git.ipfire.org Git - thirdparty/mkosi.git/commit

author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Mon, 11 Mar 2024 13:57:58 +0000 (14:57 +0100)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 13 Mar 2024 10:11:29 +0000 (11:11 +0100)
commit	b68a3ff10fb95c835c541897fc807e312e7351bc
tree	d5bdd5b03edab54f49e9c1525a4a54c71b89e5b5	tree
parent	7e7a3c71696d66d1774abff3eff80d5032612c88	commit \| diff

Rework QemuFirmware=

- Use the qemu official firmware descriptions to look up OVMF
  firmware instead of having our own homegrown logic.
- Add QemuFirmware=uefi-secure-boot to explicitly look for firmware
  with secure boot support
- Add QemuFirmwareVariables=microsoft to use OVMF variables with
  Microsoft keys enrolled
- Add QemuFirmwareVariables=custom to enroll the certificate from
  SecureBootCertificate= into the OVMF variables

This commit also contains the changes from a second commit that
was accidentally rebased into this one:

Only use already signed binaries when ShimBootloader=signed

When we're using signed shim, we need to make sure we use already
signed bootloaders, kernel images and UKIs. Anything we sign ourselves
will cause security violations in shim.

mkosi.conf		diff \| blob \| blame \| history
mkosi.conf.d/20-arch.conf		diff \| blob \| blame \| history
mkosi.conf.d/20-opensuse.conf		diff \| blob \| blame \| history
mkosi.conf.d/30-centos-fedora/mkosi.conf.d/20-uefi.conf		diff \| blob \| blame \| history
mkosi.conf.d/30-debian-ubuntu/mkosi.conf.d/20-x86-64.conf		diff \| blob \| blame \| history
mkosi/__init__.py		diff \| blob \| blame \| history
mkosi/config.py		diff \| blob \| blame \| history
mkosi/qemu.py		diff \| blob \| blame \| history
mkosi/resources/mkosi-tools/mkosi.conf.d/10-arch.conf		diff \| blob \| blame \| history
mkosi/resources/mkosi-tools/mkosi.conf.d/10-centos-fedora/mkosi.conf		diff \| blob \| blame \| history
mkosi/resources/mkosi.md		diff \| blob \| blame \| history
mkosi/vmspawn.py		diff \| blob \| blame \| history
tests/test_boot.py		diff \| blob \| blame \| history