Package: ovmf
Version: 2022.11-6
Severity: important

After upgrading to Debian 12.x (from 11.x), some of my VMs are not booting 
anymore. It looks like ovmf crashes even before loading the shim/bootloader 
from the virtual disk. The problem is somehow related to the combination of: 
AMD-SEV + TPM (swtpm) and the number of vCPUs configured for the guest OS.

I found a workaround to boot the problematic VMs; more precisely, any (one) 
change from the list below allows a VM to boot:

- downgrade the ovmf to version ovmf_2020.11-2+deb11u1_all.deb (from bullseye)
- reduce the number of vCPUs to 6 or less (>6 does not work)
- remove the swtpm from the guest configuration
- disable the AMD-SEV functionality

After some testing, I am pretty sure that the problem is NOT related to:

- qemu-system-x86 version (both bookworm = 7.2+dfsg-7 and bookworm-backports = 
8.0.4+dfsg-1~bpo12+1 are affected)
- kernel version (both bookworm = 6.1.38-4 and bookworm-backports = 
6.4.4-3~bpo12+1 are affected)
- CPU configuration for the guest VM (tried multiple different configurations, 
and the result is the same)

and it looks like the issue is also present in the current Debian testing (ovmf 
2023.05-1); the only working version is ovmf_2020.11-2+deb11u1_all.deb (from 
bullseye).

The problematic libvirt XML (with reboot loop):

<domain type='kvm'>
  <name>test</name>
  <uuid>MY_UUID</uuid>
  <genid></genid>
  <title>test VM</title>
  <memory dumpCore='off' unit='KiB'>16777216</memory>
  <currentMemory unit='KiB'>16777216</currentMemory>
  <memoryBacking>
    <locked/>
  </memoryBacking>
  <vcpu placement='static'>8</vcpu>
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
    <loader secure='yes'/>
    <nvram>/var/lib/libvirt/qemu/nvram/test_VARS.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact' check='none'>
    <model fallback='forbid'>qemu64</model>
  </cpu>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='block' device='disk' model='virtio'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/storage/test-swap'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </disk>
    <disk type='block' device='disk' model='virtio'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/storage/test-root'/>
      <target dev='vdb' bus='virtio'/>
      <boot order='1'/>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci'>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <interface type='bridge'>
      <mac type='static'/>
      <source bridge='dmzbr0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </interface>
    <input type='keyboard' bus='ps2'/>
    <input type='mouse' bus='ps2'/>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'>
        <encryption secret='MY_UUID'/>
      </backend>
    </tpm>
    <graphics type='vnc' port='5901' autoport='no' listen='127.0.0.1' sharePolicy='force-shared'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <audio id='1' type='none'/>
    <video>
      <model type='virtio' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <memballoon model='none'/>
  </devices>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0033</policy>
  </launchSecurity>
</domain>

The same XML works after any of the following changes:

- reducing the vcpu number, for example:
<vcpu placement='static'>6</vcpu>

- removing the swtpm definition:
<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'>
    <encryption secret='MY_UUID'/>
  </backend>
</tpm>

- removing the AMD-SEV definition (which disables the AMD-SEV functionality):
<launchSecurity type='sev'>
  <cbitpos>47</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
  <policy>0x0033</policy>
</launchSecurity>

- downgrading the ovmf to ovmf_2020.11-2+deb11u1_all.deb (from bullseye), 
without any change in the XML


There is no warning/error log in the corresponding 
/var/log/libvirt/qemu/test.log, dmesg or /var/log/syslog ...


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-0.deb12.2-amd64 (SMP w/48 CPU threads; PREEMPT)
GNU C Library: libc-bin 2.36-9+deb12u1
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
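An added triage helper, not part of the bug report above and not code from the ovmf or libvirt projects: it parses libvirt domain XML (for example the output of `virsh dumpxml <domain>`) and flags domains that combine the three factors the reporter isolated (SEV launch security, an emulator-backed TPM, more than six vCPUs), and it can emit the three single-change XML variants the reporter says boot. The six-vCPU threshold is read from the report; the function names, the `VCPU_LIMIT` constant and the trimmed `SAMPLE_XML` are constructed for this example.

```python
"""Triage libvirt domain XML for the SEV + swtpm + >6 vCPU boot failure.

Added example (assumptions: helper names, VCPU_LIMIT, SAMPLE_XML are ours;
the threshold of six vCPUs is taken from the bug report).
"""
import copy
import sys
import xml.etree.ElementTree as ET

VCPU_LIMIT = 6  # reporter: 6 or fewer vCPUs boots, more than 6 does not


def _vcpus(root: ET.Element) -> int:
    """Number of vCPUs from <vcpu>; libvirt defaults to 1 when absent."""
    el = root.find("vcpu")
    return int(el.text.strip()) if el is not None and el.text else 1


def has_sev(root: ET.Element) -> bool:
    """True when <launchSecurity type='sev'> is present."""
    ls = root.find("launchSecurity")
    return ls is not None and ls.get("type") == "sev"


def has_emulated_tpm(root: ET.Element) -> bool:
    """True when any <devices>/<tpm> uses the swtpm 'emulator' backend."""
    for tpm in root.findall("./devices/tpm"):
        backend = tpm.find("backend")
        if backend is not None and backend.get("type") == "emulator":
            return True
    return False


def triage(domain_xml: str) -> dict:
    """Report the three factors for one domain definition."""
    root = ET.fromstring(domain_xml)
    return {"sev": has_sev(root),
            "emulated_tpm": has_emulated_tpm(root),
            "vcpus": _vcpus(root)}


def is_affected(domain_xml: str) -> bool:
    """All three factors present: the combination the report says fails."""
    t = triage(domain_xml)
    return t["sev"] and t["emulated_tpm"] and t["vcpus"] > VCPU_LIMIT


def workaround_variants(domain_xml: str) -> dict:
    """Return {name: xml} for the three in-XML workarounds from the report.

    Each variant changes exactly one thing, so a caller can test-boot them
    independently (e.g. `virsh define` / `virsh start` on each file).
    """
    root = ET.fromstring(domain_xml)
    variants = {}

    # 1. Reduce vCPUs to the limit the reporter found to boot.
    fewer = copy.deepcopy(root)
    vcpu_el = fewer.find("vcpu")
    if vcpu_el is not None and _vcpus(fewer) > VCPU_LIMIT:
        vcpu_el.text = str(VCPU_LIMIT)
    variants["vcpu<=6"] = ET.tostring(fewer, encoding="unicode")

    # 2. Drop the swtpm device entirely.
    no_tpm = copy.deepcopy(root)
    devices = no_tpm.find("devices")
    if devices is not None:
        for tpm in devices.findall("tpm"):
            devices.remove(tpm)
    variants["no-swtpm"] = ET.tostring(no_tpm, encoding="unicode")

    # 3. Drop <launchSecurity>, which disables SEV for the guest.
    no_sev = copy.deepcopy(root)
    for ls in no_sev.findall("launchSecurity"):
        no_sev.remove(ls)
    variants["no-sev"] = ET.tostring(no_sev, encoding="unicode")
    return variants


# Constructed sample: a trimmed version of the reporter's domain XML.
SAMPLE_XML = """<domain type='kvm'>
  <name>test</name>
  <vcpu placement='static'>8</vcpu>
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
    <loader secure='yes'/>
  </os>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0033</policy>
  </launchSecurity>
</domain>
"""

if __name__ == "__main__":
    # Usage: python triage.py [domain.xml ...]; no args runs on SAMPLE_XML.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_XML)]
    for name, xml_text in sources:
        print(name, triage(xml_text), "AFFECTED" if is_affected(xml_text) else "ok")
```

Run it over `virsh dumpxml` output for each domain to find which ones carry the failing combination before touching their configuration; the variants it emits are the reporter's workarounds, so they trade off either isolation (SEV), measured boot (swtpm) or vCPU count and are a stopgap rather than a fix.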
