Apologies for my delay in responding.

On Fri, Apr 25, 2025 at 11:27:28PM +0000, Mathias Gibbens wrote:
> Thanks for pointing that out; since the NEWS entry is specific to
> arm64 it hadn't popped up as something important to me when that update
> came through on my various amd64 systems.

I linked to that file because this bug is about arm64, but the equivalent
content also exists for ovmf/x86:
https://salsa.debian.org/qemu-team/edk2/-/blob/08d4411d458eefc4df5d48acce4f995d4ae6087d/debian/ovmf.NEWS#L1

> Would it be possible to roll this back for the trixie release, then
> re-enable it early in forky development? The set of affected VM images
> is unknown, and since they're older most likely it wouldn't be feasible
> to backport whatever changes are needed to fix their bootloaders. The
> alternative is trying to update all the software launching VMs to
> automagically detect and then modify the qemu arguments. That seems
> like a fragile approach and unlikely to complete before the hard freeze
> starts.

I don't love that this would leave Debian as a less-secure host operating
system by default for a full release cycle. And I don't love that we've
already delayed this a full release cycle for arm64:
https://salsa.debian.org/qemu-team/edk2/-/commit/a0be41b75c989351b55211c7521ef1309e4e51fe

But I do understand that switching the default this late in the release
doesn't provide reasonable time for vm managers to adjust, so I agree that
waiting to switch the default until forky opens for devel is the practical
thing to do.

I do want to make it easy and upgrade-safe for trixie users to opt in to
NX-safe bootloaders though. So, unless someone has better ideas, I'll
prepare an upload that:

- uninstalls the MemAttrProtocol for all existing images
- adds new "strict" variants that retain the MemAttrProtocol
- updates README.Debian and NEWS to recommend the strict variants for
  compatible operating systems (it'd be nice to have a wiki that documents
  known compatible/incompatible versions)

And, once trixie has shipped, I'll restore MemAttrProtocol for the secboot
images, with the strict image files becoming compat symlinks.

-dann