--- /dev/null
+The OVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is
+intended to be read-only. The OVMF_VARS*.fd files provide UEFI variable
+template images which are intended to be read-write, and therefore each
+guest should be given its own copy. Here's an overview of each of them:
+
+OVMF_CODE_4M.fd
+ Use this for booting guests in non-Secure Boot mode. While this image
+ technically supports Secure Boot, it does so without requiring SMM
+ support from QEMU, so it is less secure. Use the OVMF_VARS.fd template
+ with this.
+
+OVMF_CODE_4M.secboot.fd
+ Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM.
+ Use this for guests for which you may enable Secure Boot. If you specify
+ this image, you'll get a guest that is Secure Boot-*capable*, but has
+ Secure Boot disabled. To enable it, you'll need to manually import
+ PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu.
+
+OVMF_VARS_4M.fd
+ This is an empty variable store template, which means it has no
+ built-in Secure Boot keys and Secure Boot is disabled. You can use
+ it with any OVMF_CODE image, but keep in mind that if you want to
+ boot in Secure Boot mode, you will have to enable it manually.
+
+OVMF_VARS_4M.ms.fd
+ This template has distribution-specific PK and KEK1 keys, and
+ the default Microsoft keys in KEK/DB. It also has Secure Boot
+ already activated. Using this with OVMF_CODE.ms.fd will boot a
+ guest directly in Secure Boot mode.
+
+OVMF32_CODE_4M.secboot.fd
+OVMF32_VARS_4M.fd
+ These images are the same as their "OVMF" variants, but for 32-bit guests.
+
+OVMF_CODE.fd
+OVMF_CODE.ms.fd
+OVMF_CODE.secboot.fd
+OVMF_VARS.fd
+OVMF_VARS.ms.fd
+ These images are the same as their "4M" variants, but for use with guests
+ using a 2MB flash device. 2MB flash is no longer considered sufficient for
+ use with Secure Boot. This is provided only for backwards compatibility.
+
+OVMF_CODE_4M.snakeoil.fd
+OVMF_VARS_4M.snakeoil.fd
+ This image is **for testing purposes only**. It includes an insecure
+ "snakeoil" key in PK, KEK & DB. The private key and cert are also
+ shipped in this package as well, so that testers can easily sign
+ binaries that will be considered valid.
+
+PkKek-1-snakeoil.key
+PkKek-1-snakeoil.pem
+ The private key and certificate for the snakeoil key. Use these
+ to sign binaries that can be verified by the key in the
+ OVMF_VARS.snakeoil.fd template. The password for the key is
+ 'snakeoil'.
+
+ -- dann frazier <dannf@debian.org>, Thu, 30 Sep 2021 10:33:08 -0600