Installing HA OS 12.2 in a virtualized KVM (virtual manager) using rasperry PI 5 and Rasperry pi OS not working

vmariniferreira · April 23, 2024, 4:43am

I´m trying to get the best of both worlds using my new Rapi5 for HA and also other usages.

Using Rapi5 just for HA would be and overkill and besides that I use RemotePC to acess my Pi remotely, as It´s under a network that does not accept incoming calls and RemotePC solves this for me. RemotePC has a version for Rasperry PI OS but not for HA.

Under HA installation instructions I see it should be supported because there is a linux installation section that describes the configuration in order to use virtual Manager to run HA OS under it.

I´ve followed the steps but it seems I cannot get a non secure boot firmware from the current version of virtual manager installed so I´d like to know how to boot HA OS using secure boot or, if not possible, how to disable secure boot in a Rapi5 in order to thet HA OS running. I´ve tried different linux machines configuration in virtualmanager, such as generic linux 2022/2020, gentoo linux, and even Ubuntu 16, but all this machine configurations come with secure boot enabled…

Any ideas?

francisp · April 23, 2024, 4:50am

Maybe you can take some tips from

hahuzar · April 23, 2024, 6:04am

I haven’t read through HA install tips, but I noticed that in recent setups with QEMU/libvirtd/KVM, the firmware in the VM defaults to secure boot. So you need to go into UEFI firmware settings and disable secure boot. This is Debian 12, I assume you run RPiOS64 Bookworm on your Pi5, so that is same version.

wmaker · April 23, 2024, 1:17pm

Just to confirm, are you talking about step 6 which says:
“Under customization select Overview > Firmware > UEFI x86_64: …. Make sure to select a non-secureboot version of OVMF (does not contain the word secure, secboot, etc.), e.g., /usr/share/edk2/ovmf/OVMF_CODE.fd.”

vmariniferreira · April 23, 2024, 3:37pm

Exactly, the problem is that this step 6 is directed towards Generic Linux for Intel and the Rapi5 OS as it´s arm64 based has different naming conventions. For instance, instead of OVMF prefix the firmware prefix starts wi AAVMF… I cannot find a AAVMF file that would support a non-secureboot version…

vmariniferreira · April 23, 2024, 3:45pm

The problema is that besides having the OS version difference the processor architecture is different as well. I´ve just realised that the image provided in the HA site (https://github.com/home-assistant/operating-system/releases/download/12.2/haos_ova-12.2.qcow2.xz) is probably a Intel 86_x64 image so it should not run in a arch64 arquitecture (Rapi5 arm processor).

Probably I was able to overcome the secure boot because the initial message “security violation” disappeared when I used a old machine type in virt-manager and changed the security boot parameter and disabled it, but I thought it didn´t work.

Probably it worked and now my problema is to get or make a qcow2 image based on arm64… Anyone knows how to solve this issue?

Looking at HA´s rasperry pi instalattion instructions it does not talk about using a hypervisor like virt-manager and the image is built in rasperry pi image builder…

francisp · April 23, 2024, 4:11pm

Yes, you need https://github.com/home-assistant/operating-system/releases/download/12.2/haos_generic-aarch64-12.2.qcow2.xz for a Pi 5

hahuzar · April 23, 2024, 7:11pm

For ARM, things might not be correct. I remember on RPiOS Bullseye, those UEFI firmware files simply weren’t installed automatically, they might even be missing from the Debian repo. I used also Opensuse Tumbleweed at that time, there everything was there in the correct way. I actually copied the AAVMF files from Tumbleweed to RPiOS in order to get VMs running. Now in Bookworm, files should be there, but it might be that you need to extra install some Debian package for it, I don’t remember anymore.

