How to build edk2/ovmf with secure boot enabled as done in Fedora with "*CODE.secboot.fd" and "*VARS.secboot.fd" files?


My env:
- QEMU 6.0.0

I'm trying to install Windows 10 from an .iso installation disk in QEMU 6.0.0 with secure boot enabled in UEFI.

If I pass edk2/ovmf files provided by Fedora, I can find the .secboot.fd versions. Passing those files to qemu with:
-global driver=cfi.pflash01,property=secure,value=on \
-drive if=pflash,format=raw,file=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,readonly=on \
-drive if=pflash,format=raw,file=./my-writable_OVMF_VARS.secboot.fd \

In this way I can see the option "secure boot" enabled in UEFI.

Ok, but now I want to download edk2/ovmf from sources using the latest stable tag:
git clone
cd edk2
git checkout edk2-stable202105
git submodule update --init

And finally I want to build it for x64 with secure boot:

I tried to use "./OvmfPkg/ -DSECURE_BOOT_ENABLE" but when I run QEMU, the secure boot option in UEFI is disabled.

Which is the right procedure to build edk2/OVMF with secure boot?

Thank you.
