Archlinux - 6.9.9-arch1-1 - Unable to locate a UEFI firmware

[Myhed]

Required information

version :

• Client 6.3
• Server 6.3

Incus info

```bash config: {} api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - network_sriov - console - restrict_dev_incus - migration_pre_copy - infiniband - dev_incus_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - dev_incus_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - backup_compression - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl - warnings - projects_restricted_backups_and_snapshots - clustering_join_token - clustering_description - server_trusted_proxy - clustering_update_cert - storage_api_project - server_instance_driver_operational - server_supported_storage_drivers - event_lifecycle_requestor_address - resources_gpu_usb - clustering_evacuation - network_ovn_nat_address - network_bgp - network_forward - custom_volume_refresh - network_counters_errors_dropped - metrics - image_source_project - clustering_config - network_peer - linux_sysctl - network_dns - ovn_nic_acceleration - certificate_self_renewal - instance_project_move - storage_volume_project_move - cloud_init - network_dns_nat - database_leader - instance_all_projects - clustering_groups - ceph_rbd_du - instance_get_full - qemu_metrics - gpu_mig_uuid - event_project - clustering_evacuation_live - instance_allow_inconsistent_copy - network_state_ovn - storage_volume_api_filtering - image_restrictions - storage_zfs_export - network_dns_records - storage_zfs_reserve_space - network_acl_log - storage_zfs_blocksize - metrics_cpu_seconds - instance_snapshot_never - certificate_token - instance_nic_routed_neighbor_probe - event_hub - agent_nic_config - projects_restricted_intercept - metrics_authentication - images_target_project - images_all_projects - cluster_migration_inconsistent_copy - cluster_ovn_chassis - container_syscall_intercept_sched_setscheduler - storage_lvm_thinpool_metadata_size - storage_volume_state_total - instance_file_head - instances_nic_host_name - image_copy_profile - container_syscall_intercept_sysinfo - clustering_evacuation_mode - resources_pci_vpd - qemu_raw_conf - storage_cephfs_fscache - network_load_balancer - vsock_api - instance_ready_state - network_bgp_holdtime - storage_volumes_all_projects - metrics_memory_oom_total - storage_buckets - storage_buckets_create_credentials - metrics_cpu_effective_total - projects_networks_restricted_access - storage_buckets_local - loki - acme - internal_metrics - cluster_join_token_expiry - remote_token_expiry - init_preseed - storage_volumes_created_at - cpu_hotplug - projects_networks_zones - network_txqueuelen - cluster_member_state - instances_placement_scriptlet - storage_pool_source_wipe - zfs_block_mode - instance_generation_id - disk_io_cache - amd_sev - storage_pool_loop_resize - migration_vm_live - ovn_nic_nesting - oidc - network_ovn_l3only - ovn_nic_acceleration_vdpa - cluster_healing - instances_state_total - auth_user - security_csm - instances_rebuild - numa_cpu_placement - custom_volume_iso - network_allocations - zfs_delegate - storage_api_remote_volume_snapshot_copy - operations_get_query_all_projects - metadata_configuration - syslog_socket - event_lifecycle_name_and_project - instances_nic_limits_priority - disk_initial_volume_configuration - operation_wait - image_restriction_privileged - cluster_internal_custom_volume_copy - disk_io_bus - storage_cephfs_create_missing - instance_move_config - ovn_ssl_config - certificate_description - disk_io_bus_virtio_blk - loki_config_instance - instance_create_start - clustering_evacuation_stop_options - boot_host_shutdown_action - agent_config_drive - network_state_ovn_lr - image_template_permissions - storage_bucket_backup - storage_lvm_cluster - shared_custom_block_volumes - auth_tls_jwt - oidc_claim - device_usb_serial - numa_cpu_balanced - image_restriction_nesting - network_integrations - instance_memory_swap_bytes - network_bridge_external_create - network_zones_all_projects - storage_zfs_vdev - container_migration_stateful - profiles_all_projects - instances_scriptlet_get_instances - instances_scriptlet_get_cluster_members - instances_scriptlet_get_project - network_acl_stateless - instance_state_started_at - networks_all_projects - network_acls_all_projects - storage_buckets_all_projects - resources_load - instance_access - project_access - projects_force_delete - resources_cpu_flags - disk_io_bus_cache_filesystem - instance_oci