Branch: refs/heads/master
  Home:   https://github.com/tianocore/edk2
  Commit: d2cbaefc082294eadaa30a3d5f0fa8ba264a574a
      
https://github.com/tianocore/edk2/commit/d2cbaefc082294eadaa30a3d5f0fa8ba264a574a
  Author: Gerd Hoffmann <[email protected]>
  Date:   2025-12-11 (Thu, 11 Dec 2025)

  Changed paths:
    M OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
    M OvmfPkg/RUNTIME_CONFIG.md

  Log Message:
  -----------
  OvmfPkg/X86QemuLoadImageLib: flip default for EnableLegacyLoader to false

What happened since commit 1549bf11cc94 ("OvmfPkg/X86QemuLoadImageLib:
make legacy loader configurable.")?

First, qemu 10.0 has been released, which brings support for the -shim
command line option so direct kernel boot with secure boot works.

Second, support has been added to libvirt (version v11.2.0 and newer).

Third, we got a bunch of linux distro releases.  Latest debian, ubuntu
and fedora releases all have new enough edk2+qemu+libvirt packages to
support direct kernel boot with shim.efi loading and proper secure boot
verification.

Lastly, the edk2 security advisory GHSA-6pp6-cm5h-86g5 and CVE-2025-2296
have been published.

Time for the next step in tightening the screws:  Flip the default for
the EnableLegacyLoader config option from true to false.  Also update
the documentation accordingly.

The documentation for the config option is here:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#user-content-security-optorgtianocoreenablelegacyloader

Upcoming final step, in a year or two: remove the legacy loader from the
code base (drop X86QemuLoadImageLib, migrate all users to use
GenericQemuLoadImageLib instead).

Signed-off-by: Gerd Hoffmann <[email protected]>



_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits