KVM 4M UEFI Firmware

[Migsi]

Hi everyone,

I recently encountered this issue, just after Microsoft published their update to the allowed/signed/whatever UEFI bootloader list: Every time the Windows 10 VM tries to install the update, it rolls it back after the reboot. I'm not sure what and how exactly it does on rollback, as the OS shouldn't be able to change firmware at that stage, but yeah, maybe this is just a way to hint the user about that something went wrong in the background. Anyway, recently I've also read about KVM guys defaulting to the 4M firmware image, to prevent UEFI update failures, as these cert lists become too long to store within the "old" 2M images. I can't tell anymore where exactly I've read about this switch in defaults, but a quick search revealed others describing just this issue, see e.g. https://github.com/tianocore/edk2/discussions/3221. So my question now is, how do I change the used UEFI image, if there even exists a 4M one already on a default TrueNAS Scale (Bluefin) install. The GUI obviously just leaves the choice between UEFI and BIOS, not giving any information about which UEFI image is going to be used...

Thank you all in advance and best regards!

 

[leeroy]

I'm running into the same scenario and not entirely sure how to take advantage of this update? https://ixsystems.atlassian.net/browse/NAS-119485

 

[dbarjim]

I am running into the same basic problem when I install MS Server 20222 and do all the updates then I get to an cumulative update and it installs for a few minutes and fails, this is when I create the VM with the UEFI, but if I create the VM with legacy bios it will accept all the updates. I would really like to have the UEFI for my vms. To me it seems like this is a Microsoft problem and recently I heard the same thing when people are creating VMs on Esxi 8 and it failes to complete the MS updates.
So the only workaround I know of it to create the VMs with legacy bios? Have others seen this same problem and if you are able to get past it or create VMs with UEFI, I would love to hear how you got past this problem. thanks Jim

 

[Wurstwasser]

Hi,
i had this problem since Truenas Scale 22.12.04.0 came out. I just upgraded to 22.12.1 and i think the GUI option for the OVMF_CODE_4M.fd is just missing. I was able to use the right UEFI bootloader by manually editing the vm_vm table entry in /data/freenas-v1.db and setting column 'bootloader_ovmf' to 'OVMF_CODE_4M.fd' for my Windows 11 VM.

 

[leeroy]

@Wurstwasser Something like the following?

Code:

sqlite> UPDATE vm_vm SET bootloader_ovmf = 'OVMF_CODE_4M.fd' WHERE name = 'MyVMName';

Is there any other table that is needed?

 

[leeroy]

@Wurstwasser I did just the above that works! I see our vm's already successfully installing updates again. I'm probably going to file a bug/feature request to get a UI selection added for this feature.

 

[leeroy]

Feature request here: https://ixsystems.atlassian.net/browse/NAS-120539

 

[Wurstwasser]

@Wurstwasser Something like the following?

Code:

sqlite> UPDATE vm_vm SET bootloader_ovmf = 'OVMF_CODE_4M.fd' WHERE name = 'MyVMName';

Is there any other table that is needed?

Yes, this is correct. I copied the whole db file to my PC first and searched it with DB Browser for SQLite and only altered this column for my VM.
I am not sure what happens to that entry if i try to edit the VM options in the GUI later though. There is a chance it could be overwritten again.

 

[Wurstwasser]

I also use a bit of hackery to get my self-compiled swtpm debian package to work with qemu, so i don't exactly have a clean Truenas Scale installation.

 

[KrisBee]

IIRC, libvirtd/KVM has been capable of UEFI secure boot since at least 2020 in various linux distros. AFAIK TrueNAS scale has never made use of the various OVMF options as described in the OVMF package. This is from a 22.02.4 install:

Code:

chris@scalevm1:~$ dpkg -L ovmf
/.
/usr
/usr/share
/usr/share/OVMF
/usr/share/OVMF/OVMF_CODE.fd
/usr/share/OVMF/OVMF_CODE.secboot.fd
/usr/share/OVMF/OVMF_CODE_4M.fd
/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
/usr/share/OVMF/OVMF_VARS.fd
/usr/share/OVMF/OVMF_VARS.ms.fd
/usr/share/OVMF/OVMF_VARS_4M.fd
/usr/share/OVMF/OVMF_VARS_4M.ms.fd
/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
/usr/share/doc
/usr/share/doc/ovmf
/usr/share/doc/ovmf/README.Debian
/usr/share/doc/ovmf/changelog.Debian.gz
/usr/share/doc/ovmf/copyright
/usr/share/ovmf
/usr/share/ovmf/OVMF.fd
/usr/share/ovmf/PkKek-1-snakeoil.key
/usr/share/ovmf/PkKek-1-snakeoil.pem
/usr/share/qemu
/usr/share/qemu/firmware
/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json
/usr/share/qemu/firmware/50-edk2-x86_64-secure.json
/usr/share/qemu/firmware/60-edk2-x86_64.json
/usr/share/OVMF/OVMF_CODE.ms.fd
/usr/share/OVMF/OVMF_CODE_4M.ms.fd
/usr/share/qemu/OVMF.fd
chris@scalevm1:~$

See https://wiki.debian.org/SecureBoot/VirtualMachine

libvirtd/KVM capabilities are underutilised in TrueNAS SCALE

 

[KrisBee]

Just to add in 22.02.04 VMs are still created using the old machine type pc-i440fx-5.2 which is not capable ofUEFI secure boot. The later machine type q35 supports /usr/share/OVMF/OVMF_CODE_4M.ms.fd. What machine type is used for VMs in Bluefin?

 

[leeroy]

Yes, this is correct. I copied the whole db file to my PC first and searched it with DB Browser for SQLite and only altered this column for my VM.
I am not sure what happens to that entry if i try to edit the VM options in the GUI later though. There is a chance it could be overwritten again.

Thanks @Wurstwasser.

The jira was also updated with an alternative(maybe preferred) method as well.

Code:

service vm update id=1 bootloader_ovmf="OVMF_CODE.fd"

Thanks @KrisBee, I'll take a look at that debian wiki. I am a little nervous about making changes to TrueNAS to suite my needs to have an update come along and destroy my running VMs. I do hope secureboot and TPM emulation is supported natively/options in the UI soon.