[Bug 2022312] Re: Adding IA32 to X64 pkg, because secure boot is not working on Focal
Mauricio Faria de Oliveira
2022312 at bugs.launchpad.net
Sat Jan 13 20:14:43 UTC 2024
I have reread this bug, the other bug 1903681, and EDK2 bug 3064 [1].
I agree with Christian's assessment in comment 11 and Dann's remark in comment 25.
That is, nova should set suspend-to-mem (disable_s3), but not by default (opt-in).
> The domain needs to have something like:
> <pm>
>   <suspend-to-mem enabled='no'/>
> </pm>
>
> Then it should get the [b]it set, which is depending on the rest of the
> guest config then either ICH9-LPC.disable_s3=1 or PIIX4_PM.disable_s3=1.
>
> So the entry above is something that nova could set on secure boot for focal-yoga
> to get the case working without chan[g]ing EDK2 or the qemu defaults (as we consider
> those two more regression risky).
and
> Patching Nova to do something atypical for focal feels like it would carry more risk.
also, from [1]
> Brief summary: if you want S3 resume with SMM, then your PEI phase needs to be 32-bit
> (you need the IA32X64 build of OVMF -- "OvmfPkg/OvmfPkgIa32X64.dsc" -- if you want your DXE phase to be 64-bit).
> If you don't care about S3 resume, then you can use the purely 64-bit build of OVMF even with SMM enabled
> (like you are building X64 now), but then you need to explicitly disable S3 support on the QEMU command line (see option (2)) above.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2022312
Title:
Adding IA32 to X64 pkg, because secure boot is not working on Focal
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in edk2 package in Ubuntu:
Fix Released
Status in edk2 source package in Focal:
In Progress
Status in edk2 source package in Jammy:
Fix Released
Bug description:
[Impact]
In Focal, secureboot is not working (black screen right after the instance is started)
[Test Case]
0. juju bundle for focal-yoga openstack env
- https://pastebin.ubuntu.com/p/G38JwXMX5G/
1. create custom image with cirros
- openstack image create --container-format bare --disk-format qcow2 --file cirros-0.5.1-x86_64-disk.img cirros
2. set image properties.
- $ openstack image set --property hw_machine_type=q35 --property hw_firmware_type=uefi --property os_secure_boot=required cirros
3. In focal, create instance, and enable secureboot
4. start instance.
5. you can see only a black screen.
[Where problems could occur]
Secureboot may have issues.
[Others]
For Jammy, it is ok
instance xml
- https://pastebin.ubuntu.com/p/MnK6nx3vwy/
#ADDED
Testing
1. Prepared cirros and cirros2 image
2. only set secure boot parameters to cirros image
3. launch instances
- instance with cirros image
- instance with cirros2 image
4. test result
- booting cirros instance doesn't work (black screen) with original OVMF_CODE_4M.secboot.fd
- booting cirros instance does work (shows UEFI prompt) with patched OVMF_CODE_4M.secboot.fd
- booting cirros2 instance either cases.
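
Added example, not part of the original message or of nova, libvirt or EDK2 code: a check over a libvirt domain XML that reports whether a secure-boot guest carries the `<pm>` element quoted above and which of the two QEMU properties named in the message it corresponds to. The sample domain, the firmware path placeholder, the function name `check_s3` and the selection of the property by a `q35` substring in the machine type are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain (not the instance XML linked from the bug).
TEMPLATE = """<domain type='kvm'>
  <name>constructed-guest</name>
  <os>
    <type arch='x86_64' machine='{machine}'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/path/to/OVMF_CODE_4M.secboot.fd</loader>
  </os>
  <features><smm state='on'/></features>
  {pm}
</domain>"""
PM_S3_OFF = "<pm><suspend-to-mem enabled='no'/></pm>"


def check_s3(domain_xml):
    """Report whether a secure-boot guest has S3 (suspend-to-mem) disabled."""
    root = ET.fromstring(domain_xml)
    loader = root.find("./os/loader")
    secure = loader is not None and loader.get("secure") == "yes"
    os_type = root.find("./os/type")
    machine = os_type.get("machine", "") if os_type is not None else ""
    s3 = root.find("./pm/suspend-to-mem")
    # An absent <pm> element leaves the hypervisor default in place,
    # so only an explicit enabled='no' counts as disabled.
    s3_disabled = s3 is not None and s3.get("enabled") == "no"
    # Assumption: q35 machine types expose the ICH9-LPC device, others PIIX4_PM.
    prop = "ICH9-LPC.disable_s3" if "q35" in machine else "PIIX4_PM.disable_s3"
    return {
        "secure_boot": secure,
        "s3_disabled": s3_disabled,
        "qemu_property": prop,
        "needs_opt_in": secure and not s3_disabled,
    }


if __name__ == "__main__":
    for machine in ("pc-q35-4.2", "pc-i440fx-4.2"):
        for pm in ("", PM_S3_OFF):
            xml = TEMPLATE.format(machine=machine, pm=pm)
            print(machine, "pm set" if pm else "no pm", check_s3(xml))
```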