Bug#1052299: gnome-boxes: Cannot install "GNOME OS Nightly" - secure-boot set by ovmf while gnome os efi seems not signed
Alban Browaeys
prahal at yahoo.com
Wed Sep 20 04:56:24 BST 2023
Package: gnome-boxes
Version: 45.0-1
Severity: normal
Dear Maintainer,
If I attempt to create a GNOME OS guest I end up on the edkII console.
If in the console I try to boot the EFI (in FS0:, be it bootx64.efi in
\EFI\BOOT or systemd-bootx64.efi in EFI\systemd) I get a "Command Error
Status: Access Denied" error.
I got the clue it might be secure boot related by https://forum.proxmox.com/threads/vm-always-going-into-uefi-interactive-shell.119215/
I also learned that the install was fine with the flatpak, so I compared
the VM configurations for GNOME OS:
Debian gnome-boxes 45:
<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-8.0">hvm</type>
  <firmware>
    <feature enabled="yes" name="enrolled-keys"/>
    <feature enabled="yes" name="secure-boot"/>
  </firmware>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
  <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/home/prahal/.config/libvirt/qemu/nvram/gnomenightly_VARS.fd</nvram>
  <boot dev="cdrom"/>
  <boot dev="hd"/>
  <bootmenu enable="yes"/>
</os>
<features>
  <acpi/>
  <apic/>
  <smm state="on"/>
</features>
Flatpak gnome-boxes 44:
<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-7.2">hvm</type>
  <boot dev="cdrom"/>
  <boot dev="hd"/>
  <bootmenu enable="yes"/>
</os>
<features>
  <acpi/>
  <apic/>
</features>
Grepping where this secure-boot feature comes from, I ended up on:
/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json
Scrambling the target (for example, replacing in "machines", "pc-q35-*"
by "pc-q35xxx-*") in this file to avoid its settings being added to
(all?) the guest VMs, I now can install "GNOME OS Nightly x86_64" (i.e.
edk2 boots into the installer and the installer proceeds).
This might well be an ovmf bug.
Still, as I don't know if gnome-boxes or qemu have flags to avoid ovmf
bringing in this secure-boot for all guest setups, I start up the stack.
Cheers,
Alban
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'testing'), (500, 'stable'), (90, 'unstable-debug'), (90, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0+ (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-boxes depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-4
ii genisoimage 9:1.1.11-3.4
ii libarchive13 3.6.2-1
ii libc6 2.37-8
ii libcairo2 1.17.8-3
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libglib2.0-0 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 238-2
ii libhandy-1-0 1.8.2-2
ii libosinfo-1.0-0 1.10.0-2
ii libosinfo-bin 1.10.0-2
ii libsoup-3.0-0 3.4.3-1
ii libspice-client-glib-2.0-8 0.42-2
ii libspice-client-gtk-3.0-5 0.42-2
ii libusb-1.0-0 2:1.0.26-1
ii libvirt-clients 9.7.0-1
ii libvirt-daemon 9.7.0-1
ii libvirt-glib-1.0-0 4.0.0-3
ii libwebkit2gtk-4.1-0 2.40.5-1
ii libxml2 2.9.14+dfsg-1.3
ii tracker 3.6.0-1
ii user-session-migration 0.4.1
Versions of packages gnome-boxes recommends:
ii qemu-system-x86 1:8.0.4+dfsg-3+b1
Versions of packages gnome-boxes suggests:
ii gnome-connections 45~rc-1
-- no debconf information
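As an added example, not taken from the report or from gnome-boxes, libvirt or qemu: a small Python model of how libvirt's firmware autoselection walks the descriptor files under /usr/share/qemu/firmware, which shows why a pc-q35 guest picks up the enrolled-keys/secure-boot build first unless secure boot is declined in the domain XML. Only the 40-edk2-x86_64-secure-enrolled.json file name comes from the report; the two other file names, the loader paths and the feature lists are constructed, and the real selection in libvirt also checks SMM and loader type, which this model leaves out.

```python
import fnmatch
import json

# Constructed descriptors in the layout of /usr/share/qemu/firmware/*.json.
# Only the first file name is from the bug report; the other names, the
# loader paths and the feature lists are assumptions for this example.
DESCRIPTORS = {
    "40-edk2-x86_64-secure-enrolled.json": json.dumps({
        "interface-types": ["uefi"],
        "mapping": {"device": "flash", "executable": {"filename": "/usr/share/OVMF/OVMF_CODE_4M.ms.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["enrolled-keys", "requires-smm", "secure-boot"]}),
    "50-edk2-x86_64-secure.json": json.dumps({
        "interface-types": ["uefi"],
        "mapping": {"device": "flash", "executable": {"filename": "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["requires-smm", "secure-boot"]}),
    "60-edk2-x86_64.json": json.dumps({
        "interface-types": ["uefi"],
        "mapping": {"device": "flash", "executable": {"filename": "/usr/share/OVMF/OVMF_CODE_4M.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
        "features": []}),
}


def candidate_firmware(descriptors, arch, machine, secure_boot=None):
    """Usable descriptors for (arch, machine) in the order libvirt tries them
    (file name sort, lowest numeric prefix first), so index 0 is what the guest
    gets.  secure_boot=None means no preference, which is how the report's
    pc-q35-8.0 guest ended up on the enrolled-keys build; True/False mirrors
    <feature enabled="yes|no" name="secure-boot"/> in the domain XML."""
    found = []
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        if "uefi" not in desc.get("interface-types", []):
            continue  # BIOS-style descriptors never match firmware="efi"
        if not any(t["architecture"] == arch
                   and any(fnmatch.fnmatchcase(machine, pat) for pat in t["machines"])
                   for t in desc.get("targets", [])):
            continue
        features = set(desc.get("features", []))
        if secure_boot is not None and ("secure-boot" in features) != secure_boot:
            continue
        found.append({"descriptor": name,
                      "loader": desc["mapping"]["executable"]["filename"],
                      "secure-boot": "secure-boot" in features,
                      "enrolled-keys": "enrolled-keys" in features})
    return found
```

Compared with editing the descriptor's machine glob as the report does, which affects every guest on the host, asking for `secure_boot=False` (the equivalent of `<feature enabled="no" name="secure-boot"/>` under `<firmware>`) changes the selection for that one guest only.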