debian/README.Proxmox-VE

   1 The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
   2 intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable
   3 template images which are intended to be read-write, and therefore each
   4 guest should be given its own copy. Here's an overview of each of them:
   5
   6 OVMF_CODE_4M.fd
   7   Use this for booting guests in non-Secure Boot mode. While this image
   8   technically supports Secure Boot, it does so without requiring SMM
   9   support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
  10   with this.
  11
  12 OVMF_CODE_4M.secboot.fd
  13   Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM.
  14   Use this for guests for which you may enable Secure Boot. If you specify
  15   this image, you'll get a guest that is Secure Boot-*capable*, but has
  16   Secure Boot disabled. To enable it, you'll need to manually import
  17   PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu.
  18
  19 OVMF_VARS_4M.fd
  20   This is an empty variable store template, which means it has no
  21   built-in Secure Boot keys and Secure Boot is disabled. You can use
  22   it with any OVMF_CODE image, but keep in mind that if you want to
  23   boot in Secure Boot mode, you will have to enable it manually.
  24
  25 OVMF_VARS_4M.ms.fd
  26   This template has distribution-specific PK and KEK1 keys, and
  27   the default Microsoft keys in KEK/DB. It also has Secure Boot
  28   already activated. Using this with OVMF_CODE.ms.fd will boot a
  29   guest directly in Secure Boot mode.
  30
  31 OVMF32_CODE_4M.secboot.fd
  32 OVMF32_VARS_4M.fd
  33   These images are the same as their "OVMF" variants, but for 32-bit guests.
  34
  35 OVMF_CODE.fd
  36 OVMF_CODE.ms.fd
  37 OVMF_CODE.secboot.fd
  38 OVMF_VARS.fd
  39 OVMF_VARS.ms.fd
  40   These images are the same as their "4M" variants, but for use with guests
  41   using a 2MB flash device. 2MB flash is no longer considered sufficient for
  42   use with Secure Boot. This is provided only for backwards compatibility.
  43   NOTE: As 2MB support was removed with 2023.08 release, we now ship them as
  44   static builds from our last release before that (2023.02)
  45
  46 OVMF_CODE_4M.snakeoil.fd
  47 OVMF_VARS_4M.snakeoil.fd
  48   This image is **for testing purposes only**. It includes an insecure
  49   "snakeoil" key in PK, KEK & DB. The private key and cert are also
  50   shipped in this package as well, so that testers can easily sign
  51   binaries that will be considered valid.
  52
  53 PkKek-1-snakeoil.key
  54 PkKek-1-snakeoil.pem
  55   The private key and certificate for the snakeoil key. Use these
  56   to sign binaries that can be verified by the key in the
  57   OVMF_VARS.snakeoil.fd template. The password for the key is
  58   'snakeoil'.
  59
  60  -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600
  61
  62 The AAVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
  63 intended to be read-only. The AAVMF_VARS*.fd files provide UEFI variable
  64 template images which are intended to be read-write, and therefore each
  65 guest should be given its own copy. Here's an overview of each of them:
  66
  67 AAVMF_CODE.fd
  68   Use this for booting guests in non-Secure Boot mode. While this image
  69   technically supports Secure Boot, it does so without requiring SMM
  70   support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
  71   with this.
  72
  73 AAVMF_CODE.ms.fd
  74   This is a symlink to AAVMF_CODE.fd. It is useful in the context of libvirt
  75   because the included JSON firmware descriptors will tell libvirt to pair
  76   AAVMF_VARS.ms.fd with it, which has Secure Boot pre-enabled.
  77
  78 AAVMF_VARS.fd
  79   This is an empty variable store template, which means it has no
  80   built-in Secure Boot keys and Secure Boot is disabled. You can use
  81   it with any AAVMF_CODE image, but keep in mind that if you want to
  82   boot in Secure Boot mode, you will have to enable it manually.
  83
  84 AAVMF_VARS.ms.fd
  85   This template has distribution-specific PK and KEK1 keys, and
  86   the default Microsoft keys in KEK/DB. It also has Secure Boot
  87   already activated. Using this with OVMF_CODE.ms.fd will boot a
  88   guest directly in Secure Boot mode.
  89
  90 AAVMF_CODE.snakeoil.fd
  91 AAVMF_VARS.snakeoil.fd
  92   This image is **for testing purposes only**. It includes an insecure
  93   "snakeoil" key in PK, KEK & DB. The private key and cert are also
  94   shipped in this package as well, so that testers can easily sign
  95   binaries that will be considered valid.
  96
  97 PkKek-1-snakeoil.key
  98 PkKek-1-snakeoil.pem
  99   The private key and certificate for the snakeoil key. Use these
 100   to sign binaries that can be verified by the key in the
 101   OVMF_VARS.snakeoil.fd template. The password for the key is
 102   'snakeoil'.
 103
 104  -- Proxmox Support Team <support@proxmox.com>, dann frazier <dannf@debian.org>, Fri,  4 Feb 2022 17:01:31 -0700