FS#71383 - [edk2-ovmf] Package Missing Secboot EFI VAR File

Attached to Project: Arch Linux
Opened by Shane Francis (BuzzBumbleBee) - Monday, 28 June 2021, 13:18 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:16 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Anatol Pomozov (anatolik), David Runge (dvzrv)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 6
Private: No

Details

Other distros supply EFI variable files that include a default secure boot keychain, for example:

Ubuntu:
OVMF_VARS.fd
OVMF_VARS.ms.fd (MS secure boot)

Fedora:
OVMF_VARS.fd
OVMF_VARS.secboot.fd


Currently on Arch this means that anyone making use of the "OVMF_CODE.secboot.fd" loader will need to manually import / set up the secure boot keychain.


Current Arch edk2-ovmf file list for x64:


usr/share/edk2-ovmf/x64/OVMF.fd
usr/share/edk2-ovmf/x64/OVMF_CODE.fd
usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd
usr/share/edk2-ovmf/x64/OVMF_VARS.fd

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:16 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/edk2/issues/1
Comment by Shane Francis (BuzzBumbleBee) - Monday, 28 June 2021, 13:20 GMT
Gentoo Linux also has the file:

/usr/share/edk2-ovmf/OVMF_CODE.fd
/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd
/usr/share/edk2-ovmf/OVMF_VARS.fd
/usr/share/edk2-ovmf/OVMF_VARS.secboot.fd
Comment by Morten Linderud (Foxboron) - Monday, 28 June 2021, 13:54 GMT
This is an addition Fedora and Ubuntu add based around this project: https://github.com/rhuefi/qemu-ovmf-secureboot

These files are not provided by the `edk2-ovmf` project, so they do not belong, strictly speaking.
Comment by David Runge (dvzrv) - Tuesday, 29 June 2021, 08:30 GMT
@BuzzBumbleBee: Thanks for the report.

Yes, these keys are currently missing and most downstream distributions add them to the package in some way.
Usually this does not only include the default Microsoft key but also the distribution's key. Unfortunately Arch Linux does not have one (yet) (see FS#53864).
Comment by Shane Francis (BuzzBumbleBee) - Tuesday, 29 June 2021, 09:39 GMT
That makes sense, I'll write up how to build / import the secure boot keychain and put it on the wiki for now.
Comment by Alexander Epaneshnikov (alex19EP) - Thursday, 23 September 2021, 02:50 GMT
Hello @BuzzBumbleBee, did you write a wiki article?
Comment by David Runge (dvzrv) - Sunday, 27 November 2022, 16:29 GMT
@BuzzBumbleBee: I have added virt-firmware to the repositories so we'll have an easier time enrolling the required certificates in the packaging process.

I'll look into that in the coming weeks.
Comment by Toolybird (Toolybird) - Friday, 05 May 2023, 21:14 GMT
Dupe  FS#78419 
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.