Make test not booting for IncusOS

believerd · April 21, 2026, 3:55am

Hi,

I’ve been having some trouble testing the built image for IncusOS.

Machine that’s used to build is a Debian 13 VM running on IncusOS with nesting on.

Here’s the output I got after running make test:

user@vm:~/projects/incus-os$ make test
# Cleanup
incus delete -f test-incus-os || true
rm -f mkosi.output/IncusOS_boot_media.img
# Prepare the install media
cp mkosi.output/IncusOS_202604210134.raw mkosi.output/IncusOS_boot_media.img
dd if=test/seed.install.tar of=mkosi.output/IncusOS_boot_media.img seek=4196352 bs=512 conv=notrunc
20+0 records in
20+0 records out
10240 bytes (10 kB, 10 KiB) copied, 0.000144539 s, 70.8 MB/s
# Create the VM
incus init --empty --vm test-incus-os \
	-c security.secureboot=false \
	-c limits.cpu=4 \
	-c limits.memory=8GiB \
	-d root,size=50GiB
Creating test-incus-os
incus config device add test-incus-os vtpm tpm
Device vtpm added to test-incus-os
incus config device add test-incus-os boot-media disk source=$(pwd)/mkosi.output/IncusOS_boot_media.img io.bus=usb boot.priority=10 readonly=false
Device boot-media added to test-incus-os
# Wait for installation to complete
incus start test-incus-os --console
To detach from the console, press: <ctrl>+a q
BdsDxe: loading Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
BdsDxe: starting Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
Enrolling secure boot keys from directory: \loader\keys\auto
Custom Secure Boot keys successfully enrolled, rebooting the system now!
incus console test-incus-os
To detach from the console, press: <ctrl>+a q
BdsDxe: loading Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
BdsDxe: failed to load Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0): Access Denied -- rejected probably by Secure Boot
BdsDxe: failed to load Boot0003 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1): Not Found

>>Start PXE over IPv4.

It seems that I can’t boot into the system due to secure boot? However, I’ve checked the secure boot for test-incus-os and it’s disabled.

user@vm:~/projects/incus-os$ incus config get test-incus-os security.secureboot
false

osch · April 21, 2026, 4:36am

You need secure boot enabled for Incus OS, except you disabled it in you seed.

Suggest enable it and see if this changes the output.

believerd · April 21, 2026, 4:57am

I had the same output after changing security.secureboot to true in the Makefile.

osch · April 21, 2026, 5:25am

What Incus version are you testing against?

Just tested it against an older Incus 6.18 in a VM and there it doesn’t have an issue.

believerd · April 21, 2026, 6:04am

Host Incus OS version:

os_version: “202603311955”

Incus version inside the VM:

Client version: 6.23
Server version: 6.23

I’m building commit 25ebacc2871108ef9371b07bef17369933b823a7 which is the latest one I pulled yesterday.

osch · April 21, 2026, 12:31pm

Run a second test on a brand new installation where everything is installed from scratch.

Performed the following steps after basic installation of packages and Incus-os:

make clean
rm -rf certs
make generate-test-certs
make build
make test

Incus-OS started and installs without any errors. Version: IncusOS 202604211148

Think missing the first two steps might be not required but I’m used to perform a full cleanup before I rebuild.

gibmat · April 21, 2026, 9:27pm

Hmm, yes that’s a regression in building locally. A while back we reworked how the various SecureBoot certificates are baked into the final image, and the output you’re seeing is basically what happens when the VM tries to boot with an untrusted SecureBoot signature because the corresponding certificate isn’t present.

As @osch pointed out, running

make generate-test-certs
make
make test

should work as expected. (Generating the test certificates only needs to be done once.) This matches my normal development environment, so it’s pretty well tested.

I’ll see about fixing the Makefile logic to properly work with the default mkosi certificate if the full-blown test certificates aren’t generated before building.

believerd · April 22, 2026, 4:59am

Thank you both for your help!

I did the instruction you mentioned but I still got the same output. However, a clean install of debian vm seems to have resolved the problem.

I also tried make clean and rm -rf certs but it didn’t seem to help.

I was wondering what might have caused the problem?

The only difference that I can think of is that I installed incus directly from debian’s repo before changing it to zabbly’s. I also installed golang from debian’s repo which runs a version of 1.24 but changing it to golang’s offical one didn’t help either.

gibmat · May 1, 2026, 4:03pm

I’ve unified the generation of local test certificates in Makefile: Always generate a full set of test certificates · lxc/incus-os@a2fdc33 · GitHub. That also fixed an issue where the first build of incus-osd wouldn’t yet pickup the local test certificates which would lead to a similar error that you initially encountered.

You likely had a cached mkosi.{crt,key} present which had been generated by mkosi without being trusted properly. Glad that a clean start got things working for you.

Any Incus 6.x feature release or 6.0.x LTS release should work fine on the host-side; I’ve got development systems setup with both.