RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1691661 - livemedia-creator doesn't work in UEFI mode
Summary: livemedia-creator doesn't work in UEFI mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: lorax
Version: 8.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: 8.0
Assignee: Brian Lane
QA Contact: Release Test Team
Eliane Ramos Pereira
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-22 07:55 UTC by Renaud Métrich
Modified: 2020-11-14 12:58 UTC (History)
5 users (show)

Fixed In Version: lorax-28.14.27-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:42:41 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)
qemu patch (2.86 KB, patch)
2019-03-22 17:54 UTC, Brian Lane 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3328 0 None None None 2019-11-05 20:43:12 UTC

Description Renaud Métrich 2019-03-22 07:55:23 UTC 
Description of problem:

When trying to create an image in UEFI mode ("--virt-uefi" flag), livemedia-create doesn't work for several reasons:
- it fails to find the OVMF firmware
- after fixing the OVMF firmware filename, it spawns qemu-kvm with invalid flags causing the VM to spin on the CPU


Version-Release number of selected component (if applicable):

lorax-28.14.23-1.el8.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Execute livemedia-creator

 # livemedia-creator --make-disk --ks=/root/rhel7-minimal.ks --iso=/root/rhel-server-7.6-x86_64-boot.iso --image-name=rhel76efi.img --virt-uefi


Additional info:

Issues happen with Upstream lorax also.
Comment 3 Brian Lane 2019-03-22 17:54:28 UTC 
Created attachment 1547041 [details]
qemu patch

Found the patch.
Comment 4 Brian Lane 2019-03-22 17:56:21 UTC 
Oh, and I just noticed your cmdline is using a rhel7 iso, that is not supported. It *may* work but there is no guarantee.
Comment 5 Brian Lane 2019-03-22 21:34:38 UTC 
rhel8-branch PR for this - https://github.com/weldr/lorax/pull/658
Comment 6 Laszlo Ersek 2019-03-23 11:11:33 UTC 
Hi,

(In reply to Brian Lane from comment #5)
> rhel8-branch PR for this - https://github.com/weldr/lorax/pull/658

I've now checked
<https://github.com/weldr/lorax/pull/658/commits/c4342f8f83c9f41b48b57624d42378db82de1fb2>.
It looks good to me, I'd just like to highlight a fact that may not be
obvious.

"OVMF_CODE.secboot.fd" is the firmware executable. We do not provide
"OVMF_CODE.fd" for the reasons I described to Renaud in email.
Therefore, unconditionally using "OVMF_CODE.secboot.fd", with the
related QEMU flags, is correct in the patch.

"OVMF_VARS.secboot.fd" is a variable store template file. The method the
actual variable store file (a temporary file) is created from the
template is correct (in the pre-patch code already). This is where I'd
like to mention "OVMF_VARS.fd" -- because we still ship "OVMF_VARS.fd".
Let me explan why:

- "OVMF_VARS.secboot.fd" is a variable store template that has the
  Microsoft certificates pre-enrolled, and the Secure Boot operational
  mode pre-enabled. Therefore, if you create the varstore file from this
  template, then the virtual UEFI firmware will only boot such OS boot
  loaders that are appropriately signed. For example, it will boot all
  released Windows OSes from the Windows 8 family upward, it will boot
  all Fedora GA and RHEL GA releases, and so on. It will reject Beta
  builds of RHEL however -- for example.

- "OVMF_VARS.fd" is a variable store template that is logically empty.
  It has no certificates enrolled and the SB operational mode is not
  enabled. Therefore, if you create the varstore file from this
  template, the virtual firmware will accept & launch all UEFI OS boot
  loaders, without SB verification.

Both use cases are valid (that's why we provide both varstore templates,
to accompany the sole "OVMF_CODE.secboot.fd" firmware executable); it
depends on the user / utility which varstore template is the right
choice, for creating the varstore file.

See bug 1561128 for more details.

--*--

By the way: we are implementing automatic UEFI firmware selection in
qemu, edk2, and libvirt. This feature is supposed to eliminate the
"traditional" need for applications launching QEMU with UEFI firmware to
open-code the firmware binary and varstore template pathnames.

- https://bugzilla.redhat.com/show_bug.cgi?id=1546084
- https://bugzilla.redhat.com/show_bug.cgi?id=1600230
- https://bugzilla.redhat.com/show_bug.cgi?id=1564270
Comment 7 Brian Lane 2019-03-25 17:16:01 UTC 
Thanks for the clarification. I think it's best to use the one with the pre-enrolled keys unless someone can thing of a good reason not to -- not to mention it works, so why not use it :)

I'm looking forward to automatic firmware selection, that'll make things simpler and more reliable.
Comment 15 errata-xmlrpc 2019-11-05 20:42:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3328
Note You need to log in before you can comment on or make changes to this bug.