* Help needed in building UEFI qcow2 images
@ 2019-05-22 11:02 Pavan Kumar Aravapalli
  2019-05-22 11:19 ` Tomas Pilar (tpilar)
  0 siblings, 1 reply; 16+ messages in thread
From: Pavan Kumar Aravapalli @ 2019-05-22 11:02 UTC (permalink / raw)
  To: devel@edk2.groups.io

[-- Attachment #1: Type: text/plain, Size: 1046 bytes --]

Hi,

[re-posting the question]

I am looking for information/documentation which helps me in enabling UEFI boot to the existing (KVM) VM template. I am trying for CentOS 6.5(64-bit) no GUI 64-bit (KVM) template.

I found some images available over https://www.kraxel.org/repos/images/ with fedora os, but I am looking for uefi enabled Cent OS template. It would be helpful if any documentation or steps provided for the same.

Regards,
Pavan.

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 2788 bytes --]

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Help needed in building UEFI qcow2 images
  2019-05-22 11:02 Help needed in building UEFI qcow2 images Pavan Kumar Aravapalli
@ 2019-05-22 11:19 ` Tomas Pilar (tpilar)
  2019-05-22 15:58   ` [edk2-devel] " Andrew Fish
  2019-06-03 19:21   ` Pavan Kumar Aravapalli
  0 siblings, 2 replies; 16+ messages in thread
From: Tomas Pilar (tpilar) @ 2019-05-22 11:19 UTC (permalink / raw)
  To: Devel EDK2, pavankumar_a@accelerite.com

[-- Attachment #1.1: Type: text/plain, Size: 1954 bytes --]

Hi Pavan,

I am currently playing around with setting up an OVMF-based test framework myself. You likely need to tell qemu to use OVMF as its firmware. I attach my current working libvirt XML file for creating UEFI VMs (diskless) - note the <loader> and the <nvram> elements within the <os> element.

You want to add a disk sourced from the qcow image and that should work.

Cheers,
Tom

[-- Attachment #1.2: Type: text/html, Size: 6134 bytes --]

[-- Attachment #2: kvm.xml --]
[-- Type: text/xml; name="kvm.xml", Size: 2658 bytes --]

<domain type='kvm' id='5'>
  <name>Qemu Test</name>
  <uuid>6a92c8c3-c6b4-4b57-a164-0a9917eeaf19</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>hvm</type>
    <bootmenu enable='yes' timeout='3000'/>
    <loader readonly='yes' secure='no' type='pflash'>/tmp/ovmf-test/OVMF_CODE.fd</loader>
    <nvram template='/tmp/ovmf-test/OVMF_VARS.fd'>/tmp/ovmf-test/OVMF_VARS2.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Server-IBRS</model>
    <feature policy='require' name='hypervisor'/>
    <feature policy='disable' name='arat'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>preserve</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>preserve</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        [ADDRESS]
      </source>
    </hostdev>
    <serial type='file'>
      <source path='/tmp/ovmf-test/serial0.log'/>
      <target port='0' />
      <alias name='serial0'/>
    </serial>
    <serial type='file'>
      <source path='/tmp/ovmf-test/serial1.log'/>
      <target port='1' />
      <alias name='serial1'/>
    </serial>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
      <image compression='off'/>
    </graphics>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

^ permalink raw reply [flat|nested] 16+ messages in thread
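Added example, not part of any message in this thread: a Python check of the <os>, <features> and <devices> elements that the message above points to, run against constructed domain XML. It goes slightly beyond that message by also covering a Secure Boot loader and an <nvram> file named by more than one domain; the function name, finding codes and sample paths are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the libvirt domain definitions in this thread.
# DISKLESS follows the diskless test VM layout; SECURE is a Secure Boot variant.
# All names and paths here are placeholders, not values from a real host.
DISKLESS = """
<domain type='kvm'>
  <name>diskless-test</name>
  <os>
    <type arch='x86_64'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/tmp/ovmf-test/OVMF_CODE.fd</loader>
    <nvram template='/tmp/ovmf-test/OVMF_VARS.fd'>/tmp/ovmf-test/OVMF_VARS2.fd</nvram>
  </os>
  <features><acpi/><apic/></features>
  <devices/>
</domain>
"""

SECURE = """
<domain type='kvm'>
  <name>secure-test</name>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/example/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/other-vm_VARS.fd</nvram>
  </os>
  <features><acpi/><apic/><smm state='on'/></features>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/secure-test.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

# Directories that any local user can write to.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_uefi_domain(xml_text, nvram_in_use=()):
    """Return finding codes for the firmware-related parts of one domain XML.

    nvram_in_use: varstore paths already assigned to other domains.
    """
    root = ET.fromstring(xml_text)
    findings = []

    loader = root.find("./os/loader")
    if loader is None or loader.get("type") != "pflash":
        # Without a pflash <loader> the guest is not given OVMF as firmware.
        return ["no-pflash-loader"]
    if loader.get("readonly") != "yes":
        # The firmware code image should not be writable by the guest.
        findings.append("loader-not-readonly")

    nvram = root.find("./os/nvram")
    paths = [(loader.text or "").strip()]
    if nvram is not None:
        nvram_path = (nvram.text or "").strip()
        paths += [nvram_path, nvram.get("template", "")]
        # Each VM needs its own copy of the variable store.
        if nvram_path and nvram_path in nvram_in_use:
            findings.append("nvram-shared-with-other-domain")
    if any(p.startswith(WORLD_WRITABLE) for p in paths if p):
        findings.append("firmware-path-world-writable-dir")

    if loader.get("secure") == "yes":
        # libvirt's QEMU driver accepts secure='yes' only on a q35 machine
        # type with SMM enabled (<smm state='on'/> under <features>).
        type_el = root.find("./os/type")
        machine = type_el.get("machine", "") if type_el is not None else ""
        smm = root.find("./features/smm")
        if "q35" not in machine:
            findings.append("secure-loader-needs-q35")
        if smm is None or smm.get("state", "on") != "on":
            findings.append("secure-loader-needs-smm")
    else:
        findings.append("secure-boot-not-declared")

    # A diskless definition boots only to the firmware; a guest needs a disk.
    disks = [d for d in root.findall("./devices/disk")
             if d.get("device", "disk") == "disk"]
    if not disks:
        findings.append("no-disk-attached")
    return findings


if __name__ == "__main__":
    print(audit_uefi_domain(DISKLESS))
    print(audit_uefi_domain(
        SECURE, nvram_in_use={"/var/lib/libvirt/qemu/nvram/other-vm_VARS.fd"}))
```
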
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 11:19 ` Tomas Pilar (tpilar)
@ 2019-05-22 15:58   ` Andrew Fish
  2019-05-22 16:57     ` Tomas Pilar (tpilar)
  2019-05-22 19:05     ` Laszlo Ersek
  2019-06-03 19:21   ` Pavan Kumar Aravapalli
  1 sibling, 2 replies; 16+ messages in thread
From: Andrew Fish @ 2019-05-22 15:58 UTC (permalink / raw)
  To: devel, Tomas Pilar (tpilar)

[-- Attachment #1: Type: text/plain, Size: 2318 bytes --]

Tom,

Looks like the mailing list stripped your attachment.

Thanks,

Andrew Fish

> On May 22, 2019, at 4:19 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
>
> Hi Pavan,
>
> I am currently playing around with setting up an OVMF-based test framework myself. You likely need to tell qemu to use OVMF as its firmware. I attach my current working libvirt XML file for creating UEFI VMs (diskless) – note the <loader> and the <nvram> elements within the <os> element.
>
> You want to add a disk sourced from the qcow image and that should work.
>
> Cheers,
> Tom
>
> <kvm.xml>

[-- Attachment #2: Type: text/html, Size: 7363 bytes --]

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images 2019-05-22 15:58 ` [edk2-devel] " Andrew Fish @ 2019-05-22 16:57 ` Tomas Pilar (tpilar) 2019-05-22 17:05 ` Andrew Fish 2019-05-22 19:05 ` Laszlo Ersek 1 sibling, 1 reply; 16+ messages in thread From: Tomas Pilar (tpilar) @ 2019-05-22 16:57 UTC (permalink / raw) To: devel, afish [-- Attachment #1: Type: text/html, Size: 14770 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 16:57 ` Tomas Pilar (tpilar)
@ 2019-05-22 17:05   ` Andrew Fish
  0 siblings, 0 replies; 16+ messages in thread
From: Andrew Fish @ 2019-05-22 17:05 UTC (permalink / raw)
  To: Tomas Pilar (tpilar), Stephano Cetola; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 5367 bytes --]

It should work. Stephano is going to take a look.

Thanks,

Andrew Fish

> On May 22, 2019, at 9:57 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
>
> Thanks Andrew,
>
> I thought that groups.io is supposed to allow attachments?
>
> Anyway snippet below:
>
> ----
>
> <domain type='kvm' id='5'>
>   <name>Qemu Test</name>
>   <uuid>6a92c8c3-c6b4-4b57-a164-0a9917eeaf19</uuid>
>   <memory unit='KiB'>2097152</memory>
>   <currentMemory unit='KiB'>2097152</currentMemory>
>   <vcpu placement='static'>2</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>hvm</type>
>     <bootmenu enable='yes' timeout='3000'/>
>     <loader readonly='yes' secure='no' type='pflash'>/tmp/ovmf-test/OVMF_CODE.fd</loader>
>     <nvram template='/tmp/ovmf-test/OVMF_VARS.fd'>/tmp/ovmf-test/OVMF_VARS2.fd</nvram>
>   </os>
>   <features>
>     <acpi/>
>     <apic/>
>   </features>
>   <clock offset='utc'>
>     <timer name='rtc' tickpolicy='catchup'/>
>     <timer name='pit' tickpolicy='delay'/>
>     <timer name='hpet' present='no'/>
>   </clock>
>   <on_poweroff>preserve</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>preserve</on_crash>
>   <pm>
>     <suspend-to-mem enabled='no'/>
>     <suspend-to-disk enabled='no'/>
>   </pm>
>   <devices>
>     <emulator>/usr/libexec/qemu-kvm</emulator>
>     <controller type='pci' index='0' model='pci-root'>
>       <alias name='pci.0'/>
>     </controller>
>     <hostdev mode='subsystem' type='pci' managed='yes'>
>       <source>
>         [ADDRESS]
>       </source>
>     </hostdev>
>     <serial type='file'>
>       <source path='/tmp/ovmf-test/serial0.log'/>
>       <target port='0' />
>       <alias name='serial0'/>
>     </serial>
>     <serial type='file'>
>       <source path='/tmp/ovmf-test/serial1.log'/>
>       <target port='1' />
>       <alias name='serial1'/>
>     </serial>
>     <input type='mouse' bus='ps2'>
>       <alias name='input1'/>
>     </input>
>     <input type='keyboard' bus='ps2'>
>       <alias name='input2'/>
>     </input>
>     <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
>       <listen type='address' address='127.0.0.1'/>
>       <image compression='off'/>
>     </graphics>
>     <video>
>       <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
>       <alias name='video0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
>     </video>
>     <rng model='virtio'>
>       <backend model='random'>/dev/urandom</backend>
>       <alias name='rng0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
>     </rng>
>   </devices>
> </domain>
>
> --
>
> On 22/05/2019 16:58, Andrew Fish via Groups.Io wrote:
>> Tom,
>>
>> Looks like the mailing list stripped your attachment.
>>
>> Thanks,
>>
>> Andrew Fish

[-- Attachment #2: Type: text/html, Size: 16017 bytes --]

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 15:58 ` [edk2-devel] " Andrew Fish
  2019-05-22 16:57   ` Tomas Pilar (tpilar)
@ 2019-05-22 19:05   ` Laszlo Ersek
  2019-05-22 19:10     ` Andrew Fish
  1 sibling, 1 reply; 16+ messages in thread
From: Laszlo Ersek @ 2019-05-22 19:05 UTC (permalink / raw)
  To: devel, afish, Tomas Pilar (tpilar)

On 05/22/19 17:58, Andrew Fish via Groups.Io wrote:
> Tom,
>
> Looks like the mailing list stripped your attachment.

I got the attachment OK, and I also see it in both mail archives:

https://edk2.groups.io/g/devel/message/41228

http://mid.mail-archive.com/ed4cfca6710b43f78ea5d6d05a87b676@ukex01.SolarFlarecom.com

Thanks,
Laszlo

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 19:05 ` Laszlo Ersek
@ 2019-05-22 19:10   ` Andrew Fish
  2019-05-23 13:45     ` Laszlo Ersek
  0 siblings, 1 reply; 16+ messages in thread
From: Andrew Fish @ 2019-05-22 19:10 UTC (permalink / raw)
  To: devel, Laszlo Ersek; +Cc: Tomas Pilar (tpilar)

[-- Attachment #1: Type: text/plain, Size: 1090 bytes --]

Laszlo,

Sorry, I got the attachment too. It was just scrolled off the screen after the boilerplate.

Groups.io <http://groups.io/> Links:
You receive all messages sent to this group.

View/Reply Online (#41228) <https://edk2.groups.io/g/devel/message/41228> | | Mute This Topic <https://groups.io/mt/31718606/1755084> | New Topic <https://edk2.groups.io/g/devel/post>

Your Subscription <https://edk2.groups.io/g/devel/editsub/1755084> | Contact Group Owner <mailto:devel+owner@edk2.groups.io> | Unsubscribe <https://edk2.groups.io/g/devel/unsub> [afish@apple.com <mailto:afish@apple.com>]

Sorry for the waste of time.

Thanks,

Andrew Fish

> On May 22, 2019, at 12:05 PM, Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 05/22/19 17:58, Andrew Fish via Groups.Io wrote:
>> Tom,
>>
>> Looks like the mailing list stripped your attachment.
>
> I got the attachment OK, and I also see it in both mail archives:
>
> https://edk2.groups.io/g/devel/message/41228
>
> http://mid.mail-archive.com/ed4cfca6710b43f78ea5d6d05a87b676@ukex01.SolarFlarecom.com
>
> Thanks,
> Laszlo

[-- Attachment #2: Type: text/html, Size: 2611 bytes --]

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 19:10 ` Andrew Fish
@ 2019-05-23 13:45   ` Laszlo Ersek
  0 siblings, 0 replies; 16+ messages in thread
From: Laszlo Ersek @ 2019-05-23 13:45 UTC (permalink / raw)
  To: devel, afish; +Cc: Tomas Pilar (tpilar)

On 05/22/19 21:10, Andrew Fish via Groups.Io wrote:
> Laszlo,
>
> Sorry, I got the attachment too. It was just scrolled off the screen after the boilerplate.
>
> Groups.io <http://groups.io/> Links:
> You receive all messages sent to this group.
>
> View/Reply Online (#41228) <https://edk2.groups.io/g/devel/message/41228> | | Mute This Topic <https://groups.io/mt/31718606/1755084> | New Topic <https://edk2.groups.io/g/devel/post>
>
> Your Subscription <https://edk2.groups.io/g/devel/editsub/1755084> | Contact Group Owner <mailto:devel+owner@edk2.groups.io> | Unsubscribe <https://edk2.groups.io/g/devel/unsub> [afish@apple.com <mailto:afish@apple.com>]
>
> Sorry for the waste of time.

No, I think this is justified (mild) criticism on that large banner at the end of reflected messages. I noticed the attachment immediately only because my MUA (ThunderBird) displays such outside of the scrollable email body, in two places actually (in the "threaded subjects" pane at the top, and in the attachment pane at the bottom).

I'd prefer if the whole "-=-=-=-=-=-=-=-=-=-=-=-" footer disappeared from reflected messages, and groups.io just implemented message-id-based search.

(There were two other aggravating factors: the original "DISCLAIMER" at the end of the original posting, retained in the context, and top-posting in the response to the original email.)

To be honest -- where I'm completely lost on occasion is "modern" websites. From the recent past: the "hamburger icon" on StackOverflow, which users have to click in order to pull up the Log Out option, takes the cake. There are even StackOverflow threads about logging out of StackOverflow, I kid you not:

https://meta.stackoverflow.com/questions/294881/how-does-one-logout-from-stack-overflow

https://meta.stackoverflow.com/questions/254109/how-can-i-log-out-from-stack-overflow

Thanks,
Laszlo

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
  2019-05-22 11:19 ` Tomas Pilar (tpilar)
  2019-05-22 15:58   ` [edk2-devel] " Andrew Fish
@ 2019-06-03 19:21   ` Pavan Kumar Aravapalli
  2019-06-04 10:49     ` Laszlo Ersek
  1 sibling, 1 reply; 16+ messages in thread
From: Pavan Kumar Aravapalli @ 2019-06-03 19:21 UTC (permalink / raw)
  To: Tomas Pilar, devel

[-- Attachment #1.1: Type: text/plain, Size: 8940 bytes --]

On Wed, May 22, 2019 at 04:19 AM, Tomas Pilar (tpilar) wrote:
>
> Hi Pavan,
>
> I am currently playing around with setting up an OVMF-based test framework
> myself. You likely need to tell qemu to use OVMF as its firmware. I
> attach my current working libvirt XML file for creating UEFI VMs
> (diskless) – note the <loader> and the <nvram> elements within the <os>
> element.
>
> You want to add a disk sourced from the qcow image and that should work.
>
> Cheers,
>
> Tom

Hi Tomas,

Thanks for your response. I have already found a way to boot a Guest VM using the image https://www.kraxel.org/repos/images/fedora-29-efi-systemd-x86_64.qcow2.xz. I have attached the domain dump xml file with this mail [normal-vm.xml].

And sorry for the lengthy message that follows. Let me write up all my questions here. It would be more helpful if you can point me to fix or resolve the following. Actually I am struggling to get the two items below done:

* We have a CentOS flavoured qcow2 image which is used to boot Guest VMs in Apache CloudStack. We are trying to enable these CentOS qcow2 images with UEFI support. I found a '.EFI' file inside the fedora-29-efi-systemd-x86_64.qcow2.xz ( https://www.kraxel.org/repos/images/fedora-29-efi-systemd-x86_64.qcow2.xz ) image. How can I do the same thing for CentOS images?

* I have been struggling to secure boot a Guest VM using UEFI. I have enclosed my secure boot domain dumpxml [secure-vm.xml] with this mail too. When I try to boot with this xml I end up with an Exception. I have attached the error screenshot too. I don't know what could be wrong in the Environment.

Here is my Host Environment details

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

[root@localhost ~]# /usr/libexec/qemu-kvm --machine help
Supported machines are:
pc                   RHEL 7.6.0 PC (i440FX + PIIX, 1996) (alias of pc-i440fx-rhel7.6.0)
pc-i440fx-rhel7.6.0  RHEL 7.6.0 PC (i440FX + PIIX, 1996) (default)
pc-i440fx-rhel7.5.0  RHEL 7.5.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.4.0  RHEL 7.4.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.3.0  RHEL 7.3.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.2.0  RHEL 7.2.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.1.0  RHEL 7.1.0 PC (i440FX + PIIX, 1996)
pc-i440fx-rhel7.0.0  RHEL 7.0.0 PC (i440FX + PIIX, 1996)
rhel6.6.0            RHEL 6.6.0 PC
rhel6.5.0            RHEL 6.5.0 PC
rhel6.4.0            RHEL 6.4.0 PC
rhel6.3.0            RHEL 6.3.0 PC
rhel6.2.0            RHEL 6.2.0 PC
rhel6.1.0            RHEL 6.1.0 PC
rhel6.0.0            RHEL 6.0.0 PC
q35                  RHEL-7.6.0 PC (Q35 + ICH9, 2009) (alias of pc-q35-rhel7.6.0)
pc-q35-rhel7.6.0     RHEL-7.6.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.5.0     RHEL-7.5.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.4.0     RHEL-7.4.0 PC (Q35 + ICH9, 2009)
pc-q35-rhel7.3.0     RHEL-7.3.0 PC (Q35 + ICH9, 2009)
none                 empty machine

[root@localhost ~]# rpm -qa | grep qemu
qemu-img-ev-2.12.0-18.el7_6.5.1.x86_64
centos-release-qemu-ev-1.0-4.el7.centos.noarch
qemu-kvm-common-ev-2.12.0-18.el7_6.5.1.x86_64
libvirt-daemon-driver-qemu-4.5.0-10.el7_6.10.x86_64
ipxe-roms-qemu-20170123-1.git4e85b27.el7_4.1.noarch
qemu-kvm-ev-2.12.0-18.el7_6.5.1.x86_64

[root@localhost ~]# cat /proc/cpuinfo | grep ept
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d
fpu_exception : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d

[root@localhost ~]# rpm -qa | grep libvirt
libvirt-client-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-nwfilter-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-nodedev-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-scsi-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-iscsi-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-kvm-4.5.0-10.el7_6.10.x86_64
libvirt-bash-completion-4.5.0-10.el7_6.10.x86_64
libvirt-libs-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-network-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-qemu-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-interface-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-config-nwfilter-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-config-network-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-disk-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-rbd-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-logical-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-4.5.0-10.el7_6.10.x86_64
libvirt-python-4.5.0-1.el7.x86_64
libvirt-daemon-driver-storage-core-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-secret-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-lxc-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-mpath-4.5.0-10.el7_6.10.x86_64
libvirt-daemon-driver-storage-gluster-4.5.0-10.el7_6.10.x86_64
libvirt-4.5.0-10.el7_6.10.x86_64

Regards,
Pavan.

[-- Attachment #1.2: Type: text/html, Size: 12736 bytes --]

[-- Attachment #2: normal-vm.xml --]
[-- Type: text/xml; name="normal-vm.xml", Size: 7657 bytes --]

<domain type='kvm' id='9'>
  <name>norvm</name>
  <uuid>8aa8de9e-4ebf-4ef0-91ef-a8c3e809a60e</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/29"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/norvm_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>SandyBridge-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='pcid'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/norvm.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <alias name='pci.5'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <alias name='pci.6'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='pci' index='7' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='7' port='0x16'/>
      <alias name='pci.7'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:94:db:2e'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/2'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-9-norvm/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='vnc' port='5901' autoport='yes' listen='10.147.28.44' keymap='en-us'>
      <listen type='address' address='10.147.28.44'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c388,c745</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c388,c745</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

[-- Attachment #3: secure-vm.xml --]
[-- Type: text/xml; name="secure-vm.xml", Size: 7754 bytes --]

<domain type='kvm' id='10'>
  <name>secvm</name>
  <uuid>4b8006aa-e814-4a5d-955d-b74feea4c441</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/29"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/norvm_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
    <smm state='on'/>
  </features>
  <cpu mode='custom' match='exact'
check='full'> <model fallback='forbid'>SandyBridge-IBRS</model> <vendor>Intel</vendor> <feature policy='require' name='vme'/> <feature policy='require' name='ss'/> <feature policy='require' name='pcid'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='arat'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='stibp'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaveopt'/> </cpu> <clock offset='utc'> <timer name='rtc' tickpolicy='catchup'/> <timer name='pit' tickpolicy='delay'/> <timer name='hpet' present='no'/> </clock> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>destroy</on_crash> <pm> <suspend-to-mem enabled='no'/> <suspend-to-disk enabled='no'/> </pm> <devices> <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/sec-boot.qcow2'/> <backingStore/> <target dev='sda' bus='sata'/> <alias name='sata0-0-0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </disk> <disk type='file' device='cdrom'> <driver name='qemu' type='raw'/> <source file='/var/lib/libvirt/images/UefiShell-ovmf.iso'/> <backingStore/> <target dev='sdb' bus='sata'/> <readonly/> <alias name='sata0-0-1'/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> <controller type='usb' index='0' model='qemu-xhci' ports='15'> <alias name='usb'/> <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> </controller> <controller type='sata' index='0'> <alias name='ide'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> </controller> <controller type='pci' index='0' model='pcie-root'> <alias name='pcie.0'/> </controller> <controller type='pci' index='1' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='1' port='0x10'/> <alias name='pci.1'/> <address type='pci' domain='0x0000' bus='0x00' 
slot='0x02' function='0x0' multifunction='on'/> </controller> <controller type='pci' index='2' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='2' port='0x11'/> <alias name='pci.2'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/> </controller> <controller type='pci' index='3' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='3' port='0x12'/> <alias name='pci.3'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/> </controller> <controller type='pci' index='4' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='4' port='0x13'/> <alias name='pci.4'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/> </controller> <controller type='pci' index='5' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='5' port='0x14'/> <alias name='pci.5'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/> </controller> <controller type='pci' index='6' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='6' port='0x15'/> <alias name='pci.6'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/> </controller> <controller type='virtio-serial' index='0'> <alias name='virtio-serial0'/> <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/> </controller> <interface type='network'> <mac address='52:54:00:43:b6:64'/> <source network='default' bridge='virbr0'/> <target dev='vnet0'/> <model type='virtio'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> <serial type='pty'> <source path='/dev/pts/1'/> <target type='isa-serial' port='0'> <model name='isa-serial'/> </target> <alias name='serial0'/> </serial> <console type='pty' tty='/dev/pts/1'> <source path='/dev/pts/1'/> <target type='serial' port='0'/> <alias name='serial0'/> </console> <channel type='unix'> <source mode='bind' 
path='/var/lib/libvirt/qemu/channel/target/domain-10-secvm/org.qemu.guest_agent.0'/> <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/> <alias name='channel0'/> <address type='virtio-serial' controller='0' bus='0' port='1'/> </channel> <channel type='spicevmc'> <target type='virtio' name='com.redhat.spice.0' state='disconnected'/> <alias name='channel1'/> <address type='virtio-serial' controller='0' bus='0' port='2'/> </channel> <input type='tablet' bus='usb'> <alias name='input0'/> <address type='usb' bus='0' port='1'/> </input> <input type='mouse' bus='ps2'> <alias name='input1'/> </input> <input type='keyboard' bus='ps2'> <alias name='input2'/> </input> <graphics type='vnc' port='5900' autoport='yes' listen='10.147.28.44' keymap='en-us'> <listen type='address' address='10.147.28.44'/> </graphics> <sound model='ich9'> <alias name='sound0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/> </sound> <video> <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/> <alias name='video0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> </video> <redirdev bus='usb' type='spicevmc'> <alias name='redir0'/> <address type='usb' bus='0' port='2'/> </redirdev> <redirdev bus='usb' type='spicevmc'> <alias name='redir1'/> <address type='usb' bus='0' port='3'/> </redirdev> <memballoon model='virtio'> <alias name='balloon0'/> <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </memballoon> <rng model='virtio'> <backend model='random'>/dev/urandom</backend> <alias name='rng0'/> <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/> </rng> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c188,c430</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c188,c430</imagelabel> </seclabel> <seclabel type='dynamic' model='dac' relabel='yes'> <label>+107:+107</label> 
<imagelabel>+107:+107</imagelabel> </seclabel> </domain> [-- Attachment #4: error.png --] [-- Type: image/png, Size: 494165 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Laszlo Ersek @ 2019-06-04 10:49 UTC
To: devel, pavankumar_a, Tomas Pilar (tpilar)

Pavan,

On 06/03/19 21:21, Pavan Kumar Aravapalli wrote:

> * We have CentOS flavoured qcow2 image which is used to boot Guest
>   VM's in Apache CloudStack. We are trying to enable these CentOS
>   qcow2 images with UEFI support.

I told you weeks ago to take this question to the CentOS mailing list.

https://edk2.groups.io/g/devel/message/40531

Have you done that?

Also, what prevents you from installing a CentOS guest in UEFI mode from
scratch, and using the resultant disk image as a template?

Anyway, I guess I'm going to send them a separate message, and CC you.

> * I have been struggling to secure boot Guest VM using UEFI. I have
>   enclosed my secure boot domain dumpxml [secure-vm.xml] with this mail
>   too. When I try to boot with this xml I end up with an
>   Exception. I have attached the error screenshot too.

You are using Gerd's "OVMF_CODE-pure-efi.fd" firmware binary. That
binary is not built with -D SECURE_BOOT_ENABLE. Therefore the Secure
Boot related standard UEFI variables are not available (the Secure Boot
feature is missing altogether). That's the reason EnrollDefaultKeys.efi
fails to find the SetupMode variable.

You've mentioned that your host environment is CentOS 7.6. Here's what
you should do:

- Install the latest OVMF package available in that CentOS release. (I
  think it should be
  "OVMF-20180508-3.gitee3198e672e2.el7_6.1.noarch.rpm" at the moment.)

- You already have "qemu-kvm-ev" installed, good.

- If your libvirt domain currently has a variable store file under
  "/var/lib/libvirt/qemu/nvram/", then delete that file (the domain
  should be powered off first).
- Edit your domain XML as follows (only relevant elements quoted):

  <domain type='kvm'>
    <os>
      <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
      <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
      <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
    </os>
    <features>
      <smm state='on'/>
    </features>
    <devices>
      <emulator>/usr/libexec/qemu-kvm</emulator>
    </devices>
  </domain>

- When you next launch this domain, the domain's private varstore file
  (under "/var/lib/libvirt/qemu/nvram/") will be re-created from the
  template specified ("/usr/share/OVMF/OVMF_VARS.secboot.fd"). The
  Secure Boot operational mode will be enabled at once, and you will
  not have to run EnrollDefaultKeys.efi manually.

Hope this helps,
Laszlo
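The checklist in the reply above, applied to a domain XML by a small Python audit. This is an added example, not code from the thread, libvirt or OVMF. The firmware allowlist, the finding codes and the varstore naming heuristic are assumptions of the example, and both sample documents are constructed from elements quoted in the thread.

```python
import os
import xml.etree.ElementTree as ET

# Assumption of this example: firmware images the operator knows were built
# with -D SECURE_BOOT_ENABLE, mapped to their matching varstore template.
# The XML alone cannot prove how a binary was built, so this list is supplied
# by the operator. The one pair listed is the pair named in the reply above.
SECBOOT_FIRMWARE = {
    "/usr/share/OVMF/OVMF_CODE.secboot.fd": "/usr/share/OVMF/OVMF_VARS.secboot.fd",
}

# Constructed sample: the relevant elements of the failing secure-vm.xml.
FAILING = """
<domain type='kvm'>
  <name>secvm</name>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/norvm_VARS.fd</nvram>
  </os>
  <features><smm state='on'/></features>
</domain>
"""

# Constructed sample: the elements recommended in the reply above.
FIXED = """
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'/>
  </os>
  <features><smm state='on'/></features>
</domain>
"""


def audit_secure_boot(domain_xml, known_firmware=SECBOOT_FIRMWARE):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    root = ET.fromstring(domain_xml)
    findings = []

    def flag(code, message):
        findings.append((code, message))

    name = (root.findtext("name") or "").strip()
    os_el = root.find("os")
    loader = os_el.find("loader") if os_el is not None else None
    if loader is None or loader.get("type") != "pflash":
        flag("no-pflash-loader", "no <loader type='pflash'>: not a pflash-based UEFI setup")
        return findings

    type_el = os_el.find("type")
    machine = type_el.get("machine", "") if type_el is not None else ""
    if "q35" not in machine:
        flag("machine-not-q35", f"machine type {machine!r} is not q35")
    if loader.get("secure") != "yes":
        flag("loader-not-secure", "<loader> lacks secure='yes'")
    if loader.get("readonly") != "yes":
        flag("loader-writable", "<loader> lacks readonly='yes'")
    smm = root.find("features/smm")
    if smm is None or smm.get("state") != "on":
        flag("smm-off", "<smm state='on'/> is missing under <features>")

    # Firmware binary and varstore template must be a known Secure Boot pair.
    code_path = (loader.text or "").strip()
    expected_vars = known_firmware.get(code_path)
    if expected_vars is None:
        flag("firmware-not-known-secboot",
             f"{code_path} is not on the list of Secure Boot enabled builds")
    nvram = os_el.find("nvram")
    template = nvram.get("template") if nvram is not None else None
    if template is None:
        flag("nvram-no-template",
             "no template on <nvram>: the guest starts with whatever varstore "
             "already exists or the host default")
    elif expected_vars is not None and template != expected_vars:
        flag("nvram-template-mismatch",
             f"template {template} does not pair with {code_path}")

    # Heuristic (assumption): a per-domain varstore is named <domain>_VARS.fd.
    varstore = (nvram.text or "").strip() if nvram is not None else ""
    if varstore and name and not os.path.basename(varstore).startswith(name + "_"):
        flag("varstore-name-mismatch",
             f"varstore {varstore} does not look like it belongs to domain {name!r}")
    return findings


if __name__ == "__main__":
    for label, doc in (("failing", FAILING), ("fixed", FIXED)):
        results = audit_secure_boot(doc)
        print(label, "->", "all checks passed" if not results else "")
        for code, message in results:
            print(f"  [{code}] {message}")
```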
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Pavan Kumar Aravapalli @ 2019-06-04 11:28 UTC
To: Laszlo Ersek, devel

Hi Laszlo,

Thank you for your quick response, and apologies for your previous mail
thread, which I could not observe as I only monitor the mail
[ pavankumar_a@accelerite.com ] inbox. And I am not receiving mail
replies to my inbox even though I have subscribed to the devel group.
Hereafter I will proceed with the web console https://edk2.groups.io
for tracking info.

As you suggested, I have done the dom XML changes you suggested in the
previous mail:

* Dom XML changes for OVMF loader stuff
* deleted existing varstore file /var/lib/libvirt/qemu/nvram/

I am unable to boot the VM; it says that there is no bootable device to
boot. I have attached the screenshot with this thread for the same. I
have been using the image
https://www.kraxel.org/repos/images/fedora-28-efi-systemd-x86_64.qcow2.xz
for Guest VM boot. Please suggest if I missed out something.

Regards,
Pavan.
[-- Attachment #1.2: Type: text/html, Size: 1165 bytes --] [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: secvm-2.xml --] [-- Type: text/xml; name="secvm-2.xml", Size: 7788 bytes --] <domain type='kvm' id='25'> <name>secvm</name> <uuid>4b8006aa-e814-4a5d-955d-b74feea4c441</uuid> <metadata> <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0"> <libosinfo:os id="http://fedoraproject.org/fedora/29"/> </libosinfo:libosinfo> </metadata> <memory unit='KiB'>2097152</memory> <currentMemory unit='KiB'>2097152</currentMemory> <vcpu placement='static'>1</vcpu> <resource> <partition>/machine</partition> </resource> <os> <type arch='x86_64' machine='pc-q35-rhel7.6.0'>hvm</type> <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader> <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/secvm_VARS.fd</nvram> <boot dev='hd'/> </os> <features> <acpi/> <apic/> <vmport state='off'/> <smm state='on'/> </features> <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>SandyBridge-IBRS</model> <vendor>Intel</vendor> <feature policy='require' name='vme'/> <feature policy='require' name='ss'/> <feature policy='require' name='pcid'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='arat'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='stibp'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaveopt'/> </cpu> <clock offset='utc'> <timer name='rtc' tickpolicy='catchup'/> <timer name='pit' tickpolicy='delay'/> <timer name='hpet' present='no'/> </clock> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>destroy</on_crash> <pm> <suspend-to-mem enabled='no'/> <suspend-to-disk enabled='no'/> </pm> <devices> <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source 
file='/var/lib/libvirt/images/sec-boot.qcow2'/> <backingStore/> <target dev='sda' bus='sata'/> <alias name='sata0-0-0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </disk> <disk type='file' device='cdrom'> <driver name='qemu' type='raw'/> <source file='/usr/share/edk2.git/ovmf-x64/UefiShell.iso'/> <backingStore/> <target dev='sdb' bus='sata'/> <readonly/> <alias name='sata0-0-1'/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> <controller type='usb' index='0' model='qemu-xhci' ports='15'> <alias name='usb'/> <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> </controller> <controller type='sata' index='0'> <alias name='ide'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> </controller> <controller type='pci' index='0' model='pcie-root'> <alias name='pcie.0'/> </controller> <controller type='pci' index='1' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='1' port='0x10'/> <alias name='pci.1'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/> </controller> <controller type='pci' index='2' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='2' port='0x11'/> <alias name='pci.2'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/> </controller> <controller type='pci' index='3' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='3' port='0x12'/> <alias name='pci.3'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/> </controller> <controller type='pci' index='4' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='4' port='0x13'/> <alias name='pci.4'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/> </controller> <controller type='pci' index='5' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='5' port='0x14'/> <alias name='pci.5'/> <address 
type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/> </controller> <controller type='pci' index='6' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='6' port='0x15'/> <alias name='pci.6'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/> </controller> <controller type='virtio-serial' index='0'> <alias name='virtio-serial0'/> <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/> </controller> <interface type='network'> <mac address='52:54:00:43:b6:64'/> <source network='default' bridge='virbr0'/> <target dev='vnet0'/> <model type='virtio'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> <serial type='pty'> <source path='/dev/pts/1'/> <target type='isa-serial' port='0'> <model name='isa-serial'/> </target> <alias name='serial0'/> </serial> <console type='pty' tty='/dev/pts/1'> <source path='/dev/pts/1'/> <target type='serial' port='0'/> <alias name='serial0'/> </console> <channel type='unix'> <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-25-secvm/org.qemu.guest_agent.0'/> <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/> <alias name='channel0'/> <address type='virtio-serial' controller='0' bus='0' port='1'/> </channel> <channel type='spicevmc'> <target type='virtio' name='com.redhat.spice.0' state='disconnected'/> <alias name='channel1'/> <address type='virtio-serial' controller='0' bus='0' port='2'/> </channel> <input type='tablet' bus='usb'> <alias name='input0'/> <address type='usb' bus='0' port='1'/> </input> <input type='mouse' bus='ps2'> <alias name='input1'/> </input> <input type='keyboard' bus='ps2'> <alias name='input2'/> </input> <graphics type='vnc' port='5900' autoport='yes' listen='10.147.28.44' keymap='en-us'> <listen type='address' address='10.147.28.44'/> </graphics> <sound model='ich9'> <alias name='sound0'/> <address type='pci' domain='0x0000' bus='0x00' 
slot='0x1b' function='0x0'/> </sound> <video> <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/> <alias name='video0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> </video> <redirdev bus='usb' type='spicevmc'> <alias name='redir0'/> <address type='usb' bus='0' port='2'/> </redirdev> <redirdev bus='usb' type='spicevmc'> <alias name='redir1'/> <address type='usb' bus='0' port='3'/> </redirdev> <memballoon model='virtio'> <alias name='balloon0'/> <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </memballoon> <rng model='virtio'> <backend model='random'>/dev/urandom</backend> <alias name='rng0'/> <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/> </rng> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c110,c924</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c110,c924</imagelabel> </seclabel> <seclabel type='dynamic' model='dac' relabel='yes'> <label>+107:+107</label> <imagelabel>+107:+107</imagelabel> </seclabel> </domain> [-- Attachment #3: Screenshot 2019-06-04 at 4.56.10 PM.png --] [-- Type: image/png, Size: 226308 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Laszlo Ersek @ 2019-06-04 16:10 UTC
To: Pavan Kumar Aravapalli, devel
Cc: Gerd Hoffmann

(+Gerd)

On 06/04/19 13:28, Pavan Kumar Aravapalli wrote:
> Hi Laszlo,
>
> Thank you for your quick response, and apologies for your previous
> mail thread, which I could not observe as I only monitor the mail
> [ pavankumar_a@accelerite.com ] inbox. And I am not receiving mail
> replies to my inbox even though I have subscribed to the devel group.
> Hereafter I will proceed with the web console https://edk2.groups.io
> for tracking info.
>
> As you suggested, I have done the dom XML changes you suggested in the
> previous mail:
>
> * Dom XML changes for OVMF loader stuff
> * deleted existing varstore file /var/lib/libvirt/qemu/nvram/
>
> I am unable to boot the VM; it says that there is no bootable device
> to boot. I have attached the screenshot with this thread for the same.
> I have been using the image
> https://www.kraxel.org/repos/images/fedora-28-efi-systemd-x86_64.qcow2.xz
> for Guest VM boot. Please suggest if I missed out something.

When you import a pre-made disk image like this, with a UEFI OS
installation on it, but without any Boot#### and BootOrder UEFI
variables in the domain's variable store, that amounts to an installed
UEFI system losing its Boot#### and BootOrder variables. The UEFI spec
covers this case; a great writeup can be found at
<https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/>.

However: you're using a systemd-related UEFI boot loader, and I have no
clue whether it implements the above-referenced "fallback" behavior. For
now, I would suggest trying the shim+grub2 variant, and even Fedora 29
rather than Fedora 28: "fedora-29-efi-grub2-x86_64.qcow2.xz".
If it still doesn't work, then you can modify your domain XML as
follows, for saving a firmware debug log (note that the xmlns:qemu
attribute (namespace definition) in the root element is important):

  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
    <qemu:commandline>
      <qemu:arg value='-global'/>
      <qemu:arg value='isa-debugcon.iobase=0x402'/>
      <qemu:arg value='-debugcon'/>
      <qemu:arg value='file:/tmp/secvm.log'/>
    </qemu:commandline>
  </domain>

The file "/tmp/secvm.log" will contain the OVMF debug log.

Additionally, I'd suggest removing the <boot dev='hd'/> element, and
adding the following <boot order='1'/> instead:

  <disk type='file' device='disk'>
    ...
    <source file='/var/lib/libvirt/images/sec-boot.qcow2'/>
    ...
    <boot order='1'/>
  </disk>

... I guess it's also possible that the UEFI boot loader in the disk
image that you've tried isn't properly signed, against the certificates
enrolled in "/usr/share/OVMF/OVMF_VARS.secboot.fd". If that's the case,
the OVMF debug log will show it.

Thanks,
Laszlo
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Gerd Hoffmann @ 2019-06-05 5:49 UTC
To: Laszlo Ersek
Cc: Pavan Kumar Aravapalli, devel

  Hi,

> However: you're using a systemd-related UEFI boot loader, and I have
> no clue whether it implements the above-referenced "fallback"
> behavior. For now, I would suggest trying the shim+grub2 variant, and
> even Fedora 29 rather than Fedora 28:
> "fedora-29-efi-grub2-x86_64.qcow2.xz".

I can boot the images just fine with empty vars.

Just noticed that the systemd image has a lowercase efi directory, so
the fallback bootloader path is "efi/BOOT/BOOTX64.EFI" not
"EFI/BOOT/BOOTX64.EFI". Possibly that is the root cause for the
problem. In theory it should not, FAT is case-insensitive after all,
but who knows ...

> ... I guess it's also possible that the UEFI boot loader in the disk
> image that you've tried isn't properly signed, against the
> certificates enrolled in "/usr/share/OVMF/OVMF_VARS.secboot.fd". If
> that's the case, the OVMF debug log will show it.

Oh, in secure boot mode. The systemd images don't use shim, so that
most likely isn't going to fly due to bootloader being unsigned. The
grub2 variants should work. Never actually tested that though.

cheers,
  Gerd
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Pavan Kumar Aravapalli @ 2019-06-07 9:13 UTC
To: Gerd Hoffmann, devel

Gerd,

I understand that you are mentioning that the systemd images don't use
shim. Where can we get consolidated information about the supporting
matrix? Please provide me a useful link if any is available.

Regards,
Pavan.
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Pavan Kumar Aravapalli @ 2019-06-05 18:19 UTC
To: Laszlo Ersek, devel

Laszlo,

Finally...! I am successfully able to boot the guest VM in secure mode;
attached the screenshot for the same. Secure boot works fine without
enforcing keys from UefiShell.iso. As suggested, I have used the image
fedora-29-efi-grub2-x86_64.qcow2.xz. However, I have learnt many new
things from these conversations. A big 'Thanks to you' for your support
and resolving my queries.

Though I am yet to learn many things about 'UEFI' and its different
specifications, this will be good motivation for me to proceed further.

Regards,
Pavan.

[-- Attachment #2: Screenshot 2019-06-05 at 11.31.29 PM.png --]
[-- Type: image/png, Size: 452348 bytes --]
* Re: [edk2-devel] Help needed in building UEFI qcow2 images
From: Laszlo Ersek @ 2019-06-06 7:43 UTC
To: Pavan Kumar Aravapalli
Cc: devel, Gerd Hoffmann

Hi Pavan,

On 06/05/19 20:19, Pavan Kumar Aravapalli wrote:
> Laszlo,
>
> Finally...! I am successfully able to boot the guest VM in secure
> mode; attached the screenshot for the same. Secure boot works fine
> without enforcing keys from UefiShell.iso. As suggested, I have used
> the image fedora-29-efi-grub2-x86_64.qcow2.xz. However, I have learnt
> many new things from these conversations. A big 'Thanks to you' for
> your support and resolving my queries.
>
> Though I am yet to learn many things about 'UEFI' and its different
> specifications, this will be good motivation for me to proceed
> further.

Cool, thanks for reporting back :)

Laszlo