On Thu, Apr 11, 2024 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> Add a new "etc/boot/kernel" fw_cfg file, containing the kernel without
> the setup header patches. Intended use is booting in UEFI with secure
> boot enabled, where the setup header patching breaks secure boot
> verification.
>
> Needs OVMF changes too to be actually useful.
>
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>

So given we have this, do we still need patch 2? > --- > hw/i386/x86.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/i386/x86.c b/hw/i386/x86.c > index 6f75948b3021..6724e408e576 100644 > --- a/hw/i386/x86.c > +++ b/hw/i386/x86.c > @@ -1125,6 +1125,9 @@ void x86_load_linux(X86MachineState *x86ms, > sev_load_ctx.setup_data = (char *)setup; > sev_load_ctx.setup_size = setup_size; > > + /* kernel without setup header patches */ > + fw_cfg_add_file(fw_cfg, "etc/boot/kernel", kernel, kernel_size); > + > if (sev_enabled()) { > sev_add_kernel_loader_hashes(&sev_load_ctx, &error_fatal); > } > -- > 2.44.0
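
Review bot: the comment on the added fw_cfg_add_file() call, "kernel without setup header patches", does not say whether kernel/kernel_size is the complete image as loaded from disk or only the part that follows the setup block, which the lines just above track separately as setup/setup_size. Secure boot verification needs the whole signed file, so the comment should spell out what the buffer covers. The diffstat also shows only hw/i386/x86.c touched, so the new "etc/boot/kernel" name is not documented anywhere in this patch, and it is worth stating whether exposing the file unconditionally, ahead of the sev_enabled() check, is intended.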