From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 297631FF179 for ; Wed, 12 Nov 2025 15:47:21 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 62E3170C2; Wed, 12 Nov 2025 15:48:06 +0100 (CET) Message-ID: <56e09334-ea26-437a-960c-4ec257a5d432@proxmox.com> Date: Wed, 12 Nov 2025 15:48:03 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Fiona Ebner To: Proxmox VE development discussion , Anton Iacobaeus References: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> Content-Language: en-US In-Reply-To: X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1762958858273 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.019 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Am 12.11.25 um 2:48 PM schrieb Fiona Ebner: > I did not go ahead with applying the edk2 patches yet, because I got a > question: Don't we want to enroll the Microsoft and distro keys for the > image? Debian upstream added TDX support just a few days ago and they > enroll the Microsoft and distro keys and even dropped the variant > without pre-enrolled keys [1] that was part of the initial merge. The > changes [0] include an "enroll_vendor" helper so we could use that and > get an OVMF_TDX_4M.ms.fd image. > > What do you think? My proposal to add on top: > diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install > index 22186563bb..cd5313bb0d 100644 > --- a/debian/pve-edk2-firmware-ovmf.install > +++ b/debian/pve-edk2-firmware-ovmf.install > @@ -3,7 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware > debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware > -debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware > +debian/ovmf-tdx-install/OVMF_TDX_4M.ms.fd /usr/share/pve-edk2-firmware > debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware > debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware > debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware > diff --git a/debian/rules b/debian/rules > index 9def34d267..044071cf90 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -95,8 +95,10 @@ OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install > OVMF_TDX_BUILD_ROOT = Build/IntelTdx > OVMF_TDX_BUILD_DIR = $(OVMF_TDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN) (Note that I already split the above to follow commit "16bb13da3d debian/rules: Define *_BUILD_ROOT variables" that was picked up from Debian). > OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi > +OVMF_TDX_ENROLL = $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi > OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL) > OVMF_TDX_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd) > +OVMF_TDX_PREENROLLED_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.ms.fd) > > QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH) > QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN) > @@ -145,7 +147,7 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp > cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \ > $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd > > -build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) > +build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) $(OVMF_TDX_PREENROLLED_IMAGES) > $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp > rm -rf $(OVMF_TDX_INSTALL_DIR) > mkdir $(OVMF_TDX_INSTALL_DIR) > @@ -215,6 +217,9 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \ > %/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL) > $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@) > > +%/OVMF_TDX_4M.ms.fd: %/OVMF_TDX_4M.fd debian/PkKek-1-vendor.pem $(OVMF_TDX_ENROLL) $(OVMF_TDX_SHELL) > + $(call enroll_vendor,$(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd,$@,amd64) > + > BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s > $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@ > Let me know if this looks good to you or if you prefer something else :) Best Regards, Fiona _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel