On Thu, Jun 23, 2022 at 06:14:12PM +0200, Andrea Bolognani wrote:
> The main motivation behind this series was making it as simple as
> possible ("one click") to enable Secure Boot for a VM.

Heads up, and sort-of follow-up to the recent secure boot and smm (x86)
and tz (arm) discussion.

We'll most likely get a new secure boot variant soon. This will not
require smm, but it will also not support persistent variables. The
underlying idea is to simply re-initialize the variable store from
known-good ROM on each boot to compensate for the varstore not being
protected against the guest OS tampering with it.

Which of course implies some drawbacks: The guest can't add keys (via
mokutil) for example, and turning off secure boot in firmware setup
wouldn't work either. There are enough use cases (like just booting
cloud images in secure boot mode) where this doesn't matter, so I
consider this useful nevertheless, but maybe a separate feature flag
like 'stateless-secure-boot' makes sense for that.

Not sure yet how to package that up, best is probably as stateless
image because that'll reduce the chances of getting it wrong, i.e.
something like this:

{
    "description": "OVMF with secure boot, no persistent vars",
    "interface-types": [
        "uefi"
    ],
    "mapping": {
        "device": "flash",
        "mode": "stateless",
        "executable": {
            "filename": "/usr/share/edk2/ovmf/OVMF.secboot.fd",
            "format": "raw"
        }
    },
    "targets": [
        {
            "architecture": "x86_64",
            "machines": [
                "pc-i440fx-*",
                "pc-q35-*"
            ]
        }
    ],
    "features": [
        "secure-boot",
        "enrolled-keys"
    ]
}

The idea should work for aarch64 too and remove the trustzone support
requirement.

take care,
  Gerd
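As an added illustration of how a management application would consume a descriptor like the one in the mail (this is example code, not from Gerd's mail, QEMU or libvirt), the Python below parses a stateless descriptor and a conventional split-layout counterpart, checks that the mapping mode is consistent with the presence of an nvram-template, and derives the pflash drive arguments. The point it makes concrete is the one in the mail: with "mode": "stateless" there is exactly one read-only pflash unit and no per-VM variable store to protect, while the split layout needs a writable per-VM copy of the template and, where the firmware is flagged requires-smm, SMM enabled. Both descriptors, the file paths in them and the per-VM varstore path are constructed for the example; the mode and feature names are those of QEMU's firmware.json schema.

```python
"""Consume QEMU firmware descriptors (docs/interop/firmware.json style) and
derive the QEMU arguments a management application would generate.
Added example; the descriptors are constructed after the one in the mail."""
import fnmatch
import json

# Constructed descriptor, modelled on the stateless one quoted in the mail.
STATELESS_DESCRIPTOR = json.loads("""
{
    "description": "OVMF with secure boot, no persistent vars",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "mode": "stateless",
        "executable": {
            "filename": "/usr/share/edk2/ovmf/OVMF.secboot.fd",
            "format": "raw"
        }
    },
    "targets": [
        {"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}
    ],
    "features": ["secure-boot", "enrolled-keys"]
}
""")

# Constructed counterpart in the conventional split layout: code is read-only,
# the variable store is copied per VM from a template and must be protected
# by SMM against the guest (hence the requires-smm flag).
SPLIT_DESCRIPTOR = {
    "description": "OVMF with secure boot, persistent vars (constructed)",
    "interface-types": ["uefi"],
    "mapping": {
        "device": "flash",
        "mode": "split",
        "executable": {"filename": "/path/to/OVMF_CODE.secboot.fd", "format": "raw"},
        "nvram-template": {"filename": "/path/to/OVMF_VARS.secboot.fd", "format": "raw"},
    },
    "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
    "features": ["secure-boot", "enrolled-keys", "requires-smm"],
}


def validate(desc):
    """Reject descriptors whose mapping contradicts its mode or feature flags.
    Returns the effective mode ("split" is the schema default)."""
    mapping = desc["mapping"]
    if mapping["device"] != "flash":
        raise ValueError("only flash mappings are handled in this example")
    mode = mapping.get("mode", "split")
    has_template = "nvram-template" in mapping
    if mode == "stateless" and has_template:
        raise ValueError("stateless firmware must not carry an nvram-template")
    if mode == "split" and not has_template:
        raise ValueError("split firmware needs an nvram-template for the varstore")
    if mode not in ("stateless", "split"):
        raise ValueError(f"mode {mode!r} not handled in this example")
    if "enrolled-keys" in desc["features"] and "secure-boot" not in desc["features"]:
        raise ValueError("enrolled-keys only makes sense together with secure-boot")
    return mode


def supports(desc, arch, machine):
    """True if some target matches the architecture and machine type
    (machine entries are glob patterns)."""
    return any(
        t["architecture"] == arch
        and any(fnmatch.fnmatchcase(machine, pat) for pat in t["machines"])
        for t in desc["targets"]
    )


def pflash_args(desc, vars_copy=None):
    """Build the -drive arguments. Stateless: one read-only unit 0, nothing
    writable. Split: read-only code on unit 0 plus the caller's per-VM
    writable copy of the template on unit 1."""
    mode = validate(desc)
    exe = desc["mapping"]["executable"]
    args = ["-drive", f"if=pflash,unit=0,format={exe['format']},readonly=on,file={exe['filename']}"]
    if mode == "split":
        if vars_copy is None:
            raise ValueError("split mode needs a per-VM copy of the nvram-template")
        tmpl = desc["mapping"]["nvram-template"]
        args += ["-drive", f"if=pflash,unit=1,format={tmpl['format']},file={vars_copy}"]
    return args


def machine_args(desc, machine):
    """Only firmware flagged requires-smm needs smm=on; the stateless variant
    in the mail deliberately does not."""
    opts = [machine]
    if "requires-smm" in desc["features"]:
        opts.append("smm=on")
    return ["-machine", ",".join(opts)]


if __name__ == "__main__":
    for desc, vars_copy in ((STATELESS_DESCRIPTOR, None),
                            (SPLIT_DESCRIPTOR, "/var/lib/example/nvram/vm1_VARS.fd")):
        print(desc["description"])
        print(" ", " ".join(machine_args(desc, "pc-q35-7.0") + pflash_args(desc, vars_copy)))
```

Run as a script it prints the two command-line fragments side by side; the stateless one has no writable drive at all, which is exactly why the guest cannot enrol MOK keys or disable Secure Boot from setup, and also why no SMM is needed to protect anything.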