From patchwork Fri Oct 11 01:01:09 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Luis Chamberlain
X-Patchwork-Id: 13831713
From: Luis Chamberlain
To: kdevops@lists.linux.dev, ross@kallisti.us
Cc: mcgrof@kernel.org
Subject: [PATCH kdevops 2/4] guestfs: fix uefi boot for debian trixie
Date: Thu, 10 Oct 2024 18:01:09 -0700
Message-ID: <20241011010111.3543993-3-mcgrof@kernel.org>
In-Reply-To: <20241011010111.3543993-1-mcgrof@kernel.org>
References: <20241011010111.3543993-1-mcgrof@kernel.org>
X-Mailing-List: kdevops@lists.linux.dev

When UEFI boot is needed on an image we should disable secure boot as we're doing kernel hacking and want to make kernel building and booting fast & furious. Doing kernel signing is tedious for CI testing of kernels when doing kernel hacking. If folks want to add support later for it, they can but let's not break kernel hacking.

Without this we fail to boot custom kernels with:

  Bad shim signature

The reason is secure boot is enabled.

When readonly is not specified, the guest operating system may be able to modify the firmware during runtime. This is usually not desirable for UEFI binaries, so explicitly set readonly='yes' to protect the integrity of the firmware.

Only debian trixie selects guestfs_requires_uefi so that's the only distribution we're fixing here. This should not regress anything otherwise.

Signed-off-by: Luis Chamberlain

--- playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml index dd2e7d39097c..adaba9188767 100644 --- a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml +++ b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml @@ -6,7 +6,7 @@ {% if guestfs_requires_uefi %} hvm - + {% else %}
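
Review bot: the changed line sits directly under `{% if guestfs_requires_uefi %}`, so secure boot is turned off for every guest that selects that option, not only Debian trixie, and nothing in the template records why. The commit message notes that trixie is the only current user; a distribution that later selects guestfs_requires_uefi would silently inherit the same setting. Consider gating the secure boot setting on its own option, so that signed-kernel testing can be added later without reworking this branch, and add a Jinja comment above the changed line saying that secure boot is off to allow unsigned custom kernels and that readonly='yes' keeps the guest from modifying the firmware image. The message also describes two changes (disabling secure boot and setting readonly='yes') carried by a single changed line; a sentence in the message on whether readonly was previously unset would make that easier to verify.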