Created attachment 895499
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Description of problem:
If you are trying to use a Microsoft Hyper-V 2012 R2 Generation 2 guest you will be unable to boot Fedora while secure mode is present.

Version-Release number of selected component (if applicable):
shim-0.7-1.fc20.x86_64

How reproducible:
Reproducible every time.

Steps to Reproduce:
In Hyper-V Manager 2012 R2:
1. At the top right select New -> Virtual Machine.
2. Click Next.
3. Tick Generation 2. Click Next.
4. Type 2048 in the Startup memory box. Click Next.
5. Click Next.
6. Click Next.
7. Tick Install an operating system from a bootable image file and select Fedora-Live-Desktop-x86_64-20-1. Click Next.
8. Click Finish.
9. Press the right mouse button over the newly created VM and select Start.
10. Double click the newly made VM's name so that the Virtual Machine Connection window appears.

Actual results:
A message saying:

Hyper-V™
Boot Failed. EFI SCSI Device.
Failed Secure Boot Verification.
Boot Failed. EFI Network.
Boot Failed. EFI SCSI Device.
No Operating System was Loaded. Press a key to retry the boot sequence...

Expected results:
ISO to be booted.

Additional info:
If you press the right mouse button over the VM and go to Settings..., click on Firmware at the left and untick Enable Secure Boot at the right, click OK, then press the right mouse button on the VM and click Start, you will see Hyper-V™ Booting `Test this media & start Fedora Live' _ and it will sit there indefinitely.
In the extreme scenario, if you take the Fedora cloud image in a Generation 1 VM, update it, install various utilities, convert the disk from MBR to GPT using gdisk, create a FAT32 partition at the end with an EFI id, format the partition, mount it on /boot/efi, install grub2-efi and shim, run something like grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg etc., hack up /boot/efi/EFI/fedora/grub.cfg so linux -> linuxefi etc., attach the disk to a Generation 2 VM and boot it, then you will have Fedora booting in a Hyper-V 2012 Generation 2 VM. However, the moment you turn on Secure Boot you will no longer be able to boot the VM. The Ubuntu 14.04 ISO boots directly in a Generation 2 VM. Attaching /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f .
Same thing is happening on Fedora 21. What's worse, if you turn Secure Boot off, it *still* doesn't boot! It comes up in a dracut recovery screen - can't find the devices or disks or something. I'll grab a screenshot and attach it in a few minutes.
Created attachment 959206
Screenshot of failed boot - Fedora 21 Workstation Beta on Windows 8.1 Hyper-V
Just tried with Fedora 21 Workstation TC3 - still broken. Sigh - it's hard to call this a Fedora bug since the same ISO works fine in VirtualBox and Virtual Machine Manager. I don't have a secure boot box to test this on bare metal. My guess is that it works fine too.
A little more info:

1. If you create the Hyper-V machine generation 1, a Fedora 21 Workstation TC3 ISO will boot. Of course, you won't have EFI / Secure Boot with a Generation 1 machine, but at least you'll be able to make a Fedora VM!
2. I tried a CentOS net install CD with a generation 2 machine. It also refuses to work with EFI / Secure Boot, but it does boot up to the installer!

There are a lot of problems with Hyper-V - it's hardly "point click and ship" on a laptop in a coffee shop. I'm going to do a blog post on running Project Atomic with it, but it's hardly user-friendly enough for non-geeks.
CC'ing some Red Hat and Microsoft Hyper-V folks.
(In reply to Sitsofe Wheeler from comment #5)
> CC'ing some Red Hat and Microsoft Hyper-V folks.

Thanks!!
Gen 2 VMs work correctly on many distros today (Ubuntu, SLES 12, RHEL7 etc.). Is the synthetic keyboard driver included in the initrd? On Gen2 firmware, we don't emulate the legacy keyboard.
(In reply to K. Y. Srinivasan from comment #7)
> Gen 2 VMs work correctly on many Distros today (Ubuntu, sles 12, RHEL7 etc.)
> Is the synthetic keyboard driver included in the initrd. On Gen2 firmware,
> we don't emulate the legacy keyboard.

If it works on RHEL7 shouldn't it work on a CentOS 7 netinstall CD? I got a failure with one of those in a Gen 1 machine. https://bugzilla.redhat.com/show_bug.cgi?id=1097772#c4
(In reply to M. Edward (Ed) Borasky from comment #8)
> (In reply to K. Y. Srinivasan from comment #7)
> > Gen 2 VMs work correctly on many Distros today (Ubuntu, sles 12, RHEL7 etc.)
> > Is the synthetic keyboard driver included in the initrd. On Gen2 firmware,
> > we don't emulate the legacy keyboard.
>
> If it works on RHEL7 shouldn't it work on a CentOS 7 netinstall CD? I got a
> failure with one of those in a Gen 1 machine.
> https://bugzilla.redhat.com/show_bug.cgi?id=1097772#c4

Oops - CentOS 7 netinstall failed in Gen 2 and worked in Gen 1. Sorry.
Have you tried installation from the media?
(In reply to K. Y. Srinivasan from comment #10)
> Have you tried installation from the media?

Not CentOS - Fedora 21 install works on Gen 1 however.
Interestingly the Fedora-Server-DVD-x86_64-21.iso from: https://dl.fedoraproject.org/pub/alt/stage/21_RC5/Server/x86_64/iso/ boots into anaconda on a Hyper-V Gen 2 VM with mouse and keyboard working, but: https://dl.fedoraproject.org/pub/alt/stage/21_RC5/Workstation/x86_64/iso/ ... has a long pause at the Fedora boot logo then times out showing hv-gen2-error.png (attached). Keyboard input at the dracut:/# prompt after the timeout does not work. At any point, attempting to send Action -> Ctrl+Alt+Delete generates a dialog message: "Could not send keys to the virtual machine. Interacting with the virtual machine's keyboard device failed." Could it be that the virtual keyboard driver mentioned in comment #7 is in the server initrd but not in the workstation initrd? It seems reasonable that a server would be more expected to be installed on Hyper-V than a workstation. In the time it's taken to write this I've successfully installed Fedora 21 Server onto a Gen2 Hyper-V VM on a Windows 8.1.1 host (i.e. EFI only).
Created attachment 965253
Error shown after Workstation ISO timeout.

This is what is shown on the VM console after the Fedora 21 Workstation eventually times out attempting to boot. Until this happens the white background of the Fedora boot logo "F" is stuck at around 80%.
Oh, Fedora Server only works with Secure Boot off. Definitely Gen 2 though.
I can confirm Carwyn's comment with the final release of Fedora 21 install media.

Main Issue: When using a Generation 2 Hyper-V VM neither the Fedora 21 Server nor Workstation ISOs will boot if Secure Boot is enabled - the UEFI "BIOS" gives the result described in the Actual results of comment #1.

Secondary Issue: If Secure Boot is disabled then the Fedora 21 Server ISO boots to a GUI. The Fedora 21 Workstation ISO also boots but does not respond to the keyboard and bails out with the error message of comment #13 (sending ctrl-alt-del didn't work for me either).

Sadly it looks as if the serial console has gone away with Generation 2 VMs, removing a useful debugging tool :-( Further, there seems to be no way of displaying the bootloader menu before the kernel starts (I tried holding down shift, alt, escape and tab but none of these had any effect). initrd0.img contains next to nothing other than microcode and I couldn't find out what the kernel was configured with because there are no .config files lying around, nor does scripts/extract-ikconfig vmlinuz0 work. Booting the Workstation ISO on a Gen 1 VM to bash and poking around shows /boot/config-3.17.4-301.fc21.x86_64 and looking in that shows

CONFIG_HYPERV_KEYBOARD=m
CONFIG_HYPERV_STORAGE=m

My guess is that we have no legacy bus controllers and no way to install the enlightened modules that would access the controller we do have, so we wind up dead in the water. But why does the Server image work? Let's try reassigning this to the anaconda package, but I can't change the person this is assigned to though...
(In reply to Sitsofe Wheeler from comment #15)
> Let's try reassigning this to the anaconda package

No. If there's an issue with secure boot, then it could be a problem with the secure boot shim, or the signatures on the kernel, or the Hyper-V firmware itself. Don't just reassign bugs to any old component fishing for help.
I'd say secure mode is the lesser issue here. The bigger issue is that Fedora Workstation can't work in a Hyper-V Gen2 VM as the required drivers are missing.

Whether the Fedora Workstation product owners consider this a bug or not is another matter. There are two workarounds as it stands:

1. Use a Gen 1 VM
2. Install the server product and "convert", although this isn't an officially supported path.

Ownership wise this should belong to the Fedora Workstation product people.

Arguably it's a design choice. What we don't know (here at least) is if this is accidental or deliberate.
Apologies David. Carwyn: I think we should leave this particular issue as purely "Can use secure boot with Gen2 Hyper-V" and spin off "Can't boot Workstation on Gen2 Hyper-V" into its own separate bug with a fresh start. There is the question of what component it should go under though...
(In reply to Carwyn Edwards from comment #17)
> I'd say secure mode is the lesser issue here. The bigger issue is that
> Fedora Workstation can't work in a HyperV Gen2 VM as the required drivers
> are missing.
>
> Whether the Fedora Workstation product owners consider this a bug or not is
> another matter. There are two workarounds as is stands:
>
> 1. Use a Gen 1 VM
> 2. Install the server product and "convert" although this isn't an
> officially supported path.
>
> Ownership wise this should belong to the Fedora Workstation product people.
>
> Arguably it's a design choice. What we don't know (here at least) is if this
> is accidental or deliberate.

What packages provide the required drivers? I can add them easily to my remix!
With respect to the lack of keyboard driver on Gen2: It looks like Vaughan Cao of Oracle also spotted this and added a change to dracut (http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/modules.d/90kernel-modules/module-setup.sh?id=7a3e1a0e4a86681fab3baf9662f2d40733876ea2 ) but unfortunately it doesn't look like it made it into Fedora 21 (my current dracut is dracut-038-32.git20141216.fc21.x86_64 and doesn't have the change).
I've spun off the non-secure boot portions of this issue into Bug 1192030.
Reassigning this back to shim and reopening. pjones: Any ideas?
FWIW I've had lengthy discussions on Twitter with Ben Armstrong of Microsoft about Hyper-V, especially cloud and Docker issues. https://twitter.com/VirtualPCGuy. In particular:

@znmeb - Linux and Secure Boot is a whole different ball game. Windows 10 Hyper-V includes secure boot certificates for some Linux Distros. https://twitter.com/VirtualPCGuy/status/561433139839795200

So someone probably needs a Windows 10 Tech Preview on bare metal to test this - it may not be showing up in Windows 8.1 or Windows 8. I have a Windows 10 virtual machine but Hyper-V is disabled in virtual machines. :-(
The db file posted only includes the Windows root CA, not the Microsoft UEFI root CA. The only thing that Hyper-V will boot in secure mode is Windows. This is a Hyper-V issue, not anything that can be fixed in Fedora.
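The check behind the comment above is what certificates the firmware's db variable actually carries. This added example (not from this bug report or from the shim project) parses the EFI_SIGNATURE_LIST chain in a db dump and reports each entry's type, owner and SHA-256; the owner GUID and the stand-in "certificate" bytes in the sample are constructed, not real values.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def parse_signature_lists(blob, efivarfs=True):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return one dict per entry.
    efivarfs=True skips the 4-byte attribute word that efivars files start with."""
    off = 4 if efivarfs else 0
    entries = []
    while off < len(blob):
        # Header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: SignatureOwner GUID followed by the payload bytes.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            "owner": str(owner), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
            pos += sig_size
        off = end
    return entries

def db_contains_cert(blob, cert_der, efivarfs=True):
    """True if this exact DER certificate is enrolled as an x509 entry."""
    want = hashlib.sha256(cert_der).hexdigest()
    return any(e["type"] == "x509" and e["sha256"] == want
               for e in parse_signature_lists(blob, efivarfs))

def build_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sig_size = 16 + len(payloads[0])
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample db: attribute word + x509 list (made-up stand-in cert, not real DER) + sha256 list.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CA_DER = b"\x30\x82\x00\x10fake-windows-ca"
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CA_DER])
             + build_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32]))
```

On a real guest, feed it the bytes of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and compare each x509 entry's SHA-256 against the CA certificate you expect to be enrolled.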
Hi,

Regarding the ability to use secure boot for a Fedora 22 guest on Hyper-V, the following steps worked for me on Windows 10 Pro x64:

1. Create a new Gen 2 VM (I used 1024MB ram, external switch, 8GB hard disk); don't specify any ISO yet (don't start the VM)
2. Go to Settings -> SCSI Controller, and add a DVD drive; specify the netinst Workstation iso instead of the Live Workstation iso, to work around #1192030
3. Go to Settings -> Firmware, and put the DVD drive at top of boot order.
4. Go to Settings -> Firmware, and check secure boot is enabled.
5. Follow the 'Linux secure boot' step here: https://technet.microsoft.com/en-us/library/dn765471.aspx#BKMK_linux
6. Now start the VM and complete the Fedora 22 setup; I used the 'standard' partitioning scheme (no LVM, simple ext4; separate EFI boot partition was automatically created)
7. During the setup I got "The following error occurred while installing the boot loader. The system will not be bootable. Would you like to ignore this and continue the installation? Failed to set new efi boot target. This is most likely a kernel or firmware bug." However, I selected 'yes' to continue, and the Fedora setup continued and completed.
8. Go to Settings -> SCSI Controller -> DVD Drive and remove the iso from the DVD drive
9. Now start the VM (it should boot from the hard disk); despite the error in step 7, the VM does boot successfully with secure boot enabled in the Hyper-V VM settings

Attempting the above steps without step 5 prevents secure boot from working at step 6, so the step provided by Microsoft would appear to be required for secure boot to function.

Thanks,
Created attachment 1065635
Error during setup - failed to set new efi boot target
Alex: Thanks for the extra information! Looks like Windows 10+ and Windows Server 2016+ will be able to use secure boot on Hyper-V and Fedora with the MicrosoftUEFICertificateAuthority tweak you mentioned (sadly the SecureBootTemplate option doesn't exist on my Windows Server 2012 R2 install). It's probably worth spinning off your "failed to set new efi boot target. This is most likely a kernel or firmware bug." issue into its own bug report though - that way it can be closed separately from this one, and if it is a firmware bug we can point Microsoft directly to that issue alone.
M. Edward (Ed) Borasky: I forgot to thank you for pointing out it might be possible to make secure boot work with Windows 10's Hyper-V (which is what Alex went on to demonstrate). FWIW: I've heard that Hyper-V 2016 will support exposing nested virtualization (http://www.thomasmaurer.ch/2015/05/hyper-v-vnext-is-going-to-support-nested-virtualization/ ) but that doesn't help you today.

Matthew: Thanks for stating where the problem was. Hopefully anyone else running Hyper-V Generation 2 Fedora VMs will be able to use the information here to understand and work around secure boot issues.