From: Sam Leonard
Date: Mon, 15 Jan 2024 16:40:09 +0000 (+0000)
Subject: vmspawn: ignore firmwares with enrolled-keys by default
X-Git-Tag: v256-rc1~1138^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f2b492f5171706ea51f73efacc947930546097d;p=thirdparty%2Fsystemd.git
vmspawn: ignore firmwares with enrolled-keys by default
---
diff --git a/src/vmspawn/vmspawn-util.c b/src/vmspawn/vmspawn-util.c
index 6270b7ffae7..16ece318097 100644
--- a/src/vmspawn/vmspawn-util.c
+++ b/src/vmspawn/vmspawn-util.c
@@ -191,7 +191,12 @@ int find_ovmf_config(int search_sb, OvmfConfig **ret) {
 continue;
 }
- int sb_present = !!strv_find(fwd->features, "secure-boot");
+ if (strv_contains(fwd->features, "enrolled-keys")) {
+ log_debug("Skipping %s, firmware has enrolled keys which has been known to cause issues", *file);
+ continue;
+ }
+
+ bool sb_present = strv_contains(fwd->features, "secure-boot");
 /* exclude firmware which doesn't match our Secure Boot requirements */
 if (search_sb >= 0 && search_sb != sb_present) {
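Review bot: The new `enrolled-keys` skip runs before the Secure Boot filter and is unconditional in this hunk, so a caller passing `search_sb > 0` can only ever match firmware that advertises `secure-boot` but ships without enrolled keys. In the QEMU firmware descriptor format that combination presumably means the variable store starts in setup mode, i.e. Secure Boot is available but not enforcing until keys are enrolled, and nothing here tells the user that. I would document the trade-off at the skip, e.g. `/* Firmware with "enrolled-keys" is the only kind that boots with Secure Boot enforcing; skipping it means a "secure-boot" match below may still start in setup mode. */`, and have the debug message name the consequence instead of the vague "known to cause issues". The subject says "by default", but no override is visible in these lines; `find_ovmf_config` starts and ends outside the hunk, so an opt-in may exist elsewhere.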