On Tue, Jun 07, 2022 at 02:57:17PM -0600, Jim Fehlig wrote:
> Hi All,
> I received a bug report (private, sorry) about inability to "deploy uefi
> virtual machine with secureboot enabled on aarch64 kvm host". Indeed the
> qemu driver has some checks that would prohibit using secure boot with
> aarch64 virt machines, e.g.
BTW, by chance I found some interesting info about aarch64 secureboot
from Debian
https://wiki.debian.org/SecureBoot
"Debian no longer supports UEFI Secure Boot on arm64 systems,
as of May 2021.
Shim and other EFI programs have always been difficult to build
on arm64, compared to x86 platforms. Binutils for amd64 and i386
includes explicit support for creating programs in the PE/COFF
binary format that EFI uses, but this has never been added for
arm64.
In the past, shim developers added some local hacks into the shim
package to generate a mostly-compliant PE/COFF EFI binary without
this toolchain support, and that seemed to be sufficient for use.
Everything seemed to work. However, during the development and
testing phase of shim 15.3 and 15.4, we found significant
issues with this approach. New security features needed in shim
(SBAT) showed up severe problems with the lack of proper toolchain
support. See
https://github.com/rhboot/shim/issues/366 for more
details. The old hacks around binutils are no longer sustainable."
Having said that I find Fedora does still build shim 15.4 for
aarch64. We only exclude 32-bit, and I think RHEL does the
same. Whether anyone's tested SecureBoot on aarch64 in
Fedora/RHEL though, I'm not so sure.
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
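The Debian text quoted above turns on two properties of a shim build that a distribution or host administrator can verify directly on the binary: whether the PE/COFF image declares the expected COFF machine type and EFI application subsystem, and whether it carries the `.sbat` section that shim 15.3+ requires. The following is an added example, not code from libvirt, shim or Debian. It parses the documented PE/COFF header layout (DOS header `e_lfanew` at 0x3c, COFF header, optional header, section table) and, so that it runs offline, constructs a minimal PE32+ image in memory with a constructed SBAT CSV modelled on the format described in shim's SBAT.md; the sample image and CSV are assumptions, not a real shim build.

```python
"""Inspect a PE/COFF UEFI binary for its COFF machine type and an SBAT section.

Added example (not libvirt, shim or Debian code). The sample image built by
build_sample_efi() and the SAMPLE_SBAT CSV are constructed for demonstration.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# COFF machine type values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86_64", 0xAA64: "aarch64"}
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# Constructed SBAT payload in the CSV form documented in shim's SBAT.md
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)


@dataclass
class PeInfo:
    machine: str
    subsystem: int
    pe32plus: bool
    sections: List[str] = field(default_factory=list)
    sbat: List[List[str]] = field(default_factory=list)  # parsed SBAT CSV rows


def parse_pe(data: bytes) -> PeInfo:
    """Walk the PE headers and section table; extract the .sbat section if present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    info = PeInfo(MACHINE_NAMES.get(machine, "0x%04x" % machine), subsystem, magic == PE32PLUS_MAGIC)
    sect = opt + opt_size
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        info.sections.append(name)
        if name == ".sbat":
            body = data[rawptr:rawptr + rawsize].rstrip(b"\0").decode("utf-8")
            info.sbat = [line.split(",") for line in body.splitlines() if line]
    return info


def sbat_generation(info: PeInfo, component: str) -> Optional[int]:
    """Return the SBAT generation number recorded for a component, or None."""
    for row in info.sbat:
        if len(row) >= 2 and row[0] == component:
            return int(row[1])
    return None


def describe(data: bytes) -> dict:
    """Summarise the properties an administrator would check on a shim build."""
    info = parse_pe(data)
    return {
        "machine": info.machine,
        "efi_application": info.subsystem == IMAGE_SUBSYSTEM_EFI_APPLICATION,
        "has_sbat": bool(info.sbat),
        "shim_generation": sbat_generation(info, "shim"),
    }


def build_sample_efi(machine: int, sbat_csv: Optional[bytes]) -> bytes:
    """Construct a minimal PE32+ EFI application image (constructed sample, not a real build)."""
    sections = [(b".text", b"\xC3" * 16)]
    if sbat_csv is not None:
        sections.append((b".sbat", sbat_csv))
    e_lfanew, opt_size, file_align = 0x40, 240, 0x200
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers_size = (hdr_len + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    table, body, rawptr = b"", b"", headers_size
    for name, content in sections:
        rawsize = (len(content) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content),
                             rawptr, rawsize, rawptr, 0, 0, 0, 0, 0x40000040)
        body += content.ljust(rawsize, b"\0")
        rawptr += rawsize
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    # An aarch64 image carrying SBAT beside an x86_64 image without it
    for arch, csv in ((0xAA64, SAMPLE_SBAT), (0x8664, None)):
        print(describe(build_sample_efi(arch, csv)))
```

To run it against a real binary, replace the constructed image with the file contents (`describe(open("shimaa64.efi", "rb").read())`, the filename being an assumption); an aarch64 shim that reports `has_sbat: False` is the case the Debian wiki text describes as no longer sustainable.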