P4X-ng · P4X-ng · Apr 8, 2026 · gemini-code-assist · Apr 8, 2026 · gemini-code-assist
diff --git a/docs/AGENTS.md b/docs/AGENTS.md
@@ -29,3 +29,6 @@ The following system packages are required: `qemu-system-x86`, `ovmf`, `mtools`,
 - `pf` (the task runner) is NOT a pip package. It is cloned from `https://github.com/P4X-ng/pf-runner` and the `pf-cli-base/pf_parser.py` file is installed as `~/.local/bin/pf` with shebang `#!/usr/bin/env python3`. It requires `fabric` and `lark` pip packages.
 - `$HOME/.local/bin` must be on `PATH` for pip-installed scripts and the `pf` runner to work.
 - The cloud VM does not have `/dev/kvm`, so QEMU tests must omit `-enable-kvm` and `-cpu host`.
+- The cloud VM kernel does not support `vfat` mounts, so `pf build-package-esp` and `pf test-qemu` fail out-of-the-box. Build the ESP image manually using `mtools` (`mmd`, `mcopy`) instead of `mount`. See the build steps used during initial setup for the exact recipe.
- The cloud VM kernel does not support `vfat` mounts, so `pf build-package-esp` and `pf test-qemu` fail out-of-the-box. Build the ESP image manually using `mtools` (`mmd`, `mcopy`) instead of `mount`. See the build steps used during initial setup for the exact recipe.
+- The cloud VM kernel does not support vfat mounts, so pf build-package-esp and pf test-qemu fail out-of-the-box. In these environments, the ESP image must be created and populated using mtools (e.g., mformat, mmd, mcopy) instead of the mount command.
- The cloud VM kernel does not support `vfat` mounts, so `pf build-package-esp` and `pf test-qemu` fail out-of-the-box. Build the ESP image manually using `mtools` (`mmd`, `mcopy`) instead of `mount`. See the build steps used during initial setup for the exact recipe.
+- The cloud VM kernel does not support vfat mounts, so pf build-package-esp and pf test-qemu fail out-of-the-box. In these environments, the ESP image must be created and populated using mtools (e.g., mformat, mmd, mcopy) instead of the mount command.
+- `uuid-runtime` (provides `uuidgen`) must be installed for `pf secure-make-auth` to work. Add it alongside the other system packages listed above.
- `uuid-runtime` (provides `uuidgen`) must be installed for `pf secure-make-auth` to work. Add it alongside the other system packages listed above.
+- uuid-runtime (provides uuidgen) is required for pf secure-make-auth to generate unique identifiers for SecureBoot variables.
- `uuid-runtime` (provides `uuidgen`) must be installed for `pf secure-make-auth` to work. Add it alongside the other system packages listed above.
+- uuid-runtime (provides uuidgen) is required for pf secure-make-auth to generate unique identifiers for SecureBoot variables.
+- The QEMU boot test passes when the `PhoenixGuard` string appears in `out/qemu/serial.log`. Attestation failures (`PG-ATTEST=FAIL`) are expected without SecureBoot enrollment.
- The QEMU boot test passes when the `PhoenixGuard` string appears in `out/qemu/serial.log`. Attestation failures (`PG-ATTEST=FAIL`) are expected without SecureBoot enrollment.
+- Attestation failures (PG-ATTEST=FAIL) in out/qemu/serial.log are expected when running QEMU tests without prior SecureBoot enrollment.
- The QEMU boot test passes when the `PhoenixGuard` string appears in `out/qemu/serial.log`. Attestation failures (`PG-ATTEST=FAIL`) are expected without SecureBoot enrollment.
+- Attestation failures (PG-ATTEST=FAIL) in out/qemu/serial.log are expected when running QEMU tests without prior SecureBoot enrollment.