Package: qemu-efi-aarch64
Version: 2025.02-8+deb13u1
Severity: important
Hi,
We're trying to enable secure boot on VMs on an Ampere server (so, arm64),
using OpenStack. Our server is a Supermicro ARS-211M-NR which uses a R13SPD
motherboard. The CPU is reported by lscpu as AmpereOne(R) A192-32X (which
has 192 cores).
For this to work, we need libvirt to report the secure boot capability of
the system. We installed the latest qemu-efi-aarch64. Unfortunately, for
libvirt, it needs the requires-smm features flag, which isn't in the .json
configuration file.
/usr/share/qemu/firmware/40-edk2-aarch64-secure-enrolled.json contains:
    "features": [
        "enrolled-keys",
        "secure-boot",
        "verbose-static"
    ]
but it needs to have:
    "features": [
        "enrolled-keys",
        "requires-smm",
        "secure-boot",
        "verbose-static"
    ]
With the added "requires-smm" flag, we really get:
# virsh domcapabilities --machine virt | grep -A3 secure
    <enum name='secure'>
      <value>yes</value>
      <value>no</value>
    </enum>
(previously, the <value>yes</value> was absent).
Please fix the default .json file like we did above.
Now, after this, OpenStack automatically adds the compute node trait:
COMPUTE_SECURITY_UEFI_SECURE_BOOT
which is what we expected. We are now one step further, except we get:
error : qemuValidateDomainDefBoot:718 : unsupported configuration: Secure
boot is supported with q35 machine types only
We're not sure yet how to address this last issue, and would happily accept
advice. My understanding is that the q35 module is only for x86, so maybe we need
to change the hardware machine type. But to what value? "virt" maybe?
Cheers,
Thomas Goirand (zigo)
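
Added example, not part of the original report or of the Debian package: a Python check that reads a firmware descriptor's targets and features and the `secure` loader enum from `virsh domcapabilities` output, the two places the report compares. The embedded descriptor, the XML and the machine name `virt-10.0` are constructed samples; only the feature list is taken from the report.

```python
import fnmatch
import json
import xml.etree.ElementTree as ET

# Constructed sample: only the descriptor fields this check reads. The feature
# list is the one quoted in the report, before "requires-smm" was added.
DESCRIPTOR = json.loads("""
{
  "interface-types": ["uefi"],
  "targets": [{"architecture": "aarch64", "machines": ["virt-*"]}],
  "features": ["enrolled-keys", "secure-boot", "verbose-static"]
}
""")

# Constructed sample shaped like `virsh domcapabilities --machine virt` output,
# trimmed to the loader element, in the state where "yes" is absent.
DOMCAPS = """
<domainCapabilities>
  <os supported='yes'>
    <loader supported='yes'>
      <enum name='secure'>
        <value>no</value>
      </enum>
    </loader>
  </os>
</domainCapabilities>
"""

def descriptor_summary(desc, arch, machine):
    """Say whether a descriptor targets arch/machine (machine entries are
    globs) and which secure-boot related features it declares."""
    targeted = any(
        t.get("architecture") == arch
        and any(fnmatch.fnmatchcase(machine, p) for p in t.get("machines", []))
        for t in desc.get("targets", [])
    )
    feats = set(desc.get("features", []))
    wanted = ("secure-boot", "enrolled-keys", "requires-smm")
    return {"targeted": targeted, **{f: f in feats for f in wanted}}

def secure_loader_values(domcaps_xml):
    """Return the values listed in <enum name='secure'> under os/loader."""
    enum = ET.fromstring(domcaps_xml).find("./os/loader/enum[@name='secure']")
    return [] if enum is None else [v.text for v in enum.findall("value")]

if __name__ == "__main__":
    print(descriptor_summary(DESCRIPTOR, "aarch64", "virt-10.0"))
    print("secure loader values:", secure_loader_values(DOMCAPS))
```

To run it against a host, load the descriptor with `json.load()` from the file named in the report and pass the captured `virsh domcapabilities` output to `secure_loader_values()`.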