On Fri, 16 Feb 2024 15:57:13 +0100 Heinrich Schuchardt
<heinrich.schucha...@canonical.com> wrote:
> Package: u-boot-qemu
> Version: 2024.01+dfsg-1
> Severity: normal
> 
> debian/patches/qemu/efi-secure-boot.patch is not a good approach to
> enabling secure boot with U-Boot. Variables entered via the command line
> containing the security database will be stored on file but will not be
> loaded into U-Boot on the next boot.
> 
> If you want a version of U-Boot that supports secure boot properly, use
> CONFIG_EFI_VARIABLES_PRESEED=y and provide a file with the security
> database which will be built into U-Boot. tools/efivar.py can be used to
> build that file.
> 
> Separate U-Boot binaries for secure and non-secure would have to be 
> provided.
> 
> Existing EDK II packages provide secure boot. Hence I suggest to simply
> drop patch debian/patches/qemu/efi-secure-boot.patch.

This doesn't make any sense. If you want to embed a key database you
can certainly do that, but you have to rebuild from sources anyway, so
it has nothing to do with packaging and binaries available in Debian.

The current configuration is very useful and works. If you don't want
to use it, that's fine, simply don't load keys from the console, it's a
no-op then, it doesn't have any impact unless the appropriate commands
are run at boot, so I don't see why it should be removed.

-- 
Kind regards,
Luca Boccassi
