Commit | Line | Data |
---|---|---|
a65627a8 TL |
1 | The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is |
2 | intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable | |
3 | template images which are intended to be read-write, and therefore each | |
4 | guest should be given its own copy. Here's an overview of each of them: | |
5 | ||
6 | OVMF_CODE_4M.fd | |
7 | Use this for booting guests in non-Secure Boot mode. While this image | |
8 | technically supports Secure Boot, it does so without requiring SMM | |
9 | support from QEMU, so it is less secure. Use the OVMF_VARS.fd template | |
10 | with this. | |
11 | ||
12 | OVMF_CODE_4M.secboot.fd | |
13 | Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM. | |
14 | Use this for guests for which you may enable Secure Boot. If you specify | |
15 | this image, you'll get a guest that is Secure Boot-*capable*, but has | |
16 | Secure Boot disabled. To enable it, you'll need to manually import | |
17 | PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu. | |
18 | ||
19 | OVMF_VARS_4M.fd | |
20 | This is an empty variable store template, which means it has no | |
21 | built-in Secure Boot keys and Secure Boot is disabled. You can use | |
22 | it with any OVMF_CODE image, but keep in mind that if you want to | |
23 | boot in Secure Boot mode, you will have to enable it manually. | |
24 | ||
25 | OVMF_VARS_4M.ms.fd | |
26 | This template has distribution-specific PK and KEK1 keys, and | |
27 | the default Microsoft keys in KEK/DB. It also has Secure Boot | |
28 | already activated. Using this with OVMF_CODE.ms.fd will boot a | |
29 | guest directly in Secure Boot mode. | |
30 | ||
31 | OVMF32_CODE_4M.secboot.fd | |
32 | OVMF32_VARS_4M.fd | |
33 | These images are the same as their "OVMF" variants, but for 32-bit guests. | |
34 | ||
35 | OVMF_CODE.fd | |
36 | OVMF_CODE.ms.fd | |
37 | OVMF_CODE.secboot.fd | |
38 | OVMF_VARS.fd | |
39 | OVMF_VARS.ms.fd | |
40 | These images are the same as their "4M" variants, but for use with guests | |
41 | using a 2MB flash device. 2MB flash is no longer considered sufficient for | |
42 | use with Secure Boot. This is provided only for backwards compatibility. | |
43 | ||
44 | OVMF_CODE_4M.snakeoil.fd | |
45 | OVMF_VARS_4M.snakeoil.fd | |
46 | This image is **for testing purposes only**. It includes an insecure | |
47 | "snakeoil" key in PK, KEK & DB. The private key and cert are also | |
48 | shipped in this package, so that testers can easily sign | |
49 | binaries that will be considered valid. | |
50 | ||
51 | PkKek-1-snakeoil.key | |
52 | PkKek-1-snakeoil.pem | |
53 | The private key and certificate for the snakeoil key. Use these | |
54 | to sign binaries that can be verified by the key in the | |
55 | OVMF_VARS.snakeoil.fd template. The password for the key is | |
56 | 'snakeoil'. | |
57 | ||
58 | -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600 | |
3bcaf1a2 TL |
59 | |
60 | The AAVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is | |
61 | intended to be read-only. The AAVMF_VARS*.fd files provide UEFI variable | |
62 | template images which are intended to be read-write, and therefore each | |
63 | guest should be given its own copy. Here's an overview of each of them: | |
64 | ||
65 | AAVMF_CODE.fd | |
66 | Use this for booting guests in non-Secure Boot mode. While this image | |
67 | technically supports Secure Boot, it does so without requiring SMM | |
68 | support from QEMU, so it is less secure. Use the OVMF_VARS.fd template | |
69 | with this. | |
70 | ||
71 | AAVMF_CODE.ms.fd | |
72 | This is a symlink to AAVMF_CODE.fd. It is useful in the context of libvirt | |
73 | because the included JSON firmware descriptors will tell libvirt to pair | |
74 | AAVMF_VARS.ms.fd with it, which has Secure Boot pre-enabled. | |
75 | ||
76 | AAVMF_VARS.fd | |
77 | This is an empty variable store template, which means it has no | |
78 | built-in Secure Boot keys and Secure Boot is disabled. You can use | |
79 | it with any AAVMF_CODE image, but keep in mind that if you want to | |
80 | boot in Secure Boot mode, you will have to enable it manually. | |
81 | ||
82 | AAVMF_VARS.ms.fd | |
83 | This template has distribution-specific PK and KEK1 keys, and | |
84 | the default Microsoft keys in KEK/DB. It also has Secure Boot | |
85 | already activated. Using this with OVMF_CODE.ms.fd will boot a | |
86 | guest directly in Secure Boot mode. | |
87 | ||
88 | AAVMF_CODE.snakeoil.fd | |
89 | AAVMF_VARS.snakeoil.fd | |
90 | This image is **for testing purposes only**. It includes an insecure | |
91 | "snakeoil" key in PK, KEK & DB. The private key and cert are also | |
92 | shipped in this package, so that testers can easily sign | |
93 | binaries that will be considered valid. | |
94 | ||
95 | PkKek-1-snakeoil.key | |
96 | PkKek-1-snakeoil.pem | |
97 | The private key and certificate for the snakeoil key. Use these | |
98 | to sign binaries that can be verified by the key in the | |
99 | OVMF_VARS.snakeoil.fd template. The password for the key is | |
100 | 'snakeoil'. | |
101 | ||
102 | -- dann frazier <dannf@debian.org>, Fri, 4 Feb 2022 17:01:31 -0700 |
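
The per-guest copy rule and the image caveats described above, as an added shell example that is not part of the package or its README: `provision_vars` gives a guest its own variable store, and `audit_pair` flags firmware pairings the README warns about. The `TEMPLATE_DIR` default, the per-guest directory layout and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with the package. TEMPLATE_DIR and the per-guest
# directory layout are assumptions; adjust them to your host.
TEMPLATE_DIR="${TEMPLATE_DIR:-/usr/share/OVMF}"

# provision_vars TEMPLATE_NAME GUEST_DIR -> prints the path of the guest's own copy.
# An existing store is never overwritten: that would wipe enrolled keys and boot entries.
provision_vars() {
    src="$TEMPLATE_DIR/$1"; dst="$2/$1"
    [ -f "$src" ] || { echo "missing template: $src" >&2; return 1; }
    mkdir -p "$2" || return 1
    if [ ! -e "$dst" ]; then
        cp -- "$src" "$dst" && chmod 600 "$dst" || return 1
    fi
    echo "$dst"
}

# audit_pair CODE_PATH VARS_PATH -> prints one finding per line, nothing if clean.
# Findings are derived from file names only, following the README's descriptions.
audit_pair() {
    code=$(basename "$1"); vars=$(basename "$2")
    case "$code$vars" in *snakeoil*)
        echo "snakeoil: test-only key, private key ships with the package" ;;
    esac
    case "$code" in OVMF_CODE_4M.fd|OVMF_CODE.fd|AAVMF_CODE.fd)
        echo "no-smm: image does not require SMM, so Secure Boot is less secure" ;;
    esac
    case "$code" in
        OVMF*_4M*|AAVMF*) ;;
        OVMF*) echo "2mb-flash: kept for backwards compatibility only" ;;
    esac
    case "$(dirname "$2")" in "$TEMPLATE_DIR")
        echo "shared-vars: guest points at the template, not its own copy" ;;
    esac
    return 0
}
```

Source the file, call `provision_vars OVMF_VARS_4M.fd /path/to/guest-dir` once per guest, and pass the printed path as the writable flash image; `audit_pair` can be run over the CODE/VARS paths taken from existing guest definitions.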