From: Jason Dickens
To: edk2-devel@lists.01.org
Date: Thu, 6 Jul 2017 13:31:18 -0400
Subject: OVMF Secure Boot variable storage issue
Message-ID: <6703d38b-e99b-c11e-0126-ad24239dacee@grammatech.com>

All,

I'm trying to understand why the secure boot variables (PK, KEK, db, etc.) when using the OVMF build are not retained across reboot? It seems that this code uses roughly the same SetVariable, GetVariable2 approach as, say, the PlatformConfig uses to store screen resolution (which is retained). Additionally, the NvVars file is being at least touched by the secure boot configuration. So why are none of the keys retained on the next reboot?
I know this was an issue in the past, but I haven't found the resolution?

Jason