* [PATCH edk2-firmware 1/4] d/rules: use dedicated install dir for AAVMF build
2026-05-20 14:20 [PATCH edk2-firmware/qemu-server/manager 0/4] ovmf: support pre-enrolled-keys for ARM EFI disks Fiona Ebner
@ 2026-05-20 14:20 ` Fiona Ebner
2026-05-20 14:20 ` [PATCH edk2-firmware 2/4] d/{rules,install}: build secureboot-enabled image for aarch64 Fiona Ebner
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2026-05-20 14:20 UTC
To: pve-devel
Better aligns it with the x86 builds and in preparation for adding a
secureboot CODE image, which requires a secondary build, so moving the
build targets out of the way.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/rules | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/debian/rules b/debian/rules
index 044071cf90..90a4f6a5cc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -102,15 +102,14 @@ OVMF_TDX_PREENROLLED_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.
QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+AAVMF_INSTALL_DIR = debian/aavmf-install
AAVMF_BUILD_ROOT = Build/ArmVirtQemu-AARCH64
AAVMF_BUILD_DIR = $(AAVMF_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
AAVMF_SHELL = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi
AAVMF_BINARIES = $(AAVMF_ENROLL) $(AAVMF_SHELL)
-AAVMF_CODE = $(AAVMF_BUILD_DIR)/FV/AAVMF_CODE.fd
-AAVMF_VARS = $(AAVMF_BUILD_DIR)/FV/AAVMF_VARS.fd
-AAVMF_IMAGES = $(AAVMF_CODE) $(AAVMF_VARS)
-AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
+AAVMF_IMAGES = $(addprefix $(AAVMF_INSTALL_DIR)/,AAVMF_CODE.fd AAVMF_VARS.fd)
+AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_INSTALL_DIR)/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
RISCV64_BUILD_ROOT = Build/RiscVVirtQemu
RISCV64_BUILD_DIR = $(RISCV64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
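Review bot: `AAVMF_INSTALL_DIR = debian/aavmf-install` introduces a directory under debian/ that the build creates, but nothing in this hunk ties it to the clean target; please make sure it is removed on `debian/rules clean` (for example by listing it in debian/clean), otherwise a stale `AAVMF_VARS.ms.fd` or `AAVMF_VARS.snakeoil.fd` from an earlier build can survive into the next packaging run. Since the same literal path has to be repeated by the .install file, a one-line comment above the variable noting that coupling would help whoever renames it later.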
@@ -203,10 +202,10 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
debian/PkKek-1-snakeoil.pem
%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
- $(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
+ $(call enroll_vendor,$(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd,$@,arm64)
%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
- $(call enroll_snakeoil,$(AAVMF_VARS),$@)
+ $(call enroll_snakeoil,$(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd,$@)
%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
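Review bot: in the two `%/AAVMF_VARS.*.fd` pattern rules the input is now hardcoded as `$(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd` while the declared prerequisite is the pattern `%/AAVMF_VARS.fd`; if either rule is ever matched for a different stem, the recipe silently enrolls keys into a file other than the one make thinks it depends on. Using the stem, `$(call enroll_vendor,$*/AAVMF_VARS.fd,$@,arm64)`, keeps recipe and prerequisite in sync; the existing OVMF rule in the context below has the same pattern and could be tidied the same way.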
@@ -227,23 +226,25 @@ BaseTools/Bin/GccLto/liblto-arm.a: BaseTools/Bin/GccLto/liblto-arm.s
$($(EDK2_TOOLCHAIN)_ARM_PREFIX)gcc -c -fpic $< -o $@
build-qemu-efi: debian/setup-build-stamp
+ rm -rf $(QEMU_EFI_INSTALL_DIR)
+ mkdir $(QEMU_EFI_INSTALL_DIR)
set -e; . ./edksetup.sh; \
build -a $(EDK2_HOST_ARCH) \
-t $(EDK2_TOOLCHAIN) \
-p ArmVirtPkg/ArmVirtQemu.dsc \
$(AAVMF_FLAGS) -b $(BUILD_TYPE)
- cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd \
- $(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd
- cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_VARS.fd \
- $(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_VARS.fd
# QEMU expects 64MiB CODE and VARS files on ARM/AARCH64 architectures
# Truncate the firmware files to the expected size
- truncate -s 64M $(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_CODE.fd
- truncate -s 64M $(QEMU_EFI_BUILD_DIR)/FV/$(FW_NAME)_VARS.fd
+ truncate -s 64M $(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd
+ truncate -s 64M $(QEMU_EFI_BUILD_DIR)/FV/QEMU_VARS.fd
+ cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd \
+ $(QEMU_EFI_INSTALL_DIR)/$(FW_NAME)_CODE.fd
+ cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_VARS.fd \
+ $(QEMU_EFI_INSTALL_DIR)/$(FW_NAME)_VARS.fd
build-qemu-efi-aarch64: $(AAVMF_BINARIES) $(AAVMF_IMAGES) $(AAVMF_PREENROLLED_VARS)
$(AAVMF_BINARIES) $(AAVMF_IMAGES): BaseTools/Bin/GccLto/liblto-aarch64.a
- $(MAKE) -f debian/rules build-qemu-efi EDK2_ARCH_DIR=AArch64 EDK2_HOST_ARCH=AARCH64 FW_NAME=AAVMF
+ $(MAKE) -f debian/rules build-qemu-efi EDK2_ARCH_DIR=AArch64 EDK2_HOST_ARCH=AARCH64 FW_NAME=AAVMF QEMU_EFI_INSTALL_DIR=$(AAVMF_INSTALL_DIR)
build-qemu-efi-riscv64: $(RISCV64_IMAGES)
$(RISCV64_IMAGES): debian/setup-build-stamp
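Review bot: `$(AAVMF_BINARIES) $(AAVMF_IMAGES): BaseTools/Bin/GccLto/liblto-aarch64.a` is a plain multi-target rule, so under `make -j` GNU make may start the `build-qemu-efi` recipe once per out-of-date target, and with the new `rm -rf $(QEMU_EFI_INSTALL_DIR)` at the head of that recipe concurrent runs would delete each other's output; declaring these as grouped targets (`&:`, GNU make 4.3+) or routing them through one stamp file avoids the race. The recipe also now assumes `QEMU_EFI_INSTALL_DIR` is set: with an empty value `rm -rf` does nothing and `mkdir` fails with a "missing operand" error that does not point at the real cause, so a guard such as `$(if $(QEMU_EFI_INSTALL_DIR),,$(error QEMU_EFI_INSTALL_DIR not set))` would make the failure obvious.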
--
2.47.3
* [PATCH edk2-firmware 2/4] d/{rules,install}: build secureboot-enabled image for aarch64
From: Fiona Ebner @ 2026-05-20 14:20 UTC
To: pve-devel
Previously, a second copy of the CODE image was shipped as
/usr/share/pve-edk2-firmware/aarch64/QEMU_EFI.fd, but this is not
used by qemu-server and it was not yet expanded to 64MiB so it
wouldn't even have worked with QEMU. Just drop it.
The BUILD_SHELL=FALSE flag is added for completeness. Not including
the shell is already guarded by edk2 commit f881b4d129 ("OvmfPkg: only
add shell to FV in case secure boot is disabled"), but it doesn't hurt
to be explicit and Debian does it too.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/pve-edk2-firmware-aarch64.install | 4 ++--
debian/rules | 14 ++++++++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/debian/pve-edk2-firmware-aarch64.install b/debian/pve-edk2-firmware-aarch64.install
index 22cb9eef27..dea6fc9fb3 100644
--- a/debian/pve-edk2-firmware-aarch64.install
+++ b/debian/pve-edk2-firmware-aarch64.install
@@ -1,2 +1,2 @@
-Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/QEMU_EFI.fd /usr/share/pve-edk2-firmware/aarch64
-Build/ArmVirtQemu-AARCH64/RELEASE_*GCC*/FV/AAVMF_*.fd /usr/share/pve-edk2-firmware
+debian/aavmf-install/AAVMF_CODE*.fd /usr/share/pve-edk2-firmware
+debian/aavmf-install/AAVMF_VARS*.fd /usr/share/pve-edk2-firmware
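Review bot: both new lines install into the same destination, and `AAVMF_CODE*.fd` is meant to pick up `AAVMF_CODE.secboot.fd` just as `AAVMF_VARS*.fd` picks up the `.ms` and `.snakeoil` variants; a single `debian/aavmf-install/AAVMF_*.fd` line would express that in the same style as the removed `AAVMF_*.fd` entry. If the split is deliberate, to make the two image kinds visible to a reader of the .install file, a short comment saying so would stop someone from merging them later.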
diff --git a/debian/rules b/debian/rules
index 90a4f6a5cc..8abc6a7d70 100755
--- a/debian/rules
+++ b/debian/rules
@@ -44,6 +44,7 @@ AAVMF_FLAGS = $(COMMON_FLAGS)
AAVMF_FLAGS += -DTPM2_ENABLE=TRUE
AAVMF_FLAGS += -DTPM2_CONFIG_ENABLE=TRUE
AAVMF_FLAGS += -DCAVIUM_ERRATUM_27456=TRUE
+AAVMF_SECBOOT_FLAGS = $(AAVMF_FLAGS) -DBUILD_SHELL=FALSE -DSECURE_BOOT_ENABLE=TRUE
RISCV64_FLAGS = $(COMMON_FLAGS)
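Review bot: `AAVMF_SECBOOT_FLAGS` deserves a comment explaining why `-DBUILD_SHELL=FALSE` accompanies `-DSECURE_BOOT_ENABLE=TRUE`: the UEFI shell lets unsigned code run from inside the firmware volume, so it has to stay out of the image that is supposed to enforce signature checks. The commit message cites an OvmfPkg commit for that guard, but this image is built from `ArmVirtPkg/ArmVirtQemu.dsc`, so the comment should state whether ArmVirtPkg applies the same guard or whether this flag is the only thing keeping the shell out of the secure-boot image.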
@@ -108,7 +109,7 @@ AAVMF_BUILD_DIR = $(AAVMF_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
AAVMF_SHELL = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi
AAVMF_BINARIES = $(AAVMF_ENROLL) $(AAVMF_SHELL)
-AAVMF_IMAGES = $(addprefix $(AAVMF_INSTALL_DIR)/,AAVMF_CODE.fd AAVMF_VARS.fd)
+AAVMF_IMAGES = $(addprefix $(AAVMF_INSTALL_DIR)/,AAVMF_CODE.fd AAVMF_CODE.secboot.fd AAVMF_VARS.fd)
AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_INSTALL_DIR)/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
RISCV64_BUILD_ROOT = Build/RiscVVirtQemu
@@ -201,7 +202,7 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
--add-db OvmfEnrollDefaultKeys \
debian/PkKek-1-snakeoil.pem
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.secboot.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
$(call enroll_vendor,$(AAVMF_INSTALL_DIR)/AAVMF_VARS.fd,$@,arm64)
%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
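Review bot: the `.ms` rule now orders itself after `%/AAVMF_CODE.secboot.fd`, but the `.snakeoil` rule in the context line below keeps `%/AAVMF_CODE.fd`; since `enroll_vendor` and `enroll_snakeoil` only read the VARS file, both CODE prerequisites are ordering-only, and the asymmetry looks unintentional. Either switch the snakeoil rule to the secboot image as well, mirroring the OVMF rules, or add a comment stating why the snakeoil variables are not tied to the secure-boot CODE image.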
@@ -241,6 +242,15 @@ build-qemu-efi: debian/setup-build-stamp
$(QEMU_EFI_INSTALL_DIR)/$(FW_NAME)_CODE.fd
cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_VARS.fd \
$(QEMU_EFI_INSTALL_DIR)/$(FW_NAME)_VARS.fd
+ rm -rf $(QEMU_EFI_BUILD_ROOT)
+ set -e; . ./edksetup.sh; \
+ build -a $(EDK2_HOST_ARCH) \
+ -t $(EDK2_TOOLCHAIN) \
+ -p ArmVirtPkg/ArmVirtQemu.dsc \
+ $(AAVMF_SECBOOT_FLAGS) -b $(BUILD_TYPE)
+ truncate -s 64M $(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd
+ cp $(QEMU_EFI_BUILD_DIR)/FV/QEMU_EFI.fd \
+ $(QEMU_EFI_INSTALL_DIR)/$(FW_NAME)_CODE.secboot.fd
build-qemu-efi-aarch64: $(AAVMF_BINARIES) $(AAVMF_IMAGES) $(AAVMF_PREENROLLED_VARS)
$(AAVMF_BINARIES) $(AAVMF_IMAGES): BaseTools/Bin/GccLto/liblto-aarch64.a
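Review bot: `rm -rf $(QEMU_EFI_BUILD_ROOT)` wipes the first build's tree, including `AARCH64/Shell.efi` and `AARCH64/EnrollDefaultKeys.efi`, which `AAVMF_SHELL` and `AAVMF_ENROLL` point at and which the `%/AAVMF_VARS.*.fd` rules list as prerequisites; with `-DBUILD_SHELL=FALSE` on the second build it is not obvious that `Shell.efi` is produced again, so please verify that the enroll rules still find both files, or copy the two binaries into `$(QEMU_EFI_INSTALL_DIR)` after the first build and point the variables there. A comment marking the second `build` block as the secure-boot pass would also help readers tell the two near-identical blocks apart.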
--
2.47.3
* [PATCH qemu-server 3/4] ovmf: honor pre-enrolled-keys setting for aarch64
From: Fiona Ebner @ 2026-05-20 14:20 UTC
To: pve-devel
pve-edk2-firmware-aarch64 <= 4.2025.05-2 did not ship the
secure-boot-enabled CODE image yet. If it is present, honor the
pre-enrolled-keys option for the EFI drive. If it does not exist,
because it's a too old version, fall back to the old behavior, but
warn the user.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer/OVMF.pm | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 7a765fad..1b625e33 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -49,6 +49,9 @@ my $OVMF = {
],
},
aarch64 => {
+ ms => [
+ "$EDK2_FW_BASE/AAVMF_CODE.secboot.fd", "$EDK2_FW_BASE/AAVMF_VARS.ms.fd",
+ ],
default => [
"$EDK2_FW_BASE/AAVMF_CODE.fd", "$EDK2_FW_BASE/AAVMF_VARS.fd",
],
@@ -83,6 +86,21 @@ my sub get_ovmf_files($$$$) {
} else {
# TODO: log_warn about use of legacy images for x86_64 with Promxox VE 9
}
+ } elsif ($arch eq 'aarch64') {
+ if ($efidisk->{'pre-enrolled-keys'}) {
+ # FIXME: MAJOR VERSION: drop this check and expect that the secure-boot-enabled CODE
+ # image is present. pve-edk2-firmware-aarch64 <= 4.2025.05-2 didn't ship it.
+ if (file_exists("$EDK2_FW_BASE/AAVMF_CODE.secboot.fd")) {
+ $type = 'ms';
+ } else {
+ log_warn(
+ "requested EFI image with pre-enrolled-keys, but ignoring because"
+ . " $EDK2_FW_BASE/AAVMF_CODE.secboot.fd' file is missing - check that"
+ . " pve-edk2-firmware-aarch64 is correctly installed with version > 4.2025.05-2"
+ );
+ delete($efidisk->{'pre-enrolled-keys'});
+ }
+ }
}
my ($ovmf_code, $ovmf_vars) = $types->{$type}->@*;
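Review bot: the `log_warn` string has an unbalanced quote, `" $EDK2_FW_BASE/AAVMF_CODE.secboot.fd' file is missing`, so the message prints a stray `'`; drop it or quote both sides. The same path is repeated from the `ms` table entry added in the hunk above; taking it from `$OVMF->{aarch64}->{ms}->[0]` would give the check and the table a single source of truth. Also, `delete($efidisk->{'pre-enrolled-keys'})` modifies the caller's hash in place; if that hash is ever written back, the user's setting is dropped rather than merely ignored for this start, so a comment confirming that this is intended (or working on a copy) would be good. Minor: the pre-existing comment in the context line above still reads `Promxox`.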
--
2.47.3
* [PATCH manager 4/4] ui: qemu: hardware edit: create EFI disk via asynchronous API
From: Fiona Ebner @ 2026-05-20 14:20 UTC
To: pve-devel
Specifying a backgroundDelay aligns the EFI edit panel with the panel
for regular drives and makes the input panel use a POST method for the
API request. Otherwise, task warnings from the operation are not
visible and since the EFI disk needs to be copied to the target
storage, IO is involved, so in principle, the operation might take a
while in certain situations.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
www/manager6/qemu/HDEfi.js | 1 +
1 file changed, 1 insertion(+)
diff --git a/www/manager6/qemu/HDEfi.js b/www/manager6/qemu/HDEfi.js
index 1ae63add..14a64fc0 100644
--- a/www/manager6/qemu/HDEfi.js
+++ b/www/manager6/qemu/HDEfi.js
@@ -94,6 +94,7 @@ Ext.define('PVE.qemu.EFIDiskEdit', {
extend: 'Proxmox.window.Edit',
isAdd: true,
+ backgroundDelay: 5,
subject: gettext('EFI Disk'),
width: 450,
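Review bot: `backgroundDelay: 5` on its own does not tell a reader why this dialog is now treated as a background task; a short comment next to the property (EFI disk creation copies the image to the target storage and is submitted as a task so its warnings become visible, per the commit message) would save a trip to the git log. Please also double check that the create endpoint this panel submits to returns a task UPID, so that the task viewer the delay implies actually has something to follow.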
--
2.47.3