[libvirt PATCH v2 1/2] kbase: Always explicitly enable secure-boot firmware feature
Daniel P. Berrangé
berrange at redhat.com
Thu Aug 4 10:57:39 UTC 2022
On Thu, Aug 04, 2022 at 12:16:41PM +0200, Andrea Bolognani wrote:
> It should be enough to enable or disable the enrolled-keys feature
> to control whether Secure Boot is enforced, but there's a slight
> complication: many distro packages for edk2 include, in addition
> to general purpose firmware images, builds that are targeting the
> Confidential Computing use case.
>
> For those, the firmware descriptor will not advertise the
> enrolled-keys feature, which will technically make them suitable
> for satisfying a configuration such as
>
>   <os firmware='efi'>
>     <firmware>
>       <feature state='off' name='enrolled-keys'/>
>     </firmware>
>   </os>
>
> In practice, users will expect the general purpose build to be
> used in this case. Explicitly asking for the secure-boot feature
> to be enabled achieves that result at the cost of some slight
> additional verbosity.
>
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
> docs/kbase/secureboot.rst | 3 +++
> 1 file changed, 3 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
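
The matching problem described in the quoted commit message, as an added example that is not part of the patch or of libvirt's code: a simplified model in which a requested-off feature is satisfied by any descriptor that does not list it. The descriptor names, the `amd-sev` tag on the Confidential Computing build and the `candidates` / `requested_features` helpers are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors: only the advertised feature list matters here.
# File names are made up; "amd-sev" stands in for a Confidential Computing build.
DESCRIPTORS = [
    {"name": "40-cc-build.json", "features": ["amd-sev"]},
    {"name": "50-general-secboot-keys.json",
     "features": ["secure-boot", "enrolled-keys"]},
    {"name": "51-general-secboot-nokeys.json", "features": ["secure-boot"]},
    {"name": "60-general-plain.json", "features": []},
]

# Configuration from the commit message: only enrolled-keys is constrained.
IMPLICIT = """<os firmware='efi'><firmware>
  <feature state='off' name='enrolled-keys'/>
</firmware></os>"""

# Same request with secure-boot explicitly enabled as well.
EXPLICIT = """<os firmware='efi'><firmware>
  <feature state='on' name='secure-boot'/>
  <feature state='off' name='enrolled-keys'/>
</firmware></os>"""


def requested_features(os_xml):
    """Map feature name -> True (must be advertised) / False (must not be)."""
    wanted = {}
    for feat in ET.fromstring(os_xml).findall("./firmware/feature"):
        # The snippet above spells the attribute state='on|off'; libvirt's
        # domain XML documentation uses enabled='yes|no'. Accept both.
        flag = feat.get("enabled") or feat.get("state")
        wanted[feat.get("name")] = flag in ("yes", "on")
    return wanted


def candidates(os_xml, descriptors=DESCRIPTORS):
    """Names of descriptors whose feature list satisfies every request."""
    wanted = requested_features(os_xml)
    return [d["name"] for d in descriptors
            if all((name in d["features"]) == on
                   for name, on in wanted.items())]


if __name__ == "__main__":
    # The CC build qualifies simply because it never lists enrolled-keys.
    print("enrolled-keys off only:", candidates(IMPLICIT))
    # Requiring secure-boot leaves only the general purpose build.
    print("plus secure-boot on   :", candidates(EXPLICIT))
```
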