RE: Enabling UEFI secure Boot on ACS 4.17.2 KVM+Ubuntu

2023-03-21 Thread Gary Dixon
Hi Joan

You have to update the host entries in the database manually unfortunately as 
4.17.2 with KVM hosts doesn't pick up the uefi config - it’s a known issue 
apparently.

Also even if you manage to get this working - you won't be able to live migrate 
uefi enabled VMs - ACS will state it's not supported in the logs.

We're waiting to update ACS to the latest version and update the KVM hosts to 
Ubuntu 22.04 as apparently uefi has much better support.

Also bear in mind that you will need MS signed virtio drivers for Secure Boot 
enabled Windows VMs as the virtio drivers will be blocked if they are not 
signed by Microsoft.

BR

Gary



-Original Message-
From: Joan g 
Sent: Tuesday, March 21, 2023 1:11 PM
To: users@cloudstack.apache.org
Subject: Enabling UEFI secure Boot on ACS 4.17.2 KVM+Ubuntu

 Hello,

I am trying to deploy a Windows machine with Secure boot. But it's getting 
failed with message " Cannot deploy to specified host as host does n't support 
uefi vm deployment, returning."

OVMF is already installed in KVM node and uefi.properties are updated with 
below details:

===
guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS.fd
guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS.fd
guest.loader.secure=/usr/share/OVMF/OVMF_CODE.secboot.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
===


After restarting the cloudstack-agent in host, the Database table is still not 
getting updated

-
mysql> select * from host_details where name like '%uefi%';
Empty set (0.00 sec)
-

Can someone advise what I am missing here?

Regards
Jg


Re: Enabling UEFI secure Boot on ACS 4.17.2 KVM+Ubuntu

2023-03-21 Thread Kiran Chavala
Hi



Could you please add the following configuration in  /etc/libvirt/qemu.conf

nvram = ["/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd"]


restart the cloudstack agent and libvirtd services


I have not tried on Ubuntu. The uefi feature works fine with KVM+Centos/ 8


In the database could you please check the following query

select * from host_details where name="host.uefi.enable";

You can also refer to the following issues

https://github.com/apache/cloudstack/pull/3638

https://github.com/apache/cloudstack/issues/4238


Regards
Kiran
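
A consistency check for the two files discussed in this thread, added here as an example (it is not code from CloudStack or from the posters): it parses uefi.properties and the nvram setting in qemu.conf, then reports missing keys, a secure loader/template pair that qemu.conf does not list, and a secure template that is the same file as the legacy one. The function names and finding texts are made up for illustration, the sample input is constructed from the values posted above, and whether that OVMF_VARS.fd has keys enrolled is not known from the thread.

```python
import ast
import re

# The five keys posted in the thread's uefi.properties.
EXPECTED_KEYS = ("guest.nvram.template.secure", "guest.nvram.template.legacy",
                 "guest.loader.secure", "guest.loader.legacy", "guest.nvram.path")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_qemu_nvram(text):
    """Return {loader: vars_template} from an uncommented nvram = [...] setting."""
    m = re.search(r"^[ \t]*nvram\s*=\s*(\[.*?\])", text, re.M | re.S)
    if not m:
        return {}
    return dict(pair.split(":", 1) for pair in ast.literal_eval(m.group(1)))

def check(props_text, qemu_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props = parse_properties(props_text)
    findings = [f"missing key: {k}" for k in EXPECTED_KEYS if k not in props]
    loader = props.get("guest.loader.secure")
    secure = props.get("guest.nvram.template.secure")
    if loader and parse_qemu_nvram(qemu_text).get(loader) != secure:
        findings.append("qemu.conf nvram does not list the secure loader/template pair")
    # A variable store without enrolled keys leaves the firmware in setup mode,
    # where Secure Boot is not enforced, so a shared template deserves a look.
    if secure and secure == props.get("guest.nvram.template.legacy"):
        findings.append("secure and legacy NVRAM templates are the same file")
    return findings

# Constructed sample input: the values posted in the thread.
SAMPLE_PROPS = """\
guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS.fd
guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS.fd
guest.loader.secure=/usr/share/OVMF/OVMF_CODE.secboot.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
"""
SAMPLE_QEMU = 'nvram = ["/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd"]\n'

if __name__ == "__main__":
    for finding in check(SAMPLE_PROPS, SAMPLE_QEMU) or ["nothing flagged"]:
        print(finding)
```
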


