> On 9 Apr 2025, at 11:51 AM, Gerd Hoffman <kra...@redhat.com> wrote:
>
> Hi,
>
>>> The chicken-and-egg problem arises if you go for hashing and want embed
>>> the igvm file in the UKI.
>>
>> I don't really see how signing the IGVM file for secure boot helps anything.
>
> It doesn't help indeed. This comes from the original idea by Alex to
> simply add a firmware image to the UKI. In that case the firmware is
> covered by the signature / hash, even though it is not needed. Quite
> the contrary, it complicates things when we want ship db/dbx in the
> firmware image.
>
> So most likely the firmware will not be part of the main UKI. Options
> for alternatives are using UKI add-ons,
But add-ons are also subjected to signature verification. How does not using
the main UKI help?
> or simply ship a plain igvm
> file. Details need to be sorted out (but they don't matter for the
> vmfwupdate interface design).
>
>> Do you need the UEFI_APPLICATION that uses the vmfwupdate interface to
>> be signed for secure boot? Seems unnecessary.
>
> Agree.
>
> take care,
> Gerd
>
