This is now addressed in focal, so now let's discuss what we should do for eoan/bionic.
= eoan = At a high level the issue here is that cosmic/disco behaved a certain way, eoan's behavior changed, and we've now restored the cosmic/disco behavior in focal. Detail: the behavior change concerns what happens when you define a guest w/ a given fw loader and let libvirt choose a variable template. In cosmic and disco, the "secboot" loader would give you a Secure Boot-capable, but disabled, guest, and the "ms" loader would give you a Secure Boot-enabled guest w/ preloaded keys. In eoan, libvirt handed off this decision to edk2-provided descriptor files, and there the "secboot" loader started behaving like "ms" did, and the "ms" loader behavior was dropped. In focal, we've updated the descriptors to retore the cosmic/disco behavior, as that appears to be what was originally intended, and provides users with the most flexibility. So on one hand we could consider the existing eoan behavior a regression (vs. disco) and SRU a fix back. Or, we could leave eoan alone to avoid regressing anyone there, knowing that a focal upgrade will change that behavior. = bionic = Bionic is technically not impacted by this issue, as it had neither "secboot" nor "ms" ovmf images. However, we do have a class of users who are installing the focal version of ovmf in bionic to get Secure Boot guest support in an LTS. Back in bionic, the loader/variable template config was managed in libvirt config, and our default bionic config knows nothing of the "ms" flavor. We could make the lives of these users easier by (low priority) SRU'ing the "ms" config support back to libvirt in bionic, so this setup works by default. But then we risk a bionic->eoan regression unless we change eoan as well. We could also just decide that bionic users w/ focal ovmf should just modify their local config. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1864532 Title: Incorrect nvram template for secboot firmware To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1864532/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
