Much work has gone into iPXE over several months that improves its compatibility with UEFI in general and with OVMF on QEMU in particular. Now that we have SMM / SMRAM based variables, we might advise, with a straight face, some users to enroll the Microsoft (and possibly other) keys, and always run with secure boot enabled.
At the moment this would prevent the execution of iPXE option ROMs (NIC drivers), because they are unsigned. This series changes OVMF's verification policy for option ROM images, from 0x04 (DENY_EXECUTE_ON_SECURITY_VIOLATION) to 0x00 (ALWAYS_EXECUTE). In English it means "always trust option ROMs". It would be nice if we could separate "unsigned" from "explicitly blacklisted" (dbx); but DxeImageVerificationLib doesn't seem to support that at the moment. More thoughts on this in patch #2.

Cc: Paolo Bonzini <[email protected]>
Cc: Fu Siyuan <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Jordan Justen <[email protected]>
Cc: Chao Zhang <[email protected]>

Thanks
Laszlo

Laszlo Ersek (2):
  OvmfPkg: inherit Image Verification Policy defaults from SecurityPkg
  OvmfPkg: execute option ROM images regardless of Secure Boot

 OvmfPkg/OvmfPkgIa32.dsc    | 5 +----
 OvmfPkg/OvmfPkgIa32X64.dsc | 5 +----
 OvmfPkg/OvmfPkgX64.dsc     | 5 +----
 3 files changed, 3 insertions(+), 12 deletions(-)

-- 
1.8.3.1

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
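Added illustration, not part of Laszlo's series: the OvmfPkg .dsc setting the cover letter is talking about, with the 0x04 policy beside the 0x00 policy. The PCD name and the value table are SecurityPkg's own; the section layout and the SECURE_BOOT_ENABLE conditional around it are assumed for this example.

```ini
# Assumed OvmfPkg*.dsc fragment (illustration, not the series' diff).
# Values SecurityPkg defines for PcdOptionRomImageVerificationPolicy:
#   0x00  ALWAYS_EXECUTE                       image is trusted without any check
#   0x01  NEVER_EXECUTE
#   0x02  ALLOW_EXECUTE_ON_SECURITY_VIOLATION
#   0x03  DEFER_EXECUTE_ON_SECURITY_VIOLATION
#   0x04  DENY_EXECUTE_ON_SECURITY_VIOLATION   unsigned / untrusted image is refused
#   0x05  QUERY_USER_ON_SECURITY_VIOLATION
# Keep exactly one of the two settings below; they are shown together only
# to put the old and the new policy side by side.

[PcdsFixedAtBuild]
!if $(SECURE_BOOT_ENABLE) == TRUE
  # Before the series: unsigned option ROMs such as iPXE NIC drivers are
  # rejected whenever Secure Boot is enforced.
  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04

  # After the series: option ROMs always run. DxeImageVerificationLib cannot
  # separate "unsigned" from "dbx-listed" here, so neither case is blocked;
  # fixed and removable media keep SecurityPkg's default policy.
  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
!endif
```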

