From 0f2b492f5171706ea51f73efacc947930546097d Mon Sep 17 00:00:00 2001
From: Sam Leonard
Date: Mon, 15 Jan 2024 16:40:09 +0000
Subject: [PATCH] vmspawn: ignore firmwares with enrolled-keys by default

---
 src/vmspawn/vmspawn-util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/vmspawn/vmspawn-util.c b/src/vmspawn/vmspawn-util.c
index 6270b7ffae7..16ece318097 100644
--- a/src/vmspawn/vmspawn-util.c
+++ b/src/vmspawn/vmspawn-util.c
@@ -191,7 +191,12 @@ int find_ovmf_config(int search_sb, OvmfConfig **ret) {
 continue;
 }
 
- int sb_present = !!strv_find(fwd->features, "secure-boot");
+ if (strv_contains(fwd->features, "enrolled-keys")) {
+ log_debug("Skipping %s, firmware has enrolled keys which has been known to cause issues", *file);
+ continue;
+ }
+
+ bool sb_present = strv_contains(fwd->features, "secure-boot");
 
 /* exclude firmware which doesn't match our Secure Boot requirements */
 if (search_sb >= 0 && search_sb != sb_present) {
-- 
2.47.3
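Review bot: The new `enrolled-keys` skip runs before the Secure Boot match and is unconditional, so with `search_sb > 0` the loop can now only pick firmware that advertises `secure-boot` without pre-enrolled keys. As far as I know such firmware starts in setup mode and enforces no signature checks until keys are enrolled, so a caller asking for Secure Boot may get a guest that does not verify its boot chain; if that is intended, say so at the skip, e.g. `/* firmware without enrolled keys starts in setup mode: Secure Boot is available but not enforced until keys are enrolled */`. The subject says "by default", but no way to opt back in is visible in this hunk, and the debug message does not name the issues it refers to. The body of find_ovmf_config starts and ends outside the hunk, so what happens when every descriptor is skipped cannot be seen here.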