Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-50452

Setting secureBoot to false does not disable it on VM with VMCP

XMLWordPrintable

    • 0.42
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • ---
    • ---
    • High
    • None

      Description of problem:

      Disable SecureBoot for a VM in the YAML does not work, its enabled.
This happens if the VM has a VMCP that sets it to enabled.
Cannot override the VMCP setting

      Version-Release number of selected component (if applicable):

      4.17.0

      How reproducible:

      Always

      Steps to Reproduce:

      Have a VM with it disabled

      # oc get vm windows11 -o yaml | yq '.spec.template.spec.domain.firmware'
bootloader:
  efi:
    secureBoot: false

      Actual results:

      # oc rsh virt-launcher-windows11-f42rt virsh dumpxml 1 --xpath '//domain//os'
Authorization not available. Check if polkit service is running or see debug message for more information.
<os>
  <type arch="x86_64" machine="pc-q35-rhel9.4.0">hvm</type>
  <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
  <nvram template="/usr/share/OVMF/OVMF_VARS.secboot.fd">/var/run/kubevirt-private/libvirt/qemu/nvram/windows11_VARS.fd</nvram>
  <boot dev="hd"/>
  <smbios mode="sysinfo"/>
</os>

      Expected results:

      Disabled

      Additional info:

      Guest OS also detected SecureBoot enabled.

              sgott@redhat.com Stuart Gott
              rhn-support-gveitmic Germano Veit Michel
              Vasiliy Sibirskiy Vasiliy Sibirskiy
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: