git.proxmox.com Git - pve-edk2-firmware.git/blame - debian/README.Proxmox-VE
bump version to 4.2023.08-4
a65627a8
The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable
template images which are intended to be read-write, and therefore each
guest should be given its own copy. Here's an overview of each of them:

OVMF_CODE_4M.fd
  Use this for booting guests in non-Secure Boot mode. While this image
  technically supports Secure Boot, it does so without requiring SMM
  support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
  with this.

OVMF_CODE_4M.secboot.fd
  Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM.
  Use this for guests for which you may enable Secure Boot. If you specify
  this image, you'll get a guest that is Secure Boot-*capable*, but has
  Secure Boot disabled. To enable it, you'll need to manually import
  PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu.

OVMF_VARS_4M.fd
  This is an empty variable store template, which means it has no
  built-in Secure Boot keys and Secure Boot is disabled. You can use
  it with any OVMF_CODE image, but keep in mind that if you want to
  boot in Secure Boot mode, you will have to enable it manually.

OVMF_VARS_4M.ms.fd
  This template has distribution-specific PK and KEK1 keys, and
  the default Microsoft keys in KEK/DB. It also has Secure Boot
  already activated. Using this with OVMF_CODE.ms.fd will boot a
  guest directly in Secure Boot mode.

OVMF32_CODE_4M.secboot.fd
OVMF32_VARS_4M.fd
  These images are the same as their "OVMF" variants, but for 32-bit guests.

OVMF_CODE.fd
OVMF_CODE.ms.fd
OVMF_CODE.secboot.fd
OVMF_VARS.fd
OVMF_VARS.ms.fd
  These images are the same as their "4M" variants, but for use with guests
  using a 2MB flash device. 2MB flash is no longer considered sufficient for
  use with Secure Boot. This is provided only for backwards compatibility.
8d856e13
  NOTE: As 2MB support was removed with the 2023.08 release, we now ship them as
  static builds from our last release before that (2023.02).
a65627a8

OVMF_CODE_4M.snakeoil.fd
OVMF_VARS_4M.snakeoil.fd
  These images are **for testing purposes only**. They include an insecure
  "snakeoil" key in PK, KEK & DB. The private key and cert are also
  shipped in this package, so that testers can easily sign
  binaries that will be considered valid.

PkKek-1-snakeoil.key
PkKek-1-snakeoil.pem
  The private key and certificate for the snakeoil key. Use these
  to sign binaries that can be verified by the key in the
  OVMF_VARS.snakeoil.fd template. The password for the key is
  'snakeoil'.

 -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600
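
One way to apply the read-only CODE / per-guest VARS rule above when starting an x86 guest, as an added example that is not part of this README or the package. The function name, the ALLOW_SNAKEOIL switch, the q35 machine type and the guest file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example; not part of the pve-edk2-firmware package.
# ovmf_pflash_args CODE_IMAGE VARS_TEMPLATE GUEST_VARS
# Prints QEMU arguments (one per line) that map the CODE image read-only and
# a private, writable copy of the VARS template for one guest.
ovmf_pflash_args() {
    local code="$1" tmpl="$2" guest_vars="$3"

    # The snakeoil private key and its password are public: testing only.
    case "$code $tmpl" in
        *snakeoil*)
            if [ "${ALLOW_SNAKEOIL:-0}" != 1 ]; then
                echo "refusing snakeoil image (set ALLOW_SNAKEOIL=1 for tests)" >&2
                return 2
            fi ;;
    esac
    # The template is shared; a guest must never write to it directly.
    if [ "$tmpl" = "$guest_vars" ]; then
        echo "guest variable store must be a copy, not the template" >&2
        return 3
    fi
    # The README keeps 2MB (non-_4M) images for backwards compatibility only.
    case "${code##*/}" in
        *_4M*) ;;
        *) echo "warning: 2MB flash image, not sufficient for Secure Boot" >&2 ;;
    esac
    # Copy the template on first use only, so keys and boot entries already
    # stored by this guest are not reset.
    [ -e "$guest_vars" ] || cp -- "$tmpl" "$guest_vars" || return 1

    case "$code" in
        *.secboot.fd)
            # SMM-requiring build: turn SMM on (q35 machine type assumed) and
            # let only SMM code write to the flash holding the variables.
            printf '%s\n' -machine q35,smm=on \
                -global driver=cfi.pflash01,property=secure,value=on ;;
    esac
    printf '%s\n' \
        -drive "if=pflash,format=raw,unit=0,readonly=on,file=$code" \
        -drive "if=pflash,format=raw,unit=1,file=$guest_vars"
}

# Constructed demo: empty stand-in files in a temp dir, not real firmware.
demo_dir=$(mktemp -d)
: > "$demo_dir/OVMF_CODE_4M.secboot.fd"
: > "$demo_dir/OVMF_VARS_4M.fd"
ovmf_pflash_args "$demo_dir/OVMF_CODE_4M.secboot.fd" \
    "$demo_dir/OVMF_VARS_4M.fd" "$demo_dir/guest-100_VARS.fd"
```
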
3bcaf1a2

The AAVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
intended to be read-only. The AAVMF_VARS*.fd files provide UEFI variable
template images which are intended to be read-write, and therefore each
guest should be given its own copy. Here's an overview of each of them:

AAVMF_CODE.fd
  Use this for booting guests in non-Secure Boot mode. While this image
  technically supports Secure Boot, it does so without requiring SMM
  support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
  with this.

AAVMF_CODE.ms.fd
  This is a symlink to AAVMF_CODE.fd. It is useful in the context of libvirt
  because the included JSON firmware descriptors will tell libvirt to pair
  AAVMF_VARS.ms.fd with it, which has Secure Boot pre-enabled.

AAVMF_VARS.fd
  This is an empty variable store template, which means it has no
  built-in Secure Boot keys and Secure Boot is disabled. You can use
  it with any AAVMF_CODE image, but keep in mind that if you want to
  boot in Secure Boot mode, you will have to enable it manually.

AAVMF_VARS.ms.fd
  This template has distribution-specific PK and KEK1 keys, and
  the default Microsoft keys in KEK/DB. It also has Secure Boot
  already activated. Using this with OVMF_CODE.ms.fd will boot a
  guest directly in Secure Boot mode.

AAVMF_CODE.snakeoil.fd
AAVMF_VARS.snakeoil.fd
  These images are **for testing purposes only**. They include an insecure
  "snakeoil" key in PK, KEK & DB. The private key and cert are also
  shipped in this package, so that testers can easily sign
  binaries that will be considered valid.

PkKek-1-snakeoil.key
PkKek-1-snakeoil.pem
  The private key and certificate for the snakeoil key. Use these
  to sign binaries that can be verified by the key in the
  OVMF_VARS.snakeoil.fd template. The password for the key is
  'snakeoil'.

8d856e13
 -- Proxmox Support Team <support@proxmox.com>, dann frazier <dannf@debian.org>, Fri, 4 Feb 2022 17:01:31 -0700