[libvirt PATCH] kbase: Always explicitly enable secure-boot firmware feature
Daniel P. Berrangé
berrange at redhat.com
Wed Aug 3 16:29:15 UTC 2022
On Wed, Aug 03, 2022 at 06:15:24PM +0200, Andrea Bolognani wrote:
> It should be enough to enable or disable the enrolled-keys feature
> to control whether Secure Boot is enforced, but there's a slight
> complication: many distro packages for edk2 include, in addition
> to general purpose firmware images, builds that are targeting the
> Confidential Computing use case.
>
> For those, the firmware descriptor will not advertise the
> enrolled-keys feature, which will technically make them suitable
> for satisfying a configuration such as
>
> <os firmware='efi'>
> <firmware>
> <feature state='off' name='enrolled-keys'/>
> </firmware>
> </os>
>
> In practice, users will expect the general purpose build to be
> used in this case. Explicitly asking for the secure-boot feature
> to be enabled achieves that result at the cost of some slight
> additional verbosity.
>
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
> docs/kbase/secureboot.rst | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst
> index 8f151c1f2a..5fa59ad5e2 100644
> --- a/docs/kbase/secureboot.rst
> +++ b/docs/kbase/secureboot.rst
> @@ -14,6 +14,7 @@ ask for Secure Boot to be enabled with
>
> <os firmware='efi'>
> <firmware>
> + <feature enabled='yes' name='secure-boot'/>
> <feature enabled='yes' name='enrolled-keys'/>
> </firmware>
> </os>
> @@ -24,6 +25,7 @@ and for it to be disabled with
>
> <os firmware='efi'>
> <firmware>
> + <feature enabled='yes' name='secure-boot'/>
> <feature enabled='no' name='enrolled-keys'/>
> </firmware>
> </os>
If we want secureboot disabled, this looks wrong. It just enables
secureboot, but without any keys. We need enabled=no to ask for
a firmware without SecureBoot at all.
> @@ -44,6 +46,7 @@ snippet:
> <os firmware='efi'>
> <loader secure='yes'/>
> <firmware>
> + <feature enabled='yes' name='secure-boot'/>
> <feature enabled='yes' name='enrolled-keys'/>
> </firmware>
> </os>
> --
> 2.37.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list