On Mon, Apr 15, 2024 at 03:30:32PM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > Options I see:
> > >
> > > (a) Stop using direct kernel boot, let virt-install & other tools
> > >     create vfat boot media with shim+kernel+initrd instead.
> > >
> > > (b) Enroll the distro signing keys in the efi variable store, so
> > >     booting the kernel without shim.efi works.
> > >
> > > (c) Add support for loading shim to qemu (and ovmf), for example
> > >     with a new '-shim' command line option which stores shim.efi
> > >     in some new fw_cfg file.
> >
> > The problem with this is that now virt-install has to actually
> > find the correct shim.efi binary. It is already somewhat hard
> > to find a suitable kernel+initrd binary, and AFAIK, the places
> > where we get these binaries don't have shim.efi alongside.
> >
> > eg for RHEL/Fedora we grab kernel+initrd from the pxeboot dir:
> >
> >   https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os/images/pxeboot/
>
> shim is
> https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os/EFI/BOOT/BOOTX64.EFI
>
> > In various forums we have discussed adding the secureboot
> > certs to the libosinfo database, so that we can have a
> > customized EFI varstore with minimized certs, even for the
> > ISO / HDD boot scenario.
>
> Well. It's not that easy unfortunately. At least the "minimized certs"
> part. shim often is signed with the microsoft keys only, so you can't
> drop that without rendering the install.iso unbootable.
>
> Only adding the distro certs without removing the microsoft certs works
> of course.

In that scenario libosinfo would report that the given OS requires
both the microsoft & $distro certs to be enrolled. Only if shim were
signed by the $distro certs, would libosinfo omit reporting the
microsoft certs. Basically libosinfo would have to report whatever
set of 'n' certs are required to make boot work.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|