Package: gnome-boxes
Version: 45.0-1
Severity: normal

Dear Maintainer,

If I attempt to create a GNOME OS guest I end up on the edkII console. If in the console I try to boot the EFI (in FS0: be it bootx64.efi in \EFI\BOOT or systemd-bootx64.efi in EFI\systemd) I get a "Command Error Status: Access Denied" error.

I got the clue it might be secure boot related by https://forum.proxmox.com/threads/vm-always-going-into-uefi-interactive-shell.119215/

I also learned that the install was fine with the flatpak, so I compared the VM configurations for GNOME OS:

Debian gnome-boxes 45:

<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-8.0">hvm</type>
  <firmware>
    <feature enabled="yes" name="enrolled-keys"/>
    <feature enabled="yes" name="secure-boot"/>
  </firmware>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
  <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/home/prahal/.config/libvirt/qemu/nvram/gnomenightly_VARS.fd</nvram>
  <boot dev="cdrom"/>
  <boot dev="hd"/>
  <bootmenu enable="yes"/>
</os>
<features>
  <acpi/>
  <apic/>
  <smm state="on"/>
</features>

Flatpak gnome-boxes 44:

<os firmware="efi">
  <type arch="x86_64" machine="pc-q35-7.2">hvm</type>
  <boot dev="cdrom"/>
  <boot dev="hd"/>
  <bootmenu enable="yes"/>
</os>
<features>
  <acpi/>
  <apic/>
</features>

Grepping where this secure-boot feature comes from, I ended up on:

/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json

Scrambling the target (for example, replacing in "machines", "pc-q35-*" by "pc-q35xxx-*") in this file to avoid its settings being added to (all?) the guest VM I now can install "GNOME OS Nightly x86_64" (i.e. edk2 boots into the installer and the installer proceeds).

This might well be an ovmf bug. Still, as I don't know if gnome-boxes or qemu have flags to avoid ovmf bringing in this secure-boot for all guest setups, I start up the stack.

Cheers,
Alban

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'testing'), (500, 'stable'), (90, 'unstable-debug'), (90, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0+ (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-boxes depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-4
ii  genisoimage                                  9:1.1.11-3.4
ii  libarchive13                                 3.6.2-1
ii  libc6                                        2.37-8
ii  libcairo2                                    1.17.8-3
ii  libgdk-pixbuf-2.0-0                          2.42.10+dfsg-1+b1
ii  libglib2.0-0                                 2.78.0-1
ii  libgtk-3-0                                   3.24.38-5
ii  libgudev-1.0-0                               238-2
ii  libhandy-1-0                                 1.8.2-2
ii  libosinfo-1.0-0                              1.10.0-2
ii  libosinfo-bin                                1.10.0-2
ii  libsoup-3.0-0                                3.4.3-1
ii  libspice-client-glib-2.0-8                   0.42-2
ii  libspice-client-gtk-3.0-5                    0.42-2
ii  libusb-1.0-0                                 2:1.0.26-1
ii  libvirt-clients                              9.7.0-1
ii  libvirt-daemon                               9.7.0-1
ii  libvirt-glib-1.0-0                           4.0.0-3
ii  libwebkit2gtk-4.1-0                          2.40.5-1
ii  libxml2                                      2.9.14+dfsg-1.3
ii  tracker                                      3.6.0-1
ii  user-session-migration                       0.4.1

Versions of packages gnome-boxes recommends:
ii  qemu-system-x86  1:8.0.4+dfsg-3+b1

Versions of packages gnome-boxes suggests:
ii  gnome-connections  45~rc-1

-- no debconf information