On Fri, Jun 16, 2023 at 12:51:55AM +0400, Joursoir wrote:
> +cc to maintainers
> 
> On Sat, 3 Jun 2023 01:44:40 +0400
> "Joursoir" <c...@joursoir.net> wrote:
> 
> > Add the new section for Secure Boot.
> > 
> > Signed-off-by: Alexander Goncharov <c...@joursoir.net>
> > ---
> >  OvmfPkg/README | 36 ++++++++++++++++++++++++++++++++++++
> >  1 file changed, 36 insertions(+)
> > 
> > diff --git a/OvmfPkg/README b/OvmfPkg/README
> > index 0a408abf01..e106e19818 100644
> > --- a/OvmfPkg/README
> > +++ b/OvmfPkg/README
> > @@ -120,6 +120,42 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom
> > /path/to/disk-image.iso To build a 32-bit OVMF without debug messages
> > using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
> >  
> > +=== Secure Boot ===
> > +
> > +Secure Boot is a security feature that ensures only trusted and
> > digitally +signed software is allowed to run during the boot process.
> > +
> > +* In order to support Secure Boot, OVMF must be built with the
> > +  "-D SECURE_BOOT_ENABLE" option.

Also note that you need either a read-only varstore or SMM support,
otherwise it is trivial to bypass secure boot by writing directly to
flash varstore.

> > +* By default, OVMF is not shipped with any SecureBoot keys installed.
> > The user
> > +  need to install them with "Secure Boot Configuration" utility in
> > the firmware
> > +  UI, or enroll the default UEFI keys using the
> > OvmfPkg/EnrollDefaultKeys app. +
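Review bot: the first bullet presents "-D SECURE_BOOT_ENABLE" as the only requirement, but as noted in the reply above the variable store also has to be protected (a read-only varstore or SMM support), otherwise the Secure Boot policy is defeated by writing the flash varstore directly; suggest a further bullet stating that the build define alone is not sufficient and pointing at those two varstore protection options. In the second bullet, "The user need to install them" should read "The user needs to install them", and "SecureBoot keys" should be spelled "Secure Boot keys" to match the section heading.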

Alternatively use https://gitlab.com/kraxel/virt-firmware

take care,
  Gerd

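The varstore point raised in the reply above (a read-only varstore or SMM, otherwise writing the flash varstore bypasses Secure Boot) can be turned into a launch-configuration check. The following is an added example, not code from the patch, from OVMF or from this mail: it audits a QEMU command line and assumes the conventional layout in which the OVMF CODE image is pflash unit 0 and the VARS image is pflash unit 1. The sample command lines and file names are constructed. The `-D SMM_REQUIRE` build define, `-machine q35,smm=on` and `-global driver=cfi.pflash01,property=secure,value=on` are real OVMF/QEMU settings; a command line cannot show whether the firmware image itself was built with SMM_REQUIRE, so that stays a build-side check.

```shell
#!/bin/sh
# Added example (not from the patch, OVMF or this thread): audit a QEMU
# command line for varstore protection.  With -D SECURE_BOOT_ENABLE alone,
# PK/KEK/db live in a guest-writable pflash image and the firmware's policy
# can be rewritten by writing that image.  Accepted protections here:
#   (a) the VARS pflash is attached readonly=on (keys enrolled beforehand,
#       e.g. with EnrollDefaultKeys or the virt-firmware tools), or
#   (b) SMM is on (-machine ...,smm=on) AND the pflash is marked secure
#       (-global driver=cfi.pflash01,property=secure,value=on), so only
#       SMM code can write it.  This also needs OVMF built with
#       -D SMM_REQUIRE, which a command line cannot show.
# Assumption: CODE is pflash unit=0 and VARS is pflash unit=1 (OVMF convention).

# Split a command line into whitespace-separated tokens, one per line.
tokens() {
    printf '%s\n' "$1" | tr ' ' '\n'
}

# Print the token that follows the given option (e.g. -machine), if any.
opt_value() {
    tokens "$2" | awk -v opt="$1" '$0 == opt { getline; print; exit }'
}

# Returns 0 if the varstore is protected, 1 if it is writable and unprotected.
varstore_protected() {
    cmdline="$1"
    vars_drive=$(tokens "$cmdline" | grep 'if=pflash' | grep 'unit=1' | head -n 1)
    machine=$(opt_value -machine "$cmdline")

    case "$vars_drive" in
        *readonly=on*)
            echo "ok: VARS pflash is read-only (keys must be enrolled offline)"
            return 0 ;;
    esac

    case "$machine" in
        *smm=on*)
            if tokens "$cmdline" | grep 'driver=cfi.pflash01' | grep 'property=secure' | grep -q 'value=on'; then
                echo "ok: SMM on and pflash secure=on (firmware must be built with -D SMM_REQUIRE)"
                return 0
            fi
            echo "WEAK: smm=on but pflash lacks property=secure,value=on; flash still writable outside SMM"
            return 1 ;;
    esac

    echo "WEAK: writable VARS pflash and no SMM; Secure Boot variables are not protected"
    return 1
}

# Constructed sample command lines (file names are placeholders).
WEAK='qemu-system-x86_64 -machine q35 -drive if=pflash,format=raw,unit=0,readonly=on,file=OVMF_CODE.secboot.fd -drive if=pflash,format=raw,unit=1,file=OVMF_VARS.fd -cdrom disk.iso'
SMM_ONLY='qemu-system-x86_64 -machine q35,smm=on -drive if=pflash,format=raw,unit=0,readonly=on,file=OVMF_CODE.secboot.fd -drive if=pflash,format=raw,unit=1,file=OVMF_VARS.fd -cdrom disk.iso'
SMM_SECURE='qemu-system-x86_64 -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,readonly=on,file=OVMF_CODE.secboot.fd -drive if=pflash,format=raw,unit=1,file=OVMF_VARS.fd -cdrom disk.iso'
RO_VARS='qemu-system-x86_64 -machine q35 -drive if=pflash,format=raw,unit=0,readonly=on,file=OVMF_CODE.secboot.fd -drive if=pflash,format=raw,unit=1,readonly=on,file=OVMF_VARS.enrolled.fd -cdrom disk.iso'

for c in "$WEAK" "$SMM_ONLY" "$SMM_SECURE" "$RO_VARS"; do
    varstore_protected "$c" || true
done
```

The read-only branch trades away persistence: with the VARS image attached read-only the guest cannot store any UEFI variables (boot entries included), which is why the keys have to be enrolled into the image beforehand. The SMM branch keeps variables writable but only through the SMM variable driver, so it is only meaningful with a firmware built with `-D SMM_REQUIRE`.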


View/Reply Online (#106167): https://edk2.groups.io/g/devel/message/106167