RHEL-68035: support direct kernel boot with secure boot protection [rhel-10,qemu]

    • Type: Story
    • Resolution: Unresolved
    • rhel-10.1
    • qemu-kvm / General
    • rhel-sst-virtualization
    • ssg_virtualization

      Problem

      • The qemu loader for direct kernel boot (qemu -kernel $vmlinuz) has issues:
        • The code patches the setup section of the Linux kernel. This is needed for BIOS boot (to pass information from the boot loader to the kernel). For UEFI it is not needed, since the EFI stub handles the information transfer instead, and when Secure Boot is in use, patching the header invalidates the Secure Boot signature.
        • The code tries to patch the setup section even for EFI binaries which are not a Linux kernel, which can break those binaries.
      • Secure Boot verification of distro kernels requires the distro's shim.efi (which typically has the distro Secure Boot CA certificate compiled in for verification). There is no way to pass shim.efi to the guest.

      Goals

      • Provide two variants of the kernel via fw_cfg: the patched one (for BIOS) and the unpatched one (for UEFI).
      • Provide shim.efi via fw_cfg.
      • Patch only binaries identified as Linux kernels.
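As an added illustration of the third goal (patch only what is identified as a Linux kernel), and not code from QEMU or from this issue: a Python check that tells a Linux bzImage (setup header with the 0xAA55 boot flag and "HdrS" magic) apart from a plain EFI binary such as shim.efi (PE header only), and applies the rule that the setup header may be patched only for a Linux kernel booted via BIOS. The sample images are constructed and carry nothing but the signatures; `make_sample` and the kind names are hypothetical.

```python
import struct

# Offsets from the Linux x86 boot protocol (Documentation/arch/x86/boot.rst):
# the real-mode setup header starts at 0x1F1, the 0xAA55 boot flag sits at
# 0x1FE and the "HdrS" magic at 0x202. PE/COFF images start with "MZ" and
# store the offset of their "PE\0\0" signature at 0x3C.
BOOT_FLAG_OFFSET = 0x1FE
HDRS_OFFSET = 0x202
PE_OFFSET_FIELD = 0x3C

def is_pe_image(data: bytes) -> bool:
    """True if the blob carries a PE/COFF header (what UEFI firmware loads)."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, PE_OFFSET_FIELD)[0]
    return data[pe_off:pe_off + 4] == b"PE\0\0"

def is_linux_kernel(data: bytes) -> bool:
    """True only if the Linux setup-header signature is present."""
    if len(data) < HDRS_OFFSET + 4:
        return False
    boot_flag = struct.unpack_from("<H", data, BOOT_FLAG_OFFSET)[0]
    return boot_flag == 0xAA55 and data[HDRS_OFFSET:HDRS_OFFSET + 4] == b"HdrS"

def classify(data: bytes) -> str:
    """Label a -kernel payload: bzImage (with or without EFI stub), EFI binary, or unknown."""
    linux, pe = is_linux_kernel(data), is_pe_image(data)
    if linux:
        return "linux-kernel+efistub" if pe else "linux-kernel"
    return "efi-binary" if pe else "unknown"

def may_patch_setup_header(data: bytes, uefi_boot: bool) -> bool:
    """Patch only what is identified as a Linux kernel, and only for BIOS boot:
    under UEFI the EFI stub passes the boot parameters itself, and patching
    the header would invalidate the Secure Boot signature."""
    return is_linux_kernel(data) and not uefi_boot

def make_sample(kind: str) -> bytes:
    """Build a constructed (not real) 1 KiB image holding just the signatures."""
    img = bytearray(1024)
    if kind in ("efi-stub-kernel", "efi-binary"):
        img[0:2] = b"MZ"
        struct.pack_into("<I", img, PE_OFFSET_FIELD, 0x80)
        img[0x80:0x84] = b"PE\0\0"
    if kind in ("efi-stub-kernel", "bios-only-kernel"):
        struct.pack_into("<H", img, BOOT_FLAG_OFFSET, 0xAA55)
        img[HDRS_OFFSET:HDRS_OFFSET + 4] = b"HdrS"
    return bytes(img)
```

A real shim.efi classifies as "efi-binary" and is never patched, while a distro bzImage classifies as "linux-kernel+efistub" and is patched only when `uefi_boot` is false.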

      People: Gerd Hoffmann (rhn-engineering-ghoffman), virt-maint, Zixi Chen