[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Per comment #32, fixed in upstream iPXE commit 2ae5d4338, setting ticket status for iPXE to "Fix Committed". ** Changed in: ipxe Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

This bug was fixed in the package ipxe - 1.0.0+git-20190109.133f4c4-0ubuntu3.2 --- ipxe (1.0.0+git-20190109.133f4c4-0ubuntu3.2) focal; urgency=medium * Revert the changes of the non released version 1.0.0+git-20190109.133f4c4-0ubuntu3.1 as there is a less impactful fix more

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Testing the actual case: $ dpkg -S /usr/lib/ipxe/qemu/efi-e1000.rom ipxe-qemu: /usr/lib/ipxe/qemu/efi-e1000.rom root@f-ipxe:~# apt-cache policy ipxe-qemu ipxe-qemu: Installed: 1.0.0+git-20190109.133f4c4-0ubuntu3.2 Candidate: 1.0.0+git-20190109.133f4c4-0ubuntu3.2 Version table: ***

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Hello Vladislav, or anyone else affected, Accepted ipxe into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ipxe/1.0.0+git-20190109.133f4c4-0ubuntu3.2 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Fix uploaded for SRU to focal-unapproved. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882671 Title: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled To manage

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

This bug was fixed in the package ipxe - 1.0.0+git-20190125.36a4c85-5ubuntu2 --- ipxe (1.0.0+git-20190125.36a4c85-5ubuntu2) groovy; urgency=medium * d/p/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch: fix the formerly avoided efi TPL issues (LP: #1882671) --

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Tags removed: block-proposed block-proposed-focal verification-needed verification-needed-focal ** Tags added: verification-failed verification-failed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/387531 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882671 Title: unbalanced UEFI TPL

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/387521 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882671 Title: unbalanced UEFI TPL

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

fix as URL => https://github.com/ipxe/ipxe/commit/2ae5d4338661b65c63eb5cb1a96e5b803fe7d620 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882671 Title: unbalanced UEFI TPL manipulations in iPXE

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

I saw your update on refresh - yeah despite feeling sort of safe on the change as-is this fix seems even better for an SRU. Let me get that into groovy (there the packaging change made sense, no need to turn that back). And from there SRU it to Focal. Thank you Michael and Lazlo for the work

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

/usr/share/OVMF/OVMF_CODE.fd /var/lib/uvtool/libvirt/images/bionic.VARS.fd makes it run eif ovmf EFI like -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=/var/lib/uvtool/libvirt/images/bionic.VARS.fd,if=pflash,format=raw,unit=1 Still mgriates

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Hi Michael, thank you for the fix, and for mentioning it here. I didn't ignore your comment 32 when I was writing what would become comments 33 and 34 -- I think we must have been writing our comments in parallel, and I simply didn't see yours. Christian, now you should be able to resolve this LP

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Regression tests completed, no issues migrating in/out of updates nor between releases due to changing sizes (That mostly covers the non EFI roms thou). I want to also do some more manual tests with EFI guests in that regard. -- You received this bug notification because you are a member of

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Sorry about the malformed table in comment 33 -- that's not my doing. I laid it out correctly; Launchpad messed it up by squeezing whitespace. Here it is again, using dots rather than spaces. Ubuntu.release..edk2.HTTPS.enabled..iPXE.HTTPS.enabled..iPXE.TPL.regression

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Hello Christian, For *some* form of UEFI HTTPS boot, you have to enable *at least one* of the {edk2, iPXE} HTTPS stacks. I'm unfamiliar with the Ubuntu releases, but my understanding is the following: Ubuntu release edk2 HTTPS enabled iPXE HTTPS enabled iPXE TPL regression --

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

The TPL manipulation issue in iPXE is fixed as of commit http://github.com/ipxe/ipxe/commit/2ae5d4338 Building an iPXE ROM with HTTPS enabled will now initialise with no problems in qemu. Michael -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Test #3: * Extra Test: HTTPS boot a uEFI guest with the efi roms from ipxe-qemu with old/new ipxe-qmeu code. This shall ensure that OVMF can really take over as-is or if we need bug 1883114 before we can do so. Details TBD when I'm doing these tests I created a q35 guest in libvirt

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Test #2 * We pad the rom sizes to be sure, but never the less double check migrations between Bionic <-> Focal (known to break on size changes) Manual size check (can be seen in build log): OK: efi-e1000e.rom is exactly 524288 bytes as expected ... Seems ok, a regression test doing cross

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Test #1: * Test the attached OVMF that triggers the bug: qemu-system-x86_64 -enable-kvm -monitor stdio -drive if=pflash,snapshot=on,format=raw,file=OVMF-14c7ed8b51f6-DEBUG-enabled.fd -global e1000.romfile=/usr/lib/ipxe/qemu/efi-e1000.rom -debugcon file:debug.log -global

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Hello Vladislav, or anyone else affected, Accepted ipxe into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ipxe/1.0.0+git-20190109.133f4c4-0ubuntu3.1 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

We will need quite some time to ensure this isn't breaking things. The merge proposal was reviewed and I'll upload to Focal-unapproved now. The intention is to not have me testing in advance and then having a short time in -proposed. Instead I think for this case it will be helpful to have it in

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

I have prepared a merge proposals and PPA test builds for Focal/Eoan E-MP => https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/386647 E-PPA => https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4126/+packages F-MP =>

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/386647 ** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/386648 -- You received this bug notification because you are a member of Ubuntu

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Description changed: [Impact] - * Booting some OVMF through the efi roms in our ipxe-qemu package triggers -a bad ordering of TPL manipulations and eventually gets the boot stuck. +  * Booting some OVMF through the efi roms in our ipxe-qemu package triggers +    a bad ordering of TPL

