Bug 35918 - Prepare UCS installer for UEFI Secure Boot
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UCS Installer
UCS 4.0
Other Linux
: P5 enhancement (vote)
: UCS 4.0
Assigned To: Sönke Schwardt-Krummrich
Janek Walkenhorst
: interim-3
Depends on:
Blocks:
Reported: 2014-09-12 09:46 CEST by Stefan Gohmann
Modified: 2014-11-26 06:55 CET (History)
2 users

Description Stefan Gohmann univentionstaff 2014-09-12 09:46:38 CEST
Once we have built the new shim we should check if we need to adjust the installer or the installation DVD.
Comment 1 Philipp Hahn univentionstaff 2014-11-04 11:24:08 CET
The current UCS-4.0-0 DVD no longer boots with QEMU using OVMF.fd

Last working DVD: ucs_4.0-0-20141030-161355-dvd-amd64.log
First broken DVD: ucs_4.0-0-20141030-170619-dvd-amd64.log

Difference is only in the later one using debian-cd_3.1.13.7.201410301638, which adds the following extra messages:

> Ign http://192.168.0.10 ucs_4.0-0/all/ Release.gpg
> Ign http://192.168.0.10 ucs_4.0-0/amd64/ Release.gpg
> Ign http://192.168.0.10 ucs_4.0-0/all/ Release
> Ign http://192.168.0.10 ucs_4.0-0/amd64/ Release
> Ign http://192.168.0.10 ucs_4.0-0/all/ Packages/DiffIndex
> Ign http://192.168.0.10 ucs_4.0-0/amd64/ Packages/DiffIndex
> Hit http://192.168.0.10 ucs_4.0-0/all/ Packages
> Ign http://192.168.0.10 ucs_4.0-0/all/ Translation-en
> Hit http://192.168.0.10 ucs_4.0-0/amd64/ Packages
> Ign http://192.168.0.10 ucs_4.0-0/amd64/ Translation-en
> Reading package lists...
> WARNING: The following packages cannot be authenticated!
>   shim-signed
> Authentication warning overridden.
> Get:1 Downloading shim-signed 1.1-1-0.7-5.12.201410301649 [440 kB]
> Fetched 440 kB in 0s (18.1 MB/s)
> WARNING: The following packages cannot be authenticated!
>   grub-efi-amd64-signed
> Authentication warning overridden.
> Get:1 Downloading grub-efi-amd64-signed 1.1-1-2.00-18.11.201410291851 [702 kB]
> Fetched 702 kB in 0s (16.0 MB/s)
> Disk full

The VM no longer boots and either stops with some UEFI paths being shown, or:
>  "no device connected"
Comment 2 Philipp Hahn univentionstaff 2014-11-05 09:52:24 CET
ucs_4.0-0-20141104-194152-dvd-amd64.iso still fails:
> Booting in insecure mode
> error: variable `prefix´ isn´t set.
> error: no device connected.
> error: no device connected.

The following minimal command works and starts GRUB:
qemu-system-x86_64 \
-machine pc,accel=kvm \
-sdl \
-m 1G \
-hda /var/lib/libvirt/images/installer_uefi2_sda.qcow2 \
-cdrom /var/univention/buildsystem2/isotests/ucs_4.0-0-latest-amd64.iso \
-pflash /usr/share/ovmf/OVMF.fd \
-snapshot

The libvirt generated command does NOT work (# added by me to make it work on the command-line):
$ echo 'allow br0' > /usr/local/etc/qemu/bridge.conf
$ /usr/local/bin/qemu-system-x86_64 \
-enable-kvm \
# -S \
-M pc-i440fx-2.0 \
-enable-kvm \
-m 4096 \
-smp 2,sockets=2,cores=1,threads=1 \
-name installer_uefi2 \
-uuid 39c95210-248f-706c-d33d-69b08fc3263d \
-nodefconfig \
-nodefaults \
-chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/installer_uefi2.monitor,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-drive file=/var/lib/libvirt/images/installer_uefi2_sda.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=unsafe \
-device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 \
-drive file=/var/univention/buildsystem2/isotests/ucs_4.0-0-latest-amd64.iso,if=none,id=drive-ide0-0-1,readonly=on,format=raw \
-device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 \
# -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=23 \
-netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hostnet0,vhost=on \
#BREAKS# -device usb-tablet,id=input0 \
-sdl # -vnc 0.0.0.0:1 \
-k de \
-vga cirrus \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 \
-pflash /var/lib/libvirt/images/uefi_OVMF.fd \
-snapshot

If I remove the USB-Tablet it works!
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2014-11-10 14:18:57 CET
Signed shim and signed grub are now used during UEFI boot.
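Comment 3 states that the installer now boots through a signed shim and a signed GRUB. The firmware's Secure Boot check is an Authenticode verification of each PE/COFF EFI binary, so a quick sanity check an integrator can run on the extracted DVD contents is whether `EFI/BOOT/BOOTX64.EFI` (shim) and `grubx64.efi` actually carry a certificate table. The script below is an added example, not part of this bug report or of the UCS build tooling: it parses the PE headers, locates data directory entry 4 (the security directory) and reports whether a WIN_CERTIFICATE structure of type `WIN_CERT_TYPE_PKCS_SIGNED_DATA` is present. It only checks presence and structure; it does not verify the signature against a CA (use `sbverify --cert` from sbsigntool for that). The `build_sample_pe` helper constructs minimal PE32+ images in memory so the checker can be exercised without a real shim; its payload is a placeholder blob standing in for the PKCS#7 data, not a real signature.

```python
import struct
import sys

# IMAGE_FILE_MACHINE values relevant for UEFI boot media.
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "AArch64"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe_authenticode(data: bytes) -> dict:
    """Locate the Authenticode certificate table of a PE/COFF image.

    Returns a dict with 'machine', 'signed' and either a 'reason' (unsigned /
    malformed) or the WIN_CERTIFICATE header fields. Presence of the table is
    necessary for Secure Boot, but the firmware still has to validate the
    signature against its db/dbx; this function does not do that.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    info = {"machine": MACHINES.get(machine, hex(machine)), "signed": False}
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32
        n_dirs_off, dd_off = 92, 96
    elif magic == 0x20B:        # PE32+ (what shim/grub on amd64 use)
        n_dirs_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        info["reason"] = "no security data directory"
        return info
    # For the security directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, opt + dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    if cert_off == 0 or cert_size == 0:
        info["reason"] = "empty certificate table (unsigned binary)"
        return info
    if cert_off + cert_size > len(data) or cert_size < 8:
        info["reason"] = "certificate table out of bounds"
        return info
    length, revision, ctype = struct.unpack_from("<IHH", data, cert_off)
    if length > cert_size or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        info["reason"] = "malformed or non-PKCS#7 certificate entry"
        return info
    info.update(signed=True, cert_length=length, revision=revision, cert_type=ctype)
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for testing; NOT a real shim or GRUB."""
    opt_size = 112 + 16 * 8                 # PE32+ fixed part + 16 data directories
    pe_off = 0x40
    opt_off = pe_off + 4 + 20
    cert_off = opt_off + opt_size           # certificate table right after the headers
    payload = b"\x30\x82\x01\x00" + b"\x00" * 12   # placeholder for a PKCS#7 blob
    cert_table = struct.pack("<IHH", 8 + len(payload), 0x0200,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         cert_off, len(cert_table))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + cert_table if signed else image


if __name__ == "__main__":
    # Usage: python3 check_efi_signed.py /mnt/dvd/EFI/BOOT/BOOTX64.EFI /mnt/dvd/EFI/BOOT/grubx64.efi
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, parse_pe_authenticode(fh.read()))
```

Run it against the EFI binaries of a mounted installer ISO; any binary that reports `signed: False` would be rejected by firmware with Secure Boot enabled, which is the class of problem this bug tracked. A `signed: True` result means only that the firmware will get as far as checking the signature.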
Comment 4 Janek Walkenhorst univentionstaff 2014-11-11 12:29:03 CET
UEFI SecureBoot only installation works.

Please add a Changelog entry.
Comment 5 Stefan Gohmann univentionstaff 2014-11-11 12:31:33 CET
(In reply to Janek Walkenhorst from comment #4)
> UEFI SecureBoot only installation works.
> 
> Please add a Changelog entry.

r55642
Comment 6 Stefan Gohmann univentionstaff 2014-11-26 06:55:25 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".