Some questions regarding firmware handling in the qemu driver

Daniel P. Berrangé berrange at redhat.com
Fri Jun 10 11:18:32 UTC 2022


On Tue, Jun 07, 2022 at 02:57:17PM -0600, Jim Fehlig wrote:
> Hi All,
> 
> I received a bug report (private, sorry) about inability to "deploy uefi
> virtual machine with secureboot enabled on aarch64 kvm host". Indeed the
> qemu driver has some checks that would prohibit using secure boot with
> aarch64 virt machines, e.g.

BTW, by chance I found an interesting info about aarch64 secureboot
from Debian

  https://wiki.debian.org/SecureBoot

 "Debian no longer supports UEFI Secure Boot on arm64 systems, 
  as of May 2021.

  Shim and other EFI programs have always been difficult to build
  on arm64, compared to x86 platforms. Binutils for amd64 and i386
  includes explicit support for creating programs in the PE/COFF
  binary format that EFI uses, but this has never been added for
  arm64.

  In the past, shim developers added some local hacks into the shim
  package to generate a mostly-compliant PE/COFF EFI binary without
  this toolchain support, and that seemed to be sufficient for use.
  Everything seemed to work. However, during the development and 
  testing phase of shim 15.3 and 15.4, we found significant
  issues with this approach. New security features needed in shim
  (SBAT) showed up severe problems with the lack of proper toolchain
  support. See https://github.com/rhboot/shim/issues/366 for more
  details. The old hacks around binutils are no longer sustainable. "


Having said that I find Fedora does still build shim 15.4 for
aarch64. We only exclude 32-bit, and I think RHEL does the
same.  Whether anyone's tested SecureBoot on aarch64 in
Fedora/RHEL though, I'm not so sure.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
