ovmf does not contain secureboot firmware

  • Open
  • quality assurance status badge
Details
One participant
  • Tomas Volf
Owner
unassigned
Submitted by
Tomas Volf
Severity
normal
T
T
Tomas Volf wrote on 6 Jan 14:45 +0100
(address . bug-guix@gnu.org)
ZZlZbUOr1BGtKJ0q@ws
Hello,

looking at the ovmf package, is seems that it does not contain files required
for secureboot. When I compare what Archlinux ships:

usr/share/edk2/ia32/OVMF.4m.fd
usr/share/edk2/ia32/OVMF.fd
usr/share/edk2/ia32/OVMF_CODE.4m.fd
usr/share/edk2/ia32/OVMF_CODE.csm.4m.fd
usr/share/edk2/ia32/OVMF_CODE.csm.fd
usr/share/edk2/ia32/OVMF_CODE.fd
usr/share/edk2/ia32/OVMF_CODE.secboot.4m.fd
usr/share/edk2/ia32/OVMF_CODE.secboot.fd
usr/share/edk2/ia32/OVMF_VARS.4m.fd
usr/share/edk2/ia32/OVMF_VARS.fd
usr/share/edk2/x64/
usr/share/edk2/x64/MICROVM.4m.fd
usr/share/edk2/x64/MICROVM.fd
usr/share/edk2/x64/OVMF.4m.fd
usr/share/edk2/x64/OVMF.fd
usr/share/edk2/x64/OVMF_CODE.4m.fd
usr/share/edk2/x64/OVMF_CODE.csm.4m.fd
usr/share/edk2/x64/OVMF_CODE.csm.fd
usr/share/edk2/x64/OVMF_CODE.fd
usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
usr/share/edk2/x64/OVMF_CODE.secboot.fd
usr/share/edk2/x64/OVMF_VARS.4m.fd
usr/share/edk2/x64/OVMF_VARS.fd

with what we do:

/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_code_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_code_x64.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_vars_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_vars_x64.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_x64.bin

There seem to be some files missing. The secboot would be useful, but the csm
might be as well.

I tried to make a patch to build multiple firmwares, however due to how other
packages inherit from it, it was quite messy. I wonder if having just a single
ovmf package would simplify things. The size bloat from merging them
seems... negligible. At least for the QEMU use case.

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEt4NJs4wUfTYpiGikL7/ufbZ/wakFAmWZWW0ACgkQL7/ufbZ/
wamBTg/9GU5OHRT+tx+Eb6LKgsdWJtZYQ/N/5+UkKCUgQ7CLEbEkmEGnDVdXZUjo
2QnMTEgqnCVVDk2ipFjVEeJS9ln+X32rKdmSeIwMHhvjIAejpRg7rchaW0ZMiloz
vLSw3CEc23vc3kCzfhPrSI8JAB+oVhGzeMpzk46voPHJ58zr01FCtKRmWUA0NYFz
NOY9oj0Iyzd8CUZtBQwPZXRYR32iM/PFR8hBuSGygHf7YEk6SS8SK2p4cSqJtJet
eqH4kw9oEftHirdDrUaVvmQAzZsOpLSe6m6hkbR2OBcH3glx9NBVUYyGsQ09Uj4F
j+7R31fywBaAxW4zz4lDySQ59bukdCMsmnCeDlR4ggjLU0S7sUl6E40BGgodwC7H
k0Mp3e5ZIAf5GJl0a41L80UdgqywyUiVjrofSORvk4Kg95y83YxADVZe351pxRed
g96lfTtwhk2/x65dlmtQlLmJts0UitsxNKQe+faeyBR26XsaDdCzAl+v2mThQyLu
6lNzBLNDW5HM9mZ+8eipQYWUJG6ziQpbl5D/3EogApRpGn5sApcNRw27wZcakxpf
N4JjTcziv4MgXaqtsKn+7PHRBUVgI0syLbpnqZ57XDYbEI4US4us3xjjOWRcb1Is
HzfD7QHqciS+CSQA3Zk4NXwRGY1h/GSf6085Ar633n0REiOxyFU=
=w+3B
-----END PGP SIGNATURE-----


?