1. Patchew
  2. EDK2
  3. [edk2-devel] [PATCH v1 0/4] Don't require self-signed PK in setup mode
  4. View patch

[edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled

Jan Bobek via groups.io posted 4 patches 3 years ago
[edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Jan Bobek via groups.io 3 years ago 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
self-signed PK when SECURE_BOOT_ENABLE is TRUE.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
 ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index 7ca7a391d9cf..dc33936d6f03 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
 
   gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) == AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 0f1c6395488a..31fd0e5279ab 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
 
   gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) == AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 807c85d48285..1e0f06c91137 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
 
   gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) == AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
-- 
2.30.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#98947): https://edk2.groups.io/g/devel/message/98947
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Ard Biesheuvel 3 years ago 
On Fri, 20 Jan 2023 at 23:59, Jan Bobek <jbobek@nvidia.com> wrote:
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
>
> In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> self-signed PK when SECURE_BOOT_ENABLE is TRUE.
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Jan Bobek <jbobek@nvidia.com>

I have no problems with this patch, but I wonder if we need it. I
suppose this is intended to retain the previous behavior, but i don't
think that makes sense at all. Secure boot support in ArmVirtPkg is
not production quality in any case, and self-signed PKs are rather
pointless too, so I think we should just go with the new default
behavior of allowing unsigned PKs.


> ---
>  ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
>  ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
>  3 files changed, 12 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
> index 7ca7a391d9cf..dc33936d6f03 100644
> --- a/ArmVirtPkg/ArmVirtCloudHv.dsc
> +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
> @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
>
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 0f1c6395488a..31fd0e5279ab 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
>
>    gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 807c85d48285..1e0f06c91137 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
>
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> --
> 2.30.2
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99556): https://edk2.groups.io/g/devel/message/99556
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Gerd Hoffmann 3 years ago 
On Fri, Feb 03, 2023 at 11:49:07AM +0100, Ard Biesheuvel wrote:
> On Fri, 20 Jan 2023 at 23:59, Jan Bobek <jbobek@nvidia.com> wrote:
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
> >
> > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> > self-signed PK when SECURE_BOOT_ENABLE is TRUE.
> >
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > Signed-off-by: Jan Bobek <jbobek@nvidia.com>
> 
> I have no problems with this patch, but I wonder if we need it. I
> suppose this is intended to retain the previous behavior, but i don't
> think that makes sense at all. Secure boot support in ArmVirtPkg is
> not production quality in any case, and self-signed PKs are rather
> pointless too, so I think we should just go with the new default
> behavior of allowing unsigned PKs.

Hmm, reading this (and the bugzilla entry) I'm wondering what the point
in requiring a self-signed PK is.  I can't think of a case where this
brings a benefit.  Shouldn't we just relax the requirement everywhere,
especially given that this is what the spec asks for?

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99565): https://edk2.groups.io/g/devel/message/99565
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Yao, Jiewen 3 years ago 
That is fine. This patch is just to maintain the compatibility.

Feel free to drop it, if you think it is not needed for this platform.

I can merge rest patches at first.

> -----Original Message-----
> From: Ard Biesheuvel <ardb@kernel.org>
> Sent: Friday, February 3, 2023 6:49 PM
> To: Jan Bobek <jbobek@nvidia.com>
> Cc: devel@edk2.groups.io; Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Leif
> Lindholm <quic_llindhol@quicinc.com>; Sami Mujawar
> <sami.mujawar@arm.com>; Gerd Hoffmann <kraxel@redhat.com>
> Subject: Re: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot
> is enabled
> 
> On Fri, 20 Jan 2023 at 23:59, Jan Bobek <jbobek@nvidia.com> wrote:
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
> >
> > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> > self-signed PK when SECURE_BOOT_ENABLE is TRUE.
> >
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > Signed-off-by: Jan Bobek <jbobek@nvidia.com>
> 
> I have no problems with this patch, but I wonder if we need it. I
> suppose this is intended to retain the previous behavior, but i don't
> think that makes sense at all. Secure boot support in ArmVirtPkg is
> not production quality in any case, and self-signed PKs are rather
> pointless too, so I think we should just go with the new default
> behavior of allowing unsigned PKs.
> 
> 
> > ---
> >  ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
> >  ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
> >  ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
> >  3 files changed, 12 insertions(+)
> >
> > diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
> > index 7ca7a391d9cf..dc33936d6f03 100644
> > --- a/ArmVirtPkg/ArmVirtCloudHv.dsc
> > +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
> > @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
> >
> >    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> >
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > +!endif
> > +
> >  [PcdsFixedAtBuild.common]
> >  !if $(ARCH) == AARCH64
> >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> > index 0f1c6395488a..31fd0e5279ab 100644
> > --- a/ArmVirtPkg/ArmVirtQemu.dsc
> > +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> > @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
> >
> >    gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
> >
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > +!endif
> > +
> >  [PcdsFixedAtBuild.common]
> >  !if $(ARCH) == AARCH64
> >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > index 807c85d48285..1e0f06c91137 100644
> > --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
> >
> >    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> >
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > +!endif
> > +
> >  [PcdsFixedAtBuild.common]
> >  !if $(ARCH) == AARCH64
> >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > --
> > 2.30.2
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99559): https://edk2.groups.io/g/devel/message/99559
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Ard Biesheuvel 3 years ago 
On Fri, 3 Feb 2023 at 12:15, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> That is fine. This patch is just to maintain the compatibility.
>
> Feel free to drop it, if you think it is not needed for this platform.
>
> I can merge rest patches at first.
>

