| Message ID | 20241011010111.3543993-3-mcgrof@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | kdevops: make trixie default | expand |
diff --git a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml index dd2e7d39097c..adaba9188767 100644 --- a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml +++ b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml @@ -6,7 +6,7 @@ {% if guestfs_requires_uefi %} <os firmware='efi'> <type arch='x86_64' machine='q35'>hvm</type> - <loader secure='yes'/> + <loader readonly='yes' secure='no'/> <boot dev='hd'/> </os> {% else %}
When UEFI boot is needed on an image we should disable secure boot as we're doing kernel hacking and want to make kernel building and booting fast & furious. Doing kernel signing is tedious for CI testing of kernels when doing kernel hacking. If folks want to add support later for it, they can but let's not break kernel hacking. Without this we fail to boot custom kernels with: Bad shim signature The reason is secure boot is enabled. When readonly is not specified, the guest operating system may be able to modify the firmware during runtime. This is usually not desirable for UEFI binaries, so explicitly set readonly='yes' to protect the integrity of the firmware. Only debian trixie selects guestfs_requires_uefi so that's the only distribution we're fixing here. This should not regress anything otherwise. Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> --- playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)