Hi Daniel,

On 08/02/2023 11:30, Daniel P. Berrangé wrote:
> On Tue, Feb 07, 2023 at 08:41:16AM +0000, Dov Murik wrote:
>> Recent feature to supply RNG seed to the guest kernel modifies the
>> kernel command-line by adding extra data at its end; this breaks
>> measured boot with SEV and OVMF, and possibly signed boot.
>
> I presume you mean whether it impacts SecureBoot when using
> -kernel with OVMF, but without SEV ?
>
> IIRC, today OVMF ignores SecureBoot failures when using -kernel,
> but we shouldn't make an assumption of that being the case on
> the QEMU side.
>

hmm, I'm not sure. James mentioned something about Fedora attempting to
ship a unified signed kernel+cmdline+initrd package (and this RNG seed
addition to the cmdline will interfere), but maybe I'm confusing other
matters.

-Dov