FS#71383 - [edk2-ovmf] Package Missing Secboot EFI VAR File

Attached to Project: Arch Linux
Opened by Shane Francis (BuzzBumbleBee) - Monday, 28 June 2021, 13:18 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 29 June 2021, 06:31 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Anatol Pomozov (anatolik), David Runge (dvzrv)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 3
Private: No

Details

Other distros supply EFI variable files that include a default secure boot keychain, for example:

Ubuntu:
OVMF_VARS.fd
OVMF_VARS.ms.fd (MS secure boot)

Fedora:
OVMF_VARS.fd
OVMF_VARS.secboot.fd


Currently on Arch this means that anyone making use of the "OVMF_CODE.secboot.fd" loader will need to manually import / set up the secure boot keychain.


Current Arch edk2-ovmf file list for x64:


usr/share/edk2-ovmf/x64/OVMF.fd
usr/share/edk2-ovmf/x64/OVMF_CODE.fd
usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd
usr/share/edk2-ovmf/x64/OVMF_VARS.fd

Comment by Shane Francis (BuzzBumbleBee) - Monday, 28 June 2021, 13:20 GMT
Gentoo Linux also has the file:

/usr/share/edk2-ovmf/OVMF_CODE.fd
/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2-ovmf/OVMF_VARS.fd
/usr/share/edk2-ovmf/OVMF_VARS.secboot.fd
Comment by Morten Linderud (Foxboron) - Monday, 28 June 2021, 13:54 GMT
This is an addition Fedora and Ubuntu add, based around this project: https://github.com/rhuefi/qemu-ovmf-secureboot

These files are not provided by the `edk2-ovmf` project, so they do not belong, strictly speaking.
Comment by David Runge (dvzrv) - Tuesday, 29 June 2021, 08:30 GMT
@BuzzBumbleBee: Thanks for the report.

Yes, these keys are currently missing and most downstream distributions add them to the package in some way.
Usually this does not only include the default Microsoft key but also the distribution's key. Unfortunately Arch Linux does not have one (yet) (see FS#53864).
Comment by Shane Francis (BuzzBumbleBee) - Tuesday, 29 June 2021, 09:39 GMT
That makes sense, I'll write up how to build / import the secure boot keychain and put it on the wiki for now.
Comment by Alexander Epaneshnikov (alex19EP) - Thursday, 23 September 2021, 02:50 GMT
Hello @BuzzBumbleBee, did you write a wiki article?
