Re: [libvirt PATCH] kbase: Always explicitly enable secure-boot firmware feature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 04, 2022 at 03:32:32AM -0500, Andrea Bolognani wrote:
> On Wed, Aug 03, 2022 at 05:29:15PM +0100, Daniel P. Berrangé wrote:
> > On Wed, Aug 03, 2022 at 06:15:24PM +0200, Andrea Bolognani wrote:
> > >    <os firmware='efi'>
> > >      <firmware>
> > > +      <feature enabled='yes' name='secure-boot'/>
> > >        <feature enabled='no' name='enrolled-keys'/>
> > >      </firmware>
> > >    </os>
> >
> > If we want secureboot disabled, this looks wrong. It just enables
> > secureboot, but without any keys.  We need enabled=no to ask for
> > a firmware without SecureBoot at all.
> 
> Mh. From a practical standpoint, the scenarios
> 
>   * firmware has secure boot support but there are no enrolled keys
>   * firmware doesn't have secure boot support
> 
> are pretty much equivalent: either way, unsigned code will be allowed
> to run.

Yes & no - one allows you to enroll custom keys, the other doesn't
allow it. For most people that distinction doesn't matter but it is
a significant difference.

I don't mind documenting both, but we should explain why we are
illustrating two different mechanisms, as when the question is
"how to I disable secureboot" an answer saying "secure_boot enabled=yes"
simply looks wrong.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux