From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2a00:1450:4864:20::341; helo=mail-wm1-x341.google.com; envelope-from=leif.lindholm@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-wm1-x341.google.com (mail-wm1-x341.google.com [IPv6:2a00:1450:4864:20::341]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 6CBA12116821B for ; Tue, 20 Nov 2018 04:58:09 -0800 (PST) Received: by mail-wm1-x341.google.com with SMTP id k198so2138788wmd.3 for ; Tue, 20 Nov 2018 04:58:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=yOgWDebz6sytPZvkEYA0drGh31zQQZX+6SyGTxT68V4=; b=AlSM+RCX8ThYClYkosIRAuPdjXqN8Cdmgyp9gEqN20ZxnyVUq0N5EoQRRTcBJcSfuk IzznoNkPmcalVtvgK6H4TYITwish0KLAlPoIOueAISS3fvc2eO+cGmxNUHFhzc83hXFi kKU78Z6ScVPNtFyC1ISTtptWpJuCs01qX66VM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=yOgWDebz6sytPZvkEYA0drGh31zQQZX+6SyGTxT68V4=; b=o4Qx0K0q58a9eu/pwYC6wXDVrkgFIMYOmvLWty2rDYljUceGoneY3I6SOnbd4gzvi8 kAlSYOE1JFa4ermOZ+zJB1TSxb4Q1YtADqJ4ekb4pSpFA53i37+Bz3jvxscvl54da5JW 0krdv9nN6mzTI4GkQWEFpCArrm6f1kg8mUKo+fpmWcaAC9BY1wcFoKzNQZMPhRDb7SNz 0xRjTIXG/PduW0BGXuLlsrAuV8ILO76tutnWTMHFXtGhb//ss5k9rhL/A2nL4Asbqirx TgPC/ZuPVSCkxkpzyQgl0AkfB/AkABUPbQ3gSnBf3TUgllw2Yb2BWw4qxIa2QehWocsP BXDQ== X-Gm-Message-State: AA+aEWZYNNRrc0wIrbH3ZGlQwOwriv5mVMQjYij/6eYvjH/wBK5VsNSF DvCO9rsHO89tZMzjp3dNCzNpVg== X-Google-Smtp-Source: AFSGD/UnYIkJIIaOCbrU4EVPRxx2AJzKlzYR8Bz83oZH8cazbsChE4jsKXFdQtUwSvw8DOgk2ts7/A== X-Received: by 2002:a1c:83cb:: with SMTP id f194-v6mr2118487wmd.26.1542718687641; Tue, 20 Nov 2018 04:58:07 -0800 (PST) Received: from bivouac.eciton.net (bivouac.eciton.net. [2a00:1098:0:86:1000:23:0:2]) by smtp.gmail.com with ESMTPSA id w9sm16279353wme.47.2018.11.20.04.58.06 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 20 Nov 2018 04:58:06 -0800 (PST) Date: Tue, 20 Nov 2018 12:58:05 +0000 From: Leif Lindholm To: Ming Huang Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org, graeme.gregory@linaro.org, ard.biesheuvel@linaro.org, michael.d.kinney@intel.com, lersek@redhat.com, wanghuiqiang@huawei.com, huangming23@huawei.com, zhangjinsong2@huawei.com, huangdaode@hisilicon.com, john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com Message-ID: <20181120125805.jn6xfxbg47izxwo2@bivouac.eciton.net> References: <20181120090150.1102-1-ming.huang@linaro.org> <20181120090150.1102-2-ming.huang@linaro.org> <20181120121309.mwsoxljgjwy4yv7i@bivouac.eciton.net> MIME-Version: 1.0 In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Subject: Re: [PATCH edk2-platforms v3 1/5] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2018 12:58:09 -0000 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Nov 20, 2018 at 08:40:28PM +0800, Ming Huang wrote: > > > On 11/20/2018 8:13 PM, Leif Lindholm wrote: > > On Tue, Nov 20, 2018 at 05:01:46PM +0800, Ming Huang wrote: > >> Now that the generic Variable Runtime DXE code no longer > >> distinguishes between gEfiVariableGuid and > >> gEfiAuthenticatedVariableGuid in the varstore FV header. > >> We can relax the check in the flashFvb driver to accept > >> either GUID regardless of whether we are running a secure > >> boot capable build or not. > > > > We are still in a situation where D06 is not buildable with Secure > > Boot enabled though. > > > > If you build with -D SECURE_BOOT_ENABLE=TRUE, you still end up with > > /work/git/edk2-platforms/Platform/Hisilicon/D06/D06.dsc(...): error > > 4000: Instance of library class [PlatformSecureLib] is not found > > in [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf] [AARCH64] > > consumed by module [/work/git/edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf] > > > > And all Hisilicon platforms still use > > AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf > > regardless of Secure Boot setting. > > > > So what problem does this patch solve? A runtime one? > > This patch solve bug in FlashFvbDxe. Yes, but what bug? What is the symptom? What _specific_ problem goes away by adding this patch? That information should have been in the original commit message. I have no information available to me as I now build -rc1 to suggest that this patch should be included. > Should I add a patch before this patch > to solve build error with -D SECURE_BOOT_ENABLE=TRUE in v4? That would require a sane implementation of PlatformSecureLib, implementing a real UserPhysicalPresent(). Can you turn that around within the next few hours? Regards, Leif > Thanks. > > > > > / > > Leif > > > >> Contributed-under: TianoCore Contribution Agreement 1.1 > >> Signed-off-by: Ming Huang > >> --- > >> Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf | 1 + > >> Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c | 5 +++-- > >> 2 files changed, 4 insertions(+), 2 deletions(-) > >> > >> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > >> index f8be4741ef7c..a0226e0d87c0 100644 > >> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > >> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > >> @@ -44,6 +44,7 @@ [LibraryClasses] > >> UefiRuntimeLib > >> > >> [Guids] > >> + gEfiAuthenticatedVariableGuid > >> gEfiSystemNvDataFvGuid > >> gEfiVariableGuid > >> > >> diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > >> index e18cc9e06ec2..12baed41cd4e 100644 > >> --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > >> +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > >> @@ -189,7 +189,7 @@ InitializeFvAndVariableStoreHeaders ( > >> // VARIABLE_STORE_HEADER > >> // > >> VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)Headers + (UINTN)FirmwareVolumeHeader->HeaderLength); > >> - CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid); > >> + CopyGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid); > >> VariableStoreHeader->Size = PcdGet32(PcdFlashNvStorageVariableSize) - FirmwareVolumeHeader->HeaderLength; > >> VariableStoreHeader->Format = VARIABLE_STORE_FORMATTED; > >> VariableStoreHeader->State = VARIABLE_STORE_HEALTHY; > >> @@ -258,7 +258,8 @@ ValidateFvHeader ( > >> VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + (UINTN)FwVolHeader->HeaderLength); > >> > >> // Check the Variable Store Guid > >> - if ( CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) == FALSE ) > >> + if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) && > >> + !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) > >> { > >> DEBUG ((EFI_D_ERROR, "ValidateFvHeader: Variable Store Guid non-compatible\n")); > >> return EFI_NOT_FOUND; > >> -- > >> 2.9.5 > >>