From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <leif.lindholm@linaro.org>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=2a00:1450:4864:20::441; helo=mail-wr1-x441.google.com;
 envelope-from=leif.lindholm@linaro.org; receiver=edk2-devel@lists.01.org 
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com
 [IPv6:2a00:1450:4864:20::441])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id A727C21B02822
 for <edk2-devel@lists.01.org>; Tue, 20 Nov 2018 04:13:14 -0800 (PST)
Received: by mail-wr1-x441.google.com with SMTP id l9so1700620wrt.13
 for <edk2-devel@lists.01.org>; Tue, 20 Nov 2018 04:13:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-disposition:in-reply-to:user-agent;
 bh=uc0+Ah4XB6S7Zq/3rRlrx1od+06pLf8sOQnN3Ctlk1U=;
 b=GZr5Ib6+StyDy16OFs/v/XCmCciD5LpeYSB05EaZ2HXmjWTIDR+Y03hD0iCW63mqGL
 WBCrEzCtMQASF6PkZd9qWaqjGEpB63R1+HyoC58RSfl7VH3fAYCV5Ev1/fETP+znYYg8
 2N5IGPxOWEhBNf3R4CdBwOWwBxKVLBX7afcYA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:in-reply-to:user-agent;
 bh=uc0+Ah4XB6S7Zq/3rRlrx1od+06pLf8sOQnN3Ctlk1U=;
 b=qPBnFlsQzqFuYi7rZs70j0NVtrTs6gzkWApAi8ODautB9WORIIdOkDYf1+Ob7/staU
 G2kaVX9ZzvmSOK/q91mVQBAFh2zs7k4eI+5Ztqctjes3g5LqwaxnShBWSO59202wAL4A
 17HwtVFW13P3RlJD0M+sRJQPdmnFCxxfajyV1OqQ6jZSdnfvtI5iJh8xxGQ8oN5ZUVzR
 ZU2LQSVP8HXpvM36Nd9ue0R+s3CUESKm1ZC4ofFj9NVxhbo0GweoOcDOj+WKxYCA8hND
 P0Q2jGeGb8lq0qGQyMP+jW92+FrKdWxAatNpFvhcN/OMjPaoe1i2xRdBGkxQBqbEe5KV
 kmbw==
X-Gm-Message-State: AA+aEWY13cA8SkZxXB7hiZrUG5VO7qmlnxT3z9LGdas32dfLCUs+30YQ
 t0z61Bcc4UPsQPa2X6wqA1Rttg==
X-Google-Smtp-Source: AFSGD/WTX38T1aFM8AAriMhXOixivC52BcJtvoSiWizVlcwzCSR9JljAFwuw+qG/JRbPmb3imnt+eg==
X-Received: by 2002:adf:fb8b:: with SMTP id a11mr1374375wrr.318.1542715992812; 
 Tue, 20 Nov 2018 04:13:12 -0800 (PST)
Received: from bivouac.eciton.net (bivouac.eciton.net.
 [2a00:1098:0:86:1000:23:0:2])
 by smtp.gmail.com with ESMTPSA id h67-v6sm48105206wma.10.2018.11.20.04.13.11
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 20 Nov 2018 04:13:11 -0800 (PST)
Date: Tue, 20 Nov 2018 12:13:09 +0000
From: Leif Lindholm <leif.lindholm@linaro.org>
To: Ming Huang <ming.huang@linaro.org>
Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org,
 graeme.gregory@linaro.org, ard.biesheuvel@linaro.org,
 michael.d.kinney@intel.com, lersek@redhat.com,
 wanghuiqiang@huawei.com, huangming23@huawei.com,
 zhangjinsong2@huawei.com, huangdaode@hisilicon.com,
 john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com
Message-ID: <20181120121309.mwsoxljgjwy4yv7i@bivouac.eciton.net>
References: <20181120090150.1102-1-ming.huang@linaro.org>
 <20181120090150.1102-2-ming.huang@linaro.org>
MIME-Version: 1.0
In-Reply-To: <20181120090150.1102-2-ming.huang@linaro.org>
User-Agent: NeoMutt/20170113 (1.7.2)
Subject: Re: [PATCH edk2-platforms v3 1/5] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 12:13:15 -0000
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Nov 20, 2018 at 05:01:46PM +0800, Ming Huang wrote:
> Now that the generic Variable Runtime DXE code no longer
> distinguishes between gEfiVariableGuid and
> gEfiAuthenticatedVariableGuid in the varstore FV header.
> We can relax the check in the flashFvb driver to accept
> either GUID regardless of whether we are running a secure
> boot capable build or not.

We are still in a situation where D06 is not buildable with Secure
Boot enabled though.

If you build with -D SECURE_BOOT_ENABLE=TRUE, you still end up with
/work/git/edk2-platforms/Platform/Hisilicon/D06/D06.dsc(...): error
4000: Instance of library class [PlatformSecureLib] is not found
      in [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf] [AARCH64]
      consumed by module [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf]

And all Hisilicon platforms still use
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
regardless of Secure Boot setting.

So what problem does this patch solve? A runtime one?

/
    Leif

> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ming Huang <ming.huang@linaro.org>
> ---
>  Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf | 1 +
>  Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c   | 5 +++--
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf
> index f8be4741ef7c..a0226e0d87c0 100644
> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf
> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf
> @@ -44,6 +44,7 @@ [LibraryClasses]
>    UefiRuntimeLib
>  
>  [Guids]
> +  gEfiAuthenticatedVariableGuid
>    gEfiSystemNvDataFvGuid
>    gEfiVariableGuid
>  
> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c
> index e18cc9e06ec2..12baed41cd4e 100644
> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c
> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c
> @@ -189,7 +189,7 @@ InitializeFvAndVariableStoreHeaders (
>      // VARIABLE_STORE_HEADER
>      //
>      VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)Headers + (UINTN)FirmwareVolumeHeader->HeaderLength);
> -    CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid);
> +    CopyGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid);
>      VariableStoreHeader->Size = PcdGet32(PcdFlashNvStorageVariableSize) - FirmwareVolumeHeader->HeaderLength;
>      VariableStoreHeader->Format            = VARIABLE_STORE_FORMATTED;
>      VariableStoreHeader->State             = VARIABLE_STORE_HEALTHY;
> @@ -258,7 +258,8 @@ ValidateFvHeader (
>      VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + (UINTN)FwVolHeader->HeaderLength);
>  
>      // Check the Variable Store Guid
> -    if ( CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) == FALSE )
> +    if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) &&
> +        !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid))
>      {
>          DEBUG ((EFI_D_ERROR, "ValidateFvHeader: Variable Store Guid non-compatible\n"));
>          return EFI_NOT_FOUND;
> -- 
> 2.9.5
>