Guest UEFI Secure Boot on XCP-ng
-
I confirm that installing this patch alone is not enough, also tried rebooting both the OS and XCP-NG.
Even after the the update the patch failes to install with error code 0x800f0922.
I've not tried enabling Secure Boot since it will probably cause issues with the installed guest drivers. -
@stormi Do we have any timing or plans on getting the XCP guest drivers signed properly? This would be essential to ever being able to break fully away from citrix tools. Is there another thread tracking that progress and technical roadblocks?
-
We are making progress on getting our EV certificates.
-
@olivierlambert @stormi Here's a good link for persistent disablement of driver signature checking on Windows using bcdedit https://blog.pcrisk.com/windows/12194-how-to-disable-driver-signature-enforcement that may help those above wanting to use the XCP-ng drivers. If for some reason that doesn't work, they can, of course, use the signed Citrix drivers as a stopgap measure.
-
@xcp-ng-justgreat The issue I ran into was that bcdedit can't modify testsigning when secure boot is enabled, and setting testsigning before enabling secure boot resulted in an issue I can't quite recall, but I think it was a broken boot.
-
@beshleman Have Vates fixed the problem with Secure Boot issue Yet
-
@noship Which issue are you talking about exactly?
-
@stormi Installation of MS KB4535680 is failing for us as well as many others. To be clear, we have not downloaded the latest patches mentioned in XOA. Will simply installing the latest ca-certificates (dated Sept 14, 2021) and updated grub-efi (dated June 29, 2021) along with the other updates such as xcp-ng-release-config 8.2.0-8 fix this or do we have to manually make changes mentioned above as well?
I expect having Windows reboot into UEFI and configuring the UEFI to attempt secure boot will be necessary no matter what. Meeting with a software vendor later today and they may ask why MS KB4535680 is not installed.
-
@rjt You still need varstored-tools and uefistored from the testing repository.
-
Guest UEFI Secure Boot looks like a great guide. Everyone needs to read the "Boothole and fallouts" section.
-
I don't think you can imagine the amout of time @beshleman and myself spent on it ^^'
-
The release of this feature to everyone will come soon, so it's time for the last testing sprint on UEFI and Secure Boot.
See https://xcp-ng.org/forum/topic/5492/xcp-ng-8-2-1-maintenance-update-ready-for-testing for how to update to the latest. If you had installed test packages from this thread, you can update to the testing 8.2.1 packages without changing anything to the procedure.
@ASUSEagle and @JurgenDM, and everyone else: if you still have a way to reproduce the issue where even with updated packages the installation of update KB4535680 would fail unless you'd enable Secure Boot on the VM (which should not be necessary), I'm interested in trying to find a way to reproduce and analyze that with you.
-
@stormi SB not working for me with 8.2.1 and Windows 2016. I have not tested SB before on this VM.
FAILED_TO_START_EMULATOR(OpaqueRef:f93634e8-f7af-4213-b940-131471a773f5, varstored, Daemon exited unexpectedly)I also tried booting Ubuntu 20.04 with SB and it failed too. I would swear that it worked before with the SB option on (may be it did nothing).
FAILED_TO_START_EMULATOR(OpaqueRef:64891f0c-1d38-4d64-9b82-435759c9d552, varstored, Daemon exited unexpectedly) -
@andrew Can you get the output of /var/log/daemon.log around the time of the failure?
Does your pool have certificates installed as described in https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot ?
-
@stormi Nope.... my mistake. Now ubuntu 20.04 and Windows 2016 boot with UEFI Secure Boot enabled.
# secureboot-certs install No arguments provided to command install, default arguments will be used: - PK: default - KEK: default - db: default - dbx: latest Downloading https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt... Downloading https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt... Downloading https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt... Downloading https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin... Successfully installed certificates to the XAPI DB for pool.
