qemu / edk2 / d2cbaefc082294eadaa30a3d5f0fa8ba264a574a OvmfPkg/X86QemuLoadImageLib: flip default for EnableLegacyLoader to false
What happened since commit 1549bf11cc94 ("OvmfPkg/X86QemuLoadImageLib:
make legacy loader configurable.")?
First, qemu 10.0 has been released, which brings support for the -shim
command line option so direct kernel boot with secure boot works.
Second, support has been added to libvirt (version v11.2.0 and newer).
Third, we got a bunch of linux distro releases. Latest debian, ubuntu
and fedora releases all have new enough edk2+qemu+libvirt packages to
support direct kernel boot with shim.efi loading and proper secure boot
verification.
Lastly, the edk2 security advisory GHSA-6pp6-cm5h-86g5 and CVE-2025-2296
have been published.
Time for the next step in tightening the screws: Flip the default for
the EnableLegacyLoader config option from true to false. Also update
the documentation accordingly.
The documentation for the config option is here:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#user-content-security-optorgtianocoreenablelegacyloader
Upcoming final step, in a year or two: remove the legacy loader from the
code base (drop X86QemuLoadImageLib, migrate all users to use
GenericQemuLoadImageLib instead).
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 files changed