From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2607:f8b0:4864:20::544; helo=mail-pg1-x544.google.com; envelope-from=ming.huang@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-pg1-x544.google.com (mail-pg1-x544.google.com [IPv6:2607:f8b0:4864:20::544]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B36BD21B02822 for ; Tue, 20 Nov 2018 06:30:12 -0800 (PST) Received: by mail-pg1-x544.google.com with SMTP id w6so984493pgl.6 for ; Tue, 20 Nov 2018 06:30:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=wVA9UtlSJJ6SMIedqpM+8AUvBrTCf6RRNJ+nm1p8xXE=; b=ThHBntLwbc+zzVXDFOPZPu1h7zMcBLH3ZnTRPU1W0yArH3xgfT3oyBVGxGMYwYorGC tyTM8ZTEqI4SO7WcBbHfBPGY7hU8prj5xda2CqD1hA8plYo17qHQvlWCmhS7D4oIClKj 4/jJfEGi7sz4sPlydn98fgsgRtNd4VTO/tkeI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=wVA9UtlSJJ6SMIedqpM+8AUvBrTCf6RRNJ+nm1p8xXE=; b=hZlgyfIefJviEcU3Quv24zttPt4HWKPv4Jsogd4gey+dr1nnT3Cw+KTFg5COHPLUUR 9UeISW68KI004RnzzoPu3jh9vNu9nxhLNzz0LIlU9JYuD1l8FATx6K1X3tKxyXf6uXGF Alo37QZ8g74acyi4kga7XqWvZozyXEQ6T+DkEe0Bpkl5j5QZ92YI8m2vzqSMwjAKJj0f LSu6KHkd/Mr6rM7z/7tzTvd/i7+K1hc+/BajbWLMA3cPGeyPX4laK/WEiCmU0M0OU7F8 UqrNhGhrNWq13v/6WM8DCO9CXP/l5jYqjGHWt1n8p7LQtY9IYw8WyFwdbts8f3bqcgQh wYWw== X-Gm-Message-State: AGRZ1gL0uKdnK1Nd2PgMr3OAmPu3WnJoX+JQi7Phh3pv+vzLobFr4oiN YbT0tGhREpRoNJpzWAD9J2fp6Q== X-Google-Smtp-Source: AJdET5dbGEka6RV/TGfqI3zL/nd0epWRZfTP78o0GZVZ/LlNQ6sjRBa6ZSPZ6y1IsMbRXRznLWUaOQ== X-Received: by 2002:a62:d885:: with SMTP id e127mr2363266pfg.197.1542724211746; Tue, 20 Nov 2018 06:30:11 -0800 (PST) Received: from [10.139.0.118] ([64.64.108.162]) by smtp.gmail.com with ESMTPSA id a16-v6sm38446255pfh.107.2018.11.20.06.30.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Nov 2018 06:30:11 -0800 (PST) To: Leif Lindholm Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org, graeme.gregory@linaro.org, ard.biesheuvel@linaro.org, michael.d.kinney@intel.com, lersek@redhat.com, wanghuiqiang@huawei.com, huangming23@huawei.com, zhangjinsong2@huawei.com, huangdaode@hisilicon.com, john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com References: <20181120090150.1102-1-ming.huang@linaro.org> <20181120090150.1102-2-ming.huang@linaro.org> <20181120121309.mwsoxljgjwy4yv7i@bivouac.eciton.net> <20181120125805.jn6xfxbg47izxwo2@bivouac.eciton.net> From: Ming Huang Message-ID: <1e4db632-9c2c-79e0-2bbe-cdc7913aa0c5@linaro.org> Date: Tue, 20 Nov 2018 22:29:57 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0 MIME-Version: 1.0 In-Reply-To: <20181120125805.jn6xfxbg47izxwo2@bivouac.eciton.net> Subject: Re: [PATCH edk2-platforms v3 1/5] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2018 14:30:12 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 11/20/2018 8:58 PM, Leif Lindholm wrote: > On Tue, Nov 20, 2018 at 08:40:28PM +0800, Ming Huang wrote: >> >> >> On 11/20/2018 8:13 PM, Leif Lindholm wrote: >>> On Tue, Nov 20, 2018 at 05:01:46PM +0800, Ming Huang wrote: >>>> Now that the generic Variable Runtime DXE code no longer >>>> distinguishes between gEfiVariableGuid and >>>> gEfiAuthenticatedVariableGuid in the varstore FV header. >>>> We can relax the check in the flashFvb driver to accept >>>> either GUID regardless of whether we are running a secure >>>> boot capable build or not. >>> >>> We are still in a situation where D06 is not buildable with Secure >>> Boot enabled though. >>> >>> If you build with -D SECURE_BOOT_ENABLE=TRUE, you still end up with >>> /work/git/edk2-platforms/Platform/Hisilicon/D06/D06.dsc(...): error >>> 4000: Instance of library class [PlatformSecureLib] is not found >>> in [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf] [AARCH64] >>> consumed by module [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf] >>> >>> And all Hisilicon platforms still use >>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf >>> regardless of Secure Boot setting. >>> >>> So what problem does this patch solve? A runtime one? >> >> This patch solve bug in FlashFvbDxe. > > Yes, but what bug? What is the symptom? What _specific_ problem goes > away by adding this patch? That information should have been in the > original commit message. I have no information available to me as I > now build -rc1 to suggest that this patch should be included. The bug is that gEfiAuthenticatedVariableGuid should be used in FlashFvbDxe, not gEfiVariableGuid when enable secure boot. > >> Should I add a patch before this patch >> to solve build error with -D SECURE_BOOT_ENABLE=TRUE in v4? > > That would require a sane implementation of PlatformSecureLib, > implementing a real UserPhysicalPresent(). > Can you turn that around within the next few hours? My original idea is using OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib. There is not enough time to implement a real UserPhysicalPresent. This patch will add when we implement real secure boot in future. Thanks. > > Regards, > > Leif > >> Thanks. >> >>> >>> / >>> Leif >>> >>>> Contributed-under: TianoCore Contribution Agreement 1.1 >>>> Signed-off-by: Ming Huang >>>> --- >>>> Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf | 1 + >>>> Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c | 5 +++-- >>>> 2 files changed, 4 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf >>>> index f8be4741ef7c..a0226e0d87c0 100644 >>>> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf >>>> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf >>>> @@ -44,6 +44,7 @@ [LibraryClasses] >>>> UefiRuntimeLib >>>> >>>> [Guids] >>>> + gEfiAuthenticatedVariableGuid >>>> gEfiSystemNvDataFvGuid >>>> gEfiVariableGuid >>>> >>>> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c >>>> index e18cc9e06ec2..12baed41cd4e 100644 >>>> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c >>>> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c >>>> @@ -189,7 +189,7 @@ InitializeFvAndVariableStoreHeaders ( >>>> // VARIABLE_STORE_HEADER >>>> // >>>> VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)Headers + (UINTN)FirmwareVolumeHeader->HeaderLength); >>>> - CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid); >>>> + CopyGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid); >>>> VariableStoreHeader->Size = PcdGet32(PcdFlashNvStorageVariableSize) - FirmwareVolumeHeader->HeaderLength; >>>> VariableStoreHeader->Format = VARIABLE_STORE_FORMATTED; >>>> VariableStoreHeader->State = VARIABLE_STORE_HEALTHY; >>>> @@ -258,7 +258,8 @@ ValidateFvHeader ( >>>> VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + (UINTN)FwVolHeader->HeaderLength); >>>> >>>> // Check the Variable Store Guid >>>> - if ( CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) == FALSE ) >>>> + if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) && >>>> + !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) >>>> { >>>> DEBUG ((EFI_D_ERROR, "ValidateFvHeader: Variable Store Guid non-compatible\n")); >>>> return EFI_NOT_FOUND; >>>> -- >>>> 2.9.5 >>>>