE.fd
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
guest.nvram.template.secure = /usr/share/OVMF/OVMF_VARS.fd
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
guest.loader.secure =/usr/share/OVMF/OVMF_CODE.secboot.fd
java[47841]: INFO [kvm.resource.LibvirtComputingResource] (main:) (logid:)
guest.nvram.path = /var/lib/libvirt/qemu/nvram/
-
Pieter
On 17 Dec 2021, at 16:15, Piotr Pisz <[email protected]> wrote:
Hi Pieter,
I have just checked, everything works as expected, maybe you have something
wrongly configured, check according to this:
https://lab.piszki.pl/cloudstack-vm-with-vtpm-and-secure-boot-uefi/
Regards,
Piotr
From: Pieter Harvey <[email protected]>
Sent: Friday, December 17, 2021 4:11 PM
To: "[email protected]" <[email protected]>
Subject: UEFI on KVM silently becomes BIOS mode
Hello,
Maybe it's something wrong with CloudStack, maybe it's my brain but I have an
issue regarding UEFI on CloudStack (4.16) + KVM (Ubuntu 20.04)
1. CloudStack Compute node is running, and can boot machines configured as UEFI
in the GUI (secure or legacy).
2. When the machine is booted, I checked the virsh xml config on the host and
noticed that the machine is still in BIOS mode, even though CloudStack "thinks"
it has deployed a fresh UEFI enabled instance.
I have configured uefi.properties on the agent and the host is UEFI enabled in
CloudStack but this is the config snippet of a deployed machine
<os>
<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>
However what I am expecting to see is:
<os firmware="efi">
<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
<loader secure="yes"/>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>
So CloudStack has changed the default machine type from 440fx to q35 but no
mention of UEFI or secureboot options in the output XML.
Any tips to get UEFI and possibly secure boot fully working?
-
Pieter
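
A check for the mismatch discussed in this thread, added here as an example and not code from CloudStack or from either poster: it summarises the firmware settings of an `<os>` block (or a full `virsh dumpxml` document) and reports where the running domain differs from the intended one. Treating a domain as UEFI only when `<os>` carries `firmware='efi'` or a pflash-type `<loader>` is this example's assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# <os> blocks copied from the thread: what the running domain showed and
# what the original poster expected for a secure-boot UEFI guest.
OBSERVED = """<os>
<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>"""

EXPECTED = """<os firmware="efi">
<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
<loader secure="yes"/>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>
</os>"""


def firmware_summary(xml_text):
    """Summarise firmware settings from a domain XML or a bare <os> block."""
    root = ET.fromstring(xml_text)
    os_el = root if root.tag == "os" else root.find("os")
    if os_el is None:
        raise ValueError("no <os> element in the supplied XML")
    loader = os_el.find("loader")
    # Assumption of this example: UEFI means firmware='efi' on <os>
    # or a pflash-type <loader>; anything else is reported as BIOS.
    uefi = os_el.get("firmware") == "efi" or (
        loader is not None and loader.get("type") == "pflash")
    return {
        "mode": "uefi" if uefi else "bios",
        "secure_boot": loader is not None and loader.get("secure") == "yes",
        "nvram": os_el.find("nvram") is not None,
    }


def firmware_drift(intended_xml, running_xml):
    """Return {field: (intended, running)} for every setting that differs."""
    want, have = firmware_summary(intended_xml), firmware_summary(running_xml)
    return {k: (want[k], have[k]) for k in want if want[k] != have[k]}


if __name__ == "__main__":
    for field, (want, have) in firmware_drift(EXPECTED, OBSERVED).items():
        print(f"{field}: intended={want!r} running={have!r}")
```

An empty result from `firmware_drift` means the running domain matches the intended firmware settings; any entry is a guest that silently lost UEFI or secure boot on the way to libvirt.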