Until Kashyap finds the time to add more details, a copy&paste is certainly better than keeping this out of the context here.
[15:12] <kashyap> Hi, folks.
[15:12] <kashyap> Who can help make this small change to the edk2 package: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1836859
[15:12] <ubottu> Launchpad bug 1836859 in edk2 (Ubuntu) "RFE: Ship the firmware "descriptor files" as part of the 'ovmf' package" [Undecided,New]
[15:12] <kashyap> The current maintainer seems to be away on PTO.
[15:13] <kashyap> And I don't know Ubuntu enough to 'query' for other maintainers. (I come from Fedora land :-))
[15:13] <kashyap> It requires someone vaguely familiar with QEMU (and EDK2/OVMF).
[15:21] <cpaelzer> kashyap: IMHO we have time to wait for dannf
[15:21] <cpaelzer> kashyap: this is a feature tied to qemu 4.1 which means Ubuntu 20.04
[15:21] <cpaelzer> I think rushing something into edk2 now will gain us nothing but probably problems
[15:22] <kashyap> cpaelzer: Hmm. I'm coming here and pestering because I'll be away on PTO (from 06-Aug to 23-Aug). And Nova could use it
[15:22] <cpaelzer> kashyap: but could it use it without any related commit in qemu?
[15:22] <kashyap> cpaelzer: Note that it is not strictly tied to QEMU 4.1 -- you can still use them with older QEMU versions.
[15:22] <cpaelzer> I haven't checked the details, only have seen that it came with 4.1 (in the bundled rom release)
[15:22] <kashyap> cpaelzer: If you have libvirt 5.3 or above, then you can use them with older QEMU
[15:23] <cpaelzer> kashyap: can one "benefit" from it without qemu 4.1
[15:23] <cpaelzer> we are on libvirt 5.4 already
[15:23] <cpaelzer> and I have talked with Dannf before his PTO
[15:23] <kashyap> cpaelzer: Good question :-) I'm doing this to be able to test Nova's Secure Boot spec in the OpenStack Gate: http://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html
[15:24] <kashyap> cpaelzer: If you see the JSON files: they simply describe the features of the EDK2 binaries that you ship in Ubuntu.
[15:25] <cpaelzer> yeah
[15:25] <cpaelzer> but doesn't that mean that you can already test it right now manually?
[15:25] <kashyap> cpaelzer: libvirt 5.3 or above will read them, and then will auto-add the relevant bits if you want Secure Boot
[15:25] <cpaelzer> by dropping matching json files in place (manually) and see if things work
[15:25] <cpaelzer> if they do add it to the bug which will help dannf to ensure what is placed will be the correct content
[15:25] <kashyap> cpaelzer: Oh, sure. But just trying to set things in motion while I still have the motivation :-)
[15:26] <cpaelzer> I absolutely appreciate that part of it :-)
[15:26] <cpaelzer> and I now understand why you are in a hurry (your PTO timing)
[15:27] <cpaelzer> in motion things are already, since we both reached dannf and he acknowledged to do it after he is back
[15:27] <kashyap> cpaelzer: As we speak, I'm harassing the QEMU packager on #qemu, asking what he meant in his comment at the end of a similar request: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932269
[15:27] <ubottu> Debian bug 932269 in ovmf "Ship the firmware "descriptor files" as part of the 'ovmf' package" [Normal,Open]
[15:27] <kashyap> cpaelzer: Hehe, sorry, I should've made my motivation clearer.
[15:28] <kashyap> cpaelzer: Okido. Just wanted to check in here, as things tend to fall through the cracks, as everyone is busy :-)
[15:28] <cpaelzer> kashyap: this is a circular dependency as dannf is the maintainer
[15:28] <cpaelzer> mjt as well, but he is more the qemu than the edk2 maintainer (usually)
[15:29] <kashyap> Right, I just asked 'mjt' on #qemu. Will check later
[15:29] <kashyap> cpaelzer: Also, I hope Ubuntu is now shipping a "variables file" (VARS) with default UEFI keys (from MS) installed
[15:30] <cpaelzer> kashyap: /usr/share/OVMF/OVMF_VARS.ms.fd
[15:30] <kashyap> If you're not aware; disregard my remark -- that's a detail 'dannf' knows -- I described to him a few weeks ago on #debian-qemu (on OFTC)
[15:31] <kashyap> cpaelzer: Ah-ha, the 'ms' is presumably with MS keys. It can't be anything else
[15:31] <kashyap> Last I checked I knew that Ubuntu was shipping the script we wrote to enroll the MS keys. (Noticed in the tarball here: https://launchpad.net/ubuntu/+source/edk2/0~20190309.89910a39-1ubuntu1)
[15:32] <kashyap> So all good there.
[15:32] <cpaelzer> kashyap: this was from 0~20190606.20d2e5a1-1ubuntu2
[15:32] <cpaelzer> kashyap: give your test a try by manually placing the json files
[15:32] <kashyap> cpaelzer: Noted, on the version.
[15:33] <cpaelzer> kashyap: and if it works with the libvirt 5.4 that is in Eoan (maybe with modifications to the json files) update the bug on edk2 to let dannf know that this makes sense for Eoan
[15:33] <cpaelzer> he might (as I was) assume that this is only needed in 20.04
[15:33] <kashyap> cpaelzer: But ... note that: simply dropping in there doesn't _quite_ fly: as I don't know (unless I look in the code) if Ubuntu's EDK2 build differs in any way from Fedora's (the one I'm familiar with)
[15:33] <cpaelzer> the only differences seem to be paths right?
[15:34] <kashyap> Because based on that you (the "mythical you") need to add or remove some lines from the "features" bit.
[15:34] <kashyap> cpaelzer: That's what I'd expect, frankly
[15:34] <kashyap> For example, see for Fedora, the "features" its EDK2's MS-signed binary (called: OVMF_CODE.secboot.fd) has are these:
[15:34] <kashyap> + "features": [
[15:34] <kashyap> + "acpi-s3",
[15:35] <kashyap> + "enrolled-keys",
[15:35] <kashyap> + "requires-smm",
[15:35] <kashyap> + "secure-boot",
[15:35] <kashyap> + "verbose-dynamic"
[15:35] <kashyap> ---
[15:35] <kashyap> Now I don't know if they match 1-1 in Ubuntu. 97.83% yes, they _should_ match.
[15:36] <cpaelzer> kashyap: which would be perfect to be outlined on the bug
[15:36] <cpaelzer> even if you make assumptions you can provide this example from fedora and the link to the openstack usage of the feature and the result of your testing
[15:36] <cpaelzer> I'm sure dannf will prefer to change a few features than to blindly guess adding something totally untested
[15:37] <kashyap> Right, will do. Once I replenish my "yak trimming" quota :-)
[15:37] <cpaelzer> hehe
[15:37] <cpaelzer> kashyap: just trying to guide you to the progress that you poked this channel for :-)
[15:38] <kashyap> Certainly; just joking, as you know. Much appreciated.
[15:38] <cpaelzer> sure, np
