Hi, > > The chicken-and-egg problem arises if you go for hashing and want embed > > the igvm file in the UKI. > > I don't really see how signing the IGVM file for secure boot helps anything.
It doesn't help indeed. This comes from the original idea by Alex to simply add a firmware image to the UKI. In that case the firmware is covered by the signature / hash, even though it is not needed. Quite the contrary, it complicates things when we want ship db/dbx in the firmware image. So most likely the firmware will not be part of the main UKI. Options for alternatives are using UKI add-ons, or simply ship a plain igvm file. Details need to be sorted out (but they don't matter for the vmfwupdate interface design). > Do you need the UEFI_APPLICATION that uses the vmfwupdate interface to > be signed for secure boot? Seems unnecessary. Agree. take care, Gerd
