[libvirt PATCH] kbase: Always explicitly enable secure-boot firmware feature

Daniel P. Berrangé berrange at redhat.com
Wed Aug 3 16:29:15 UTC 2022 

On Wed, Aug 03, 2022 at 06:15:24PM +0200, Andrea Bolognani wrote:
> It should be enough to enable or disable the enrolled-keys feature
> to control whether Secure Boot is enforced, but there's a slight
> complication: many distro packages for edk2 include, in addition
> to general purpose firmware images, builds that are targeting the
> Confidential Computing use case.
> 
> For those, the firmware descriptor will not advertise the
> enrolled-keys feature, which will technically make them suitable
> for satisfying a configuration such as
> 
>   <os firmware='efi'>
>     <firmware>
>       <feature state='off' name='enrolled-keys'/>
>     </firmware>
>   </os>
> 
> In practice, users will expect the general purpose build to be
> used in this case. Explicitly asking for the secure-boot feature
> to be enabled achieves that result at the cost of some slight
> additional verbosity.
> 
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
>  docs/kbase/secureboot.rst | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst
> index 8f151c1f2a..5fa59ad5e2 100644
> --- a/docs/kbase/secureboot.rst
> +++ b/docs/kbase/secureboot.rst
> @@ -14,6 +14,7 @@ ask for Secure Boot to be enabled with
>  
>    <os firmware='efi'>
>      <firmware>
> +      <feature enabled='yes' name='secure-boot'/>
>        <feature enabled='yes' name='enrolled-keys'/>
>      </firmware>
>    </os>
> @@ -24,6 +25,7 @@ and for it to be disabled with
>  
>    <os firmware='efi'>
>      <firmware>
> +      <feature enabled='yes' name='secure-boot'/>
>        <feature enabled='no' name='enrolled-keys'/>
>      </firmware>
>    </os>

If we want secureboot disabled, this looks wrong. It just enables
secureboot, but without any keys.  We need enabled=no to ask for
a firmware without SecureBoot at all.

> @@ -44,6 +46,7 @@ snippet:
>    <os firmware='efi'>
>      <loader secure='yes'/>
>      <firmware>
> +      <feature enabled='yes' name='secure-boot'/>
>        <feature enabled='yes' name='enrolled-keys'/>
>      </firmware>
>    </os>



> -- 
> 2.37.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list