@fl64 fl64 commented Jan 25, 2026

Description

Fix VMs with EFIWithSecureBoot bootloader failing to start when configured with more than 12 vCPUs.

  • Enable persistent NVRAM for SecureBoot VMs
  • Increase EDK2 limits to support up to 128 vCPUs

Why do we need it, and what problem does it solve?

VMs with SecureBoot were stuck in an infinite reboot loop or showing a black screen when using more than ~12 cores.

What is the expected result?

VMs with bootloader: EFIWithSecureBoot boot successfully with any number of cores (up to 128).

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: fix
summary: fix VMs with `EFIWithSecureBoot` bootloader failing to start when configured with more than 12 vCPUs.

Signed-off-by: Pavel Tishkov <[email protected]>
fl64 added 6 commits January 25, 2026 21:57
Signed-off-by: Pavel Tishkov <[email protected]>
Signed-off-by: Pavel Tishkov <[email protected]>
Signed-off-by: Pavel Tishkov <[email protected]>
Signed-off-by: Pavel Tishkov <[email protected]>
Signed-off-by: Pavel Tishkov <[email protected]>
Signed-off-by: Pavel Tishkov <[email protected]>
@fl64 fl64 changed the title from "fix(core): fix ovmf sb flags" to "fix(core): fix VMs with EFIWithSecureBoot bootloader failing to start when configured with more than 12 vCPUs" Jan 26, 2026
@fl64 fl64 added this to the v1.5.0 milestone Jan 26, 2026
@fl64 fl64 marked this pull request as ready for review January 26, 2026 12:51
@fl64 fl64 added the e2e/run Run e2e test on cluster of PR author label Jan 27, 2026

deckhouse-BOaTswain commented Jan 27, 2026

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Jan 27, 2026
Comment on lines 103 to 106
# CC_FLAGS="${CC_FLAGS} -b DEBUG" # TEMP: enable debug to see OVMF errors in serial

CC_FLAGS="${CC_FLAGS} --cmd-len=65536"
CC_FLAGS="${CC_FLAGS} -D DEBUG_ON_SERIAL_PORT=TRUE" # TEMP: output debug to serial console
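
Review bot: The `-D DEBUG_ON_SERIAL_PORT=TRUE` line is active while the `-b DEBUG` line above it is commented out, and both carry a TEMP marker, so as written every build passes the serial debug define with no switch to turn it off. Either drop the TEMP lines before merge or gate them behind a single build variable that defaults to off, and state in the comment which lines to change for a debug build. The `--cmd-len=65536` line also has no comment explaining why that value is needed.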
Member

`-D DEBUG_ON_SERIAL_PORT=TRUE` — does it work without `-b DEBUG`?

Also, these 2 new settings are commented with "TEMP" — do we need them in main?

Member Author

@fl64 fl64 Jan 27, 2026

I left it on purpose so that, if necessary, it could be quickly built with a debug build. But if such points are obvious, then you can remove them.

Member

It is not obvious what to change to build with debug output =)

Member

@diafour diafour Jan 27, 2026

Do we need to enable a debug build with `-b DEBUG` to enable output on the serial port, or is `-D DEBUG_ON_SERIAL_PORT` enough and there is a runtime option for more verbose output for a RELEASE build? Or do we need to rebuild ovmf to get a verbose log on the serial port? (I remember that an ovmf rebuild may take ~40min).

Member Author

Just put DEBUG instead of RELEASE )

Signed-off-by: Pavel Tishkov <[email protected]>
@fl64 fl64 requested a review from diafour January 29, 2026 09:33
@fl64 fl64 added e2e/user/universal-itengineer e2e/run Run e2e test on cluster of PR author labels Jan 29, 2026
@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Jan 29, 2026