+ Please note that the certificate has to be in the DER format.\r
+\r
+ You can also append a certificate to the existing list with the following\r
+ command:\r
+\r
+ efisiglist -i <old certdb> -a <cert file> -o <new certdb>\r
+\r
+ NOTE: You may need the patch to make efisiglist generate the correct header.\r
+ (https://github.com/rhboot/pesign/pull/40)\r
+\r
+* Besides the trusted certificates, it's also possible to configure the trusted\r
+ cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
+\r
+ -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+ OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
+ IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
+ suite from the intersection of the given list and the built-in cipher\r
+ suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
+ built-in ones.\r
+\r
+ While the tool(*5) to create the cipher suite array is still under\r
+ development, the array can be generated with the following script:\r
+\r
+ export LC_ALL=C\r
+ openssl ciphers -V \\r
+ | sed -r -n \\r
+ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
+ | xargs -r -- printf -- '%b' > ciphers.bin\r
+\r
+ This script creates ciphers.bin that contains all the cipher suite IDs\r
+ supported by openssl according to the local host configuration.\r
+\r
+ You may want to enable only a limited set of cipher suites. Then, you\r
+ should check the validity of your list first:\r
+\r
+ openssl ciphers -V <cipher list>\r
+\r
+ If all the cipher suites in your list map to the proper HEX IDs, go ahead\r
+ to modify the script and execute it:\r
+\r
+ export LC_ALL=C\r
+ openssl ciphers -V <cipher list> \\r
+ | sed -r -n \\r
+ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
+ | xargs -r -- printf -- '%b' > ciphers.bin\r
+\r
+* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
+ files automatically from the local host configuration, and enable the user\r
+ to override either with dedicated options or properties.\r
+\r
+(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
+(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
+(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
+(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
+(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
+\r
+=== OVMF Flash Layout ===\r
+\r
+Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)\r
+appears in QEMU's physical address space just below 4GB (0x100000000).\r
+\r
+OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the\r
+FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the\r
+1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB\r
+image is 0xffe00000. The base address for the 4MB image is 0xffc00000.\r
+\r
+Using the 1MB or 2MB image, the layout of the firmware device in memory looks\r
+like:\r
+\r
++--------------------------------------- 4GB (0x100000000)\r
+| VTF0 (16-bit reset code) and OVMF SEC\r
+| (SECFV, 208KB/0x34000)\r
++--------------------------------------- varies based on flash size\r
+|\r
+| Compressed main firmware image\r
+| (FVMAIN_COMPACT)\r
+|\r
++--------------------------------------- base + 0x20000\r
+| Fault-tolerant write (FTW)\r
+| Spare blocks (64KB/0x10000)\r
++--------------------------------------- base + 0x10000\r
+| FTW Work block (4KB/0x1000)\r
++--------------------------------------- base + 0x0f000\r
+| Event log area (4KB/0x1000)\r
++--------------------------------------- base + 0x0e000\r
+| Non-volatile variable storage\r
+| area (56KB/0xe000)\r
++--------------------------------------- base address\r
+\r
+Using the 4MB image, the layout of the firmware device in memory looks like:\r
+\r
++--------------------------------------- base + 0x400000 (4GB/0x100000000)\r
+| VTF0 (16-bit reset code) and OVMF SEC\r
+| (SECFV, 208KB/0x34000)\r
++--------------------------------------- base + 0x3cc000\r
+|\r
+| Compressed main firmware image\r
+| (FVMAIN_COMPACT, 3360KB/0x348000)\r
+|\r
++--------------------------------------- base + 0x84000\r
+| Fault-tolerant write (FTW)\r
+| Spare blocks (264KB/0x42000)\r
++--------------------------------------- base + 0x42000\r
+| FTW Work block (4KB/0x1000)\r
++--------------------------------------- base + 0x41000\r
+| Event log area (4KB/0x1000)\r
++--------------------------------------- base + 0x40000\r
+| Non-volatile variable storage\r
+| area (256KB/0x40000)\r
++--------------------------------------- base address (0xffc00000)\r
+\r
+The code in SECFV locates FVMAIN_COMPACT, and decompresses the\r
+main firmware (MAINFV) into RAM memory at address 0x800000. The\r
+remaining OVMF firmware then uses this decompressed firmware\r
+volume image.\r
+\r
+=== UEFI Windows 7 & Windows 2008 Server ===\r
+\r
+* One of the '-vga std' and '-vga qxl' QEMU options should be used.\r
+* Only one video mode, 1024x768x32, is supported at OS runtime.\r
+* The '-vga qxl' QEMU option is recommended. After booting the installed\r
+ guest OS, select the video card in Device Manager, and upgrade its driver\r
+ to the QXL XDDM one. Download location:\r
+ <http://www.spice-space.org/download.html>, Guest | Windows binaries.\r
+ This enables further resolutions at OS runtime, and provides S3\r
+ (suspend/resume) capability.\r