Guest UEFI Secure Boot on XCP-ng
Feedback is welcome on the docs too: is it clear how to enable SB for VMs on XCP-ng?
Some test feedback:
Documentation was clear enough to get it right on the first try.
Tested on a WS 2019 virtual that has the KB4535680 issue, after enabling SB the updates installed without problems and a test clone of the virtual is now running isolated for a longer period test.
I'm having issues with a Windows Server 2019 VM. I am running XCP-ng 8.2 with Xen Orchestra. After enabling secure boot the VM boots to Windows Recovery and will not boot to Windows Server. The VM will boot fine with secure boot off. These are the steps I followed; is there something I am missing?
# yum update uefistored varstored-tools --enablerepo=xcp-ng-testing
# secureboot-certs install default default default latest
# varstore-sb-state d4960d10-e6dc-4bf7-daf4-5684c66cdb9e setup
I then enabled secure boot through Xen Orchestra and started the VM.
There appears to be some problem with driver signatures. The VM would not boot into safe mode but I was able to get it to boot by disabling driver signature enforcement. I've run sigverif.exe and it shows all drivers are signed, so I'm not sure what to do from here.
Also, I forgot to mention earlier, the VM is set for UEFI firmware and is running the XCP guest tools. This is an existing VM that was set up with secure boot off; I'm trying to turn it on so I can install KB4535680.
@asuseagle I realize that I forgot to mention it at the beginning of this thread: the guest drivers from XCP-ng are indeed signed in a way that does not please Windows when driver signature enforcement is on, which happens automatically when SB is enabled.
How did you disable driver signature enforcement? This would be a useful trick until we can provide new signed drivers (in progress).
This is an existing VM that was set up with secure boot off; I'm trying to turn it on so I can install KB4535680.
I don't think you need to enable SB in order to be able to install KB4535680. In any case, it should not fail anymore.
I disabled it through advanced boot options. It does not persist through a restart so it has to be set every time the VM boots. The VM also took significantly longer to restart. It sits at the firmware splash screen for 30 minutes to an hour, then boots the rest of the way in about a minute like normal. While sitting at the splash screen CPU0 utilization is hovering around 90% while CPU1-3 are at 0%, memory is showing max at the 16GB I've assigned, and disk throughput is at 2-3 MiB(r) after an initial spike of 28 MiB(r).
These are the steps I took to boot with driver signature enforcement disabled:
- Once secure boot has been enabled, I start the VM. The VM fails to start Windows and boots to Windows Recovery.
- On the Windows Recovery screen I select "Troubleshoot".
- Then I select "Startup Settings", this brings up the "Advanced Boot Options" screen.
- I then key down and select "Disable Driver Signature Enforcement".
Once I've selected "Disable Driver Signature Enforcement" the VM restarts and hangs at the firmware splash screen as I described above before finally booting to Windows.
I didn't think I would have needed secure boot to install KB4535680 either but for some reason it would fail to install until I turned secure boot on. Thanks for the info on the guest drivers, I'll have to keep an eye out for when the signed drivers are released.
I confirm that installing this patch alone is not enough, also tried rebooting both the OS and XCP-NG.
Even after the update the patch fails to install with error code 0x800f0922.
I've not tried enabling Secure Boot since it will probably cause issues with the installed guest drivers.
@stormi Do we have any timing or plans on getting the XCP guest drivers signed properly? This would be essential to ever being able to break fully away from citrix tools. Is there another thread tracking that progress and technical roadblocks?
We are making progress on getting our EV certificates.
@olivierlambert @stormi Here's a good link for persistent disablement of driver signature checking on Windows using bcdedit https://blog.pcrisk.com/windows/12194-how-to-disable-driver-signature-enforcement that may help those above wanting to use the XCP-ng drivers. If for some reason that doesn't work, they can, of course, use the signed Citrix drivers as a stopgap measure.
@xcp-ng-justgreat The issue I ran into was that bcdedit can't modify testsigning when secure boot is enabled, and setting testsigning before enabling secure boot resulted in an issue I can't quite recall, but I think it was a broken boot.
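The recovery-screen workaround described earlier in the thread and the bcdedit discussion just above both leave an admin wondering what state the VM actually ends up in. The following PowerShell is an added example, not code from the thread or from XCP-ng; run from an elevated prompt inside the guest, it reports whether Secure Boot is enforced and whether either of the two persistent bcdedit options that relax kernel-mode code-signing checks (testsigning, nointegritychecks) is set. The function name Get-SecureBootReport is my own; Confirm-SecureBootUEFI and bcdedit are standard Windows tools.

```powershell
# Added example (not from the thread): report Secure Boot state and the
# code-signing-related boot options of the current Windows VM.
# Assumes the SecureBoot module (Windows 8 / Server 2012 and later) and an
# elevated prompt, since bcdedit needs administrator rights.

function Get-SecureBootReport {
    $report = [ordered]@{}

    # Confirm-SecureBootUEFI throws on BIOS-firmware VMs, so record that as unknown.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $null   # not UEFI or platform unsupported
    }

    # Dump the active boot entry. The two options below weaken driver
    # signature enforcement when they read "Yes".
    $bcd = bcdedit /enum '{current}' 2>&1 | Out-String
    $report.TestSigning       = [bool]($bcd -match 'testsigning\s+Yes')
    $report.NoIntegrityChecks = [bool]($bcd -match 'nointegritychecks\s+Yes')

    # "Disable Driver Signature Enforcement" from Advanced Boot Options is a
    # per-boot override and is not stored in the BCD, which is why the thread
    # reports that it has to be selected on every boot.

    [pscustomobject]$report
}

$r = Get-SecureBootReport
$r | Format-List
if ($r.SecureBootEnabled -eq $true -and ($r.TestSigning -or $r.NoIntegrityChecks)) {
    Write-Warning "Secure Boot is on but a persistent code-signing relaxation is set in the BCD."
}
```

A VM that boots only via the recovery-screen option will show SecureBootEnabled True with both flags False, which tells you the installed drivers still need properly signed replacements rather than a boot-configuration fix.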
@beshleman Has Vates fixed the Secure Boot issue yet?
@noship Which issue are you talking about exactly?
@stormi Installation of MS KB4535680 is failing for us as well as many others. To be clear, we have not downloaded the latest patches mentioned in XOA. Will simply installing the latest ca-certificates (dated Sept 14, 2021) and updated grub-efi (dated June 29, 2021) along with the other updates such as xcp-ng-release-config 8.2.0-8 fix this or do we have to manually make changes mentioned above as well?
I expect having Windows reboot into UEFI and configuring the UEFI to attempt secure boot will be necessary no matter what. Meeting with a software vendor later today and they may ask why MS KB4535680 is not installed.
@rjt You still need varstored-tools and uefistored from the testing repository.
Guest UEFI Secure Boot looks like a great guide. Everyone needs to read the "Boothole and fallouts" section.
I don't think you can imagine the amount of time @beshleman and myself spent on it ^^'