Hi,

On 02/05/18 15:14, Dmitry Mityugov wrote:
> Hi,
>
> Could you please let me know if it is possible to automate changing keys in a
> ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> UEFI shell and change them there manually, but I'm looking for a way to
> add/replace/delete them from my program before a KVM VM is started.
>
> I've found an email in this list with a similar question,
> https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> not sure if the answer is still valid, or if any new possibilities have
> arisen since then.

My (still valid) answer is here:

http://mid.mail-archive.com/550860A1.9030904@redhat.com

and here:

http://mid.mail-archive.com/56461E2D.1090601@redhat.com

and here:

http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com

> There are also some home-made editors for the vars, like
> http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> in my adventure?

I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
but the approach in this project is generally workable, because it
modifies the variable store *from within* the guest (the "appliance" in
libguestfs lingo), using the UEFI runtime variable services.

Summary:

- if you try to modify the variable store file from the host side, with
  a custom utility that is independent of edk2, that's a bad idea.

- Whereas, if you modify the variable store from within the guest, via
  the UEFI variable services (calling them from the UEFI shell, or from
  the guest operating system / a privileged guest OS process), that's a
  good idea. (This is what "virt-efivars" does.)

Thanks,
Laszlo
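
A read-only check that can be run inside the guest after keys have been changed there, reading the resulting Secure Boot state back through the same UEFI runtime variable services (exposed by Linux as efivarfs). This is an added example, not part of the original message and not code from virt-efivars or edk2; it assumes a Linux guest with efivarfs at /sys/firmware/efi/efivars, the function names and state labels are illustrative, and the sample bytes are constructed.

```python
import os
import struct

# EFI_GLOBAL_VARIABLE GUID, as it appears in efivarfs file names
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS = "/sys/firmware/efi/efivars"  # assumed mount point in the guest

# Constructed sample: what an enrolled, enforcing guest would expose
SAMPLE_ENFORCING = {
    "SecureBoot": bytes.fromhex("0600000001"),       # BS+RT attributes, value 1
    "SetupMode": bytes.fromhex("0600000000"),        # BS+RT attributes, value 0
    "PK": bytes.fromhex("27000000") + b"\x00" * 8,   # placeholder payload
}

def parse_efivarfs(blob):
    """Split an efivarfs file into (attributes, data): 4-byte LE header, then payload."""
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]

def read_from_guest(name):
    """Read a global UEFI variable through efivarfs; None if absent or unreadable."""
    try:
        with open(os.path.join(EFIVARFS, f"{name}-{EFI_GLOBAL}"), "rb") as f:
            return f.read()
    except OSError:
        return None

def secure_boot_state(read_var=read_from_guest):
    """Classify the guest's state from the SecureBoot, SetupMode and PK variables."""
    def flag(name):
        raw = read_var(name)
        data = parse_efivarfs(raw)[1] if raw is not None else b""
        return data[0] if data else None

    sb, setup = flag("SecureBoot"), flag("SetupMode")
    pk = read_var("PK")
    pk_enrolled = pk is not None and len(parse_efivarfs(pk)[1]) > 0
    if sb is None and setup is None:
        return "unknown"          # not a UEFI guest, or efivarfs unavailable
    if setup == 1:
        return "setup-mode"       # no platform key: key variables are not protected
    if sb == 1 and pk_enrolled:
        return "enforcing"
    return "not-enforcing"

if __name__ == "__main__":
    print("sample:", secure_boot_state(SAMPLE_ENFORCING.get))
    print("live:  ", secure_boot_state())
```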