Sovereign Boot Wizard shows empty bootloader #1735

@m-iwanicki

Description

Component

Dasharo firmware

Device

QEMU Q35 Emulator

Dasharo version

1.0.0

Dasharo Tools Suite version

No response

Test case ID

No response

Brief summary

Sovereign Boot Wizard shows empty bootloader entry.

How reproducible

100%

How to reproduce

  1. Create an empty disk on which you'll install Ubuntu:
       dd if=/dev/zero of=ubuntu.img bs=1 count=0 seek=50G
  2. Use the qemu-run.sh script to run QEMU with the Ubuntu installer and the empty disk:
       QEMU_FW_FILE=qemu_q35_sovereign-boot-v1.0.0.rom HDD2_PATH=~/Downloads/ubuntu-24.04.2-live-server-amd64.iso HDD_PATH=ubuntu.img scripts/ci/qemu-run.sh graphic os
  3. Exit/skip the provisioning wizard
  4. Install Ubuntu
  5. After rebooting, enter the sovereign provisioning wizard. The first bootloader should be empty

The same thing happens after entering the provisioning wizard when trying to boot an undecided image (the default Ubuntu boot entry). After you skip it/exit, you'll enter the provisioning wizard again, and this time it's the correct bootloader:

/------------------------------------------------------------------------------\
|                     Sovereign Boot Provisioning Wizard                       |
\------------------------------------------------------------------------------/

   You see this window because the system attempted to
   boot an untrusted image.

   Description: Ubuntu (on QEMU HARDDISK)
   Hardware path:
   PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(1
   ,GPT,B212FE56-64FA-4C8D-B163-23C614A2CCE4,0x800,0x21
   9800)
   File path: \EFI\ubuntu\shimx64.efi

   Certificate fingerprint (SHA-256):
   9589B8C95168F79243F61922FAA5990DE0A4866DE928736FED65
   8EA7BFF1A5E2
   !!! Certificate belongs to Microsoft !!!

Expected behavior

The Sovereign Boot Provisioning Wizard shows the bootloader information filled in.

Actual behavior

   A new bootloader/key has been detected.

   Description:
   Hardware path:
   File path:

   Image hash (SHA-256):

   !!! Image is unsigned !!!

   Do you want to trust this key/image and continue
   booting?

 > Do NOT trust, next bootloader

Screenshots

No response

Additional context

The most likely culprit, at least in my opinion, is the first bootloader entry (you can't even enter this option):

Image Image

Solutions you've tried

No response

Metadata

    Labels

    SovereignBoot (Issues related to Sovereign Boot and Sovereign Boot Provisioning Wizard), bug (Something isn't working), firmware, needs review, qemu_q35 (QEMU Q35)
