From: Laszlo Ersek
To: Philipp Deppenwiese
Cc: edk2-devel@lists.01.org
Date: Tue, 12 Jun 2018 20:14:26 +0200
Subject: Re: [OvmfPkg] Secure Boot issues

On 06/12/18 16:51, Philipp Deppenwiese wrote:
> Also Windows 10 in safe mode with secure boot works but not the
> normal mode.
>
> We use the
> 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISE_S_EVAL_X64 LTSB
> release for testing.

Interesting, this reminds me of the "new" driver signing requirements
when Secure Boot is enabled. Something something about cross-signed
drivers not being accepted by recent Windows 10 when SB is enabled.

I could imagine that some of your native guest drivers (paravirt /
virtio drivers) aren't "appropriately signed" (whatever that may mean),
and then something crashes when Windows *rejects* loading those drivers.
In safe mode, I could imagine Windows doesn't even attempt to load those
drivers.

Really I'm just speculating here. In support of the speculation:

https://docs.fedoraproject.org/quick-docs/en-US/creating-windows-virtual-machines-using-virtio-drivers.html

"""
Fedora VirtIO Drivers vs. RHEL VirtIO Drivers

The RPMs in the virtio-win-stable repository are the same driver builds
as what is shipped with Red Hat Enterprise Linux. All the Windows
binaries are from builds done on Red Hat’s internal build system, which
are generated using publicly available code. For more details about how
the RPM and repo are built, see the README for this repo.

The drivers are cryptographically signed with Red Hat’s vendor
signature. However they are not signed with Microsoft’s WHQL signature.
"""

In addition, please see .

Thanks
Laszlo