From: Bill Paul (Wind River Systems)
Date: Thu, 6 Jul 2017 11:30:26 -0700
CC: Jason Dickens
List: edk2-devel@lists.01.org
Message-ID: <201707061130.26384.wpaul@windriver.com>
In-Reply-To: <6703d38b-e99b-c11e-0126-ad24239dacee@grammatech.com>
Subject: Re: OVMF Secure Boot variable storage issue

Of all the gin joints in all the towns in all the world, Jason Dickens had
to walk into mine at 10:31:18 on Thursday 06 July 2017 and say:

> All,
>
> I'm trying to understand why the secure boot variables (PK, KEK, db,
> etc) when using the OVMF build are not retained across reboot? It seems
> that this code uses roughly the same SetVariable, GetVariable2 approach
> as say the PlatformConfig uses to store screen resolution (which is
> retained). Additionally, the NvVars file is being at least touched by
> the secure boot configuration. So why are none of the keys retained on
> the next reboot?

If you're running OVMF in the QEMU simulator, and you're using the -bios
option, try using the -pflash option instead. I know that when using -bios,
QEMU only pretends to allow writes to the firmware region, and if you stop
QEMU all changes are discarded. The same might be true if you just trigger
a hard reboot in the simulator too.

If you use -pflash instead, your changes will be saved. Note that this means
your OVMF image will be modified, so keep a copy of the original elsewhere
so that you can start over fresh again if you need to. (Unfortunately I
don't think OVMF has a "load factory defaults" option in its internal menus.)

-Bill

> I know this was an issue in the past, but I haven't found the resolution?
>
> Jason

-- 
=============================================================================
-Bill Paul            (510) 749-2329 | Senior Member of Technical Staff,
                 wpaul@windriver.com | Master of Unix-Fu - Wind River Systems
=============================================================================
   "I put a dollar in a change machine. Nothing changed." - George Carlin
=============================================================================
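An added example, not part of Bill's reply or of the OVMF project, that puts the -pflash workflow he describes into a few shell helpers: the pristine OVMF.fd stays untouched, QEMU runs against a writable copy that receives the Secure Boot variable writes, and a comparison against the original shows whether anything was actually persisted. The OVMF.fd path and the QEMU machine options are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Run OVMF under QEMU with the
# firmware mapped as writable pflash so that Secure Boot variables (PK, KEK,
# db, ...) written via SetVariable() survive a reboot. Assumes an OVMF.fd
# built from edk2; all paths below are placeholders supplied by the caller.
set -e

# Make a per-VM working copy of the firmware image. QEMU writes variable
# updates back into this file, so the pristine build is never modified.
prepare_ovmf_copy() {
    orig="$1"   # pristine OVMF.fd from the build
    work="$2"   # writable copy used by this VM
    if [ ! -f "$work" ]; then
        cp "$orig" "$work"
    fi
    printf '%s\n' "$work"
}

# Re-copy the pristine image over the working copy: the manual equivalent of
# a "load factory defaults" menu entry (this wipes enrolled PK/KEK/db).
reset_ovmf_copy() {
    cp -f "$1" "$2"
}

# QEMU command line. -pflash maps the image as a flash device whose writes
# are persisted to the file; with -bios, writes to the firmware region are
# dropped when QEMU exits (machine type and memory size are assumptions).
ovmf_qemu_args() {
    printf 'qemu-system-x86_64 -machine q35 -m 1024 -pflash %s\n' "$1"
}

# Exit 0 if the working copy differs from the pristine image, i.e. the
# variable store has been written to at least once; exit 1 otherwise.
vars_modified() {
    if cmp -s "$1" "$2"; then
        return 1
    fi
    return 0
}
```

After enrolling keys in the firmware menu and shutting the VM down, `vars_modified` exiting 0 confirms the store was persisted to the copy; `reset_ovmf_copy` returns it to the unenrolled state.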