Commit | Line | Data |
---|---|---|
a65627a8 TL |
1 | The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest; the firmware |
2 | image is intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable | |
3 | template images which are intended to be read-write, and therefore each | |
4 | guest should be given its own copy. Here's an overview of each of them: | |
5 | ||
6 | OVMF_CODE_4M.fd | |
7 | Use this for booting guests in non-Secure Boot mode. While this image | |
8 | technically supports Secure Boot, it does so without requiring SMM | |
9 | support from QEMU, so it is less secure. Use the OVMF_VARS.fd template | |
10 | with this. | |
11 | ||
12 | OVMF_CODE_4M.secboot.fd | |
13 | Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM. | |
14 | Use this for guests for which you may enable Secure Boot. If you specify | |
15 | this image, you'll get a guest that is Secure Boot-*capable*, but has | |
16 | Secure Boot disabled. To enable it, you'll need to manually import | |
17 | PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu. | |
18 | ||
19 | OVMF_VARS_4M.fd | |
20 | This is an empty variable store template, which means it has no | |
21 | built-in Secure Boot keys and Secure Boot is disabled. You can use | |
22 | it with any OVMF_CODE image, but keep in mind that if you want to | |
23 | boot in Secure Boot mode, you will have to enable it manually. | |
24 | ||
25 | OVMF_VARS_4M.ms.fd | |
26 | This template has distribution-specific PK and KEK1 keys, and | |
27 | the default Microsoft keys in KEK/DB. It also has Secure Boot | |
28 | already activated. Using this with OVMF_CODE.ms.fd will boot a | |
29 | guest directly in Secure Boot mode. | |
30 | ||
31 | OVMF32_CODE_4M.secboot.fd | |
32 | OVMF32_VARS_4M.fd | |
33 | These images are the same as their "OVMF" variants, but for 32-bit guests. | |
34 | ||
35 | OVMF_CODE.fd | |
36 | OVMF_CODE.ms.fd | |
37 | OVMF_CODE.secboot.fd | |
38 | OVMF_VARS.fd | |
39 | OVMF_VARS.ms.fd | |
40 | These images are the same as their "4M" variants, but for use with guests | |
41 | using a 2MB flash device. 2MB flash is no longer considered sufficient for | |
42 | use with Secure Boot. This is provided only for backwards compatibility. | |
43 | ||
44 | OVMF_CODE_4M.snakeoil.fd | |
45 | OVMF_VARS_4M.snakeoil.fd | |
46 | This image is **for testing purposes only**. It includes an insecure | |
47 | "snakeoil" key in PK, KEK & DB. The private key and cert are also | |
48 | shipped in this package, so that testers can easily sign | |
49 | binaries that will be considered valid. | |
50 | ||
51 | PkKek-1-snakeoil.key | |
52 | PkKek-1-snakeoil.pem | |
53 | The private key and certificate for the snakeoil key. Use these | |
54 | to sign binaries that can be verified by the key in the | |
55 | OVMF_VARS.snakeoil.fd template. The password for the key is | |
56 | 'snakeoil'. | |
57 | ||
58 | -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600 |
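
As an added example (not part of the original README or the package), here is a POSIX shell example of the usage described above: the CODE image is attached read-only and each guest gets its own copy of a VARS template. The function names, the `ALLOW_SNAKEOIL` variable and the paths are hypothetical; the QEMU options used (`-drive if=pflash`, `-machine q35,smm=on`, the `cfi.pflash01` `secure` property) are standard QEMU options that the README itself does not list.

```shell
#!/bin/sh
# Added example, not from the package. Function names, ALLOW_SNAKEOIL and all
# paths are hypothetical; the QEMU options are standard ones not listed above.

# prepare_vars TEMPLATE GUEST_VARS
# Give a guest its own read-write variable store. An existing store is never
# overwritten: it holds that guest's enrolled keys and Secure Boot state.
prepare_vars() {
    pv_template=$1
    pv_guest=$2
    [ -r "$pv_template" ] || { echo "missing template: $pv_template" >&2; return 1; }
    if [ ! -e "$pv_guest" ]; then
        cp -- "$pv_template" "$pv_guest" && chmod 600 "$pv_guest"
    fi
}

# ovmf_qemu_args CODE_IMAGE GUEST_VARS
# Print the firmware-related QEMU arguments, one per line.
ovmf_qemu_args() {
    oa_code=$1
    oa_vars=$2
    case "$oa_code" in
        *snakeoil*)
            # The snakeoil private key is public, so its images are test-only.
            if [ "${ALLOW_SNAKEOIL:-0}" != 1 ]; then
                echo "refusing snakeoil image: $oa_code" >&2
                return 1
            fi ;;
    esac
    case "$oa_code" in
        *.secboot.fd)
            # These images abort without SMM; also restrict flash writes to SMM.
            printf '%s\n' -machine q35,smm=on \
                -global driver=cfi.pflash01,property=secure,value=on ;;
    esac
    # unit 0: firmware code, read-only. unit 1: this guest's variable store.
    printf '%s\n' \
        -drive "if=pflash,format=raw,unit=0,readonly=on,file=$oa_code" \
        -drive "if=pflash,format=raw,unit=1,file=$oa_vars"
}

# Usage (paths are placeholders):
#   prepare_vars "$OVMF_DIR/OVMF_VARS_4M.fd" "$GUEST_DIR/guest1_VARS.fd"
#   qemu-system-x86_64 $(ovmf_qemu_args "$OVMF_DIR/OVMF_CODE_4M.secboot.fd" \
#       "$GUEST_DIR/guest1_VARS.fd") ...
```

Because the CODE image is opened with `readonly=on`, one copy can be shared by every guest, while a guest's enrolled keys live only in its own VARS copy.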