api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls auth_user_name: naytchead auth_user_method: unix environment: addresses: [] architectures: - x86_64 - i686 certificate: | -----BEGIN CERTIFICATE----- MIICJTCCAaugAwIBAgIRAN1jve6YXvzPt9le2FYxIoUwCgYIKoZIzj0EAwMwPjEZ MBcGA1UEChMQTGludXggQ29udGFpbmVyczEhMB8GA1UEAwwYcm9vdEBuYXl0Y2hl YWQteHBzMTU5NTcwMB4XDTI0MDcxMzE4NDYzOVoXDTM0MDcxMTE4NDYzOVowPjEZ MBcGA1UEChMQTGludXggQ29udGFpbmVyczEhMB8GA1UEAwwYcm9vdEBuYXl0Y2hl YWQteHBzMTU5NTcwMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEx4IYr5sBIYyjU/O4 ygRbgv8EFuhlKXTvaytrmsgLKICjrBD8KVPDUmAmF2qTLeS/Hy9fQd9B7hNtF53Y a9raNzZarxHSV9rY3Vi8/5LLh6nDFlftQIOdYRtfVPaKg2xAo20wazAOBgNVHQ8B Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADA2BgNV HREELzAtghNuYXl0Y2hlYWQteHBzMTU5NTcwhwR/AAABhxAAAAAAAAAAAAAAAAAA AAABMAoGCCqGSM49BAMDA2gAMGUCMQDHGgGe4Lhuk5FbixdEmtce+heolWDyC7SW x8YFCfUtEd30AAezJb+ZnslvOIQWjnoCMHjIqsiYSCVUMzwDc6vRxDXatQrvNLst PASUatDkbmWVxf5lxul8xnkmHmWpAsfjdg== -----END CERTIFICATE----- certificate_fingerprint: 7784d1f71a5d88df6235ef396e8dba573de64933196f471f2096f94177e4ba63 driver: lxc driver_version: 6.0.1 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" uevent_injection: "true" unpriv_binfmt: "true" unpriv_fscaps: "true" kernel_version: 6.9.9-arch1-1 lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Archcraft os_version: "" project: default server: incus server_clustered: false server_event_mode: full-mesh server_name: naytchead-xps159570 server_pid: 1157 server_version: "6.3" storage: lvm storage_version: 2.03.24(2) (2024-05-16) / 1.02.198 (2024-05-16) / 4.48.0 storage_supported_drivers: - name: dir version: "1" remote: false - name: lvm version: 2.03.24(2) (2024-05-16) / 1.02.198 (2024-05-16) / 4.48.0 remote: false - name: lvmcluster version: 2.03.24(2) (2024-05-16) / 1.02.198 (2024-05-16) / 4.48.0 remote: true - name: btrfs version: 6.9.2 remote: false ```

Issue description

I cant initialize a vm with incus, it produce error from Qemu that is "Unable to locate a UEFI firmware", that is weird because i give it in env variable incus OVMF path edk2 where its located /usr/share/edk2/x64/.

note: When i create VM from qemu-kvm that error doesn't appear

[Unit]
Description=Incus Container Hypervisor
After=network-online.target lxcfs.service
Requires=network-online.target lxcfs.service incus.socket
Documentation=man:incusd(1)

[Service]
Environment=INCUS_OVMF_PATH=/usr/share/edk2/x64/
ExecStart=/usr/bin/incusd --group=incus-admin --logfile=/var/log/incus/incusd.log
ExecStartPost=/usr/bin/incusd waitready --timeout=600
ExecStop=/usr/bin/incusd shutdown
KillMode=process
TimeoutStartSec=600s
TimeoutStopSec=30s
Restart=on-failure
Delegate=yes
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity

[Install]
WantedBy=multi-user.target

Steps to reproduce

• Install arch kernel 6.9.9-arch1-1
• Install incus
• Try to init empty VM like incus init win11vm --empty --vm

Information to attach

Daemon incusd log here

time="2024-07-14T13:58:08+02:00" level=warning msg="AppArmor support has been disabled because of lack of kernel support"
time="2024-07-14T13:58:08+02:00" level=warning msg=" - AppArmor support has been disabled, Disabled because of lack of kernel support"
time="2024-07-14T13:58:08+02:00" level=error msg="Unable to run feature checks during QEMU initialization: Unable to locate a UEFI firmware"
time="2024-07-14T13:58:08+02:00" level=warning msg="Instance type not operational" driver=qemu err="QEMU failed to run feature checks" type=virtual-machine

[stgraber]

The variable name has changed to INCUS_EDK2_PATH to use the architecture neutral name.

Try updating your unit and see if that fixes it.
There are more changes to the firmware tracking logic so it's possible that something else is causing issues.

[Myhed]

Okay,

i changed env variable incus to INCUS_EDK2_PATH with that command

sudo systemctl edit --full incus.service

then restart incus service, and now all be fine.

On incusd log we got that

time="2024-07-14T19:17:36+02:00" level=warning msg="AppArmor support has been disabled because of lack of kernel support"
time="2024-07-14T19:17:36+02:00" level=warning msg=" - AppArmor support has been disabled, Disabled because of lack of kernel support"

when i am doing incus init win11vm --empty --vm it works well and create my empty VM.

thank you so much @stgraber.

[stgraber]

Good, the apparmor message makes sense on a system which doesn't support it.

Sounds like you're back online.