OvmfPkg/X86QemuLoadImageLib: flip default for EnableLegacyLoader to false

What happened since commit 1549bf11cc94 ("OvmfPkg/X86QemuLoadImageLib:
make legacy loader configurable.") ?

First, qemu 10.0 has been released, which brings support for the -shim
command line option so direct kernel boot with secure boot works.

Second, support has been added to libvirt (version v11.2.0 and newer).

Third, we got a bunch of linux distro releases.  Latest debian, ubuntu
and fedora releases all have new enough edk2+qemu+libvirt packages to
support direct kernel boot with shim.efi loading and proper secure boot
verification.

Lastly, the edk2 security advisory GHSA-6pp6-cm5h-86g5 and CVE-2025-2296
have been published.

Time for the next step in tightening the screws:  Flip the default for
the EnableLegacyLoader config option from true to false.  Also update
the documentation accordingly.

The documentation for the config option is here:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#user-content-security-optorgtianocoreenablelegacyloader

Upcoming final step, in a year or two: remove the legacy loader from the
code base (drop X86QemuLoadImageLib, migrate all users to use
GenericQemuLoadImageLib instead).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index b16bdeb..f98f8ab 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -449,7 +449,7 @@
                     &Enabled

                     );

       if (EFI_ERROR (RetStatus)) {

-        Enabled = TRUE;

+        Enabled = FALSE;

       }

 

       if (!Enabled) {
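Review bot: the `if (EFI_ERROR (RetStatus))` fallback now treats every failure to read the option as "legacy loader disabled", which is the right fail-closed direction, but it also folds two different situations into one: an operator who never set the option and a variable that exists but could not be read. Consider a `DEBUG ((DEBUG_INFO, ...))` line inside that branch reporting `RetStatus` before `Enabled = FALSE;`, so that a firmware log makes it obvious why a kernel that used to boot via the legacy path is now rejected, rather than leaving the operator to guess between "default flipped" and "config variable broken".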

diff --git a/OvmfPkg/RUNTIME_CONFIG.md b/OvmfPkg/RUNTIME_CONFIG.md
index b75a5da..57d0dd9 100644
--- a/OvmfPkg/RUNTIME_CONFIG.md
+++ b/OvmfPkg/RUNTIME_CONFIG.md
@@ -153,16 +153,19 @@
 support is the least of your problems though ...

 

 The linux kernel is typically signed by the distro secure boot keys

-and is verified by the distro `shim.efi` binary.  qemu release 10.0

-(ETA ~ March 2025) will get support for passing the shim binary

+and is verified by the distro `shim.efi` binary.  qemu version 10.0

+(released in April 2025) got support for passing the shim binary

 (additionally to kernel + initrd) to the firmware, so the usual secure

 boot verification can work with direct kernel load too.

 

-For now the legacy loader is enabled by default.  Once the new qemu

-release is available in most linux distros the defaut will be flipped

-to disabled.

+In edk2-stable202502 and newer the EnableLegacyLoader config option is

+available and enabled by default.

 

-Usage (qemu 10.0+):

+In edk2-stable202602 and newer the EnableLegacyLoader config option is

+disabled by default.

+

+Here is the qemu command line for direct kernel boot with secure boot

+verification:

 

 ```

 qemu-system-x86_64 \
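Review bot: the replaced `Usage (qemu 10.0+):` line carried a version requirement that the new `Here is the qemu command line for direct kernel boot with secure boot verification:` wording drops, yet the preceding paragraph states that passing the shim binary only arrived in qemu 10.0, so the command line that follows will not work on older qemu. Suggest keeping the qualifier, e.g. `Here is the qemu command line (qemu 10.0+) for direct kernel boot with secure boot verification:`. It would also help readers on distros that still ship an older qemu if the `edk2-stable202602` paragraph said in one sentence that the previous behaviour can be restored by explicitly enabling the EnableLegacyLoader option described in this file, since the new default otherwise silently changes what a previously working direct kernel boot does.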