public inbox for devel@edk2.groups.io
* reg : UEFI Secure Boot is stuck with Black Screen
@ 2019-04-25 10:37 Pavan Kumar Aravapalli
  2019-04-26 21:26 ` [edk2-devel] " Laszlo Ersek
  0 siblings, 1 reply; 5+ messages in thread
From: Pavan Kumar Aravapalli @ 2019-04-25 10:37 UTC (permalink / raw)
  To: devel@edk2.groups.io



Hi

I am new to this and I am trying to perform Windows Server 2016 [Guest VM] UEFI secure boot mode on KVM (Hypervisor) Host using edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch. I am looking for support documents which help me in assessing the same.


Environment Details

KVM Host  :RHEL 7.3

Guest VM : Windows Server 2016

Qemu Version :  qemu-kvm-ev-2.9.0-16.el7_4.13.1

[root@rhel-02 ~]# /usr/libexec/qemu-kvm --machine help

Supported machines are:

pc                   RHEL 7.4.0 PC (i440FX + PIIX, 1996) (alias of pc-i440fx-rhel7.4.0)

pc-i440fx-rhel7.4.0  RHEL 7.4.0 PC (i440FX + PIIX, 1996) (default)

pc-i440fx-rhel7.3.0  RHEL 7.3.0 PC (i440FX + PIIX, 1996)

pc-i440fx-rhel7.2.0  RHEL 7.2.0 PC (i440FX + PIIX, 1996)

pc-i440fx-rhel7.1.0  RHEL 7.1.0 PC (i440FX + PIIX, 1996)

pc-i440fx-rhel7.0.0  RHEL 7.0.0 PC (i440FX + PIIX, 1996)

rhel6.6.0            RHEL 6.6.0 PC

rhel6.5.0            RHEL 6.5.0 PC

rhel6.4.0            RHEL 6.4.0 PC

rhel6.3.0            RHEL 6.3.0 PC

rhel6.2.0            RHEL 6.2.0 PC

rhel6.1.0            RHEL 6.1.0 PC

rhel6.0.0            RHEL 6.0.0 PC

q35                  RHEL-7.4.0 PC (Q35 + ICH9, 2009) (alias of pc-q35-rhel7.4.0)

pc-q35-rhel7.4.0     RHEL-7.4.0 PC (Q35 + ICH9, 2009)

pc-q35-rhel7.3.0     RHEL-7.3.0 PC (Q35 + ICH9, 2009)

none                 empty machine


Libvirt Domain XML

<domain type='kvm' id='23'>

  <name>wus</name>

  <uuid>97777f3a-089c-4dae-b192-070a5c676084</uuid>

  <memory unit='KiB'>2097152</memory>

  <currentMemory unit='KiB'>2097152</currentMemory>

  <vcpu placement='static'>2</vcpu>

  <resource>

    <partition>/machine</partition>

  </resource>

  <os>

    <type arch='x86_64' machine='pc-q35-rhel7.4.0'>hvm</type>

    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>

    <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/wus_VARS.fd</nvram>

    <bootmenu enable='no'/>

  </os>

  <features>

    <acpi/>

    <apic/>

    <smm state='on'/>

  </features>

  <cpu mode='custom' match='exact' check='full'>

    <model fallback='forbid'>Penryn</model>

    <feature policy='require' name='vme'/>

    <feature policy='require' name='x2apic'/>

    <feature policy='require' name='hypervisor'/>

  </cpu>

  <clock offset='localtime'>

    <timer name='rtc' tickpolicy='catchup'/>

    <timer name='pit' tickpolicy='delay'/>

    <timer name='hpet' present='no'/>

    <timer name='hypervclock' present='yes'/>

  </clock>

  <on_poweroff>destroy</on_poweroff>

  <on_reboot>restart</on_reboot>

  <on_crash>destroy</on_crash>

  <pm>

    <suspend-to-mem enabled='no'/>

    <suspend-to-disk enabled='no'/>

  </pm>

  <devices>

    <emulator>/usr/libexec/qemu-kvm</emulator>

    <disk type='file' device='disk'>

      <driver name='qemu' type='qcow2'/>

      <source file='/mnt/5b34383e-db2f-363f-b9b1-a1e6adfb1543/win2k16-uefi-secureboot.qcow2'/>

      <backingStore/>

      <target dev='vda' bus='virtio'/>

      <boot order='2'/>

      <alias name='virtio-disk0'/>

      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>

    </disk>

    <disk type='file' device='cdrom'>

      <driver name='qemu' type='raw'/>

      <source file='/root/UefiShell-ovmf.iso'/>

      <backingStore/>

      <target dev='sdc' bus='scsi'/>

      <readonly/>

      <boot order='1'/>

      <alias name='scsi0-0-0-2'/>

      <address type='drive' controller='0' bus='0' target='0' unit='2'/>

    </disk>

    <controller type='usb' index='0' model='ich9-ehci1'>

      <alias name='usb'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x7'/>

    </controller>

    <controller type='usb' index='0' model='ich9-uhci1'>

      <alias name='usb'/>

      <master startport='0'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x0' multifunction='on'/>

    </controller>

    <controller type='usb' index='0' model='ich9-uhci2'>

      <alias name='usb'/>

      <master startport='2'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x1'/>

    </controller>

    <controller type='usb' index='0' model='ich9-uhci3'>

      <alias name='usb'/>

      <master startport='4'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x2'/>

    </controller>

    <controller type='sata' index='0'>

      <alias name='ide'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>

    </controller>

    <controller type='pci' index='0' model='pcie-root'>

      <alias name='pcie.0'/>

    </controller>

    <controller type='pci' index='1' model='dmi-to-pci-bridge'>

      <model name='i82801b11-bridge'/>

      <alias name='pci.1'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x1e' function='0x0'/>

    </controller>

    <controller type='pci' index='2' model='pci-bridge'>

      <model name='pci-bridge'/>

      <target chassisNr='2'/>

      <alias name='pci.2'/>

      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>

    </controller>

    <controller type='pci' index='3' model='pcie-root-port'>

      <model name='pcie-root-port'/>

      <target chassis='3' port='0x8'/>

      <alias name='pci.3'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>

    </controller>

    <controller type='pci' index='4' model='pcie-root-port'>

      <model name='pcie-root-port'/>

      <target chassis='4' port='0x9'/>

      <alias name='pci.4'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>

    </controller>

    <controller type='pci' index='5' model='pcie-root-port'>

      <model name='pcie-root-port'/>

      <target chassis='5' port='0xa'/>

      <alias name='pci.5'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>

    </controller>

    <controller type='pci' index='6' model='pcie-root-port'>

      <model name='pcie-root-port'/>

      <target chassis='6' port='0xb'/>

      <alias name='pci.6'/>

      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>

    </controller>

    <controller type='scsi' index='0' model='virtio-scsi'>

      <alias name='scsi0'/>

      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>

    </controller>

    <interface type='bridge'>

      <mac address='52:54:00:ac:0d:af'/>

      <source bridge='cloudbr0'/>

      <target dev='vnet1'/>

      <model type='rtl8139'/>

      <alias name='net0'/>

      <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>

    </interface>

    <serial type='pty'>

      <source path='/dev/pts/3'/>

      <target type='isa-serial' port='0'>

        <model name='isa-serial'/>

      </target>

      <alias name='serial0'/>

    </serial>

    <console type='pty' tty='/dev/pts/3'>

      <source path='/dev/pts/3'/>

      <target type='serial' port='0'/>

      <alias name='serial0'/>

    </console>

    <input type='mouse' bus='ps2'>

      <alias name='input0'/>

    </input>

    <input type='keyboard' bus='ps2'>

      <alias name='input1'/>

    </input>

    <input type='tablet' bus='usb'>

      <alias name='input2'/>

      <address type='usb' bus='0' port='1'/>

    </input>

    <graphics type='vnc' port='5901' autoport='yes' listen='10.112.0.82'>

      <listen type='address' address='10.112.0.82'/>

    </graphics>

    <video>

      <model type='virtio' heads='1' primary='yes'/>

      <alias name='video0'/>

      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>

    </video>

    <memballoon model='virtio'>

      <alias name='balloon0'/>

      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>

    </memballoon>

  </devices>

  <seclabel type='dynamic' model='dac' relabel='yes'>

    <label>+0:+0</label>

    <imagelabel>+0:+0</imagelabel>

  </seclabel>

</domain>




Unfortunately I am unable to boot the VM with this config. I don't know what the mistake is in the dom XML file. When I try to connect to the VNC server for the VM console, it's stuck with "Guest has not initiated the display(yet)".

I am looking for support documents which help me in assessing the same. I couldn't find step-by-step documentation available over the web. Please help me.


Thanks in Advance.

Regards,

Pavan.


* Re: [edk2-devel] reg : UEFI Secure Boot is stuck with Black Screen
  2019-04-25 10:37 reg : UEFI Secure Boot is stuck with Black Screen Pavan Kumar Aravapalli
@ 2019-04-26 21:26 ` Laszlo Ersek
  2019-05-02 10:11   ` pavankumar_a
  0 siblings, 1 reply; 5+ messages in thread
From: Laszlo Ersek @ 2019-04-26 21:26 UTC (permalink / raw)
  To: devel, pavankumar_a

Hi Pavan,

On 04/25/19 12:37, Pavan Kumar Aravapalli wrote:
> Hi
> 
> I am new to this and I am trying to perform Windows Server 2016 [Guest VM] UEFI secure boot mode on KVM (Hypervisor) Host using edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch. I am looking for support documents which help me in assessing the same.
> 
> 
> Environment Details
> 
> KVM Host  :RHEL 7.3
> 
> Guest VM : Windows Server 2016
> 
> Qemu Version :  qemu-kvm-ev-2.9.0-16.el7_4.13.1

This environment appears a bit mixed-up to me. Here's why:

- the "edk2.git" package is neither from RHEL nor from CentOS. It's from
<https://www.kraxel.org/repos>.

- you list the KVM host as RHEL 7.3, but your QEMU version is from
CentOS -- what's more, the version number in the RPM indicates it is a
package from 7.4 Z-Stream.

If you have access to RHEL7 (or CentOS), I'd suggest using everything
from RHEL-7.6 (or equivalent CentOS).

[...]

> Libvirt Domain XML
> 
> <domain type='kvm' id='23'>

(Side hint: when using "virsh dumpxml" on an active domain, it's usually
good to include "--inactive". Runtime details just muddy the picture,
most of the time.)

> 
>   <name>wus</name>
> 
>   <uuid>97777f3a-089c-4dae-b192-070a5c676084</uuid>
> 
>   <memory unit='KiB'>2097152</memory>
> 
>   <currentMemory unit='KiB'>2097152</currentMemory>
> 
>   <vcpu placement='static'>2</vcpu>
> 
>   <resource>
> 
>     <partition>/machine</partition>
> 
>   </resource>
> 
>   <os>
> 
>     <type arch='x86_64' machine='pc-q35-rhel7.4.0'>hvm</type>
> 
>     <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>

The domain XML looks OK thus far, but this firmware binary is certainly
not from "edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch". It's
from an "OVMF" RPM.

> 
>     <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/wus_VARS.fd</nvram>

Regarding the domain XML, this looks good again.

And now I can also tell that you are using
"OVMF-20180508-2.gitee3198e672e2.el7.noarch" from RHEL-7.6 (or later),
because we added the "/usr/share/OVMF/OVMF_VARS.secboot.fd" varstore
template under <https://bugzilla.redhat.com/show_bug.cgi?id=1561128>.

> 
>     <bootmenu enable='no'/>
> 
>   </os>
> 
>   <features>
> 
>     <acpi/>
> 
>     <apic/>
> 
>     <smm state='on'/>

Looks good too.

>   </features>
>
>   <cpu mode='custom' match='exact' check='full'>
>
>     <model fallback='forbid'>Penryn</model>
>

Yes, I'm fairly sure this is the problem.

Presumably, you chose the Penryn VCPU model because your host CPU is a
Penryn too.

Unfortunately, that physical CPU does not support EPT (nested paging),
and KVM currently fails to emulate SMM on Intel CPUs without nested
paging (EPT). And, the OVMF image we ship in RHEL7 requires SMM.

Please refer to the following RHBZ comment:

  https://bugzilla.redhat.com/show_bug.cgi?id=1531373#c2

and that RHBZ is a duplicate of the host kernel issue

  https://bugzilla.redhat.com/show_bug.cgi?id=1348092

Your domain XML looks good to me, otherwise (i.e., apart from
Penryn). Thus, I suggest retrying

(a) on an Intel host that has "ept" in "/proc/cpuinfo", or

(b) on an AMD host.

(IIRC, KVM doesn't need nested paging for SMM emulation on AMD, although
nested paging certainly helps with performance on AMD too -- look for
"npt" in "/proc/cpuinfo" on AMD).

Don't forget to refresh the VCPU model in the domain XML too.

Thanks,
Laszlo


* Re: [edk2-devel] reg : UEFI Secure Boot is stuck with Black Screen
  2019-04-26 21:26 ` [edk2-devel] " Laszlo Ersek
@ 2019-05-02 10:11   ` pavankumar_a
  2019-05-07  4:59     ` pavankumar_a
  0 siblings, 1 reply; 5+ messages in thread
From: pavankumar_a @ 2019-05-02 10:11 UTC (permalink / raw)
  To: Laszlo Ersek, devel


On Fri, Apr 26, 2019 at 02:26 PM, Laszlo Ersek wrote:

> 
> CPUs without nested
> paging (EPT)

Thanks Laszlo for your detailed explanation, will try and let you know.


* Re: [edk2-devel] reg : UEFI Secure Boot is stuck with Black Screen
  2019-05-02 10:11   ` pavankumar_a
@ 2019-05-07  4:59     ` pavankumar_a
  2019-05-07 12:02       ` Laszlo Ersek
  0 siblings, 1 reply; 5+ messages in thread
From: pavankumar_a @ 2019-05-07  4:59 UTC (permalink / raw)
  To: pavankumar_a, devel


On Thu, May 2, 2019 at 03:11 AM, <pavankumar_a@persistent.co.in> wrote:

> 
> Hi Laszlo,

As you suggested in the in-line mail, I have found a machine which supports EPT technology in our lab environment. And to maintain a homogeneous KVM Host environment, I used the qemu-kvm packages which come with the default repo. The thing is that by default qemu-kvm is not supporting the q35 machine type. This is the reason we earlier went for CentOS packages, so that qemu-kvm can support the q35 chipset for the Guest VM. Can you advise me on the same: if I wanted to perform with RHEL 7.6, how can I proceed?

[root@ACP-CP-RH7-PA01 ~]# cat /proc/cpuinfo | grep ept

fpu_exception : yes

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts spec_ctrl intel_stibp flush_l1d

[root@ACP-CP-RH7-PA01 ~]# rpm -qa | grep qemu-kvm 

qemu-kvm-1.5.3-160.el7_6.1.x86_64

qemu-kvm-common-1.5.3-160.el7_6.1.x86_64

[root@ACP-CP-RH7-PA01 ~]# /usr/libexec/qemu-kvm --machine help

Supported machines are:

none               empty machine

pc                 RHEL 7.0.0 PC (i440FX + PIIX, 1996) (alias of pc-i440fx-rhel7.0.0)

pc-i440fx-rhel7.0.0 RHEL 7.0.0 PC (i440FX + PIIX, 1996) (default)

rhel6.6.0           RHEL 6.6.0 PC

rhel6.5.0           RHEL 6.5.0 PC

rhel6.4.0           RHEL 6.4.0 PC

rhel6.3.0           RHEL 6.3.0 PC

rhel6.2.0           RHEL 6.2.0 PC

rhel6.1.0           RHEL 6.1.0 PC

 

rhel6.0.0           RHEL 6.0.0 PC

Thanks in Advance.
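
The host and domain checks this thread arrives at, as an added shell example that is not part of any message in it. The function names are hypothetical and the sample cpuinfo text is constructed; the flag test matches "ept" as a whole word on the flags line, because a plain "grep ept" also hits "fpu_exception".

```shell
#!/bin/sh
# Added example: pre-flight checks for an OVMF Secure Boot (SMM) guest on KVM.
# Function names are hypothetical; sample inputs in demo() are constructed.

# Succeeds only if FLAG is a whole word on the first "flags" line of CPUINFO.
# "grep ept" is not enough: it also matches the "fpu_exception" line.
cpu_has_flag() {
    awk -v want="$1" -F: '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            exit
        }
        END { exit !found }' "${2:-/proc/cpuinfo}"
}

# Prints a verdict using the rule given in the thread: on Intel, KVM needs
# EPT to emulate SMM; on AMD, nested paging (npt) is not required for SMM.
smm_verdict() {
    info=${1:-/proc/cpuinfo}
    vendor=$(awk -F': *' '/^vendor_id/ { print $2; exit }' "$info")
    case $vendor in
        GenuineIntel)
            if cpu_has_flag ept "$info"; then
                echo "intel: ept present"
            else
                echo "intel: no ept, SMM emulation will fail"
            fi ;;
        AuthenticAMD) echo "amd: ok" ;;
        *) echo "unknown vendor" ;;
    esac
}

# Prints each firmware-related setting from the thread's domain XML that is
# absent from the file given as $1 (e.g. "virsh dumpxml --inactive" output).
domain_missing() {
    grep -Eq "<type [^>]*machine='(pc-)?q35" "$1" || echo "q35 machine type"
    grep -Eq "<loader [^>]*secure='yes'" "$1" || echo "secure loader"
    grep -Eq "<smm state='on'/>" "$1" || echo "smm on"
    return 0
}

demo() {
    d=$(mktemp -d)
    printf 'vendor_id\t: GenuineIntel\nfpu_exception\t: yes\nflags\t\t: fpu vme vmx\n' > "$d/no_ept"
    printf 'vendor_id\t: GenuineIntel\nfpu_exception\t: yes\nflags\t\t: fpu vmx ept vpid\n' > "$d/ept"
    smm_verdict "$d/no_ept"
    smm_verdict "$d/ept"
    rm -rf "$d"
}
demo
```

Run without arguments, smm_verdict reads the host's own /proc/cpuinfo.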


* Re: [edk2-devel] reg : UEFI Secure Boot is stuck with Black Screen
  2019-05-07  4:59     ` pavankumar_a
@ 2019-05-07 12:02       ` Laszlo Ersek
  0 siblings, 0 replies; 5+ messages in thread
From: Laszlo Ersek @ 2019-05-07 12:02 UTC (permalink / raw)
  To: devel, pavankumar_a

On 05/07/19 06:59, pavankumar_a@persistent.co.in wrote:
> On Thu, May 2, 2019 at 03:11 AM, <pavankumar_a@persistent.co.in>
> wrote:
> 
>> 
>> Hi Laszlo,
> 
> As you suggested in the in-line mail, I have found a machine which
> supports EPT technology in our lab environment. And to maintain a
> homogeneous KVM Host environment, I used the qemu-kvm packages which
> come with the default repo. The thing is that by default qemu-kvm is
> not supporting the q35 machine type. This is the reason we earlier went
> for CentOS packages, so that qemu-kvm can support the q35 chipset for
> the Guest VM. Can you advise me on the same: if I wanted to perform
> with RHEL 7.6, how can I proceed?

(Given that you asked earlier off-list as well, and that I happened to
answer there first, I think I won't repeat the answer here. The answer
is not related to upstream edk2 development anyway; it has to do with RH
products / RHEL packages. I would have been fine with answering here
only, but now it's not really useful to duplicate that info, which is
strictly speaking off-topic.

I'm posting this short note just to tell the list that I didn't ignore
the question.)

Thanks
Laszlo