EDIT:
Now is see they are in Debian package: qemu-efi-aarch64

# dpkg -L  qemu-efi-aarch64
/.
/usr
/usr/share
/usr/share/AAVMF
/usr/share/AAVMF/AAVMF_CODE.fd
/usr/share/AAVMF/AAVMF_VARS.fd
/usr/share/AAVMF/AAVMF_VARS.ms.fd
/usr/share/AAVMF/AAVMF_VARS.snakeoil.fd
/usr/share/doc
/usr/share/doc/qemu-efi-aarch64
/usr/share/doc/qemu-efi-aarch64/README.Debian
/usr/share/doc/qemu-efi-aarch64/changelog.Debian.gz
/usr/share/doc/qemu-efi-aarch64/copyright
/usr/share/qemu
/usr/share/qemu/firmware
/usr/share/qemu/firmware/40-edk2-aarch64-secure-enrolled.json
/usr/share/qemu/firmware/50-edk2-aarch64-secure.json
/usr/share/qemu/firmware/60-edk2-aarch64.json
/usr/share/qemu-efi-aarch64
/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.key
/usr/share/qemu-efi-aarch64/PkKek-1-snakeoil.pem
/usr/share/qemu-efi-aarch64/QEMU_EFI.fd
/usr/share/AAVMF/AAVMF_CODE.ms.fd
/usr/share/AAVMF/AAVMF_CODE.snakeoil.fd

This is part of the VM XML file I run HA in:

...
  <os firmware="efi">
    <type arch="aarch64" machine="virt-7.2">hvm</type>
    <firmware>
      <feature enabled="no" name="enrolled-keys"/>
      <feature enabled="no" name="secure-boot"/>
    </firmware>
    <nvram>/var/lib/libvirt/qemu/nvram/harmos_VARS.fd</nvram>
...

vmariniferreira · April 24, 2024, 2:00am

Yes, the solution was very simple but I had to look lots of different threads so I´m summarizing here a step by step procedure in order to get a Rasperry PI5 (bookworm 64 bit OS) running HA OS 12.2 inside a virtual manager KVM

1o) install virtual manager:
sudo apt install virt-manager

2o) Download HA OS for arm64bit arquitecture:

This is the link for the 12.2 version, but you can browse github for the version you want:

https://github.com/home-assistant/operating-system/releases/download/12.2/haos_generic-aarch64-12.2.qcow2.xz

NOTE: This is the trick, it is not mentioned in the HA linux installation page. There, implicitily, it assumes that you´re running an intel/amd (x86_64) arquitecture so the qcow2 files provided are for intel not arm arquitecture and the configuration of virtual manager refers just to x86 and x86_64 platforms. It took me 2 days to figure out that.

In othe words DON´T USE the image provided in the HA Linux installation page for Rasperry PI installations, use the link above.

3o) launch virtual machine manager (GUI) and create a machine

Basically select the import disk image option and use all the default options(virt type KVM, architecture aarch64, machine type virt)

Click forward and select the aarch64-12.2.qcow2 that you´ve previously decompressed in a suitable path

selecting generic linux 2022 as the operating system you are installing.

Select the Bridge for networking (beyond the scope of this post, but HA will boot even without networking configured which can show you´ve sucessfully installed in the VM)

You me let the default UEFI firmware but there is a trick. The first time you run the virtual machine it´s not going to boot. It´s going to show “security violation”. This is due the secure boot being enabled and HA does not support that. The workaround is very easy. Just press enter, this will take you to the Firmware setup (When I was young it was called BIOS setup kkkkkk).

There you go to device manager and disable secure boot and restart.

The magic will happen!!, HA OS will boot and after a while the root login will appear. This workaround has to be done just once, the VM persist the new firmware setup. There is an option which is look for a already non-secure boot UEFI firmware for aarch64. It would take me time for that and the workaround takes 30 seconds and done.

That´s it, you got HA installed. It took me some hours to figure out how to setup a bridge and get it used by HA network but I think this is beyond the scope of this post, there are a lot of posts and youtube videos regarding bridges and Debian