Secure Boot VM issues (libvirt / SMM) | Secure boot requires SMM feature enabled

Imran Hussain ih at imranh.co.uk
Wed Jan 19 14:21:14 UTC 2022 

Hi,

Deployed Wallaby on Ubuntu 20.04 nodes. Having issues with libvirt XML 
being incorrect, I need the smm bit (<smm state='on'/>) and it isn't 
being added to the XML. Anyone seen this before? Or any ideas? More info 
below...

Error message:
: libvirt.libvirtError: unsupported configuration: Secure boot requires 
SMM feature enabled

Versions:
libvirt version: 6.0.0, package: 0ubuntu8.15
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.18)
Nova 23.1.1 (deployed via kolla, so 
kolla/ubuntu-source-nova-compute:wallaby is the image)
ovmf 0~20191122.bd85bf54-2ubuntu3.3

Context:
https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html

Image metadata:

hw_firmware_type: uefi
hw_machine_type: q35
os_secure_boot: required
os_hidden: false

hw_disk_bus: scsi
hw_qemu_guest_agent: yes
hw_scsi_model: virtio-scsi
hw_video_model: virtio
os_require_quiesce: yes
os_secure_boot: required
os_hidden: false

XML snippets taken from nova-compute.log:
   <sysinfo type="smbios">
     <system>
       <entry name="manufacturer">OpenStack Foundation</entry>
       <entry name="product">OpenStack Nova</entry>
       <entry name="version">23.1.1</entry>
       <entry name="serial">2798e3fe-ffae-4c26-955b-ef150b849561</entry>
       <entry name="uuid">2798e3fe-ffae-4c26-955b-ef150b849561</entry>
       <entry name="family">Virtual Machine</entry>
     </system>
   </sysinfo>
   <os>
     <type machine="q35">hvm</type>
     <loader type="pflash" readonly="yes" 
secure="yes">/usr/share/OVMF/OVMF_CODE.ms.fd</loader>
     <nvram template="/usr/share/OVMF/OVMF_VARS.ms.fd"/>
     <boot dev="cdrom"/>
     <smbios mode="sysinfo"/>
   </os>
   <features>
     <acpi/>
     <apic/>
   </features>

Other info:
# cat /usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json
{
     "description": "UEFI firmware for x86_64, with Secure Boot and SMM, 
SB enabled, MS certs enrolled",
     "interface-types": [
         "uefi"
     ],
     "mapping": {
         "device": "flash",
         "executable": {
             "filename": "/usr/share/OVMF/OVMF_CODE.ms.fd",
             "format": "raw"
         },
         "nvram-template": {
             "filename": "/usr/share/OVMF/OVMF_VARS.ms.fd",
             "format": "raw"
         }
     },
     "targets": [
         {
             "architecture": "x86_64",
             "machines": [
                 "pc-q35-*"
             ]
         }
     ],
     "features": [
         "acpi-s3",
         "amd-sev",
         "enrolled-keys",
         "requires-smm",
         "secure-boot",
         "verbose-dynamic"
     ],
     "tags": [

     ]
}

More information about the openstack-discuss mailing list