Bug 1666705
| Summary: | There is no NIC in Windows guest only using edk2 Secure Boot | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Michael <choma> |
| Component: | virtio-win | Assignee: | Amnon Ilan <ailan> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.0 | CC: | berrange, chayang, choma, crobinso, ghammer, juzhang, kraxel, lersek, lijin, michen, pbonzini, philmd, rbalakri, ribarry, vrozenfe, xfu |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-01-17 12:43:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Hi Michael,

I'm fairly sure that you were using an incorrectly signed (cross-signed) build of virtio-win (e.g. Fedora or upstream). Please refer to bug 1376048 for background.

In my most recent testing -- for unrelated bug 1661147 --, I used "virtio-win-1.9.6-6.el8" and "spice-qxl-wddm-dod-0.18-1". Everything worked fine. Please refer to:
- https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c15
- https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c16

Please re-test with the latest *RHEL8* virtio-win build. (You didn't specify your current virtio-win version/release in comment 0.)

If it still fails, please attach the NIC error message, and the NIC event log, from Device Manager. Thanks.

Moving the BZ to the virtio-win component for further triage.

(In reply to Laszlo Ersek from comment #1)
> Hi Michael,
>
> I'm fairly sure that you were using an incorrectly signed (cross-signed)
> build of virtio-win (e.g. Fedora or upstream). Please refer to bug 1376048
> for background.
>
> In my most recent testing -- for unrelated bug 1661147 --, I used
> "virtio-win-1.9.6-6.el8" and "spice-qxl-wddm-dod-0.18-1". Everything worked
> fine. Please refer to:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c15
> - https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c16
>
> Please re-test with the latest *RHEL8* virtio-win build. (You didn't specify
> your current virtio-win version/release in comment 0.)
>
> If it still fails, please attach the NIC error message, and the NIC event
> log, from Device Manager. Thanks.
>
> Moving the BZ to the virtio-win component for further triage.

Hi Laszlo:

Thank you for your reply. I was incorrectly using virtio-win-prewhql for the driver. Thus the guest cannot load the NIC. When I changed to virtio-win, the guest and NIC work well.

However, in my understanding, if virtio-win-prewhql is an unsigned driver and the NIC cannot be loaded when using Secure Boot, the DISK should **not** be loaded as well. But I can successfully Secure Boot win2016 and win10-1607 using virtio-win-prewhql. Only the NIC is missing. I am a little bit confused by that.

Anyway, thank you for your time again. Feel free to close this bug as NOTBUG.

(In reply to Michael from comment #3)
> (In reply to Laszlo Ersek from comment #1)
> > Hi Michael,
> >
> > I'm fairly sure that you were using an incorrectly signed (cross-signed)
> > build of virtio-win (e.g. Fedora or upstream). Please refer to bug 1376048
> > for background.
> >
> > In my most recent testing -- for unrelated bug 1661147 --, I used
> > "virtio-win-1.9.6-6.el8" and "spice-qxl-wddm-dod-0.18-1". Everything worked
> > fine. Please refer to:
> > - https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c15
> > - https://bugzilla.redhat.com/show_bug.cgi?id=1661147#c16
> >
> > Please re-test with the latest *RHEL8* virtio-win build. (You didn't specify
> > your current virtio-win version/release in comment 0.)
> >
> > If it still fails, please attach the NIC error message, and the NIC event
> > log, from Device Manager. Thanks.
> >
> > Moving the BZ to the virtio-win component for further triage.
>
>
> Hi Laszlo:
>
> Thank you for your reply. I was incorrectly using virtio-win-prewhql for the
> driver. Thus the guest cannot load the NIC. When I changed to virtio-win,
> the guest and NIC work well.
>
> However, in my understanding, if virtio-win-prewhql is an unsigned driver and
> the NIC cannot be loaded when using Secure Boot, the DISK should **not** be
> loaded as well. But I can successfully Secure Boot win2016 and win10-1607
> using virtio-win-prewhql. Only the NIC is missing. I am a little bit confused
> by that.
>
> Anyway, thank you for your time again. Feel free to close this bug as
> NOTBUG.

According to Microsoft (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-), when using Secure Boot you should have Microsoft Root Authority signed drivers (e.g. WHQL-ed).

So I don't think this is a bug. Although I'm not sure why the storage driver loads in that case, and I couldn't find any exception from Microsoft regarding this type of driver. Maybe they flex the rules in this case because Windows can't be loaded without it?

(In reply to Michael from comment #3)
> However, in my understanding, if virtio-win-prewhql is an unsigned driver and
> the NIC cannot be loaded when using Secure Boot, the DISK should **not** be
> loaded as well. But I can successfully Secure Boot win2016 and win10-1607
> using virtio-win-prewhql. Only the NIC is missing. I am a little bit confused
> by that.

Yes, this is indeed confusing. I vaguely recall someone explaining that Windows accepts incorrectly signed drivers if they are necessary for booting. Such as the disk driver and the display driver (perhaps). The NIC is not used for booting however. Don't ask me how much sense this makes, it is simply what I recall from somewhere else :)

Created attachment 1520990
win2016-edk2.log

Description of problem:
There is no Network Interface Controller in the Windows guest only when edk2 Secure Boot is enabled. This issue appears on both Win2016 and Win10. If I disable Secure Boot, the same Windows guest works well. If I change to a Linux guest, they all work well whether Secure Boot is enabled or disabled.

Version-Release number of selected component (if applicable):
kernel:4.18.0-60.el8.x86_64
qemu-kvm-3.1.0-4.module+el8+2681+819ab34d.x86_64
edk2-ovmf-20180508gitee3198e672e2-8.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install and boot Win10 or Win2016 guest.
    # /usr/libexec/qemu-kvm -enable-kvm -M q35 -cpu SandyBridge \
    -nodefaults -smp 4,cores=2,threads=2,sockets=1 -m 4G -name win-OVMF \
    -global driver=cfi.pflash01,property=secure,value=on \
    -drive file=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
    -drive file=/tmp/win-OVMF/OVMF_VARS.secboot.fd,if=pflash,format=raw,unit=1,readonly=off \
    -debugcon file:/home/win-OVMF.log -global isa-debugcon.iobase=0x402 \
    -vnc :3 -vga qxl -monitor stdio \
    -drive file=OVMF-win2016-blk.qcow2,if=none,id=guest-img,format=qcow2,werror=stop,rerror=stop -device virtio-blk-pci,drive=guest-img,id=os-disk,bootindex=1 \
    -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:84:ed:01:00:09 \
    -boot menu=on,splash-time=5000
2. Check the NIC.

Actual results:
There is no NIC in the guest.

Expected results:
NIC and network work well.

Additional info:
I did the regression test. The issue is still there when using edk2-ovmf-20180508gitee3198e672e2-2.el8+979+4b3ec633.noarch [2018-07-10]
The boot log is in the attachment.
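
One way to collect, from inside the guest, the information the thread asks for: the Device Manager problem code of each virtio device and the signing state of the driver bound to it, so the disk and the NIC can be compared side by side. This is an added example, not part of the bug report or of virtio-win; matching virtio devices by PCI vendor ID 1AF4 and locating each driver at %SystemRoot%\System32\drivers\<service>.sys are assumptions.

```powershell
# Added triage example: run in an elevated PowerShell inside the Windows guest.
# Assumptions: virtio devices are matched by PCI vendor ID 1AF4, and each
# driver binary lives at %SystemRoot%\System32\drivers\<service>.sys.

# 1. Is Secure Boot really enforced? (The cmdlet throws on non-UEFI guests
#    and when the session is not elevated.)
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "unknown ($($_.Exception.Message))" }
"Secure Boot enabled: $secureBoot"

# 2. One row per virtio PCI device: Device Manager problem code plus the
#    Authenticode status and signer of the driver bound to it.
$virtio = Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.DeviceID -like 'PCI\VEN_1AF4*' }

$rows = foreach ($dev in $virtio) {
    $status = 'no driver bound'
    $signer = $null
    if ($dev.Service) {
        $sys = Join-Path $env:SystemRoot "System32\drivers\$($dev.Service).sys"
        if (Test-Path $sys) {
            $sig    = Get-AuthenticodeSignature -FilePath $sys
            $status = $sig.Status
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
            }
        } else {
            $status = 'driver file not found'
        }
    }
    [pscustomobject]@{
        Device      = $dev.Name
        Service     = $dev.Service
        # 0 = working; 52 = Windows cannot verify the driver's digital signature
        ProblemCode = $dev.ConfigManagerErrorCode
        SigStatus   = $status
        Signer      = $signer
    }
}
$rows | Format-Table -AutoSize -Wrap

# 3. Recent Code Integrity events that mention a driver image.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\.sys' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A WHQL-signed driver reports the signer `Microsoft Windows Hardware Compatibility Publisher`; any other signer on a device showing problem code 52 points at the driver build rather than at the firmware.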