WARNING Using --osinfo generic, VM performance may suffer. Specify an accurate OS for optimal results.
Starting install...
ERROR firmware feature 'enrolled-keys' cannot be enabled when firmware feature 'secure-boot' is disabled
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start hass
otherwise, please restart your installation.
Does anyone have any idea on how to resolve this? Thank you!
I don’t use virt-install (I use virt-manager), but I don’t mind digging a little to try and help out. It could be that libvirt has changed (read-further below).
In virt-manager, you have to specify a uefi boot file to use, and for HA, specifically one that doesn’t use secure boot. The file has a name like OVMF_blah-blah.
In HA’s docs for virt-install, it doesn’t mention this file, it just says set the boot to ‘uefi’.
Looking at this link, it appears that for virt-install, when setting the boot to ‘uefi’ it tries to auto-determine what OMVF file to use.
That link, plus this link specific to Tubleweed seems to me to suggest that libvirt has recently changed things so when you specify ‘uefi’, it now grabs a secure boot file whereas before it had picked a non-secure boot file.
In my case, virt-manager created an XML entry: <loader readonly="yes" type="pflash">/usr/share/OVMF/OVMF_CODE.fd</loader>
So seems to me that virt-install needs something similar.
I don’t know the exact syntax, but the man page seems to suggest something like: --boot loader=/.../OVMF_CODE.fd,loader.readonly=yes,loader.type=pflash,nvram.tem‐ plate=/.../OVMF_VARS.fd,loader_secure=no
where “/…/” is the directory containing these two file.