Hi Pavan, On 04/25/19 12:37, Pavan Kumar Aravapalli wrote: > Hi > > I am new to this and i am trying to perform Windows Server 2016 [Guest VM] > UEFI secure boot mode on KVM(Hypervisor) Host using > edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch.I am looking for support > documents which helps me in assessing the same. > > > Environment Details > > KVM Host :RHEL 7.3 > > Guest VM : Windows Server 2016 > > Qemu Version : qemu-kvm-ev-2.9.0-16.el7_4.13.1
This environment appears a bit mixed-up to me. Here's why: - the "edk2.git" package is neither from RHEL nor from CentOS. It's from <https://www.kraxel.org/repos>. - you list the KVM host as RHEL 7.3, but your QEMU version is from CentOS -- what's more, the version number in the RPM indicates it is a package from 7.4 Z-Stream. If you have access to RHEL7 (or CentOS), I'd suggest using everything from RHEL-7.6 (or equivalent CentOS). [...] > Libvirt Domain XML > > <domain type='kvm' id='23'> (Side hint: when using "virsh dumpxml" on an active domain, it's usually good to include "--inactive". Runtime details just muddy the picture, most of the time.) > > <name>wus</name> > > <uuid>97777f3a-089c-4dae-b192-070a5c676084</uuid> > > <memory unit='KiB'>2097152</memory> > > <currentMemory unit='KiB'>2097152</currentMemory> > > <vcpu placement='static'>2</vcpu> > > <resource> > > <partition>/machine</partition> > > </resource> > > <os> > > <type arch='x86_64' machine='pc-q35-rhel7.4.0'>hvm</type> > > <loader readonly='yes' secure='yes' > type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader> The domain XML looks OK thus far, but this firmware binary is certainly not from "edk2.git-ovmf-x64-0-20190308.1017.g0eccea3fbe.noarch". It's from an "OVMF" RPM. > > <nvram > template='/usr/share/OVMF/OVMF_VARS.secboot.fd'>/var/lib/libvirt/qemu/nvram/wus_VARS.fd</nvram> Regarding the domain XML, this looks good again. And now I can also tell that you are using "OVMF-20180508-2.gitee3198e672e2.el7.noarch" from RHEL-7.6 (or later), because we added the "/usr/share/OVMF/OVMF_VARS.secboot.fd" varstore template under <https://bugzilla.redhat.com/show_bug.cgi?id=1561128>. > > <bootmenu enable='no'/> > > </os> > > <features> > > <acpi/> > > <apic/> > > <smm state='on'/> Looks good too. > </features> > > <cpu mode='custom' match='exact' check='full'> > > <model fallback='forbid'>Penryn</model> > Yes, I'm fairly sure this is the problem. Presumably, you chose the Penryn VCPU model because your host CPU is a Penryn too. Unfortunately, that physical CPU does not support EPT (nested paging), and KVM currently fails to emulate SMM on Intel CPUs without nested paging (EPT). And, the OVMF image we ship in RHEL7 requires SMM. Please refer to the following RHBZ comment: https://bugzilla.redhat.com/show_bug.cgi?id=1531373#c2 and that RHBZ is a duplicate of the host kernel issue https://bugzilla.redhat.com/show_bug.cgi?id=1348092 Your domain XML looks good to me, otherwise (i.e., apart from Penryn).Thus, I suggest retrying (a) on an Intel host that has "ept" in "/proc/cpuinfo", or (b) on an AMD host. (IIRC, KVM doesn't need nested paging for SMM emulation on AMD, although nested paging certainly helps with performance on AMD too -- look for "npt" in "/proc/cpuinfo" on AMD). Don't forget to refresh the VCPU model in the domain XML too. Thanks, Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39667): https://edk2.groups.io/g/devel/message/39667 Mute This Topic: https://groups.io/mt/31342849/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
