What is OVMF_CODE.ms.fd for?

Bug #1864535 reported by dann frazier
Affects: edk2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: dann frazier

Bug Description

In the ovmf package, /usr/share/OVMF/OVMF_CODE.ms.fd is a symlink to OVMF_CODE.fd, which is a build of OVMF that does *not* support Secure Boot. I assume the "ms" stands for Microsoft, whose signing keys are included in the OVMF_VARS.ms.fd nvram template. If so, shouldn't OVMF_CODE.ms.fd point to OVMF_CODE.secboot.fd, which actually supports Secure Boot and makes use of those keys?

(Correction) OVMF_CODE.fd apparently does support Secure Boot. However, it does not enforce that QEMU supports SMM - which is required for Secure Boot to actually be secure.

Steve Langasek (vorlon) wrote :

Yes, that is the purpose of OVMF_CODE.ms.fd. If it links to the wrong actual code, then maybe that should be fixed, or maybe the fact that it links to the wrong thing means it's unused in practice?

dann frazier (dannf) wrote :

Thanks Steve. At this time I'm leaning more towards removing the link vs. changing what it points to. AFAICT, the link really just serves as a hint that it should be paired with OVMF_VARS.ms.fd. But IMHO, that's better clarified for humans in documentation, which we now have in /usr/share/doc/ovmf/README.Debian, and for programs via the /usr/share/qemu/firmware descriptors.

Also, if anyone *is* using the link, I think it'd be a more obvious failure mode for a guest to now fail to boot due to a missing file than if it starts up but just seems to hang or whatever because we've changed the behavior.

Let me know if you disagree.
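
A check a program could run against the firmware descriptors mentioned above, added here as an example; it is not part of the original thread or of the ovmf package. The descriptor contents are constructed samples in QEMU's firmware descriptor layout, and the verdict labels are this example's own names.

```python
import json

# Constructed descriptors in QEMU's firmware descriptor layout; on a real host
# they would be read from the *.json files under /usr/share/qemu/firmware.
SAMPLE_DESCRIPTORS = {
    "sample-secboot-ms.json": """{"mapping": {"device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.ms.fd", "format": "raw"}},
      "features": ["enrolled-keys", "requires-smm", "secure-boot"]}""",
    # Mirrors the pairing the dropped symlink implied: Microsoft keys in the
    # varstore, but a code image that does not insist on SMM.
    "sample-symlink-pairing.json": """{"mapping": {"device": "flash",
        "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.fd", "format": "raw"},
        "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.ms.fd", "format": "raw"}},
      "features": ["enrolled-keys", "secure-boot"]}""",
}


def classify(descriptor):
    """Return (code image, varstore template, verdict) for one flash descriptor."""
    mapping = descriptor.get("mapping", {})
    if mapping.get("device") != "flash":
        return None  # kernel/memory mappings carry no CODE/VARS pair
    features = set(descriptor.get("features", []))
    code = mapping["executable"]["filename"]
    varstore = mapping.get("nvram-template", {}).get("filename")
    # Verdict labels below are hypothetical names chosen for this example.
    if "secure-boot" not in features:
        verdict = "no-secure-boot"
    elif "requires-smm" not in features:
        verdict = "secure-boot-without-smm"  # varstore not shielded from the guest OS
    elif "enrolled-keys" not in features:
        verdict = "secure-boot-no-keys-enrolled"
    else:
        verdict = "secure-boot-enforced"
    return code, varstore, verdict


def audit(descriptors):
    """Classify every descriptor, keyed by descriptor file name."""
    results = {}
    for name, text in sorted(descriptors.items()):
        entry = classify(json.loads(text))
        if entry is not None:
            results[name] = entry
    return results


if __name__ == "__main__":
    for name, (code, varstore, verdict) in audit(SAMPLE_DESCRIPTORS).items():
        print(f"{name}: {code} + {varstore} -> {verdict}")
```
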

dann frazier (dannf)
Changed in edk2 (Ubuntu):
status: New → In Progress
assignee: nobody → dann frazier (dannf)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package edk2 - 0~20191122.bd85bf54-2

---------------
edk2 (0~20191122.bd85bf54-2) unstable; urgency=medium

  * Bump debhelper compatibility level to 12.
  * Provide an OVMF_VARS.snakeoil.fd image and matching private key for
    development testing. LP: #1850848.
  * Drop OVMF_CODE.ms.fd symlink. LP: #1864535.

 -- dann frazier <email address hidden> Thu, 27 Feb 2020 07:23:16 -0700

Changed in edk2 (Ubuntu):
status: In Progress → Fix Released
dann frazier (dannf)
description: updated
calvin wong (wongcalvin) wrote :

How does OVMF_CODE_4M.secboot.fd etc get made/compiled? Thx
