On Thu, Aug 04, 2022 at 03:32:32AM -0500, Andrea Bolognani wrote:
On Wed, Aug 03, 2022 at 05:29:15PM +0100, Daniel P. Berrangé wrote:
On Wed, Aug 03, 2022 at 06:15:24PM +0200, Andrea Bolognani wrote:
<os firmware='efi'> <firmware> + <feature enabled='yes' name='secure-boot'/> <feature enabled='no' name='enrolled-keys'/> </firmware> </os>
If we want secureboot disabled, this looks wrong. It just enables secureboot, but without any keys. We need enabled=no to ask for a firmware without SecureBoot at all.
Mh. From a practical standpoint, the scenarios
* firmware has secure boot support but there are no enrolled keys * firmware doesn't have secure boot support
are pretty much equivalent: either way, unsigned code will be allowed to run.
Yes & no - one allows you to enroll custom keys, the other doesn't allow it. For most people that distinction doesn't matter but it is a significant difference. I don't mind documenting both, but we should explain why we are illustrating two different mechanisms, as when the question is "how to I disable secureboot" an answer saying "secure_boot enabled=yes" simply looks wrong. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|