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

This bug was fixed in the package ipxe - 1.0.0+git-20190125.36a4c85-5ubuntu1 --- ipxe (1.0.0+git-20190125.36a4c85-5ubuntu1) groovy; urgency=medium * Merge with Debian unstable (LP: #1884758). Remaining changes: - Split grub integration from ipxe->grub-ipxe. - d/control:

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Thanks Lazlo, I'll keep the legacy roms as CONFIG=qemu then. I didn't plan to change this on an SRU anyway, but going forward I wanted to adapt this to be correct. Hearing that in RH you also used CONFIG=qemu covering *both* is kind of re-assuring to keep it like that for now. -- You received

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Christian, > But it seems for legacy roms like 82540em.rom CONFIG=qemu being set or not > doesn't make a > difference. (1) That's my understanding as well; from the following original iPXE commits anyway: - a15c0d7e868a ("[efi] Allow user experience to be downgraded", 2015-07-22), -

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

I beg your pardon Lazlo, but one more question on CONFIG=qemu. Since it was introduced config=QEMU was exported for efi and legacy roms. But it seems for legacy roms like 82540em.rom CONFIG=qemu being set or not doesn't make a difference. I I just look at src/config/qemu/* vs src/config/ there

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Description changed: - The version of QEMU (4.2.0) packaged for Ubuntu 20.04 hangs indefinitely - at boot if an OVMF bios is used. This happens ONLY with qemu-system- - x86_64. qemu-system-i386 works fine with the latest ia32 OVMF bios. + [Impact] + + * Booting some OVMF through the efi roms

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Following [1] I was building my test OVMF as guided by Lazlo. That way I was able to use the combined e1000 EFI of the Ubuntu packages vs the debug OVMF build. Using that I can confirm the behavior (Bionic working, Focal failing). $ qemu-system-x86_64 -enable-kvm -monitor stdio -drive

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

I used qemu-system-x86_64 \ -enable-kvm \ -monitor stdio \ -drive if=pflash,snapshot=on,format=raw,file=OVMF.fd \ -global e1000.romfile=82540em.combined.rom \ -debugcon file:debug.log \ -global isa-debugcon.iobase=0x402 where "OVMF.fd" was built from edk2 at then-master (14c7ed8b51f6

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Thank you Lazlo, going forward that is the process that I have it execute then. On the SRU I'll "only" disable HTTPS on EFI roms and we can take a look if nothing else stops working but this case here would be fixed. -- One question thou - asking for help to be able to make this an SRU at soem

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/ipxe/+git/ipxe/+merge/386372 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1882671 Title: unbalanced UEFI TPL

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Christian, what you describe seems to be exactly what I propose. Namely: - build "82540em.rom" with HTTPS enabled, - build "82540em.efirom" with CONFIG=qemu, and HTTPS disabled, - create a combined option ROM image from the above two, using "catrom.pl". Thanks Laszlo -- You received this bug

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

@Lazlo - are combined roms breaking your suggestion to "just disable https in efi roms"? In the build for the efi roms it uses this at some point: src/util/catrom.pl src/bin-i386-pcbios/82540em.rom src/bin-x86_64-efi/82540em.efirom > src/bin-combined/82540em.efirom So the *efi* file in

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Note: the bisection result of d8c500b7945e ("[efi] Drop to TPL_APPLICATION when gathering entropy" is in <=133f4c4 but > fbe8c52d which means for Ubuntu releases that would be affected >=Disco. ** Also affects: ipxe (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: ipxe

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

The above was an FYI, but is should be fine as outlined by Lazlo this isn't needed as since ipxe 1.0.0+git-20180124.fbe8c52d-0ubuntu4 we use CONFIG=qemu and in comment #7 he explained that in this case "totally don't need (or even *use*) the iPXE HTTPS infrastructure (the entropy gathering that

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

The recent edk2 builds have -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_TLS_ENABLE Recent as in 2020.05-2 which means >=groovy. For the eventual SRU to Focal things are more complex as there -DNETWORK_TLS_ENABLE was missing. -- You received this bug notification because you are a member of Ubuntu

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

@Lazlo thanks a lot for that awesome experience and guidance! Config is a bit odd in this package anyway from too many people touching it with different mindset and a lot of history. There is this from upstream source: src/config/general.h Which is patched to enable DOWNLOAD_PROTO_HTTPS via

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Christian, you can enable DOWNLOAD_PROTO_HTTPS in the traditional BIOS image built from iPXE, and disable it in the UEFI driver built from iPXE. You can still combine both drivers into a combined option ROM. For SeaBIOS guests, there's not going to be any change. For UEFI guests, see my

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Vlad, you could subscribe to ipxe-devel at , wait until it's confirmed (I think it's automatic, so no moderator approval is needed for subscribing), and then resend your message. You can even stay subscribed -- if you don't want to get the

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

I was happy to contribute, Christian :-) I just wanted to add that after sending the e-mail to ipxe- de...@lists.ipxe, I received an automatic response explaining that my e-mail will have to be approved by a moderator because I'm not a member of that mailing list. I just hope that my e-mail won't

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Awesome debugging Lazlo and also a really well doen bug report Vladislav - thanks! As Ubutnu background DOWNLOAD_PROTO_HTTPS is enabled since quite a long time in Ubuntu since bug 1025239. I don't know if there are better ways nowadays that might allow to disable it in future versions of

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

Thanks for the whole investigation, Laszlo. I sent an e-mail to ipxe-de...@lists.ipxe.org forwarding your analysis with a quick summary of mine on the top, indicating the probable first bad commit. Vlad -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1882671] Re: unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled

** Summary changed: - qemu-system-x86_64 (ver 4.2) stuck at boot with OVMF bios + unbalanced UEFI TPL manipulations in iPXE with DOWNLOAD_PROTO_HTTPS enabled -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.