On Tue, Jun 07, 2022 at 02:57:17PM -0600, Jim Fehlig wrote:
> Hi All,
>
> I received a bug report (private, sorry) about inability to "deploy uefi
> virtual machine with secureboot enabled on aarch64 kvm host". Indeed the
> qemu driver has some checks that would prohibit using secure boot with
> aarch64 virt machines, e.g.

BTW, by chance I found some interesting info about aarch64 secureboot from Debian:

https://wiki.debian.org/SecureBoot

"Debian no longer supports UEFI Secure Boot on arm64 systems, as of May 2021. Shim and other EFI programs have always been difficult to build on arm64, compared to x86 platforms. Binutils for amd64 and i386 includes explicit support for creating programs in the PE/COFF binary format that EFI uses, but this has never been added for arm64. In the past, shim developers added some local hacks into the shim package to generate a mostly-compliant PE/COFF EFI binary without this toolchain support, and that seemed to be sufficient for use. Everything seemed to work. However, during the development and testing phase of shim 15.3 and 15.4, we found significant issues with this approach. New security features needed in shim (SBAT) showed up severe problems with the lack of proper toolchain support. See https://github.com/rhboot/shim/issues/366 for more details. The old hacks around binutils are no longer sustainable."

Having said that, I find Fedora does still build shim 15.4 for aarch64. We only exclude 32-bit, and I think RHEL does the same. Whether anyone's tested SecureBoot on aarch64 in Fedora/RHEL though, I'm not so sure.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|