From 3cc1097f10c393f5ea35906b828a60ed9cc473bd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Mon, 27 Nov 2023 11:05:52 +0100
Subject: [PATCH] enroll sb keys for tdx image

---
 60-edk2-ovmf-x64-inteltdx.json | 4 +++-
 edk2.spec | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/60-edk2-ovmf-x64-inteltdx.json b/60-edk2-ovmf-x64-inteltdx.json
index 44993ab..e4ee2fd 100644
--- a/60-edk2-ovmf-x64-inteltdx.json
+++ b/60-edk2-ovmf-x64-inteltdx.json
@@ -7,7 +7,7 @@
 "device": "flash",
 "mode": "stateless",
 "executable": {
- "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.fd",
+ "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd",
 "format": "raw"
 }
 },
@@ -20,7 +20,9 @@
 }
 ],
 "features": [
+ "enrolled-keys",
 "intel-tdx",
+ "secure-boot",
 "verbose-dynamic"
 ],
 "tags": [
diff --git a/edk2.spec b/edk2.spec
index 9ed1703..b78b9b5 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -385,6 +385,10 @@ virt-fw-vars --input RHEL-9/ovmf/OVMF_VARS.fd \
 --output RHEL-9/ovmf/OVMF_VARS.secboot.fd \
 --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
 --enroll-redhat --secure-boot
+virt-fw-vars --input RHEL-9/ovmf/OVMF.inteltdx.fd \
+ --output RHEL-9/ovmf/OVMF.inteltdx.secboot.fd \
+ --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
+ --enroll-redhat --secure-boot
 build_iso RHEL-9/ovmf
 cp DBXUpdate-%{DBXDATE}.x64.bin RHEL-9/ovmf
@@ -400,6 +404,10 @@ virt-fw-vars --input Fedora/ovmf/OVMF_VARS_4M.fd \
 --output Fedora/ovmf/OVMF_VARS_4M.secboot.fd \
 --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
 --enroll-redhat --secure-boot
+virt-fw-vars --input Fedora/ovmf/OVMF.inteltdx.fd \
+ --output Fedora/ovmf/OVMF.inteltdx.secboot.fd \
+ --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
+ --enroll-redhat --secure-boot
 virt-fw-vars --input Fedora/ovmf-ia32/OVMF_VARS.fd \
 --output Fedora/ovmf-ia32/OVMF_VARS.secboot.fd \
 --set-dbx DBXUpdate-%{DBXDATE}.ia32.bin \
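Review bot: After the `filename` swap in this hunk no descriptor references the plain `/usr/share/edk2/ovmf/OVMF.inteltdx.fd` any more, while the `%files` hunk at the end of the patch still installs it, so an unenrolled TDX image is shipped that management stacks can no longer discover through the firmware descriptors. If a TDX image without Secure Boot is meant to stay available, add a second, lower-priority descriptor (a constructed name such as `61-edk2-ovmf-x64-inteltdx-nosecboot.json`) that keeps the old `filename` and lists only `intel-tdx` and `verbose-dynamic`; otherwise drop the plain image from `%files` so the only advertised TDX firmware is the one carrying the enrolled keys and the dbx. Because `mode` is `stateless`, the enrolled certificates and dbx live inside the single measured `flash` image rather than in a separate variable store, which presumably is why the second hunk adds `enrolled-keys` and `secure-boot` without `requires-smm`; a sentence in the commit message stating that would save the next reader from wondering whether the SMM requirement was forgotten.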
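Review bot: The new `virt-fw-vars --input RHEL-9/ovmf/OVMF.inteltdx.fd` block (and its Fedora twin in the following hunk) enrolls the Red Hat certificates and `DBXUpdate-%{DBXDATE}.x64.bin` directly into the TDX firmware image, which appears to be a unified code+vars image rather than a separate `OVMF_VARS*.fd` like the invocations above it, so the enrollment changes the bytes that TDX attestation measures; every `%{DBXDATE}` bump will presumably change that reference measurement, and a `%changelog` or commit-message line saying so would let attestation verifiers refresh their expected values in step with the package. A short comment above the new block, `# OVMF.inteltdx.fd is a unified (code+vars) image: enroll into the image itself, not into a VARS template`, would make the asymmetry with the neighbouring `OVMF_VARS.fd` cases explicit. The enclosing build script continues outside the hunk.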
@@ -621,6 +629,7 @@ done
 %{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
 %{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
 %{_datadir}/%{name}/ovmf/OVMF.inteltdx.fd
+%{_datadir}/%{name}/ovmf/OVMF.inteltdx.secboot.fd
 %{_datadir}/%{name}/ovmf/UefiShell.iso
 %{_datadir}/%{name}/ovmf/Shell.efi
 %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi