yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1960758] Re: UEFI libvirt servers can't boot on Ubuntu 20.04 hypervisors with Ussuri/Victoria

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Mauricio Faria de Oliveira <1960758@xxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Sep 2022 13:51:51 -0000
Reply-to: Bug 1960758 <1960758@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This turned out not to be needed in practice; marking as Won't Fix.

** Changed in: nova/ussuri
       Status: Confirmed => Invalid

** Changed in: nova/victoria
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1960758

Title:
  UEFI libvirt servers can't boot on Ubuntu 20.04 hypervisors with
  Ussuri/Victoria

Status in OpenStack Compute (nova):
  Invalid
Status in OpenStack Compute (nova) ussuri series:
  Invalid
Status in OpenStack Compute (nova) victoria series:
  Invalid

Bug description:
  Description:
  ===

  Currently, setting hw_firwmare_type=uefi might create
  _unbootable_ servers on 20.04 hypervisors with Ussuri
  and Victoria (Wallaby and later are OK).

  This might hit other distros w/ OVMF_CODE.secboot.fd.

  We should not use the Secure Boot firmware on the 'pc'
  machine type, as 'q35' is _required_ by OVMF firmware
  if SMM feature is built (usually the case, to actually
  secure the SB feature). 
  [See comment #6 for research and #7 for test evidence.]

  Steps to Reproduce:
  ===

  $ openstack image set --property hw_firmware_type=uefi $IMAGE
  $ openstack server create --image $IMAGE --flavor $FLAVOR --network $NETWORK uefi-server

  Expected Result:
  ===

  The server's libvirt XML uses UEFI _without_ Secure Boot.

          <loader readonly='yes'
  type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>

  Guest boots, and console log confirms UEFI mode:

          $ openstack console log show srv | grep -i -e efi -e bios
          ...
          Creating boot entry "Boot0003" with label "ubuntu" for file "\EFI\ubuntu\shimx64.efi"
          ...
          [    0.000000] efi: EFI v2.70 by EDK II
          [    0.000000] efi:  SMBIOS=0x7fbcd000  ACPI=0x7fbfa000  ACPI
          2.0=0x7fbfa014  MEMATTR=0x7eb30018
          [    0.000000] SMBIOS 2.8 present.
          [    0.000000] DMI: OpenStack Foundation OpenStack Nova, BIOS 0.0.0 02/06/2015
          ...

  Actual Result:
  ===

  The server's libvirt XML uses UEFI _with_ Secure Boot.

          <loader readonly='yes'
  type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>

  Guest doesn't boot; empty console log; qemu-kvm looping at 100% CPU.

          $ openstack console log show srv | grep -i -e efi -e bios
          $ openstack console log show srv | wc -l
          0

          $ juju run --app nova-compute 'top -b -d1 -n5 | grep qemu'
            67205 libvirt+  ... 100.0   1.4   1:18.35 qemu-sy+
            67205 libvirt+  ... 100.0   1.4   1:19.36 qemu-sy+
            67205 libvirt+  ...  99.0   1.4   1:20.36 qemu-sy+
            67205 libvirt+  ... 101.0   1.4   1:21.37 qemu-sy+
            67205 libvirt+  ... 100.0   1.4   1:22.38 qemu-sy+

  Environment:
  ===

  - Hypervisor running Ubuntu 20.04 LTS (Focal)
  - Nova from Ussuri (Ubuntu Archive) or Victoria (Cloud Archive).

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1960758/+subscriptions

References

[Bug 1960758] [NEW] UEFI guests can't boot on Ubuntu 20.04 with Ussuri/Victoria
From: Mauricio Faria de Oliveira, 2022-02-13