On 12.11.25 at 2:48 PM, Fiona Ebner wrote:
> I did not go ahead with applying the edk2 patches yet, because I got a
> question: Don't we want to enroll the Microsoft and distro keys for the
> image? Debian upstream added TDX support just a few days ago and they
> enroll the Microsoft and distro keys and even dropped the variant
> without pre-enrolled keys [1] that was part of the initial merge. The
> changes [0] include an "enroll_vendor" helper so we could use that and
> get an OVMF_TDX_4M.ms.fd image.
>
> What do you think?
My proposal to add on top: > diff --git a/debian/pve-edk2-firmware-ovmf.install > b/debian/pve-edk2-firmware-ovmf.install > index 22186563bb..cd5313bb0d 100644 > --- a/debian/pve-edk2-firmware-ovmf.install > +++ b/debian/pve-edk2-firmware-ovmf.install > @@ -3,7 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd > /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware > -debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware > +debian/ovmf-tdx-install/OVMF_TDX_4M.ms.fd /usr/share/pve-edk2-firmware > debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware > debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware > debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware > diff --git a/debian/rules b/debian/rules > index 9def34d267..044071cf90 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -95,8 +95,10 @@ OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install > OVMF_TDX_BUILD_ROOT = Build/IntelTdx > OVMF_TDX_BUILD_DIR = $(OVMF_TDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN) (Note that I already split the above to follow commit "16bb13da3d debian/rules: Define *_BUILD_ROOT variables" that was picked up from Debian). > OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi > +OVMF_TDX_ENROLL = $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi > OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL) > OVMF_TDX_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd) > +OVMF_TDX_PREENROLLED_IMAGES := $(addprefix > $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.ms.fd) > > QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH) > QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN) 
> @@ -145,7 +147,7 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): > debian/setup-build-stamp > cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \ > $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd > > -build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) > +build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) > $(OVMF_TDX_PREENROLLED_IMAGES) > $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp > rm -rf $(OVMF_TDX_INSTALL_DIR) > mkdir $(OVMF_TDX_INSTALL_DIR) > @@ -215,6 +217,9 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) > \ > %/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd > debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL) > $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@) > > +%/OVMF_TDX_4M.ms.fd: %/OVMF_TDX_4M.fd debian/PkKek-1-vendor.pem > $(OVMF_TDX_ENROLL) $(OVMF_TDX_SHELL) > + $(call enroll_vendor,$(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd,$@,amd64) > + > BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s > $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@ > Let me know if this looks good to you or if you prefer something else :) Best Regards, Fiona _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
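Review bot: the debian/pve-edk2-firmware-ovmf.install hunk replaces OVMF_TDX_4M.fd with OVMF_TDX_4M.ms.fd instead of adding it, so the package stops shipping the unenrolled TDX image even though debian/rules still builds it (OVMF_TDX_IMAGES is unchanged). If dropping it is intended, as Debian did for the variant without pre-enrolled keys, state that in the commit message and check that nothing still references /usr/share/pve-edk2-firmware/OVMF_TDX_4M.fd; otherwise keep both lines so existing configurations pointing at the old filename keep working.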
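Review bot: in the @@ -95,8 +95,10 hunk, OVMF_TDX_ENROLL is defined as $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi, but OVMF_TDX_BINARIES is left as just $(OVMF_TDX_SHELL), so no rule declares that the TDX build produces EnrollDefaultKeys.efi even though the new .ms.fd rule lists it as a prerequisite. Unless the IntelTdx build already emits it as a side effect of the existing target, add it to the list, `OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL) $(OVMF_TDX_ENROLL)`, so the debian/setup-build-stamp dependency covers it as well; it is also worth confirming that the IntelTdx platform build produces EnrollDefaultKeys.efi at all, because both the snakeoil and the vendor enrollment depend on that binary and the enrolled keys end up inside the shipped image.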
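Review bot: the @@ -145,7 +147,7 hunk only extends the build-ovmf-tdx dependency list; the ordering against the `rm -rf $(OVMF_TDX_INSTALL_DIR)` in the $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) recipe holds only because the new %/OVMF_TDX_4M.ms.fd pattern rule depends on %/OVMF_TDX_4M.fd, which is part of OVMF_TDX_IMAGES. That is correct as written, but a one-line comment next to the target would help, since a later change that builds the .ms.fd from a different input would race with the rm -rf under parallel make.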
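Review bot: the new %/OVMF_TDX_4M.ms.fd rule in the @@ -215,6 +217,9 hunk calls enroll_vendor, but this diff defines neither enroll_vendor nor debian/PkKek-1-vendor.pem (only enroll_snakeoil and debian/PkKek-1-snakeoil.* appear in the surrounding context). If the helper from the Debian changes [0] has not been merged first, $(call enroll_vendor,...) expands to an empty recipe, make treats the target as built although nothing was written, and the failure only surfaces at install time, so the helper and the vendor PEM should land in the same series ahead of this patch. Two smaller points: the recipe hardcodes $(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd instead of using $< from the pattern prerequisite (consistent with the snakeoil rule above, but $< keeps the rule self-consistent), and because the keys are baked into the image, OVMF_TDX_4M.ms.fd is a different firmware binary from OVMF_TDX_4M.fd, which the commit message should spell out for anyone who pins or measures the TDX firmware.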
