> > > Options I see:
> > > 
> > >   (a) Stop using direct kernel boot, let virt-install & other tools
> > >       create vfat boot media with shim+kernel+initrd instead.
> > > 
> > >   (b) Enroll the distro signing keys in the efi variable store, so
> > >       booting the kernel without shim.efi works.
> > > 
> > >   (c) Add support for loading shim to qemu (and ovmf), for example
> > >       with a new '-shim' command line option which stores shim.efi
> > >       in some new fw_cfg file.
> > > 
> > > (b) + (c) both require a fix for the patching issue.  The options
> > > I see here are:
> > > 
> > >   (A) Move the patching from qemu to the linuxboot option rom.
> > >       Strictly speaking it belongs there anyway.  It doesn't look
> > >       that easy though, for qemu it is easier to gather all
> > >       information needed ...
> > > 
> > >   (B) Provide both patched and unpatched setup header, so the
> > >       guest can choose what it needs.
> > > 
> > >   (C) When implementing (c) above we can piggyback on the -shim
> > >       switch and skip patching in case it is present.
> > > 
> > >   (D) Add a flag to skip the patching.
> > > 
> > > Comments?  Other/better ideas?
> > > 
> > > take care,
> > >   Gerd
> > 
> > So if you didn't decide whether to do b or c then I guess D is
> > easiest and covers both cases?
> 
> Easiest if you look at qemu only.  Adding a new config option adds
> burdens elsewhere though.  Users and the management stack have to
> learn to use the new option.
> 
> Both (A) and (B) work automatically and can be combined with both (b)
> and (c).  (B) is probably much easier to implement, drawback is it
> > requires a firmware update too.

Sneak preview for (c) + (B) is here:
  https://git.kraxel.org/cgit/qemu/log/?h=sirius/direct-secure-boot

(well, almost, instead of an unpatched setup header it exposes an unpatched
kernel binary).

Currently looking at the ovmf side of things to make sure the idea
actually works before posting patches to the list.

take care,
  Gerd
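The "patching issue" behind options (A) through (D): before jumping to the kernel, a direct-boot loader has to write loader-specific values into the bzImage setup header, so the bytes the firmware sees no longer match what the distro signed. The following is an added illustration, not code from the thread or from qemu; the field offsets come from the Linux x86 boot protocol, while the loader addresses and the minimal image are constructed.

```python
import hashlib
import struct

# Setup header fields, offsets relative to the start of the bzImage
# (Linux x86 boot protocol, Documentation/x86/boot.rst).
FIELDS = {
    "setup_sects":    (0x1F1, "B"),
    "boot_flag":      (0x1FE, "<H"),
    "header":         (0x202, "<I"),
    "version":        (0x206, "<H"),
    "type_of_loader": (0x210, "B"),
    "loadflags":      (0x211, "B"),
    "code32_start":   (0x214, "<I"),
    "ramdisk_image":  (0x218, "<I"),
    "ramdisk_size":   (0x21C, "<I"),
    "heap_end_ptr":   (0x224, "<H"),
    "cmd_line_ptr":   (0x228, "<I"),
}
HDRS_MAGIC = 0x53726448  # "HdrS" read as a little-endian u32

def parse_setup_header(img):
    """Decode the header fields above; reject anything that is not a bzImage."""
    if len(img) < 0x22C + 4:
        raise ValueError("image too short for a boot protocol header")
    out = {n: struct.unpack_from(f, img, o)[0] for n, (o, f) in FIELDS.items()}
    if out["boot_flag"] != 0xAA55 or out["header"] != HDRS_MAGIC:
        raise ValueError("boot_flag or HdrS magic missing")
    return out

def loader_patch(img, cmdline_addr, initrd_addr, initrd_size):
    """Write the fields the boot protocol requires a loader to fill in.
    The addresses passed in are constructed, not what any real loader picks."""
    buf = bytearray(img)
    struct.pack_into("B", buf, 0x210, 0xB0)               # type_of_loader: "other"
    struct.pack_into("B", buf, 0x211, buf[0x211] | 0x80)  # loadflags |= CAN_USE_HEAP
    struct.pack_into("<H", buf, 0x224, 0xFE00)            # heap_end_ptr (constructed)
    struct.pack_into("<I", buf, 0x228, cmdline_addr)
    struct.pack_into("<I", buf, 0x218, initrd_addr)
    struct.pack_into("<I", buf, 0x21C, initrd_size)
    return bytes(buf)

def diff_setup_header(orig, patched):
    """Return {field: (before, after)} for every header field the loader changed."""
    a, b = parse_setup_header(orig), parse_setup_header(patched)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

def sha256(img):
    return hashlib.sha256(img).hexdigest()

# Constructed minimal image: zeroed body with only the magic/version fields set.
_img = bytearray(0x400)
struct.pack_into("B", _img, 0x1F1, 4)
struct.pack_into("<H", _img, 0x1FE, 0xAA55)
struct.pack_into("<I", _img, 0x202, HDRS_MAGIC)
struct.pack_into("<H", _img, 0x206, 0x020C)
CONSTRUCTED_IMAGE = bytes(_img)
```

Running `diff_setup_header(CONSTRUCTED_IMAGE, loader_patch(CONSTRUCTED_IMAGE, 0x20000, 0x1000000, 0x400000))` lists exactly the loader-written fields, and the two images hash differently, which is why a signature over the original binary cannot verify the patched copy and why (B) keeps an unpatched copy available to the guest.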

