Hi!
This is really good and I'd want this in focal now. I've used it for signing and will boot soon, but so far things look good for signing & in ovmf boot environment.
Some nitpicks (unrelated to the snakeoil stuff really):
Most OVMF builds are in /usr/share/OVMF
Apart from /usr/share/ovmf/OVMF.fd, which is referenced by the /usr/share/qemu/OVMF.fd symlink. ovmf/OVMF.fd seems to be different from OVMF/OVMF_CODE*.fd; what is it and do we need it? Can both ovmf/ and qemu/ be replaced with symlinks to somewhere in OVMF/?
Do we need a /usr/share/qemu/firmware/40-edk2-x86_64-snakeoil.json? Not sure what the syntax of it is, and how it is used.
I removed the password from /usr/share/ovmf/PkKek-1-snakeoil.key locally, but I guess it is good to have a password there to make people think about password/protection management.
Otherwise this is good to land as is, and we can fix up / address / explain the above points separately.