FS#75025 - [edk2-ovmf] [qemu] [linux] (Secure Boot) OVMF with -D SMM_REQUIRED triggers kvm error

Attached to Project: Arch Linux
Opened by Tom Yan (tom.ty89) - Saturday, 11 June 2022, 01:46 GMT
Last edited by Toolybird (Toolybird) - Monday, 11 July 2022, 08:18 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Recently I have been trying to set up a SB-enabled VM and realize that it will simply stuck at "Guest has not initialized the display yet" if I used the SB-built of OVMF. If I use -M q35 (without adding ,smm=off to it) I get the following kvm error as well:

KVM internal error. Suberror: 1
extra data[0]: 0x0000000000000000
extra data[1]: 0x0000000000000030
extra data[2]: 0x0000000000000184
extra data[3]: 0x0000000000000000
extra data[4]: 0x0000000000000000
extra data[5]: 0x0000000000000000
emulation failure
RAX=0000000000000000 RBX=ffffffffffffffff RCX=0000000000000000 RDX=0000000000000000
RSI=00000000068ec798 RDI=0000000006f495f0 RBP=0000000006f31ea0 RSP=0000000006f31e18
R8 =0000000000000000 R9 =0000000003041001 R10=000000000000003a R11=0000000006f47e98
R12=0000000006f31e98 R13=0000000000000001 R14=000000008000f880 R15=000000008000f840
RIP=00000000000a0000 RFL=00010246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0030 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
CS =0038 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0030 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0030 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
FS =0030 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
GS =0030 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
LDT=0000 0000000000000000 0000ffff 00008200 DPL=0 LDT
TR =0000 0000000000000000 0000ffff 00008b00 DPL=0 TSS64-busy
GDT= 00000000069e2000 00000047
IDT= 00000000065b7018 00000fff
CR0=80010033 CR2=0000000000000000 CR3=0000000006c01000 CR4=00000668
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d00
Code=00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

I waited until the edk2 packages here are bumped to 202205 (and tested again) before filing this.

Then I took a look at the json and did some research. Apparently something called SMM is more or less needed by and hence enabled together with SB. Eventually I tried a build with `-D SMM_REQUIRED` removed from the PKGBUILD (at "smm_required" removed from the json, not sure if that even matters at all). Now I can boot through and see Secure Boot menu item in OVMF's UEFI settings (although apparently I need a VARS with the Microsoft ca/db/whatsoever to get it actually working).

I'm filing this here downstream as I have no idea if it's a bug / regression on any of the upstreams or if some build option/flag is missing in our qemu / kernel. Also perhaps we should at least build without `-D SMM_REQUIRED` for now?

I've filed a bug report on OVMF's upstream as well anyway: https://bugzilla.tianocore.org/show_bug.cgi?id=3947

Additional info:
* package version(s) edk2-ovmf 202205, linux 5.18.3, qemu 7.0.0
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
qemu-system-x86_64 -enable-kvm -M q35 --bios path/to/the/right/dot/fd
This task depends upon

Closed by  Toolybird (Toolybird)
Monday, 11 July 2022, 08:18 GMT
Reason for closing:  Not a bug
Comment by Tobias Powalowski (tpowa) - Monday, 13 June 2022, 13:12 GMT Comment by Tom Yan (tom.ty89) - Tuesday, 14 June 2022, 03:01 GMT
Hmm, apparently the issue only occurs if I use the `--bios` approach. As long as I use the pflash drive approach, it works. (Whether code and vars are in one single image and whether readonly=on is used on both of them do NOT matter. The two `-global`s do NOT help when I use `--bios` either.)
Comment by Tobias Powalowski (tpowa) - Tuesday, 14 June 2022, 08:29 GMT
It's tricky and you need the correct options. I would close this one, since this is not a packaging issue.
Comment by Toolybird (Toolybird) - Monday, 11 July 2022, 08:18 GMT
Yeah, this is all pretty well documented here [1], especially this bit in the SMM section:

"a pflash-backed variable store is a requirement"

I agree this is not a packaging issue.

[1] https://github.com/tianocore/edk2/blob/master/OvmfPkg/README

Loading...