On Thu, Aug 04, 2022 at 12:16:41PM +0200, Andrea Bolognani wrote:
> It should be enough to enable or disable the enrolled-keys feature
> to control whether Secure Boot is enforced, but there's a slight
> complication: many distro packages for edk2 include, in addition
> to general purpose firmware images, builds that are targeting the
> Confidential Computing use case.
>
> For those, the firmware descriptor will not advertise the
> enrolled-keys feature, which will technically make them suitable
> for satisfying a configuration such as
>
>   <os firmware='efi'>
>     <firmware>
>       <feature state='off' name='enrolled-keys'/>
>     </firmware>
>   </os>
>
> In practice, users will expect the general purpose build to be
> used in this case. Explicitly asking for the secure-boot feature
> to be enabled achieves that result at the cost of some slight
> additional verbosity.
>
> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> ---
>  docs/kbase/secureboot.rst | 3 +++
>  1 file changed, 3 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
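The selection problem the quoted commit message describes, as an added illustration that is not part of the thread and not libvirt's own firmware-matching code: a toy model of feature-based firmware auto-selection over QEMU-style firmware descriptors. The three descriptors are constructed for this example (their descriptions, feature lists and executable paths are made up, though the "features" field mirrors the layout of the descriptor format QEMU documents in docs/interop/firmware.json). A feature the domain XML does not mention is treated as "don't care", which is exactly why a Confidential Computing build that simply omits enrolled-keys satisfies a request that only turns enrolled-keys off, and why adding secure-boot=on narrows the match to the general-purpose image. The parser accepts libvirt's documented spelling, enabled='yes'/'no', as well as the state='on'/'off' form used in the quoted snippet.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors for this example only. Real distro descriptors live
# under /usr/share/qemu/firmware/ and differ in names, paths and features.
DESCRIPTORS = [
    {
        "description": "ovmf-secboot-nokeys",        # general-purpose, Secure Boot capable, no keys enrolled
        "mapping": {"executable": "/hypothetical/OVMF_CODE.secboot.fd"},
        "features": ["secure-boot", "verbose-dynamic"],
    },
    {
        "description": "ovmf-secboot-ms-keys",       # general-purpose, keys enrolled -> enforcing
        "mapping": {"executable": "/hypothetical/OVMF_CODE.secboot.fd"},
        "features": ["secure-boot", "enrolled-keys", "verbose-dynamic"],
    },
    {
        "description": "ovmf-amdsev",                # Confidential Computing build: no enrolled-keys advertised
        "mapping": {"executable": "/hypothetical/OVMF.amdsev.fd"},
        "features": ["amd-sev", "verbose-dynamic"],
    },
]


def requested_features(os_xml: str) -> dict:
    """Parse <feature .../> elements under <os firmware='efi'><firmware>.

    Returns {feature_name: True (must be present) | False (must be absent)}.
    Features not listed are left out of the dict and therefore unconstrained.
    """
    root = ET.fromstring(os_xml)
    if root.tag != "os" or root.get("firmware") != "efi":
        raise ValueError("feature-based auto-selection applies to <os firmware='efi'> only")
    wanted = {}
    for feat in root.iter("feature"):
        name = feat.get("name")
        flag = feat.get("enabled") or feat.get("state")   # libvirt: enabled=; quoted snippet: state=
        if not name or flag not in ("yes", "no", "on", "off"):
            raise ValueError(f"malformed feature element: name={name!r} flag={flag!r}")
        wanted[name] = flag in ("yes", "on")
    return wanted


def matches(descriptor: dict, wanted: dict) -> bool:
    """A descriptor matches when every requested feature is present/absent as asked."""
    present = set(descriptor["features"])
    return all((name in present) == on for name, on in wanted.items())


def select_firmware(os_xml: str, descriptors=DESCRIPTORS) -> list:
    """Return the descriptions of all descriptors satisfying the domain's <os> block."""
    wanted = requested_features(os_xml)
    return [d["description"] for d in descriptors if matches(d, wanted)]


# Constructed domain fragments: the first is the under-specified form from the
# message, the second adds the explicit secure-boot request the docs change recommends.
KEYS_OFF_ONLY = """<os firmware='efi'>
  <firmware>
    <feature enabled='no' name='enrolled-keys'/>
  </firmware>
</os>"""

KEYS_OFF_SECBOOT_ON = """<os firmware='efi'>
  <firmware>
    <feature enabled='yes' name='secure-boot'/>
    <feature enabled='no' name='enrolled-keys'/>
  </firmware>
</os>"""

if __name__ == "__main__":
    for label, xml in (("enrolled-keys off only", KEYS_OFF_ONLY),
                       ("secure-boot on, enrolled-keys off", KEYS_OFF_SECBOOT_ON)):
        print(f"{label}: {select_firmware(xml)}")
```

Running the block shows the ambiguity the commit message is fixing: the first fragment matches both the general-purpose no-keys image and the Confidential Computing build, while the second matches only the general-purpose image, so Secure Boot is supported but not enforced and the intended firmware is the one picked.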