1 The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
2 intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable
3 template images which are intended to be read-write, and therefore each
4 guest should be given its own copy. Here's an overview of each of them:
7 Use this for booting guests in non-Secure Boot mode. While this image
8 technically supports Secure Boot, it does so without requiring SMM
9 support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
12 OVMF_CODE_4M.secboot.fd
13 Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM.
14 Use this for guests for which you may enable Secure Boot. If you specify
15 this image, you'll get a guest that is Secure Boot-*capable*, but has
16 Secure Boot disabled. To enable it, you'll need to manually import
17 PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu.
20 This is an empty variable store template, which means it has no
21 built-in Secure Boot keys and Secure Boot is disabled. You can use
22 it with any OVMF_CODE image, but keep in mind that if you want to
23 boot in Secure Boot mode, you will have to enable it manually.
26 This template has distribution-specific PK and KEK1 keys, and
27 the default Microsoft keys in KEK/DB. It also has Secure Boot
28 already activated. Using this with OVMF_CODE.ms.fd will boot a
29 guest directly in Secure Boot mode.
31 OVMF32_CODE_4M.secboot.fd
33 These images are the same as their "OVMF" variants, but for 32-bit guests.
40 These images are the same as their "4M" variants, but for use with guests
41 using a 2MB flash device. 2MB flash is no longer considered sufficient for
42 use with Secure Boot. This is provided only for backwards compatibility.
44 OVMF_CODE_4M.snakeoil.fd
45 OVMF_VARS_4M.snakeoil.fd
46 This image is **for testing purposes only**. It includes an insecure
47 "snakeoil" key in PK, KEK & DB. The private key and cert are also
48 shipped in this package as well, so that testers can easily sign
49 binaries that will be considered valid.
53 The private key and certificate for the snakeoil key. Use these
54 to sign binaries that can be verified by the key in the
55 OVMF_VARS.snakeoil.fd template. The password for the key is
58 -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600