On Thu, Nov 7, 2013 at 10:07 AM, Laszlo Ersek <[email protected]> wrote:
> I also wanted to test secure boot (see if the enrolled keys survive a
> cold reboot), but I noticed that this series doesn't disable the "load
> variables from the NvVars file" functionality.
>
> I added the attached patch on top of this series, and this way the
> enrolled keys seem to persist. I could fully secure-boot Fedora 19 on my
> SVM host with it, even after a full VM shutdown. Do you think the patch
> has merit?

I want to consider keeping this (NvVars loading) functionality.

The reason is that it was pointed out that some people like to
distribute QEMU disk images pre-loaded with an OS. Therefore, this
might be the only way that those disk images could also set the boot
variables to point at the boot loader.

I'm not sure this is the best idea though, so feel free to discuss
further. An alternative idea would be for those disk images to simply
supply \EFI\BOOT\BOOTXXXX.efi loaders, though, which we could try to
load in the absence of boot vars.

Unfortunately, actual NV vars in OVMF raise lots of questions of
corner cases like this, and I'm not sure where we will end up.

-Jordan

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel
