Hi,
I’ve been having some trouble testing the built image for IncusOS.
Machine that’s used to build is a Debian 13 VM running on IncusOS with nesting on.
Here’s the output I got after running make test:
user@vm:~/projects/incus-os$ make test
# Cleanup
incus delete -f test-incus-os || true
rm -f mkosi.output/IncusOS_boot_media.img
# Prepare the install media
cp mkosi.output/IncusOS_202604210134.raw mkosi.output/IncusOS_boot_media.img
dd if=test/seed.install.tar of=mkosi.output/IncusOS_boot_media.img seek=4196352 bs=512 conv=notrunc
20+0 records in
20+0 records out
10240 bytes (10 kB, 10 KiB) copied, 0.000144539 s, 70.8 MB/s
# Create the VM
incus init --empty --vm test-incus-os \
-c security.secureboot=false \
-c limits.cpu=4 \
-c limits.memory=8GiB \
-d root,size=50GiB
Creating test-incus-os
incus config device add test-incus-os vtpm tpm
Device vtpm added to test-incus-os
incus config device add test-incus-os boot-media disk source=$(pwd)/mkosi.output/IncusOS_boot_media.img io.bus=usb boot.priority=10 readonly=false
Device boot-media added to test-incus-os
# Wait for installation to complete
incus start test-incus-os --console
To detach from the console, press: <ctrl>+a q
BdsDxe: loading Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
BdsDxe: starting Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
Enrolling secure boot keys from directory: \loader\keys\auto
Custom Secure Boot keys successfully enrolled, rebooting the system now!
incus console test-incus-os
To detach from the console, press: <ctrl>+a q
BdsDxe: loading Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0)
BdsDxe: failed to load Boot0002 "UEFI QEMU QEMU USB HARDDRIVE 1-0000:00:01.0:00.6-4" from PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x6)/USB(0x3,0x0): Access Denied -- rejected probably by Secure Boot
BdsDxe: failed to load Boot0003 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1): Not Found
>>Start PXE over IPv4.
It seems that I can’t boot into the system due to secure boot? However, I’ve checked the secure boot for test-incus-os and it’s disabled.
user@vm:~/projects/incus-os$ incus config get test-incus-os security.secureboot
false
osch
April 21, 2026, 4:36am
2
You need secure boot enabled for Incus OS, except you disabled it in you seed.
Suggest enable it and see if this changes the output.
I had the same output after changing security.secureboot to true in the Makefile.
osch
April 21, 2026, 5:25am
4
What Incus version are you testing against?
Just tested it against an older Incus 6.18 in a VM and there it doesn’t have an issue.
Host Incus OS version:
os_version: “202603311955”
Incus version inside the VM:
Client version: 6.23
Server version: 6.23
I’m building commit 25ebacc2871108ef9371b07bef17369933b823a7 which is the latest one I pulled yesterday.
osch
April 21, 2026, 12:31pm
6
Run a second test on a brand new installation where everything is installed from scratch.
Performed the following steps after basic installation of packages and Incus-os:
make clean
rm -rf certs
make generate-test-certs
make build
make test
Incus-OS started and installs without any errors. Version: IncusOS 202604211148
Think missing the first two steps might be not required but I’m used to perform a full cleanup before I rebuild.
1 Like
gibmat
April 21, 2026, 9:27pm
7
Hmm, yes that’s a regression in building locally. A while back we reworked how the various SecureBoot certificates are baked into the final image, and the output you’re seeing is basically what happens when the VM tries to boot with an untrusted SecureBoot signature because the corresponding certificate isn’t present.
As @osch pointed out, running
make generate-test-certs
make
make test
should work as expected. (Generating the test certificates only needs to be done once.) This matches my normal development environment, so it’s pretty well tested.
I’ll see about fixing the Makefile logic to properly work with the default mkosi certificate if the full-blown test certificates aren’t generated before building.
1 Like
Thank you both for your help!
I did the instruction you mentioned but I still got the same output. However, a clean install of debian vm seems to have resolved the problem.
I also tried make clean and rm -rf certs but it didn’t seem to help.
I was wondering what might have caused the problem?
The only difference that I can think of is that I installed incus directly from debian’s repo before changing it to zabbly’s. I also installed golang from debian’s repo which runs a version of 1.24 but changing it to golang’s offical one didn’t help either.
