XCP-ng

    Guest UEFI Secure Boot on XCP-ng

    Development
    • JurgenDM

      I confirm that installing this patch alone is not enough; I also tried rebooting both the OS and XCP-ng.
      Even after the update the patch fails to install with error code 0x800f0922.
      I've not tried enabling Secure Boot since it will probably cause issues with the installed guest drivers.

    • onyxfire @stormi

        @stormi Do we have any timing or plans on getting the XCP guest drivers signed properly? This would be essential to ever being able to break fully away from Citrix tools. Is there another thread tracking that progress and technical roadblocks?

        • olivierlambert Vates 🪐 Co-Founder 🦸 CEO 🧑‍💼

          We are making progress on getting our EV certificates.

          • XCP-ng-JustGreat @olivierlambert (last edited by XCP-ng-JustGreat)

            @olivierlambert @stormi Here's a good link for persistent disablement of driver signature checking on Windows using bcdedit https://blog.pcrisk.com/windows/12194-how-to-disable-driver-signature-enforcement that may help those above wanting to use the XCP-ng drivers. If for some reason that doesn't work, they can, of course, use the signed Citrix drivers as a stopgap measure.

            • beshleman XCP-ng Team 🚀 @XCP-ng-JustGreat (last edited by beshleman)

              @xcp-ng-justgreat The issue I ran into was that bcdedit can't modify testsigning when secure boot is enabled, and setting testsigning before enabling secure boot resulted in an issue I can't quite recall, but I think it was a broken boot.

              • noship @beshleman

                @beshleman Has Vates fixed the Secure Boot issue yet?

                • stormi Vates 🪐 XCP-ng Team 🚀 @noship

                  @noship Which issue are you talking about exactly?

                  • rjt @stormi

                    @stormi Installation of MS KB4535680 is failing for us as well as many others. To be clear, we have not downloaded the latest patches mentioned in XOA. Will simply installing the latest ca-certificates (dated Sept 14, 2021) and updated grub-efi (dated June 29, 2021) along with the other updates such as xcp-ng-release-config 8.2.0-8 fix this or do we have to manually make changes mentioned above as well?

                    I expect having Windows reboot into UEFI and configuring the UEFI to attempt secure boot will be necessary no matter what. Meeting with a software vendor later today and they may ask why MS KB4535680 is not installed.

                    • stormi Vates 🪐 XCP-ng Team 🚀 @rjt

                      @rjt You still need varstored-tools and uefistored from the testing repository.

                      • rjt @stormi

                        Guest UEFI Secure Boot looks like a great guide. Everyone needs to read the "Boothole and fallouts" section.

                        • stormi Vates 🪐 XCP-ng Team 🚀

                          I don't think you can imagine the amount of time @beshleman and myself spent on it ^^'

                          • stormi Vates 🪐 XCP-ng Team 🚀

                            The release of this feature to everyone will come soon, so it's time for the last testing sprint on UEFI and Secure Boot.

                            See https://xcp-ng.org/forum/topic/5492/xcp-ng-8-2-1-maintenance-update-ready-for-testing for how to update to the latest. If you had installed test packages from this thread, you can update to the testing 8.2.1 packages without changing anything in the procedure.

                            @ASUSEagle and @JurgenDM, and everyone else: if you still have a way to reproduce the issue where even with updated packages the installation of update KB4535680 would fail unless you'd enable Secure Boot on the VM (which should not be necessary), I'm interested in trying to find a way to reproduce and analyze that with you.

                            • Andrew Top contributor 💪 @stormi

                              @stormi SB not working for me with 8.2.1 and Windows 2016. I have not tested SB before on this VM.

                              FAILED_TO_START_EMULATOR(OpaqueRef:f93634e8-f7af-4213-b940-131471a773f5, varstored, Daemon exited unexpectedly)
                              

                              I also tried booting Ubuntu 20.04 with SB and it failed too. I would swear that it worked before with the SB option on (maybe it did nothing).

                              FAILED_TO_START_EMULATOR(OpaqueRef:64891f0c-1d38-4d64-9b82-435759c9d552, varstored, Daemon exited unexpectedly)
                              
                              • stormi Vates 🪐 XCP-ng Team 🚀 @Andrew

                                @andrew Can you get the output of /var/log/daemon.log around the time of the failure?

                                Does your pool have certificates installed as described in https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot ?

                                • Andrew Top contributor 💪 @stormi

                                  @stormi Nope... my mistake. Now Ubuntu 20.04 and Windows 2016 boot with UEFI Secure Boot enabled.

                                  # secureboot-certs install
                                  
                                  No arguments provided to command install, default arguments will be used:
                                  - PK: default
                                  - KEK: default
                                  - db: default
                                  - dbx: latest
                                  
                                  Downloading https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt...
                                  Downloading https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt...
                                  Downloading https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt...
                                  Downloading https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin...
                                  Successfully installed certificates to the XAPI DB for pool.
                                  
                                  
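The failure and fix in the last few posts (varstored exiting with FAILED_TO_START_EMULATOR because the pool had no certificates, resolved by `secureboot-certs install`) can be turned into a pre-flight check. This is an added example, not code from the thread or from Vates; it assumes the pool field `uefi-certificates` is empty until `secureboot-certs install` has been run, and uses the `xe` parameters named in the comments.

```shell
#!/bin/sh
# Added example: pre-flight check before enabling UEFI Secure Boot on an
# XCP-ng 8.2.1 VM. Encodes the failure seen above: platform:secureboot=true
# on a UEFI VM while the pool has no certificates makes varstored exit, and
# XAPI reports FAILED_TO_START_EMULATOR(..., varstored, ...).
# Assumption: pool field `uefi-certificates` is empty until
# `secureboot-certs install` has populated it.

# Verdict for one VM. Args: firmware (bios|uefi), platform:secureboot
# (true|false), pool uefi-certificates value (may be empty).
# Prints one token: bios | disabled | missing-certs | ready
sb_preflight() {
    firmware="$1"; secureboot="$2"; certs="$3"
    if [ "$firmware" != "uefi" ]; then
        echo "bios"
    elif [ "$secureboot" != "true" ]; then
        echo "disabled"
    elif [ -z "$certs" ]; then
        echo "missing-certs"
    else
        echo "ready"
    fi
}

# Pull the emulator name out of a FAILED_TO_START_EMULATOR error string,
# so a log line can be matched to "varstored" rather than another daemon.
failed_emulator() {
    printf '%s\n' "$1" | sed -n 's/^FAILED_TO_START_EMULATOR([^,]*, *\([^,]*\),.*$/\1/p'
}

# On a pool master (xe available) inspect the VM UUID given as $1; elsewhere
# fall back to a constructed sample reproducing the thread's failing setup.
if command -v xe >/dev/null 2>&1 && [ -n "$1" ]; then
    pool=$(xe pool-list --minimal)
    certs=$(xe pool-param-get uuid="$pool" param-name=uefi-certificates)
    fw=$(xe vm-param-get uuid="$1" param-name=HVM-boot-params param-key=firmware)
    sb=$(xe vm-param-get uuid="$1" param-name=platform param-key=secureboot)
else
    certs=""; fw="uefi"; sb="true"   # constructed sample, not a real pool
fi

case $(sb_preflight "$fw" "$sb" "$certs") in
    bios)          echo "BIOS VM: Secure Boot does not apply" ;;
    disabled)      echo "Secure Boot off: pool certificates not required" ;;
    missing-certs) echo "Secure Boot on but pool has no certificates: run secureboot-certs install first" ;;
    ready)         echo "Secure Boot on and pool certificates present" ;;
esac
```

Run it on the pool master as `sh sb-preflight.sh <vm-uuid>`; without an argument it only evaluates the constructed sample.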