nrickert:
I would recommend using “ovmf-x86_64-smm-ms-code.bin”.
I have used several others.
The ones with “opensuse” as part of the name are using the opensuse signing certificate for secure-boot. The ones with “suse” as part of the name are using the suse signing certificate. The ones with “ms” as part of the name are using the Microsoft signing certificate.
The use of the Microsoft signing certificate more closely matches what is found on most hardware, so is a better choice (in my opinion).
The ones without any of those strings do not have a signing certificate. So, as provided, they don’t support secure-boot. I think they support you installing a certificate of your own, but I have not experimented with that.
Some of the firmware depend on particular instruction sets. I’m not sure of the details. You can explicitly select firmware if you use “virt-install” at the command line. But you might get error messages about mismatch between firmware and instruction set.
The “.code” and “.var” are companions. The “.var” is the initial NVRAM setup for using the corresponding “.code”. When using “virt-install”, I have specified both.
Possibly a dumb question, but what’s the difference between “ovmf-x86_64-smm-code.bin” and “ovmf-x86_64-4m-code.bin”? And which should I use when I want UEFI boot but not Secure Boot?
Thanks