The AAVMF_CODE*.fd files provide UEFI firmware for a QEMU guest that is intended to be read-only. The AAVMF_VARS*.fd files provide UEFI variable template images which are intended to be read-write, and therefore each guest should be given its own copy. Here's an overview of each of them: AAVMF_CODE.no-secboot.fd Use this for booting guests in non-Secure Boot mode. This image contains a built-in UEFI shell which makes it insecure for use in Secureoot mode. Use the AAVMF_VARS.fd template with this. AAVMF_CODE.fd This is a compatibility symlink to facilitate smooth upgrades from before the secboot/no-secboot split. Users should migrate away from this and expect it to be removed in a future release. AAVMF_CODE.ms.fd This is a symlink to AAVMF_CODE.secboot.fd. It is useful in the context of libvirt because the included JSON firmware descriptors will tell libvirt to pair AAVMF_VARS.ms.fd with it, which has Secure Boot pre-enabled. AAVMF_CODE.secboot.fd This image is recommended for guests in Secure Boot mode. It does not contain a built-in UEFI shell because it could be used to bypass Secure Boot. Be aware that the included JSON firmware descriptors associate this with OVMF_CODE_4M.fd. Which means, if you specify this image in libvirt, you'll get a guest that is Secure Boot-*capable*, but has Secure Boot disabled. To enable it, you'll need to manually import PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu. If you want Secure Boot active from the start, consider using OVMF_CODE.ms.fd instead. AAVMF_VARS.fd This is an empty variable store template, which means it has no built-in Secure Boot keys and Secure Boot is disabled. You can use it with any AAVMF_CODE image, but keep in mind that if you want to boot in Secure Boot mode, you will have to enable it manually. AAVMF_VARS.ms.fd This template has distribution-specific PK and KEK1 keys, and the default Microsoft keys in KEK/DB. It also has Secure Boot already activated. Using this with AAVMF_CODE.ms.fd will boot a guest directly in Secure Boot mode. AAVMF_CODE.snakeoil.fd AAVMF_VARS.snakeoil.fd This image is **for testing purposes only**. It includes an insecure "snakeoil" key in PK, KEK & DB. The private key and cert are also shipped in this package as well, so that testers can easily sign binaries that will be considered valid. PkKek-1-snakeoil.key PkKek-1-snakeoil.pem The private key and certificate for the snakeoil key. Use these to sign binaries that can be verified by the key in the AAVMF_VARS.snakeoil.fd template. The password for the key is 'snakeoil'. -- dann frazier , Sun, 9 Mar 2025 14:05:51 -0600