Commit Graph

4 Commits

Author SHA1 Message Date
Andrea Bolognani
550bf7682d kbase: Document how to disable Secure Boot entirely
In most cases, disabling the secure-boot or the enrolled-keys
firmware feature will achieve the same result: allowing an
unsigned operating system to run.

Right now we're only documenting the latter configuration. Add
the former as well, and explain the difference between the two.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2022-08-04 14:39:18 +02:00
Andrea Bolognani
18249f278a kbase: Always explicitly enable secure-boot firmware feature
It should be enough to enable or disable the enrolled-keys feature
to control whether Secure Boot is enforced, but there's a slight
complication: many distro packages for edk2 include, in addition
to general purpose firmware images, builds that are targeting the
Confidential Computing use case.

For those, the firmware descriptor will not advertise the
enrolled-keys feature, which will technically make them suitable
for satisfying a configuration such as

  <os firmware='efi'>
    <firmware>
      <feature state='off' name='enrolled-keys'/>
    </firmware>
  </os>

In practice, users will expect the general purpose build to be
used in this case. Explicitly asking for the secure-boot feature
to be enabled achieves that result at the cost of some slight
additional verbosity.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2022-08-04 14:39:11 +02:00
Tim Wiederhake
58e6bb8be8 Fix spelling
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
2022-07-04 10:07:47 +02:00
Andrea Bolognani
7d285059f4 docs: Add kbase page for Secure Boot
Provide simple recipes for the most common high-level tasks.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2022-07-01 15:10:43 +02:00