On Mon, Apr 15, 2024 at 03:30:32PM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > Options I see:
> > >
> > > (a) Stop using direct kernel boot, let virt-install & other tools
> > > create vfat boot media with shim+kernel+initrd instead.
> > >
> > > (b) Enroll the distro signing keys in
Hi,
> > Options I see:
> >
> > (a) Stop using direct kernel boot, let virt-install & other tools
> > create vfat boot media with shim+kernel+initrd instead.
> >
> > (b) Enroll the distro signing keys in the efi variable store, so
> > booting the kernel without shim.efi works.
On Wed, Apr 10, 2024 at 12:35:13PM +0200, Gerd Hoffmann wrote:
> On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote:
> > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> > > If the binary loaded via -kernel is *not* a linux kernel (in which
> > > case protocol ==
> > > Options I see:
> > >
> > > (a) Stop using direct kernel boot, let virt-install & other tools
> > > create vfat boot media with shim+kernel+initrd instead.
> > >
> > > (b) Enroll the distro signing keys in the efi variable store, so
> > > booting the kernel without shim.efi
On Wed, Apr 10, 2024 at 07:10:22AM -0400, Michael S. Tsirkin wrote:
> On Wed, Apr 10, 2024 at 12:35:13PM +0200, Gerd Hoffmann wrote:
> > On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote:
> > > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> > > > If the binary
On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote:
> On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> > If the binary loaded via -kernel is *not* a linux kernel (in which
> > case protocol == 0), do not patch the linux kernel header fields.
> >
> > It's (a)
On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> If the binary loaded via -kernel is *not* a linux kernel (in which
> case protocol == 0), do not patch the linux kernel header fields.
>
> It's (a) pointless and (b) might break binaries by random patching
> and (c) changes the
If the binary loaded via -kernel is *not* a linux kernel (in which
case protocol == 0), do not patch the linux kernel header fields.
It's (a) pointless and (b) might break binaries by random patching
and (c) changes the binary hash which in turn breaks secure boot
verification.
Background: OVMF