Comment 16 for bug 2040139

Aleksandr Mikhalitsyn (mihalicyn) wrote :

>There is a library called python-uefivars which allows you to modify UEFI variables FDs without having to boot a VM at all. I think it might be viable to write a script that enrolls the keys externally using it.

Yep, we have it in our plan to look at python virt-firmware and integrate it with LXD. As far as I understand, python-uefivars is yet another Python package that allows you to edit NVRAM images.

>In the meantime, it doesn't seem to me that you actually need the shell to be built into the CODE fd itself here.
>Is my understanding correct that the shell is put in a FAT image as `boot{x64,a64}.efi` and run that way? And it seems to run before SecureBoot is enabled anyway, so shouldn't it be possible to still build the Shell as an external EFI binary but not include it in the `code_{.*}.fd`s?

You are partially right. We run the shell using a Shell.efi application; at the same time, when BUILD_SHELL = false, this application won't be built. I have checked that experimentally. I haven't dived into the edk2 code very deeply, but it looks like Shell.efi is just a "client-side" part, while the main Shell API is in the firmware itself. That's why it makes no sense to build Shell.efi without having the built-in shell components in the firmware.