
Re: [Qemu-devel] [qemu RFC v2] qapi: add "firmware.json"


From: Gerd Hoffmann
Subject: Re: [Qemu-devel] [qemu RFC v2] qapi: add "firmware.json"
Date: Wed, 18 Apr 2018 11:04:57 +0200
User-agent: NeoMutt/20180323

> This surfaced in the RFCv1 discussion, but Daniel suggested ignoring
> version numbers:
> 
> http://mid.mail-archive.com/address@hidden
> 
> On 04/10/18 11:34, Daniel P. Berrangé wrote:
> > IMHO it would be valid to just keep life simple and only record the
> > base machine type name that can use the firmware ie "pc", "q35", and
> > ignore the fact that in some cases the firmware might require a
> > specific version of the machine type.

IIRC this bit refers to the fact that SMM requires qemu >= 2.x (don't
remember which x) to work.  So smm-enabled edk2 would just say
"pc-q35-*" instead of trying to specify a version range somehow.

> Continuing:
> 
> On 04/18/18 08:02, Gerd Hoffmann wrote:
> >> +# @secure-boot: The firmware implements the software interfaces for UEFI 
> >> Secure
> >> +#               Boot, as defined in the UEFI specification. Note that 
> >> without
> >> +#               @requires-smm, guest code running with kernel privileges 
> >> can
> >> +#               undermine the security of Secure Boot.
> >> +#
> >> +# @secure-boot-enrolled-keys: The variable store (NVRAM) template 
> >> associated
> >
> > I think "enrolled-keys" should better be a separate feature.
> 
> It's not possible from the edk2 side; without -D SECURE_BOOT_ENABLE, the
> SB-related variables (SetupMode, PK, KEK, ...) don't work at all.

Sure.  The firmware builds will advertise both "secure-boot" and
"enrolled-keys" features to specify that.

But I think it should be enough to check for the "secure-boot" feature to
figure out whether a given firmware build supports secure boot, not both
"secure-boot" and "secure-boot-plus-something-else".

cheers,
  Gerd

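The selection logic the thread is converging on, written out as an added example (this is not QEMU code and not part of the RFC): a consumer matches the machine type against the descriptor's "pc-q35-*"-style globs, checks for "secure-boot" alone when it wants secure boot, checks "enrolled-keys" only when it also wants a pre-populated variable store, and, because the schema comment says a build without @requires-smm can be undermined by guest kernel code, demands "requires-smm" by default whenever secure boot is requested. The descriptor field names ("targets", "machines", "features", "mapping"), the file paths and the sample descriptors are assumptions constructed for illustration; the fourth descriptor is deliberately inconsistent (enrolled-keys without secure-boot) to show the sanity check Gerd's reply implies.

```python
"""Pick a firmware build from firmware.json-style descriptors.

Added example for the thread above, not QEMU code.  Field names and paths
are assumed for illustration; the descriptors are constructed test data.
"""
import fnmatch
import json

# Constructed sample descriptors (not real distro files).  Descriptor 4 is
# intentionally inconsistent: a build cannot have enrolled keys without
# also implementing the Secure Boot interfaces.
SAMPLE_DESCRIPTORS_JSON = r'''
[
  {"description": "OVMF SB+SMM, no enrolled keys",
   "interface-types": ["uefi"],
   "mapping": {"device": "flash",
               "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
               "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.fd", "format": "raw"}},
   "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
   "features": ["secure-boot", "requires-smm", "acpi-s3"]},
  {"description": "OVMF SB+SMM, enrolled keys",
   "interface-types": ["uefi"],
   "mapping": {"device": "flash",
               "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
               "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd", "format": "raw"}},
   "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
   "features": ["secure-boot", "requires-smm", "enrolled-keys", "acpi-s3"]},
  {"description": "OVMF SB without SMM",
   "interface-types": ["uefi"],
   "mapping": {"device": "flash",
               "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.fd", "format": "raw"},
               "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.fd", "format": "raw"}},
   "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
   "features": ["secure-boot", "acpi-s3"]},
  {"description": "broken descriptor: enrolled-keys only",
   "interface-types": ["uefi"],
   "mapping": {"device": "flash",
               "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.fd", "format": "raw"},
               "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd", "format": "raw"}},
   "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
   "features": ["enrolled-keys"]}
]
'''


def load_descriptors(text):
    """Parse a JSON array of firmware descriptors."""
    return json.loads(text)


def matches_machine(desc, arch, machine):
    """True if one of the descriptor's targets covers (arch, machine).

    Machine globs such as "pc-q35-*" are matched with fnmatch, so the
    caller should pass the resolved, versioned machine type name rather
    than an alias like "q35".
    """
    for target in desc.get("targets", []):
        if target.get("architecture") != arch:
            continue
        if any(fnmatch.fnmatchcase(machine, glob) for glob in target.get("machines", [])):
            return True
    return False


def check_consistency(desc):
    """Return a list of problems with the advertised feature set.

    A build that ships enrolled keys must also advertise "secure-boot";
    consumers key on "secure-boot" alone to decide whether SB is supported.
    """
    feats = set(desc.get("features", []))
    problems = []
    if "enrolled-keys" in feats and "secure-boot" not in feats:
        problems.append("enrolled-keys without secure-boot")
    return problems


def select_firmware(descriptors, arch, machine, want=(), tamper_resistant_sb=True):
    """Return descriptions of the builds usable for (arch, machine).

    `want` is the set of required features.  When "secure-boot" is wanted
    and tamper_resistant_sb is True, "requires-smm" is added to the
    requirements: without SMM, guest kernel code can undermine Secure Boot.
    Inconsistent descriptors are skipped rather than trusted.
    """
    want = set(want)
    if tamper_resistant_sb and "secure-boot" in want:
        want.add("requires-smm")
    chosen = []
    for desc in descriptors:
        if check_consistency(desc):
            continue
        if not matches_machine(desc, arch, machine):
            continue
        if not want <= set(desc.get("features", [])):
            continue
        chosen.append(desc["description"])
    return chosen


if __name__ == "__main__":
    descs = load_descriptors(SAMPLE_DESCRIPTORS_JSON)
    print(select_firmware(descs, "x86_64", "pc-q35-2.12", ["secure-boot"]))
```

Passing tamper_resistant_sb=False reproduces the looser behaviour of checking "secure-boot" by itself; the default keeps the SMM caveat from the schema comment enforced at selection time, which is where a management application would otherwise silently hand out a build whose Secure Boot a privileged guest can defeat.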