kbase: Always explicitly enable secure-boot firmware feature

It should be enough to enable or disable the enrolled-keys feature to control whether Secure Boot is enforced, but there's a slight complication: many distro packages for edk2 include, in addition to general purpose firmware images, builds that are targeting the Confidential Computing use case. For those, the firmware descriptor will not advertise the enrolled-keys feature, which will technically make them suitable for satisfying a configuration such as <os firmware='efi'> <firmware> <feature state='off' name='enrolled-keys'/> </firmware> </os> In practice, users will expect the general purpose build to be used in this case. Explicitly asking for the secure-boot feature to be enabled achieves that result at the cost of some slight additional verbosity. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2025-01-30 16:35:24 +00:00 · 2022-08-03 18:07:12 +02:00 · 2022-08-03 18:07:12 +02:00 · 18249f278a
commit 18249f278a
parent 155416ed77
1 changed files with 3 additions and 0 deletions
--- a/docs/kbase/secureboot.rst
+++ b/docs/kbase/secureboot.rst
@ -14,6 +14,7 @@ ask for Secure Boot to be enabled with

  <os firmware='efi'>
    <firmware>
+      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>
@ -24,6 +25,7 @@ and for it to be disabled with

  <os firmware='efi'>
    <firmware>
+      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='no' name='enrolled-keys'/>
    </firmware>
  </os>
@ -44,6 +46,7 @@ snippet:
  <os firmware='efi'>
    <loader secure='yes'/>
    <firmware>
+      <feature enabled='yes' name='secure-boot'/>
      <feature enabled='yes' name='enrolled-keys'/>
    </firmware>
  </os>