@sureshanaparti sureshanaparti commented Sep 26, 2025

Description

This PR enables UEFI on KVM hosts (by default), and configures it with some default settings.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Verified the UEFI packages and settings at /etc/cloudstack/agent/uefi.properties in ol8/ol9/debian12.

KVM Host / Agent (OL8):

[root@ol8-kvm1 ~]# yum list installed | grep -i swtpm
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/epel.repo; Configuration: OptionBinding with id "failovermethod" does not exist
swtpm.x86_64                                      0.7.0-1.20211109gitb79fd91.module+el8.6.0+20659+3dcf7c70     @ol8_appstream     
swtpm-libs.x86_64                                 0.7.0-1.20211109gitb79fd91.module+el8.6.0+20659+3dcf7c70     @ol8_appstream     
swtpm-tools.x86_64                                0.7.0-1.20211109gitb79fd91.module+el8.6.0+20659+3dcf7c70     @ol8_appstream     
[root@ol8-kvm1 ~]# yum list installed | grep -i edk2-ovmf
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/epel.repo; Configuration: OptionBinding with id "failovermethod" does not exist
edk2-ovmf.noarch                                  20220126gitbb1bba3d77-13.el8_10.8                            @ol8_appstream     
[root@-ol8-kvm1 ~]#
[root@ol8-kvm1 ~]# cat /etc/cloudstack/agent/uefi.properties 
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

# Configuration file for UEFI

guest.nvram.template.legacy=/usr/share/edk2/ovmf/OVMF_VARS.fd
guest.loader.legacy=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd
guest.nvram.template.secure=/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
guest.loader.secure=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
[root@ol8-kvm1 ~]#
[root@ol8-kvm1 ~]# cd /usr/share/edk2/ovmf/
[root@ol8-kvm1 ovmf]# ls -lrt
total 11676
-rw-r--r--. 1 root root 2594816 Aug 26 08:45 UefiShell.iso
-rw-r--r--. 1 root root  949568 Aug 26 08:45 Shell.efi
-rw-r--r--. 1 root root  540672 Aug 26 08:45 OVMF_VARS.secboot.fd
-rw-r--r--. 1 root root  540672 Aug 26 08:45 OVMF_VARS.fd
-rw-r--r--. 1 root root 3653632 Aug 26 08:45 OVMF_CODE.secboot.fd
-rw-r--r--. 1 root root 3653632 Aug 26 08:45 OVMF_CODE.cc.fd
-rw-r--r--. 1 root root   19264 Aug 26 08:45 EnrollDefaultKeys.efi
[root@ol8-kvm1 ovmf]#

MS (OL8):

mysql> SELECT * FROM host_details WHERE name LIKE '%uefi%';
+----+---------+------------------+-------+
| id | host_id | name             | value |
+----+---------+------------------+-------+
| 13 |       1 | host.uefi.enable | true  |
+----+---------+------------------+-------+
1 row in set (0.00 sec)

KVM Host / Agent (Debian12):

root@debian12-kvm1:/etc/cloudstack/agent# dpkg -l | grep ovmf
ii  ovmf                                 2022.11-6+deb12u2               all          UEFI firmware for 64-bit x86 virtual machines
root@debian12-kvm1:/etc/cloudstack/agent#
root@debian12-kvm1:/etc/cloudstack/agent# dpkg -l | grep swtpm
ii  swtpm                                0.7.1-1.3                       amd64        Libtpms-based TPM emulator
ii  swtpm-libs:amd64                     0.7.1-1.3                       amd64        Common libraries for TPM emulators
ii  swtpm-tools                          0.7.1-1.3                       amd64        Tools for the TPM emulator
root@debian12-kvm1:/etc/cloudstack/agent#
root@debian12-kvm1:/etc/cloudstack/agent# cat uefi.properties 
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

# Configuration file for UEFI

guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS_4M.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE_4M.fd
guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
guest.loader.secure=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
root@debian12-kvm1:/etc/cloudstack/agent# 
root@debian12-kvm1:/etc/cloudstack/agent# cd /usr/share/OVMF
root@debian12-kvm1:/usr/share/OVMF# ls -lrt
total 12816
-rw-r--r-- 1 root root  131072 Nov  5  2024 OVMF_VARS.ms.fd
-rw-r--r-- 1 root root  131072 Nov  5  2024 OVMF_VARS.fd
-rw-r--r-- 1 root root  540672 Nov  5  2024 OVMF_VARS_4M.snakeoil.fd
-rw-r--r-- 1 root root  540672 Nov  5  2024 OVMF_VARS_4M.ms.fd
-rw-r--r-- 1 root root  540672 Nov  5  2024 OVMF_VARS_4M.fd
-rw-r--r-- 1 root root 1966080 Nov  5  2024 OVMF_CODE.secboot.fd
lrwxrwxrwx 1 root root      20 Nov  5  2024 OVMF_CODE.ms.fd -> OVMF_CODE.secboot.fd
-rw-r--r-- 1 root root 1966080 Nov  5  2024 OVMF_CODE.fd
lrwxrwxrwx 1 root root      23 Nov  5  2024 OVMF_CODE_4M.snakeoil.fd -> OVMF_CODE_4M.secboot.fd
-rw-r--r-- 1 root root 3653632 Nov  5  2024 OVMF_CODE_4M.secboot.fd
lrwxrwxrwx 1 root root      23 Nov  5  2024 OVMF_CODE_4M.ms.fd -> OVMF_CODE_4M.secboot.fd
-rw-r--r-- 1 root root 3653632 Nov  5  2024 OVMF_CODE_4M.fd
root@debian12-kvm1:/usr/share/OVMF# 

MS (Debian12):

mysql> SELECT * FROM host_details WHERE name LIKE '%uefi%';
+----+---------+------------------+-------+
| id | host_id | name             | value |
+----+---------+------------------+-------+
| 13 |       1 | host.uefi.enable | true  |
+----+---------+------------------+-------+
1 row in set (0.00 sec)

mysql>

How did you try to break this feature and the system with this change?
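
A host-side check of the `uefi.properties` file shown in the description above, as an added example that is not part of this pull request or of CloudStack. It reads the five keys and reports missing firmware files, a secure NVRAM template that is the same file as the legacy one, and a missing or world-writable `guest.nvram.path`; the function names, finding labels and the optional root prefix are assumptions made for illustration.

```shell
# Added example, not CloudStack code. Key names are those in the uefi.properties
# shown in the PR; the checks are assumptions about what an operator would verify.
# prop FILE KEY: print KEY's value (last assignment wins), empty if unset.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_uefi_properties FILE [ROOT]: print one line per finding, return 1 if any.
# ROOT is prefixed to every path so a staged tree can be checked offline.
check_uefi_properties() {
    file=$1; root=${2:-}; bad=0
    for k in guest.loader.legacy guest.nvram.template.legacy \
             guest.loader.secure guest.nvram.template.secure; do
        v=$(prop "$file" "$k")
        if [ -z "$v" ]; then
            echo "MISSING-KEY $k"; bad=1
        elif [ ! -f "$root$v" ] || [ ! -r "$root$v" ]; then
            echo "MISSING-FILE $k=$v"; bad=1
        fi
    done
    # Assumption: the legacy template is the blank variable store (no enrolled
    # keys), so reusing it for secure guests leaves Secure Boot unenforced.
    sec=$(prop "$file" guest.nvram.template.secure)
    if [ -n "$sec" ] && [ "$sec" = "$(prop "$file" guest.nvram.template.legacy)" ]; then
        echo "SAME-TEMPLATE guest.nvram.template.secure=$sec"; bad=1
    fi
    # Per-guest NVRAM copies are written here; it must not be world-writable.
    dir=$(prop "$file" guest.nvram.path)
    if [ -z "$dir" ] || [ ! -d "$root$dir" ]; then
        echo "MISSING-DIR guest.nvram.path=$dir"; bad=1
    elif [ -n "$(find "$root$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "WORLD-WRITABLE guest.nvram.path=$dir"; bad=1
    fi
    return "$bad"
}

# make_sample ROOT: constructed fixture mirroring the Debian 12 values in the PR.
make_sample() {
    mkdir -p "$1/usr/share/OVMF" "$1/var/lib/libvirt/qemu/nvram" "$1/etc"
    for f in VARS_4M.fd CODE_4M.fd VARS_4M.ms.fd CODE_4M.secboot.fd; do
        : > "$1/usr/share/OVMF/OVMF_$f"
    done
    cat > "$1/etc/uefi.properties" <<'EOF'
guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS_4M.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE_4M.fd
guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
guest.loader.secure=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
EOF
}
tmp=$(mktemp -d) && make_sample "$tmp"
check_uefi_properties "$tmp/etc/uefi.properties" "$tmp" && echo "uefi.properties OK"; rm -rf "$tmp"
```

On a real host, call `check_uefi_properties /etc/cloudstack/agent/uefi.properties` with no second argument.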

@sureshanaparti
Contributor Author

@blueorangutan package

Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

Enables UEFI support on KVM hosts by default with appropriate configuration settings across multiple system components.

  • Adds UEFI configuration properties for legacy and secure boot modes with OVMF firmware paths
  • Integrates UEFI properties files into system VM agents and console proxy components
  • Updates packaging dependencies to include required OVMF and swtpm packages

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| agent/conf/uefi.properties.in | Defines UEFI configuration properties with template placeholders for firmware paths |
| packaging/el8/replace.properties | Sets OVMF firmware file paths for CentOS/RHEL 8 systems |
| packaging/debian/replace.properties | Sets OVMF firmware file paths for Debian-based systems |
| packaging/el8/cloud.spec | Adds edk2-ovmf and swtpm package dependencies for RPM builds |
| debian/control | Adds ovmf and swtpm package dependencies for Debian builds |
| pom.xml | Excludes uefi.properties from license header checks |
| systemvm/systemvm-agent-descriptor.xml | Includes uefi.properties in system VM agent configuration |

codecov bot commented Sep 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.58%. Comparing base (0e8b0b8) to head (f3a46de).
⚠️ Report is 11 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (0e8b0b8) and HEAD (f3a46de). Click for more details.

HEAD has 1 upload less than BASE
| Flag | BASE (0e8b0b8) | HEAD (f3a46de) |
| --- | --- | --- |
| unittests | 1 | 0 |
Additional details and impacted files
@@              Coverage Diff              @@
##               main   #11740       +/-   ##
=============================================
- Coverage     17.55%    3.58%   -13.97%     
=============================================
  Files          5908      445     -5463     
  Lines        528799    37526   -491273     
  Branches      64580     6901    -57679     
=============================================
- Hits          92806     1346    -91460     
+ Misses       425555    36016   -389539     
+ Partials      10438      164    -10274     
| Flag | Coverage Δ |
| --- | --- |
| uitests | 3.58% <ø> (ø) |
| unittests | ? |

Flags with carried forward coverage won't be shown. Click here to find out more.

@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15193

@apache apache deleted a comment from blueorangutan Sep 26, 2025
Member

@weizhouapache weizhouapache left a comment

code lgtm

checked the settings on ol8 and u24

@daviftorres
Contributor

Hey @sureshanaparti ,

I am having a problem with Snapshots of Windows guest instances because they require UEFI.

Apparently, libvirt can't do Instance Snapshots when using UEFI. The workaround is to do the Volume Snapshot (or a full backup using the NAS Backup plugin). See https://utcc.utoronto.ca/~cks/space/blog/linux/LibvirtUEFISnapshots

Have you considered this condition?

@sureshanaparti
Contributor Author

> Hey @sureshanaparti ,
>
> I am having a problem with Snapshots of Windows guest instances because they require UEFI.
>
> Apparently, libvirt can't do Instance Snapshots when using UEFI. The workaround is to do the Volume Snapshot (or a full backup using the NAS Backup plugin). See https://utcc.utoronto.ca/~cks/space/blog/linux/LibvirtUEFISnapshots
>
> Have you considered this condition?

will check it @daviftorres

@sureshanaparti sureshanaparti force-pushed the enable-uefi-on-kvm-hosts-by-default branch from b352909 to ff29741 Compare October 6, 2025 03:54
@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15298

@weizhouapache
Member

> Hey @sureshanaparti ,
>
> I am having a problem with Snapshots of Windows guest instances because they require UEFI.
>
> Apparently, libvirt can't do Instance Snapshots when using UEFI. The workaround is to do the Volume Snapshot (or a full backup using the NAS Backup plugin). See https://utcc.utoronto.ca/~cks/space/blog/linux/LibvirtUEFISnapshots
>
> Have you considered this condition?

@daviftorres
instance snapshot with memory or without memory (disk-only) ?

btw: the issue does not block this PR as this only changes the KVM host setting, not vm settings

@DaanHoogland
Contributor

@sureshanaparti , ready to merge?

@sureshanaparti
Contributor Author

> @sureshanaparti , ready to merge?

not yet @DaanHoogland , will update you.

@sureshanaparti sureshanaparti force-pushed the enable-uefi-on-kvm-hosts-by-default branch from ff29741 to 6847c0d Compare October 15, 2025 06:33
@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15463

@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15472

@sureshanaparti sureshanaparti force-pushed the enable-uefi-on-kvm-hosts-by-default branch from 6847c0d to 29581c6 Compare October 16, 2025 05:34
@apache apache deleted a comment from blueorangutan Oct 16, 2025
@apache apache deleted a comment from blueorangutan Oct 16, 2025
@apache apache deleted a comment from blueorangutan Oct 16, 2025
@apache apache deleted a comment from blueorangutan Oct 16, 2025
@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15476

@sureshanaparti sureshanaparti force-pushed the enable-uefi-on-kvm-hosts-by-default branch from 29581c6 to 85e5e5f Compare October 16, 2025 07:56
@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@sureshanaparti sureshanaparti force-pushed the enable-uefi-on-kvm-hosts-by-default branch from 85e5e5f to f3a46de Compare October 16, 2025 09:11
@sureshanaparti
Contributor Author

@blueorangutan package

@blueorangutan

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 15480

@sureshanaparti sureshanaparti marked this pull request as ready for review October 17, 2025 07:55
@sureshanaparti
Contributor Author

@blueorangutan test

@blueorangutan

@sureshanaparti a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@sureshanaparti
Contributor Author

> > @sureshanaparti , ready to merge?
>
> not yet @DaanHoogland , will update you.

@DaanHoogland this is ready after smoke tests

@rosi-shapeblue
Collaborator

@blueorangutan package

@blueorangutan

@rosi-shapeblue a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15491

@blueorangutan

[SF] Trillian test result (tid-14704)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 54303 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11740-t14704-kvm-ol8.zip
Smoke tests completed. 148 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

| Test | Result | Time (s) | Test File |
| --- | --- | --- | --- |
| test_01_vpc_site2site_vpn_multiple_options | Failure | 311.04 | test_vpc_vpn.py |
| test_01_vpc_site2site_vpn | Failure | 265.51 | test_vpc_vpn.py |
