On 20 June 2017 at 17:52, Tommy Huynh Tommy.Huynh@arm.com wrote:
Hi Ard/Leif,
Thank you for your responses. I built edk2 for QEMUv8 with this supergit: https://github.com/OP-TEE/build. I tried enabling secure boot by passing "-D SECURE_BOOT_ENABLE=TRUE" and even tried modifying the default value for SECURE_BOOT_ENABLE in edk2/ArmVirtPkg/{ArmVirtQemuKernel.dsc, ArmVirtQemu.dsc}.
However, in the boot log, I saw messages like these:
Variable PK does not exist.
Variable SetupMode is 1
Variable SecureBoot is 0
Variable SecureBootEnable is 0
Variable CustomMode is 0
Variable VendorKeys is 1
What's the proper way to enable secure boot for qemu?
You need to run QEMU with persistent flash, so any changes you make are not lost when you restart QEMU (use -pflash rather than -bios). Then, you need to enroll certificates in the UEFI setup screen. This is not specific to arm, so Google is your friend here (pk kek db secure boot uefi).
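
The persistent-flash setup described in the reply, as an added example that is not part of the original thread. It assumes QEMU's aarch64 "virt" machine with its two 64 MiB flash banks and an ArmVirtQemu image built with SECURE_BOOT_ENABLE=TRUE; the function names, the image file names and the -cpu/-m values are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): keep UEFI variables across QEMU restarts.
# Bank 0 holds the firmware code, bank 1 holds the variable store, where an
# enrolled PK/KEK/db would live. Each bank is padded to FLASH_SIZE bytes.
FLASH_SIZE=$((64 * 1024 * 1024))

# make_code_flash <firmware.fd> <out.img>
# Pads the firmware image to a full flash bank. Safe to rebuild on every
# firmware update because no variables are stored in this bank.
make_code_flash() {
    fw=$1; out=$2
    [ -r "$fw" ] || { echo "firmware image not readable: $fw" >&2; return 1; }
    fw_size=$(( $(wc -c < "$fw") ))
    [ "$fw_size" -le "$FLASH_SIZE" ] || { echo "firmware larger than flash bank" >&2; return 1; }
    dd if=/dev/zero of="$out" bs=1048576 count=64 2>/dev/null
    dd if="$fw" of="$out" conv=notrunc 2>/dev/null
}

# make_vars_flash <out.img>
# Creates an empty variable store only if none exists. Recreating it on each
# launch would discard the enrolled keys and put the firmware back into
# setup mode (SetupMode is 1, PK does not exist).
make_vars_flash() {
    out=$1
    [ -e "$out" ] && return 0
    dd if=/dev/zero of="$out" bs=1048576 count=64 2>/dev/null
}

# qemu_cmdline <code.img> <vars.img>
# Prints the launch command; -pflash replaces -bios so variable writes persist.
qemu_cmdline() {
    printf 'qemu-system-aarch64 -M virt -cpu cortex-a57 -m 1024 -nographic -pflash %s -pflash %s\n' "$1" "$2"
}

# Typical use (QEMU_EFI.fd is assumed to be the ArmVirtQemu build output):
#   make_code_flash QEMU_EFI.fd flash0.img
#   make_vars_flash flash1.img
#   $(qemu_cmdline flash0.img flash1.img)
```

After keys are enrolled, treat flash1.img as the machine's trust state: back it up and restrict write access to it, since anyone who can replace the file can reset the enrolled keys.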