From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web08.12657.1617718759285624451 for ; Tue, 06 Apr 2021 07:19:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=PZy+9H2m; spf=pass (domain: redhat.com, ip: 216.205.24.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1617718758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NSaMU4Nako+853gcheWe+XQY4vojkc3rd1ovGGLiyxg=; b=PZy+9H2mjsxXXdIJMh0OegJtEJHR3y2isi6THhYXMsdCmueHpZoRtOdjI7gfbEnD1sl/Ue u7VcPhROLBDeI9zDVAO25gGm5z5Y9tWIDBIsU+j8VObRTwhw8htUYx0XI82GubTe+uRfen OEizJly0xFhXK3EneFkXJhBNeyOWqAM= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-533-gx_5FAlVMHaoSoFsRKiY6Q-1; Tue, 06 Apr 2021 10:19:16 -0400 X-MC-Unique: gx_5FAlVMHaoSoFsRKiY6Q-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 196E585C710; Tue, 6 Apr 2021 14:19:01 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-115-134.ams2.redhat.com [10.36.115.134]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7F97E10016F4; Tue, 6 Apr 2021 14:19:00 +0000 (UTC) Subject: Re: [edk2-devel] Enabling Secure boot To: devel@edk2.groups.io, sent888@gmail.com References: <9Sx0.1617267793542590857.aBnu@groups.io> From: "Laszlo Ersek" Message-ID: <0e8c1390-ec49-6690-0a74-0c930d8cfdf1@redhat.com> Date: Tue, 6 Apr 2021 16:18:59 +0200 MIME-Version: 1.0 In-Reply-To: <9Sx0.1617267793542590857.aBnu@groups.io> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit On 04/01/21 11:03, sent888@gmail.com wrote: > Hi, >  I have enable the secure boot for CorebootPayloadPkg in EDK 2017 and > got the secure boot configuration in the boot menu. But the problem is > Attempt secure boot is disabled. Also when I changed from standard mode > to custom mode to add vmware key in the db, after reset its not getting > saved. This may due to NVRAM support is not there. > > How to make "Attempt secure boot" to be enabled? > If NVRAM is not there, how i will add vmware keys in db database? > Can i hardcode the keys in the edk2 source and secure boot? If so where > to modify it? Secure boot is based on authenticated non-volatile UEFI variables that are described by the UEFI spec. If you don't have functional, tamper-proof storage on your platform (virtual or otherwise) for said non-volatile UEFI variables, secure boot will either not work, or will not be secure in fact. (By "tamper-proof", I mean that e.g. the operating system must be prevented from modifying said variables, unless it invokes the appropriate UEFI runtime services.) I don't know how this specifically applies to CorebootPayloadPkg though. Thanks Laszlo