Windows 11 ISO does not boot with UEFI (OVMF) in KVM hosts

[jeanvetorello]

problem

Hello,

I am trying to deploy a Windows 11 VM on Apache CloudStack (KVM hypervisor) using UEFI boot with OVMF.
However, the VM does not boot from the ISO. The TianoCore (OVMF) firmware screen appears, I select the CD-ROM option, but it immediately returns to the boot menu instead of loading the Windows installer.

virsh dumpxml i-2-102-VM | grep -A5 loader

<loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.secboot.fd</loader>
<nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd'>/var/lib/libvirt/qemu/nvram/72901cf3-b926-4771-91db-839c4863a52d.fd</nvram>
<boot dev='cdrom'/>
<boot dev='hd'/>
<smbios mode='sysinfo'/>

virsh dumpxml i-2-102-VM | grep -A5 tpm

<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
  <alias name='tpm0'/>
</tpm>
<graphics type='vnc' port='5903' autoport='yes' listen='192.168.1.15'>
  <listen type='address' address='192.168.1.15'/>
</graphics>
<audio id='1' type='none'/>
<video>

versions

Ubuntu 24.04 LTSUbuntu 24.04.3 LTS
CloudStack 4.21.0.0
cloudstack-agent 4.21.0.0
QEMU emulator version 8.2.2
virsh 10.0.0

ovmf 2024.02-2ubuntu0.4

ls -l /usr/share/OVMF/
total 8720
-rw-r--r-- 1 root root 3653632 Jun 4 03:51 OVMF_CODE_4M.fd
lrwxrwxrwx 1 root root 23 Jun 4 03:51 OVMF_CODE_4M.ms.fd -> OVMF_CODE_4M.secboot.fd
-rw-r--r-- 1 root root 3653632 Jun 4 03:51 OVMF_CODE_4M.secboot.fd
lrwxrwxrwx 1 root root 23 Jun 4 03:51 OVMF_CODE_4M.snakeoil.fd -> OVMF_CODE_4M.secboot.fd
-rw-r--r-- 1 root root 540672 Jun 4 03:51 OVMF_VARS_4M.fd
-rw-r--r-- 1 root root 540672 Jun 4 03:51 OVMF_VARS_4M.ms.fd
-rw-r--r-- 1 root root 540672 Jun 4 03:51 OVMF_VARS_4M.snakeoil.fd

The steps to reproduce the bug

1.Install CloudStack agent with ovmf package on Ubuntu 24.04 host.
2.Configure /etc/cloudstack/agent/uefi.properties:

guest.nvram.template.secure=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
guest.nvram.template.legacy=/usr/share/OVMF/OVMF_VARS_4M.fd
guest.nvram.path=/var/lib/libvirt/qemu/nvram/
guest.loader.secure=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
guest.loader.legacy=/usr/share/OVMF/OVMF_CODE_4M.fd

3.Register a Windows 11 ISO in secondary storage.

4. Create a VM with:
   virtual.tpm.version
   2.0
   virtual.tpm.model
   tpm-tis
   UEFI
   SECURE
   Firmware: OVMF (with TPM 2.0)

5. Global Settings
   enable.additional.vm.configuration true
   allow.additional.vm.configuration.list.kvm devices,tpm,backend

6. Start the VM.
   ...

What to do about it?

No response

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[weizhouapache]

@jeanvetorello
it looks like the vm is not booted from ISO

can you retry and press space or other key in the screen "Press any key to boot from CD or DVD " ?

[weizhouapache]

oh, this might be related to #11512

[jeanvetorello]

oh, this might be related to #11512

Thanks for pointing me to this issue. From what I can see, #11512 is about the inability to retrieve the VM UUID inside Windows using wmic (especially on AMD hosts), which happens after the OS has already booted.

In my case, the problem occurs during boot/install of Windows 11 with UEFI Secure Boot and TPM 2.0 enabled — the VM never gets past the initial boot stage. So it looks unrelated to the UUID/WMIC problem described in #11512.

@jeanvetorello it looks like the vm is not booted from ISO

can you retry and press space or other key in the screen "Press any key to boot from CD or DVD " ?

Yes, I already tried pressing keys at the “Press any key to boot from CD or DVD” prompt.
When I do that, the VM just stays on the Tianocore (UEFI) screen and then goes back to the same prompt again. It never proceeds with the installation.

[weizhouapache]

@jeanvetorello
I am able to reproduce the issue when install Windows 11 24H2 on Ubuntu 24.04. It works fine on Rocky 8

4.20 has provided a new vm setting: guest.cpu.mode. when I set it to host-passthrough, the Windows VM can be booted on Ubuntu 24.04 as well