Re: encrypting image file breaks efi/boot of the guest/Ubuntu - ?


On 11/04/2023 09:13, Peter Krempa wrote:
On Sat, Apr 08, 2023 at 11:25:18 +0200, lejeczek wrote:
Hi guys.

I have a guest and that guest differs from all other guests by:

   <os>
     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
     <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
     <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
     <boot dev='hd'/>
     <bootmenu enable='yes'/>
   </os>

whereas everything else has:

   <os>
     <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
     <boot dev='hd'/>
     <boot dev='cdrom'/>
     <bootmenu enable='yes'/>
   </os>

Now, that different guest fails - as the only one - to start, to boot after
its qcow2 image was luks-encrypted.
Guest starts but says that:

BdsDxe: failed to load Boot0001 "Uefi Misc Device" from PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0): Not found

Revert back to the original, non-encrypted qcow2 image and all works A-OK.

Please attach either the full XML or at least the disk part for *both*
the case where it doesn't work and where it does work.

<domain type='kvm'>
  <name>ubusrv1</name>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://ubuntu.com/ubuntu/22.04"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='GiB'>4</memory>
  <currentMemory unit='GiB'>4</currentMemory>
  <vcpu placement='auto' cpuset='2'>2</vcpu>
  <numatune>
    <memory mode='strict' placement='auto'/>
  </numatune>
  <os>
    <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
    <smm state='on'/>
  </features>
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='forbid'>EPYC-Rome</model>
    <feature policy='require' name='ibpb'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='virt-ssbd'/>
    <feature policy='require' name='x2apic'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='xsave'/>
    <feature policy='disable' name='svm'/>
    <feature policy='require' name='topoext'/>
    <feature policy='disable' name='npt'/>
    <feature policy='disable' name='nrip-save'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' discard='unmap'/>
      <source file='/00-VMs/ubusrv1.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
...

When I add encryption to <disk> & use encrypted qcow2 then VM fails as I described.

many thanks, L.



