* Mon Mar 09 2026 Miroslav Rezanina <mrezanin@redhat.com> - 20251114-5

- edk2-add-uefi-vars-firmware-json-files.patch [RHEL-150696]
- Resolves: RHEL-150696
  (edk2: Add JSON descriptors for uefi-vars builds)

90-edk2-aarch64-qemuvars-sb-enrolled.json

@@ -0,0 +1,29 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/aarch64/vars.secboot.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "enrolled-keys",
+        "secure-boot",
+        "host-uefi-vars"
+    ],
+    "tags": [
+
+    ]
+}

90-edk2-ovmf-qemuvars-x64-sb-enrolled.json

@@ -0,0 +1,31 @@
+{
+    "description": "OVMF for qemu uefi-vars, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/ovmf/vars.secboot.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "enrolled-keys",
+        "secure-boot",
+        "host-uefi-vars",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

91-edk2-aarch64-qemuvars-sb.json

@@ -0,0 +1,28 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, SB disabled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/aarch64/QEMU_EFI.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/aarch64/vars.blank.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "secure-boot",
+        "host-uefi-vars"
+    ],
+    "tags": [
+
+    ]
+}

91-edk2-ovmf-qemuvars-x64-sb.json

@@ -0,0 +1,30 @@
+{
+    "description": "OVMF for qemu uefi-vars, SB disabled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.qemuvars.fd",
+        "uefi-vars": {
+            "template": "/usr/share/edk2/ovmf/vars.blank.json"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "secure-boot",
+        "host-uefi-vars",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

edk2.spec

@@ -25,7 +25,7 @@ ExclusiveArch: x86_64 aarch64 riscv64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@@ -45,6 +45,11 @@ Source11: 51-edk2-aarch64-raw.json
 Source12: 52-edk2-aarch64-verbose-qcow2.json
 Source13: 53-edk2-aarch64-verbose-raw.json
 
+Source20: 90-edk2-ovmf-qemuvars-x64-sb-enrolled.json
+Source21: 91-edk2-ovmf-qemuvars-x64-sb.json
+Source22: 90-edk2-aarch64-qemuvars-sb-enrolled.json
+Source23: 91-edk2-aarch64-qemuvars-sb.json
+
 Source40: 30-edk2-ovmf-x64-sb-enrolled.json
 Source41: 40-edk2-ovmf-x64-sb.json
 Source43: 50-edk2-ovmf-x64-nosb.json
@@ -113,6 +118,9 @@ BuildRequires:  binutils gcc git gcc-c++ make
 BuildRequires:  perl perl(JSON)
 BuildRequires:  qemu-img
 
+# secure boot enrollment
+BuildRequires:  python3dist(virt-firmware) >= 25.4
+
 %if %{build_ovmf}
 # Only OVMF includes 80x86 assembly files (*.nasm*).
 BuildRequires:  nasm
@@ -123,9 +131,6 @@ BuildRequires:  dosfstools
 BuildRequires:  mtools
 BuildRequires:  xorriso
 
-# secure boot enrollment
-BuildRequires:  python3dist(virt-firmware) >= 25.4
-
 # endif build_ovmf
 %endif
 
@@ -220,6 +225,7 @@ git config am.keepcr true
 
 cp -a -- %{SOURCE1} .
 cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} .
+cp -a -- %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} .
 cp -a -- %{SOURCE40} %{SOURCE41} %{SOURCE43} %{SOURCE44} %{SOURCE45} .
 cp -a -- %{SOURCE50} .
 cp -a -- %{SOURCE80} %{SOURCE82} .
@@ -292,6 +298,10 @@ virt-fw-vars --input   RHEL-10/ovmf/OVMF.inteltdx.fd \
              --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
              --enroll-redhat --secure-boot \
              --set-fallback-no-reboot
+virt-fw-vars --output-json RHEL-10/ovmf/vars.blank.json
+virt-fw-vars --output-json RHEL-10/ovmf/vars.secboot.json \
+             --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \
+             --enroll-redhat --secure-boot
 %endif
 
