public inbox for pve-devel@lists.proxmox.com
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu-server 3/4] ovmf: honor pre-enrolled-keys setting for aarch64
Date: Wed, 20 May 2026 16:20:34 +0200
Message-ID: <20260520142044.502304-4-f.ebner@proxmox.com>
In-Reply-To: <20260520142044.502304-1-f.ebner@proxmox.com>

pve-edk2-firmware-aarch64 <= 4.2025.05-2 did not ship the
secure-boot-enabled CODE image yet. If it is present, honor the
pre-enrolled-keys option for the EFI drive. If it does not exist,
because the version is too old, fall back to the old behavior, but
warn the user.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer/OVMF.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 7a765fad..1b625e33 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -49,6 +49,9 @@ my $OVMF = {
         ],
     },
     aarch64 => {
+        ms => [
+            "$EDK2_FW_BASE/AAVMF_CODE.secboot.fd", "$EDK2_FW_BASE/AAVMF_VARS.ms.fd",
+        ],
         default => [
             "$EDK2_FW_BASE/AAVMF_CODE.fd", "$EDK2_FW_BASE/AAVMF_VARS.fd",
         ],
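Review bot: the new `ms` entry pairs `AAVMF_CODE.secboot.fd` with `AAVMF_VARS.ms.fd`, but the existence check added in `get_ovmf_files` below only tests for the CODE image. If a firmware build ever ships one file without the other, the lookup `$types->{$type}->@*` would hand QEMU a missing VARS template path. Consider checking both paths (or documenting in the comment that the two files are shipped together by the same package version) so the fallback covers the whole pair.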
@@ -83,6 +86,21 @@ my sub get_ovmf_files($$$$) {
         } else {
             # TODO: log_warn about use of legacy images for x86_64 with Promxox VE 9
         }
+    } elsif ($arch eq 'aarch64') {
+        if ($efidisk->{'pre-enrolled-keys'}) {
+            # FIXME: MAJOR VERSION: drop this check and expect that the secure-boot-enabled CODE
+            # image is present. pve-edk2-firmware-aarch64 <= 4.2025.05-2 didn't ship it.
+            if (file_exists("$EDK2_FW_BASE/AAVMF_CODE.secboot.fd")) {
+                $type = 'ms';
+            } else {
+                log_warn(
+                    "requested EFI image with pre-enrolled-keys, but ignoring because"
+                    . " $EDK2_FW_BASE/AAVMF_CODE.secboot.fd' file is missing - check that"
+                    . " pve-edk2-firmware-aarch64 is correctly installed with version > 4.2025.05-2"
+                );
+                delete($efidisk->{'pre-enrolled-keys'});
+            }
+        }
     }
 
     my ($ovmf_code, $ovmf_vars) = $types->{$type}->@*;
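Review bot: the warning text in the `log_warn` call has an unbalanced quote: `" $EDK2_FW_BASE/AAVMF_CODE.secboot.fd' file is missing - check that"` closes a single quote that was never opened, so the user sees `…secboot.fd' file is missing`. Either drop the stray `'` or wrap the path as `'$EDK2_FW_BASE/AAVMF_CODE.secboot.fd'`. Two smaller points on the same branch: `delete($efidisk->{'pre-enrolled-keys'})` mutates the caller's hash as a side effect of a lookup function, which is worth a comment stating that this is intentional so later code (for example the VARS template selection) sees the downgraded setting consistently; and the pre-existing context comment still reads "Promxox VE 9", which could be fixed in passing.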
-- 
2.47.3