OK, please go ahead.



> > -----Original Message-----
> > From: Ard Biesheuvel <ardb@kernel.org>
> > Sent: Friday, February 3, 2023 6:49 PM
> > To: Jan Bobek <jbobek@nvidia.com>
> > Cc: devel@edk2.groups.io; Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Leif
> > Lindholm <quic_llindhol@quicinc.com>; Sami Mujawar
> > <sami.mujawar@arm.com>; Gerd Hoffmann <kraxel@redhat.com>
> > Subject: Re: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot
> > is enabled
> >
> > On Fri, 20 Jan 2023 at 23:59, Jan Bobek <jbobek@nvidia.com> wrote:
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
> > >
> > > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> > > self-signed PK when SECURE_BOOT_ENABLE is TRUE.
> > >
> > > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > > Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> > > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > > Signed-off-by: Jan Bobek <jbobek@nvidia.com>
> >
> > I have no problems with this patch, but I wonder if we need it. I
> > suppose this is intended to retain the previous behavior, but i don't
> > think that makes sense at all. Secure boot support in ArmVirtPkg is
> > not production quality in any case, and self-signed PKs are rather
> > pointless too, so I think we should just go with the new default
> > behavior of allowing unsigned PKs.
> >
> >
> > > ---
> > >  ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
> > >  ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
> > >  ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
> > >  3 files changed, 12 insertions(+)
> > >
> > > diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
> > > index 7ca7a391d9cf..dc33936d6f03 100644
> > > --- a/ArmVirtPkg/ArmVirtCloudHv.dsc
> > > +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
> > > @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
> > >
> > >    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> > >
> > > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > > +!endif
> > > +
> > >  [PcdsFixedAtBuild.common]
> > >  !if $(ARCH) == AARCH64
> > >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > > diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> > > index 0f1c6395488a..31fd0e5279ab 100644
> > > --- a/ArmVirtPkg/ArmVirtQemu.dsc
> > > +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> > > @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
> > >
> > >    gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
> > >
> > > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > > +!endif
> > > +
> > >  [PcdsFixedAtBuild.common]
> > >  !if $(ARCH) == AARCH64
> > >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > > diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > > index 807c85d48285..1e0f06c91137 100644
> > > --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > > +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> > > @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
> > >
> > >    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> > >
> > > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > > +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> > > +!endif
> > > +
> > >  [PcdsFixedAtBuild.common]
> > >  !if $(ARCH) == AARCH64
> > >    gArmTokenSpaceGuid.PcdVFPEnabled|1
> > > --
> > > 2.30.2
> > >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99561): https://edk2.groups.io/g/devel/message/99561
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Posted by Yao, Jiewen 3 years ago 
Could ArmVirtPkg maintainer(s) review this patch?

> -----Original Message-----
> From: Jan Bobek <jbobek@nvidia.com>
> Sent: Saturday, January 21, 2023 6:59 AM
> To: devel@edk2.groups.io
> Cc: Jan Bobek <jbobek@nvidia.com>; Laszlo Ersek <lersek@redhat.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>;
> Leif Lindholm <quic_llindhol@quicinc.com>; Sami Mujawar
> <sami.mujawar@arm.com>; Gerd Hoffmann <kraxel@redhat.com>
> Subject: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is
> enabled
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
> 
> In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> self-signed PK when SECURE_BOOT_ENABLE is TRUE.
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Jan Bobek <jbobek@nvidia.com>
> ---
>  ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
>  ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
> index 7ca7a391d9cf..dc33936d6f03 100644
> --- a/ArmVirtPkg/ArmVirtCloudHv.dsc
> +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
> @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
> 
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> 
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 0f1c6395488a..31fd0e5279ab 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
> 
>    gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
> 
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 807c85d48285..1e0f06c91137 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
> 
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
> 
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
> +!endif
> +
>  [PcdsFixedAtBuild.common]
>  !if $(ARCH) == AARCH64
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
> --
> 2.30.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99512): https://edk2.groups.io/g/devel/message/99512
Mute This Topic: https://groups.io/mt/96412384/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.