From: Andrea Bolognani
To: libvir-list@redhat.com
Subject: [libvirt PATCH] kbase: Always explicitly enable secure-boot firmware feature
Date: Wed, 3 Aug 2022 18:15:24 +0200
Message-Id: <20220803161524.26107-1-abologna@redhat.com>
List-Id: Development discussions about the libvirt library & tools

It should be enough to enable or disable the enrolled-keys feature to control whether Secure Boot is enforced, but there's a slight complication: many distro packages for edk2 include, in addition to general purpose firmware images, builds that are targeting the Confidential Computing use case.

For those, the firmware descriptor will not advertise the enrolled-keys feature, which will technically make them suitable for satisfying a configuration such as

In practice, users will expect the general purpose build to be used in this case. Explicitly asking for the secure-boot feature to be enabled achieves that result at the cost of some slight additional verbosity.

Signed-off-by: Andrea Bolognani
--- docs/kbase/secureboot.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/kbase/secureboot.rst b/docs/kbase/secureboot.rst index 8f151c1f2a..5fa59ad5e2 100644 --- a/docs/kbase/secureboot.rst +++ b/docs/kbase/secureboot.rst @@ -14,6 +14,7 @@ ask for Secure Boot to be enabled with =20 + @@ -24,6 +25,7 @@ and for it to be disabled with =20 + @@ -44,6 +46,7 @@ snippet: + --=20 2.37.1
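Review bot: The reason for listing secure-boot explicitly is documented only in the commit message, not in docs/kbase/secureboot.rst itself. The diffstat shows 3 insertions and each of the three hunks (at -14,6, -24,6 and -44,6) adds a single line, so no explanatory prose reaches the page. A reader who sees both features requested, especially in the snippet under "and for it to be disabled with", has no way to tell that the extra line is there to keep firmware builds targeting Confidential Computing, whose descriptors do not advertise enrolled-keys, from being selected. Consider adding a sentence or two to the kbase page after that snippet stating this, so the extra verbosity is not later "simplified" away and the wrong firmware build picked as a result.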