From: Luca Boccassi Date: Fri, 4 Jul 2025 23:29:37 +0000 (+0100) Subject: qemu: fix booting aarch64 with TPM2 X-Git-Tag: v26~182^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89538d347bf5a7c3d3652c58684c071d2f46602a;p=thirdparty%2Fmkosi.git qemu: fix booting aarch64 with TPM2 EDK2 nowadays does provide secureboot for arm. Not only that, TPM2 support is only enabled in builds that enable secure boot, probably because it's all part of the TCG modules. Default to uefi_secure_boot on arm too, like x86. Also do not pass qemu x86-only configuration options that break booting arm.
---
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index c75fa5ba6..85b11eec1 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -702,7 +702,10 @@ def finalize_firmware(
 # At the moment there are no qemu firmware descriptions for non-x86 architectures that advertise
 # secure-boot support so let's default to no secure boot for non-x86 architectures.
- if config.architecture.is_x86_variant():
+ # Debian/Ubuntu however do ship those, so enable it there.
+ if config.architecture.is_x86_variant() or (
+ config.architecture.is_arm_variant() and config.distribution.is_apt_distribution()
+ ):
 return Firmware.uefi_secure_boot
 return Firmware.uefi
@@ -1313,7 +1316,8 @@ def run_qemu(args: Args, config: Config) -> None:
 ovmf_vars, ovmf_vars_format = finalize_firmware_variables(config, ovmf, stack)
 cmdline += ["-drive", f"file={ovmf_vars},if=pflash,format={ovmf_vars_format}"]
- if firmware == Firmware.uefi_secure_boot:
+ # These configurations break booting aarch64
+ if firmware == Firmware.uefi_secure_boot and not config.architecture.is_arm_variant():
 cmdline += [
 "-global", "ICH9-LPC.disable_s3=1",
 "-global", "driver=cfi.pflash01,property=secure,value=on",
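Review bot: The new arm branch in finalize_firmware keys the secure-boot default on `config.distribution.is_apt_distribution()`, which reads as the distribution of the image being built, while the added comment is about who ships the qemu firmware descriptions. If the firmware is resolved from the host or a tools tree (not visible in this hunk), a Debian image built elsewhere would presumably default to `Firmware.uefi_secure_boot` with no descriptor advertising it, so the check likely belongs on whatever supplies the firmware. The two context comment lines above still state that non-x86 defaults to no secure boot; I would rewrite them together with the new line, e.g. `# Default to secure boot on x86, and on arm where the distribution ships secure-boot firmware descriptions.` Note also that `is_arm_variant()` may cover 32-bit arm as well as aarch64, which the commit title does not mention. The function body starts outside the hunk.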
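Review bot: The guard on the `-global` block in run_qemu is written as `not config.architecture.is_arm_variant()`, but the commit message calls these options x86-only, so a positive check is safer for any other architecture that selects secure-boot firmware explicitly: `if firmware == Firmware.uefi_secure_boot and config.architecture.is_x86_variant():`. One of the skipped options is `driver=cfi.pflash01,property=secure,value=on`, which on x86 is what restricts writes to the variable-store flash to SMM. With it skipped and nothing equivalent added here, arm guests run secure-boot firmware without that write protection, and the comment should record this rather than only that the options break booting, e.g. `# x86-only (ICH9/SMM) options; arm gets no equivalent pflash write protection here`. The `cmdline += [` list continues past the end of the hunk, so any further entries are not covered by this note.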