How to build edk2/ovmf with secure boot enabled as done in Fedora with "*CODE.secboot.fd" and "*VARS.secboot.fd" files?


Ks89
 

My env:
-centos8
-qemu 6.0.0

I'm trying to install windows 10 from .iso installation disk in QEMU 6.0.0 with secure boot enabled in UEFI.

If I pass edk2/ovmf files provided by Fedora, I can find the .secboot.fd versions. Passing those files to qemu with:
-global driver=cfi.pflash01,property=secure,value=on \
-drive if=pflash,format=raw,file=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,readonly=on \
-drive if=pflash,format=raw,file=./my-writable_OVMF_VARS.secboot.fd \

In this way I can see the option "secure boot" enabled in EUFI.

Ok, but now I want to download edk2/ovmf from sources using the latest stable tag:
git clone https://github.com/tianocore/edk2.git
cd edk2
git checkout edk2-stable202105
git submodule update --init

And finally I want to build it for x64 with secure boot:
./OvmfPkg/build.sh

I tried to use "./OvmfPkg/build.sh -DSECURE_BOOT_ENABLE" but when I run QEMU, the secure boot option in UEFI is disabled.

Which is the right procedure to build edk2/OVMF with secure boot?

Thank you.

Join discuss@edk2.groups.io to automatically receive all group messages.