From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2607:f8b0:4864:20::641; helo=mail-pl1-x641.google.com; envelope-from=ming.huang@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-pl1-x641.google.com (mail-pl1-x641.google.com [IPv6:2607:f8b0:4864:20::641]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 9455521B02822 for ; Tue, 20 Nov 2018 07:01:02 -0800 (PST) Received: by mail-pl1-x641.google.com with SMTP id f12-v6so1134009plo.1 for ; Tue, 20 Nov 2018 07:01:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=cyfwVBmRwnmtV/Y0pP6AN9aQ4CzGa7CN11F+sRjAPBM=; b=EG2usVQmScOc2f8SWToG0m6Euuf6woXa2XKXmZW1/I27JF8sRZXs7p4gDxnCqONIaS J2FnIr7FwUdDTWzkDZ8EGWrQY+wHueSFFTdq9pj9Au9hWDni3ZIS9TnYRwtQkwT+zgRN VWKQk1uVbD7tcNzqWf8pgFuy7P0cEImWs0gEk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=cyfwVBmRwnmtV/Y0pP6AN9aQ4CzGa7CN11F+sRjAPBM=; b=VvvFrzH1bDIbX10B54skBPO43rGvwaqravln9ENPb4/wj6hnSYrPcUCRiGDln+nuTh Um9MD7sdc9Fb1ERQJVKKaeNU2d4HetaSw5nYggXPDsIWnI3x0MT623qlaEHSr99NW9ZS SRug7oSrws499x8cEuYX5ijAY91qOK8YkCJO3kgPvFuHYqSBKN096g154+HHd85Xu36f /FXIKYZL/gLHUZsx/XG0Tqvu2kpXz7Q3KFd+UwCkm4o+sAn0lMukzeEi8pRJ8CibNftI bC8xQn5+0AvgYEzDJpRbtlP2Oq4fSwnOzCPYLVxIiHQOdcDomHfqxgYHs3okcUBHJuWt GmgA== X-Gm-Message-State: AA+aEWaVRjWcEKJOA0yn8V9gi0XC5+5VFgXviMlhtaTvGg5qg7VXBHA1 cu47Pivgj4cadVyylD0vsKpv9w== X-Google-Smtp-Source: AFSGD/WUy7Xip2vVmDN3Lha60vemBtCXUptZucuEoCxlrerlt6FMNNp7xljlxjf8pQMNQ14eYDWkvg== X-Received: by 2002:a17:902:45:: with SMTP id 63mr2467674pla.272.1542726061946; Tue, 20 Nov 2018 07:01:01 -0800 (PST) Received: from [10.139.0.118] ([64.64.108.162]) by smtp.gmail.com with ESMTPSA id v9sm16557937pfe.49.2018.11.20.07.00.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Nov 2018 07:01:01 -0800 (PST) To: Leif Lindholm Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org, graeme.gregory@linaro.org, ard.biesheuvel@linaro.org, michael.d.kinney@intel.com, lersek@redhat.com, wanghuiqiang@huawei.com, huangming23@huawei.com, zhangjinsong2@huawei.com, huangdaode@hisilicon.com, john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com References: <20181120090150.1102-1-ming.huang@linaro.org> <20181120090150.1102-2-ming.huang@linaro.org> <20181120121309.mwsoxljgjwy4yv7i@bivouac.eciton.net> <20181120125805.jn6xfxbg47izxwo2@bivouac.eciton.net> <1e4db632-9c2c-79e0-2bbe-cdc7913aa0c5@linaro.org> <20181120143912.p7jeqwjgtqsgmf75@bivouac.eciton.net> From: Ming Huang Message-ID: <067f13ef-f03e-327e-685f-f4d5516fb6a4@linaro.org> Date: Tue, 20 Nov 2018 23:00:49 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0 MIME-Version: 1.0 In-Reply-To: <20181120143912.p7jeqwjgtqsgmf75@bivouac.eciton.net> Subject: Re: [PATCH edk2-platforms v3 1/5] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2018 15:01:02 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit On 11/20/2018 10:39 PM, Leif Lindholm wrote: > On Tue, Nov 20, 2018 at 10:29:57PM +0800, Ming Huang wrote: >>>>> And all Hisilicon platforms still use >>>>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf >>>>> regardless of Secure Boot setting. >>>>> >>>>> So what problem does this patch solve? A runtime one? >>>> >>>> This patch solve bug in FlashFvbDxe. >>> >>> Yes, but what bug? What is the symptom? What _specific_ problem goes >>> away by adding this patch? That information should have been in the >>> original commit message. I have no information available to me as I >>> now build -rc1 to suggest that this patch should be included. >> >> The bug is that gEfiAuthenticatedVariableGuid should be used in FlashFvbDxe, >> not gEfiVariableGuid when enable secure boot. > > OK, I will ask a third time: what _problem_ does this solve? > What is the symptom? > When someone uses the buggy firmware, what does not work for them? > This information _always_ needs to be in the commit message. This patch is using with series v1 patch 'Hisilicon/D06: Fix SBBR-SCT AuthVar issue' to fix the SCT issue: RT.SetVariable - Set Invalid Time Base Auth Variable – FAILURE; RT.SetVariable - Create one Time Base Auth Variable, the expect return status should be EFI_SUCCESS – FAILURE. > >>>> Should I add a patch before this patch >>>> to solve build error with -D SECURE_BOOT_ENABLE=TRUE in v4? >>> >>> That would require a sane implementation of PlatformSecureLib, >>> implementing a real UserPhysicalPresent(). >>> Can you turn that around within the next few hours? >> >> My original idea is using OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib. >> There is not enough time to implement a real UserPhysicalPresent. > > If there is not enough time to implement a real PlatformSecureLib, > there is no need to have Secure Boot at all. Same thing goes for > secure variable store (to hardware devices that are not accessible > from Non-secure world). > >> This patch will add when we implement real secure boot in future. > > That sounds like the best thing to do. > > Meanwhile, could you create a patch to get rid of the SECURE_BOOT > options completely from the .dsc/.fdf please? I don't like having it > in there when we know it doesn't build. > > / > Leif >