 %if %{build_aarch64}
@@ -301,6 +311,10 @@ for raw in */aarch64/*.raw; do
     qcow2="${raw%.raw}.qcow2"
     qemu-img convert -f raw -O qcow2 -o cluster_size=4096 -S 4096 "$raw" "$qcow2"
 done
+virt-fw-vars --output-json RHEL-10/aarch64/vars.blank.json
+virt-fw-vars --output-json RHEL-10/aarch64/vars.secboot.json \
+             --set-dbx DBXUpdate-%{DBXDATE}.aa64.bin \
+             --enroll-redhat --secure-boot
 %endif
 
 %if %{build_riscv64}
@@ -347,7 +361,9 @@ ln -s OVMF_CODE.fd %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
 
 install -m 0644 \
         30-edk2-ovmf-x64-sb-enrolled.json \
+        90-edk2-ovmf-qemuvars-x64-sb-enrolled.json \
         40-edk2-ovmf-x64-sb.json \
+        91-edk2-ovmf-qemuvars-x64-sb.json \
         50-edk2-ovmf-x64-nosb.json \
         60-edk2-ovmf-x64-amdsev.json \
         60-edk2-ovmf-x64-inteltdx.json \
@@ -371,6 +387,8 @@ install -m 0644 \
         51-edk2-aarch64-raw.json \
         52-edk2-aarch64-verbose-qcow2.json \
         53-edk2-aarch64-verbose-raw.json \
+        90-edk2-aarch64-qemuvars-sb-enrolled.json \
+        91-edk2-aarch64-qemuvars-sb.json \
         %{buildroot}%{_datadir}/qemu/firmware
 
 # endif build_aarch64
@@ -414,8 +432,11 @@ install -m 0644 \
 %{_datadir}/OVMF/UefiShell.iso
 %{_datadir}/%{name}/ovmf/Shell.efi
 %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
+%{_datadir}/%{name}/ovmf/vars.*.json
 %{_datadir}/qemu/firmware/30-edk2-ovmf-x64-sb-enrolled.json
+%{_datadir}/qemu/firmware/90-edk2-ovmf-qemuvars-x64-sb-enrolled.json
 %{_datadir}/qemu/firmware/40-edk2-ovmf-x64-sb.json
+%{_datadir}/qemu/firmware/91-edk2-ovmf-qemuvars-x64-sb.json
 %{_datadir}/qemu/firmware/50-edk2-ovmf-x64-nosb.json
 %{_datadir}/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
 %{_datadir}/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json
@@ -439,10 +460,13 @@ install -m 0644 \
 %{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
 %{_datadir}/%{name}/aarch64/QEMU_EFI.qemuvars.fd
 %{_datadir}/%{name}/aarch64/QEMU_VARS.fd
+%{_datadir}/%{name}/aarch64/vars.*.json
 %{_datadir}/qemu/firmware/50-edk2-aarch64-qcow2.json
 %{_datadir}/qemu/firmware/51-edk2-aarch64-raw.json
 %{_datadir}/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json
 %{_datadir}/qemu/firmware/53-edk2-aarch64-verbose-raw.json
+%{_datadir}/qemu/firmware/90-edk2-aarch64-qemuvars-sb-enrolled.json
+%{_datadir}/qemu/firmware/91-edk2-aarch64-qemuvars-sb.json
 # endif build_aarch64
 %endif
 
@@ -479,6 +503,11 @@ install -m 0644 \
 
 
 %changelog
+* Mon Mar 09 2026 Miroslav Rezanina <mrezanin@redhat.com> - 20251114-5
+- edk2-add-uefi-vars-firmware-json-files.patch [RHEL-150696]
+- Resolves: RHEL-150696
+  (edk2: Add JSON descriptors for uefi-vars builds)
+
 * Thu Feb 12 2026 Miroslav Rezanina <mrezanin@redhat.com> - 20251114-4
 - edk2-OvmfPkg-X86QemuLoadImageLib-flip-default-for-EnableL.patch [RHEL-134956]
 - edk2-update-openssl-rhel-submodule.patch [RHEL-147785]