#1064059 U-Boot: secure boot support

#1064059#5
Date:
2024-02-16 14:57:13 UTC
From:
To:
debian/patches/qemu/efi-secure-boot.patch is not a good approach to
enabling secure boot with U-Boot. Variables entered via the command line
containing the security database will be stored on file but will not be
loaded into U-Boot on the next boot.

If you want a version of U-Boot that supports secure boot properly, use
CONFIG_EFI_VARIABLES_PRESEED=y and provide a file with the security
database which will be built into U-Boot. tools/efivar.py can be used to
build that file.

Separate U-Boot binaries for secure and non-secure would have to be
provided.

Existing EDK II packages provide secure boot. Hence I suggest to simply
drop patch debian/patches/qemu/efi-secure-boot.patch.

Best regards

Heinrich