ovmf does not contain secureboot firmware

  • Open
Details
One participant
  • Tomas Volf
Owner
unassigned
Submitted by
Tomas Volf
Severity
normal


Tomas Volf wrote 1 year ago
(address . bug-guix@gnu.org)
Hello,

looking at the ovmf package, it seems that it does not contain files required
for secureboot. When I compare what Archlinux ships:

usr/share/edk2/ia32/OVMF.4m.fd
usr/share/edk2/ia32/OVMF.fd
usr/share/edk2/ia32/OVMF_CODE.4m.fd
usr/share/edk2/ia32/OVMF_CODE.csm.4m.fd
usr/share/edk2/ia32/OVMF_CODE.csm.fd
usr/share/edk2/ia32/OVMF_CODE.fd
usr/share/edk2/ia32/OVMF_CODE.secboot.4m.fd
usr/share/edk2/ia32/OVMF_CODE.secboot.fd
usr/share/edk2/ia32/OVMF_VARS.4m.fd
usr/share/edk2/ia32/OVMF_VARS.fd
usr/share/edk2/x64/
usr/share/edk2/x64/MICROVM.4m.fd
usr/share/edk2/x64/MICROVM.fd
usr/share/edk2/x64/OVMF.4m.fd
usr/share/edk2/x64/OVMF.fd
usr/share/edk2/x64/OVMF_CODE.4m.fd
usr/share/edk2/x64/OVMF_CODE.csm.4m.fd
usr/share/edk2/x64/OVMF_CODE.csm.fd
usr/share/edk2/x64/OVMF_CODE.fd
usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
usr/share/edk2/x64/OVMF_CODE.secboot.fd
usr/share/edk2/x64/OVMF_VARS.4m.fd
usr/share/edk2/x64/OVMF_VARS.fd

with what we do:

/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_code_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_code_x64.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_vars_ia32.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_vars_x64.bin
/gnu/store/nqv29p1kz1lwc6g3rifyi5mrapcx97wf-ovmf-202308/share/firmware/ovmf_x64.bin

There seem to be some files missing. The secboot would be useful, but the csm
might be as well.

I tried to make a patch to build multiple firmwares, however due to how other
packages inherit from it, it was quite messy. I wonder if having just a single
ovmf package would simplify things. The size bloat from merging them
seems... negligible. At least for the QEMU use case.

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.



To comment on this conversation send an email to 68286@debbugs.gnu.org
