mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-12 21:05:48 +00:00
18249f278a
It should be enough to enable or disable the enrolled-keys feature
to control whether Secure Boot is enforced, but there's a slight
complication: many distro packages for edk2 include, in addition
to general purpose firmware images, builds that are targeting the
Confidential Computing use case.
For those, the firmware descriptor will not advertise the
enrolled-keys feature, which will technically make them suitable
for satisfying a configuration such as
<os firmware='efi'>
<firmware>
<feature state='off' name='enrolled-keys'/>
</firmware>
</os>
In practice, users will expect the general purpose build to be
used in this case. Explicitly asking for the secure-boot feature
to be enabled achieves that result at the cost of some slight
additional verbosity.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||
|---|---|---|
| .. | ||
| internals | ||
| backing_chains.rst | ||
| debuglogs.rst | ||
| domainstatecapture.rst | ||
| index.rst | ||
| kvm-realtime.rst | ||
| launch_security_sev.rst | ||
| live_full_disk_backup.rst | ||
| locking-lockd.rst | ||
| locking-sanlock.rst | ||
| locking.rst | ||
| memorydevices.rst | ||
| merging_disk_image_chains.rst | ||
| meson.build | ||
| qemu-core-dump.rst | ||
| qemu-passthrough-security.rst | ||
| rpm-deployment.rst | ||
| s390_protected_virt.rst | ||
| secureboot.rst | ||
| secureusage.rst | ||
| snapshots.rst | ||
| systemtap.rst | ||
| tlscerts.rst | ||
| virtiofs.rst | ||