From 89538d347bf5a7c3d3652c58684c071d2f46602a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 5 Jul 2025 00:29:37 +0100
Subject: [PATCH] qemu: fix booting aarch64 with TPM2

EDK2 nowadays does provide secureboot for arm. Not only that, TPM2 support is only enabled in builds that enable secure boot, probably because it's all part of the TCG modules. Default to uefi_secure_boot on arm too, like x86. Also do not pass qemu x86-only configuration options that break booting arm.
---
 mkosi/qemu.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index c75fa5ba6..85b11eec1 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -702,7 +702,10 @@ def finalize_firmware(
 # At the moment there are no qemu firmware descriptions for non-x86 architectures that advertise
 # secure-boot support so let's default to no secure boot for non-x86 architectures.
- if config.architecture.is_x86_variant():
+ # Debian/Ubuntu however do ship those, so enable it there.
+ if config.architecture.is_x86_variant() or (
+ config.architecture.is_arm_variant() and config.distribution.is_apt_distribution()
+ ):
 return Firmware.uefi_secure_boot
 return Firmware.uefi
@@ -1313,7 +1316,8 @@ def run_qemu(args: Args, config: Config) -> None:
 ovmf_vars, ovmf_vars_format = finalize_firmware_variables(config, ovmf, stack)
 cmdline += ["-drive", f"file={ovmf_vars},if=pflash,format={ovmf_vars_format}"]
- if firmware == Firmware.uefi_secure_boot:
+ # These configurations break booting aarch64
+ if firmware == Firmware.uefi_secure_boot and not config.architecture.is_arm_variant():
 cmdline += [
 "-global", "ICH9-LPC.disable_s3=1",
 "-global", "driver=cfi.pflash01,property=secure,value=on",
--
2.47.3
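Review bot: The two comment lines kept above the condition still state that no non-x86 firmware descriptions advertise secure-boot support and that non-x86 defaults to no secure boot, which the added arm branch now contradicts; the appended `# Debian/Ubuntu however do ship those` line leaves the reader to reconcile them. The condition is also narrower than the commit message ("on arm too, like x86"): it requires `config.distribution.is_apt_distribution()`, and if `config.distribution` describes the image rather than wherever the qemu firmware descriptions are installed (not visible in this hunk), the default can select secure boot where no matching arm descriptor exists. Consider replacing the three comment lines with `# Default to secure boot only where firmware descriptions advertising it are known to be shipped: x86, and arm on Debian/Ubuntu.` and noting in the commit message that the arm default is apt-only. `finalize_firmware` begins above the hunk, so how a missing descriptor is handled cannot be checked here.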
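Review bot: The new guard on the `-global` options in `run_qemu` is a denylist, `not config.architecture.is_arm_variant()`, so any other non-x86 architecture that ends up with `Firmware.uefi_secure_boot` still receives the ICH9/pflash settings that the commit message itself calls x86-only; `if firmware == Firmware.uefi_secure_boot and config.architecture.is_x86_variant():` states the intent directly. The comment should also record what is lost: `driver=cfi.pflash01,property=secure,value=on` is, as far as I know, what confines writes to the variable-store flash to SMM on x86, so on arm the secure-boot variables are presumably writable by the guest OS unless an equivalent protection is configured elsewhere. Proposed comment: `# x86-only (ICH9/SMM) settings; on other architectures the varstore pflash is not write-protected from the guest here.` The `cmdline += [` list continues past the end of the hunk, so further entries in it are not visible in this review.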