Re: [edk2-devel] reg : UEFI Secure Boot is stuck with Black Screen

["Laszlo Ersek" <lersek@redhat.com>]

Hi Pavan,

On 04/25/19 12:37, Pavan Kumar Aravapalli wrote:
> Hi
> 
> I am new to this and  i am trying to perform Windows Server 2016 [Guest VM] UEFI secure boot mode on KVM(Hypervisor) Host using edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch.I am looking for support documents which helps me in assessing the same.
> 
> 
> Environment Details
> 
> KVM Host  :RHEL 7.3
> 
> Guest VM : Windows Server 2016
> 
> Qemu Version :  qemu-kvm-ev-2.9.0-16.el7_4.13.1

This environment appears a bit mixed-up to me. Here's why:

- the "edk2.git" package is neither from RHEL nor from CentOS. It's from
<https://www.kraxel.org/repos>.

- you list the KVM host as RHEL 7.3, but your QEMU version is from
CentOS -- what's more, the version number in the RPM indicates it is a
package from 7.4 Z-Stream.

If you have access to RHEL7 (or CentOS), I'd suggest using everything
from RHEL-7.6 (or equivalent CentOS).

[...]

> Libvirt Domain XML
> 
> <domain type='kvm' id='23'>

(Side hint: when using "virsh dumpxml" on an active domain, it's usually
good to include "--inactive". Runtime details just muddy the picture,
most of the time.)

> 
>   <name>wus</name>
> 
>   <uuid>97777f3a-089c-4dae-b192-070a5c676084</uuid>
> 
>   <memory unit='KiB'>2097152</memory>
> 
>   <currentMemory unit='KiB'>2097152</currentMemory>
> 
>   <vcpu placement='static'>2</vcpu>
> 
>   <resource>
> 
>     <partition>/machine</partition>
> 
>   </resource>
> 
>   <os>
> 
>     <type arch='x86_64' machine='pc-q35-rhel7.4.0'>hvm</type>
> 
>     <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>

The domain XML looks OK thus far, but this firmware binary is certainly
not from "edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch". It's
from an "OVMF" RPM.

> 
>     <nvram template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/wus_VARS.fd</nvram>

Regarding the domain XML, this looks good again.

And now I can also tell that you are using
"OVMF-20180508-2.gitee3198e672e2.el7.noarch" from RHEL-7.6 (or later),
because we added the "/usr/share/OVMF/OVMF_VARS.secboot.fd" varstore
template under <https://bugzilla.redhat.com/show_bug.cgi?id=1561128>.

> 
>     <bootmenu enable='no'/>
> 
>   </os>
> 
>   <features>
> 
>     <acpi/>
> 
>     <apic/>
> 
>     <smm state='on'/>

Looks good too.

>   </features>
>
>   <cpu mode='custom' match='exact' check='full'>
>
>     <model fallback='forbid'>Penryn</model>
>

Yes, I'm fairly sure this is the problem.

Presumably, you chose the Penryn VCPU model because your host CPU is a
Penryn too.

Unfortunately, that physical CPU does not support EPT (nested paging),
and KVM currently fails to emulate SMM on Intel CPUs without nested
paging (EPT). And, the OVMF image we ship in RHEL7 requires SMM.

Please refer to the following RHBZ comment:

  https://bugzilla.redhat.com/show_bug.cgi?id=1531373#c2

and that RHBZ is a duplicate of the host kernel issue

  https://bugzilla.redhat.com/show_bug.cgi?id=1348092

Your domain XML looks good to me, otherwise (i.e., apart from
Penryn).Thus, I suggest retrying

(a) on an Intel host that has "ept" in "/proc/cpuinfo", or

(b) on an AMD host.

(IIRC, KVM doesn't need nested paging for SMM emulation on AMD, although
nested paging certainly helps with performance on AMD too -- look for
"npt" in "/proc/cpuinfo" on AMD).

Don't forget to refresh the VCPU model in the domain XML too.

Thanks,
Laszlo