public inbox for kdevops@lists.linux.dev
From: Luis Chamberlain <mcgrof@kernel.org>
To: kdevops@lists.linux.dev, ross@kallisti.us
Cc: mcgrof@kernel.org
Subject: [PATCH kdevops 2/4] guestfs: fix uefi boot for debian trixie
Date: Thu, 10 Oct 2024 18:01:09 -0700
Message-ID: <20241011010111.3543993-3-mcgrof@kernel.org>
In-Reply-To: <20241011010111.3543993-1-mcgrof@kernel.org>

When UEFI boot is needed on an image we should disable secure boot
as we're doing kernel hacking and want to make kernel building and
booting fast & furious. Doing kernel signing is tedious for CI testing
of kernels when doing kernel hacking. If folks want to add support
later for it, they can, but let's not break kernel hacking. Without
this we fail to boot custom kernels with:

Bad shim signature

The reason is secure boot is enabled.

When readonly is not specified, the guest operating system may be able
to modify the firmware during runtime. This is usually not desirable for
UEFI binaries, so explicitly set readonly='yes' to protect the
integrity of the firmware.

Only debian trixie selects guestfs_requires_uefi so that's the only
distribution we're fixing here. This should not regress anything
otherwise.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
index dd2e7d39097c..adaba9188767 100644
--- a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
+++ b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
@@ -6,7 +6,7 @@
 {% if guestfs_requires_uefi %}
   <os firmware='efi'>
      <type arch='x86_64' machine='q35'>hvm</type>
-     <loader secure='yes'/>
+     <loader readonly='yes' secure='no'/>
      <boot dev='hd'/>
   </os>
 {% else %}
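Review bot: the commit message credits readonly='yes' with protecting "the integrity of the firmware", but on the `<loader>` element that attribute only makes the firmware code image read-only; nothing in this hunk touches the UEFI variable store, and with `secure='no'` the guest is free to boot unsigned kernels and to change its own boot variables. Please state that trade-off plainly in the message (ephemeral CI guests running custom, unsigned kernels) so a later reader does not take `readonly='yes'` as a secure-boot substitute, and note that the `{% if guestfs_requires_uefi %}` branch is the only path affected, matching the claim that only trixie is touched.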
-- 
2.43.0

