XCP-NG secure boot changes

I ran into a problem yesterday (that might have been a month old)… I have two old VMs installed on my lab and both of those were installed with secure boot turned on; I think they both stem from around September/October 2021. I updated XCP-NG twice in the last month or so, and during one of those they may have made secure boot actually work, or at least the keys changed.

Last month on Patch Tuesday, I updated one of these VMs, but didn’t pay much attention when it rebooted. Yesterday I tried to get in to patch XCP-NG and could not make the host patch and reboot. While working on this I found I could not force a shutdown of the VM, could not get XO console for the VM and could not RDP into the VM. Ended up forcing power off on the server (it’s a lab so how much could break).

After powering host up and down a few times, gave up on it for a while. Ended up thinking about what might have changed and realized that I had built them with secure boot that never really worked and maybe now it was functional. Turned secure boot off in the advanced settings and I was able to start the old VMs. I’ll have to play with making new machines with secure boot selected to see if it is working since this will be part of Windows 11 requirements.

I had to follow this guide to resolve a similar / same issue I had: Guides | XCP-ng documentation

I only needed to do this command on each host:

secureboot-certs install

It does give me pause to run secure boot for anything, imagine walking into work and finding all of your VMs down because of a secure boot issue.

But thanks for the info, I’ll have to update the certs and turn secure boot back on.

After reading that, I’m wondering if an unsigned driver or module was loaded, like maybe the XCP-NG drivers overwrote the Citrix drivers. They say this is another way that a VM may not boot. I’ll have to look into this deeper and see if this might have been my issue.