Your message dated Sat, 1 Feb 2025 22:30:45 -0500
with message-id 
<CAD+GYvy7ggBBwMxTjZk87QCebhUB=dp8qic0oe5elgkxgfz...@mail.gmail.com>
and subject line Re: gnome-boxes: Disable Secure Boot to allow booting unsigned
has caused the Debian Bug report #1064269,
regarding gnome-boxes: Disable Secure Boot to allow booting unsigned
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1064269: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064269
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnome-boxes
Version: 45.0-1
Severity: normal

Dear Maintainer,
If I attempt to create a GNOME OS guest I end up on the edkII console.
If in the console I try to boot the EFI (in FS0: be it bootx64.efi in
\EFI\BOOT or systemd-bootx64.efi in EFI\systemd) I get a "Command Error
Status: Access Denied" error.

I got the clue it might be secure boot related by 
https://forum.proxmox.com/threads/vm-always-going-into-uefi-interactive-shell.119215/

I also learned that the install was fine with the flatpak, so I compared
the VM configurations for GNOME OS:

Debian gnome-boxes 45:
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-8.0">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/home/prahal/.config/libvirt/qemu/nvram/gnomenightly_VARS.fd</nvram>
    <boot dev="cdrom"/>
    <boot dev="hd"/>
    <bootmenu enable="yes"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <smm state="on"/>
  </features>

Flatpak gnome-boxes 44:
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-7.2">hvm</type>
    <boot dev="cdrom"/>
    <boot dev="hd"/>
    <bootmenu enable="yes"/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>


Grepping where this secure-boot feature comes from, I ended up on:
/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json

Scrambling the target (for example, replacing in "machines", "pc-q35-*"
by "pc-q35xxx-*") in this file to avoid its settings being added to
(all?) the guest VM I now can install "GNOME OS Nightly x86_64" (i.e.
edk2 boots into the installer and the installer proceeds).

This might well be an ovmf bug.
Still, as I don't know if gnome-boxes or qemu have flags to avoid ovmf
bringing in this secure-boot for all guest setups, I start up the stack.


Cheers,
Alban

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 
'testing'), (500, 'stable'), (90, 'unstable-debug'), (90, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0+ (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-boxes depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-4
ii  genisoimage                                  9:1.1.11-3.4
ii  libarchive13                                 3.6.2-1
ii  libc6                                        2.37-8
ii  libcairo2                                    1.17.8-3
ii  libgdk-pixbuf-2.0-0                          2.42.10+dfsg-1+b1
ii  libglib2.0-0                                 2.78.0-1
ii  libgtk-3-0                                   3.24.38-5
ii  libgudev-1.0-0                               238-2
ii  libhandy-1-0                                 1.8.2-2
ii  libosinfo-1.0-0                              1.10.0-2
ii  libosinfo-bin                                1.10.0-2
ii  libsoup-3.0-0                                3.4.3-1
ii  libspice-client-glib-2.0-8                   0.42-2
ii  libspice-client-gtk-3.0-5                    0.42-2
ii  libusb-1.0-0                                 2:1.0.26-1
ii  libvirt-clients                              9.7.0-1
ii  libvirt-daemon                               9.7.0-1
ii  libvirt-glib-1.0-0                           4.0.0-3
ii  libwebkit2gtk-4.1-0                          2.40.5-1
ii  libxml2                                      2.9.14+dfsg-1.3
ii  tracker                                      3.6.0-1
ii  user-session-migration                       0.4.1

Versions of packages gnome-boxes recommends:
ii  qemu-system-x86  1:8.0.4+dfsg-3+b1

Versions of packages gnome-boxes suggests:
ii  gnome-connections  45~rc-1

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 45.0-3

--- End Message ---
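
The comparison made in the report can be checked mechanically. The following is an added example, not code from the report, gnome-boxes or libvirt: it reads the Secure Boot settings out of a domain definition and tests whether a firmware descriptor's `machines` globs cover the guest's machine type. The descriptor is a constructed two-field sample and the glob matching is a simplified model of descriptor selection, both assumptions.

```python
import fnmatch
import json
import xml.etree.ElementTree as ET

# Constructed inputs: the <os>/<features> elements quoted in the report
# (wrapped in <domain>), and a minimal firmware descriptor in the QEMU
# firmware.json layout. Only the fields used here are present.
DEBIAN_45 = """<domain><os firmware="efi">
  <type arch="x86_64" machine="pc-q35-8.0">hvm</type>
  <firmware>
    <feature enabled="yes" name="enrolled-keys"/>
    <feature enabled="yes" name="secure-boot"/>
  </firmware>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
</os><features><acpi/><apic/><smm state="on"/></features></domain>"""
FLATPAK_44 = """<domain><os firmware="efi">
  <type arch="x86_64" machine="pc-q35-7.2">hvm</type>
</os><features><acpi/><apic/></features></domain>"""
DESCRIPTOR = json.loads("""{
  "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
  "features": ["enrolled-keys", "secure-boot"]}""")


def secure_boot_posture(domain_xml):
    """Report the Secure Boot related settings present in a domain definition."""
    root = ET.fromstring(domain_xml)
    enabled = {f.get("name") for f in root.findall("./os/firmware/feature")
               if f.get("enabled") == "yes"}
    loader = root.find("./os/loader")
    smm = root.find("./features/smm")
    return {
        "secure-boot": "secure-boot" in enabled,
        "enrolled-keys": "enrolled-keys" in enabled,
        "loader-secure": loader is not None and loader.get("secure") == "yes",
        "smm": smm is not None and smm.get("state") == "on",
    }


def descriptor_applies(descriptor, domain_xml):
    """Simplified model: does any descriptor target cover the guest's arch/machine?"""
    os_type = ET.fromstring(domain_xml).find("./os/type")
    arch, machine = os_type.get("arch"), os_type.get("machine")
    return any(t["architecture"] == arch
               and any(fnmatch.fnmatchcase(machine, g) for g in t["machines"])
               for t in descriptor["targets"])


def enforces_signatures(posture):
    """Unsigned EFI binaries are refused only when Secure Boot is on with keys enrolled."""
    return posture["secure-boot"] and posture["enrolled-keys"]
```

Changing the glob to `pc-q35xxx-*`, as the report describes, makes `descriptor_applies` return false for every q35 guest on the host, so the effect is host-wide rather than limited to the one guest.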
