Troubleshooting Secure Boot VMs

There are various reasons why a VM with secure boot enabled may fail to start, or why you may be unable to connect to it while it is running.

This page explains how to verify and troubleshoot a VM with secure boot enabled.

This page is not exhaustive. The problem you are experiencing may not be listed on this page.

Symptoms

  • A VM starts but the OS does not seem to boot.

  • A VM is in the running state but does not seem to be responding correctly.

  • Accessing the VM is impossible.

Investigation

Viewing the Output Console of a VM

To help you determine the issue with a VM, we recommend that you first view the console output, which can reveal boot problems or system errors.

You can use the Viewing the Console Output of a VM procedure or the following example:

Request sample
$ osc-cli api ReadConsoleOutput --VmId i-123456789 | jq -r '.ConsoleOutput' | base64 -d

Where:

  • osc-cli api ReadConsoleOutput --VmId i-123456789 calls the OUTSCALE API method that returns the console output of the specified VM.

  • jq -r '.ConsoleOutput' extracts the console output from the response.

  • base64 -d decodes the Base64-encoded string.

Solutions

Depending on the response of the console output, we recommend different solutions.

Access Denied

In the console output, the response can show Access Denied for one or more specific files. This means the firmware could not verify the signature of these files: they are not signed, or are signed with a key that secure boot does not trust.

Response sample: Access Denied
BdsDxe: loading Boot0002 "Rocky Linux" from HD(1,GPT,39D4CE0B-8CC4-4B71-BFC7-DF0C0A16FA48,0x800,0x31800)/\file-example.efi
BdsDxe: failed to load Boot0002 "Rocky Linux" from HD(1,GPT,39D4CE0B-8CC4-4B71-BFC7-DF0C0A16FA48,0x800,0x31800)/\file-example.efi: Access Denied
BdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x1)/Pci(0x0,0x0)
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x1)/Pci(0x0,0x0)
LoadImage failed: Access Denied
Device path: "PciRoot(0)/Pci(0x2,0x1)/Pci(0x0,0x0)/HD(1,GPT,39D4CE0B-8CC4-4B71-BFC7-DF0C0A16FA48)/\file-example.efi"
02 01 0C 00 D0 41 03 0A 00 00 00 00 01 01 06 00
01 02 01 01 06 00 00 00 04 01 2A 00 01 00 00 00
00 08 00 00 00 00 00 00 00 18 03 00 00 00 00 00
0B CE D4 39 C4 8C 71 4B BF C7 DF 0C 0A 16 FA 48
02 02 04 04 32 00 5C 00 45 00 46 00 49 00 5C 00
72 00 6F 00 63 00 6B 00 79 00 5C 00 73 00 68 00
69 00 6D 00 78 00 36 00 34 00 2E 00 65 00 66 00
69 00 00 00 7F FF 04 00

Solution 1: Force Stop the VM

If the OS has not started, stopping the VM normally is not enough to restart it.

You need to force stop the VM. For more information, see About VM Lifecycle.

To force stop a VM, use the OUTSCALE API StopVms method as follows:

Request sample
$ osc-cli api StopVms --profile "default" \
  --VmIds '["i-12345678"]' \
  --ForceStop true

Solution 2: Fix Signatures

If you customized the keys involved in secure boot, you can disable secure boot to correct the signatures, and then re-enable secure boot. For more information, see Enabling or Disabling Secure Boot.

OUTSCALE does not provide support if you customized the keys involved in secure boot. You can refer to the Arch Linux Secure Boot documentation for help.

UEFI Incompatibility

In the console output, the response can show No bootable option or device was found. This means the VM was started with an OS that is incompatible with UEFI.

Response sample: OS not compatible with UEFI
Dxe: failed to load Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x1)/Pci(0x0,0x0): Not Found
BdsDxe: No bootable option or device was found.
BdsDxe: Press any key to enter the Boot Manager Menu.

Solution: Create a New VM

If the OS is incompatible with UEFI, you need to terminate the VM because the boot mode cannot be modified. For more information, see Terminating VMs.

You can create a new VM with a boot mode compatible with UEFI. For more information, see About Boot Modes and Enabling or Disabling Secure Boot.
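The whole procedure on this page, as an added shell example that is not part of the OUTSCALE documentation: it decodes the console output, looks for the two firmware messages described above, and prints the matching remediation. The helper function names are assumed, and the sample outputs are constructed from the response samples on this page.

```shell
#!/bin/sh
# Added example (not OUTSCALE's own code): classify the decoded console output
# of a secure-boot VM and print the remediation described on this page.
# Assumes osc-cli and jq are installed and a profile is configured.

# Fetch and Base64-decode the console output of one VM (the same pipeline as
# the Request sample above; hypothetical helper name).
fetch_console_output() {
    osc-cli api ReadConsoleOutput --VmId "$1" | jq -r '.ConsoleOutput' | base64 -d
}

# Classify decoded console text by the firmware messages shown on this page.
# Prints one of: access-denied | no-bootable-option | unknown
classify_console_output() {
    text="$1"
    if printf '%s\n' "$text" | grep -q 'Access Denied'; then
        echo access-denied
    elif printf '%s\n' "$text" | grep -q 'No bootable option or device was found'; then
        echo no-bootable-option
    else
        echo unknown
    fi
}

# Map a classification to the solution described on this page.
suggest_solution() {
    case "$1" in
        access-denied)
            echo "Boot file failed signature verification: force stop the VM (StopVms --ForceStop true); if you customized the secure boot keys, disable secure boot, fix the signatures, then re-enable it." ;;
        no-bootable-option)
            echo "OS is not UEFI-compatible: terminate the VM and create a new one with a UEFI-compatible boot mode." ;;
        *)
            echo "No known secure boot failure pattern found; inspect the console output manually." ;;
    esac
}

# Constructed sample outputs, copied from the response samples on this page.
SAMPLE_ACCESS_DENIED='BdsDxe: failed to load Boot0002 "Rocky Linux" from HD(1,GPT,...)/\file-example.efi: Access Denied
LoadImage failed: Access Denied'
SAMPLE_NOT_FOUND='BdsDxe: failed to load Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x1)/Pci(0x0,0x0): Not Found
BdsDxe: No bootable option or device was found.'

# Against a real VM:  suggest_solution "$(classify_console_output "$(fetch_console_output i-123456789)")"
# Offline demonstration on the constructed samples:
for sample in "$SAMPLE_ACCESS_DENIED" "$SAMPLE_NOT_FOUND"; do
    suggest_solution "$(classify_console_output "$sample")"
done
```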

Related Pages