From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com [209.85.221.68])
 by mx.groups.io with SMTP id smtpd.web11.12604.1583415989761576685
 for <devel@edk2.groups.io>;
 Thu, 05 Mar 2020 05:46:30 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=v2oow2wC;
 spf=pass (domain: linaro.org, ip: 209.85.221.68, mailfrom: ard.biesheuvel@linaro.org)
Received: by mail-wr1-f68.google.com with SMTP id v11so5134495wrm.9
        for <devel@edk2.groups.io>; Thu, 05 Mar 2020 05:46:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=pNDNM9/AQ5nqQH+hLWLIJVrZg1K5pA09I61n5ZHa0NI=;
        b=v2oow2wCj55jHas2rZUw7nk5ljKoItqRP2HAuL9TMH3kpTrI8mWSU0evx53avY7M3H
         Rsetx/bvCMjdPxdeT4bvj3j11IsisPP+4aQwSZDL2XkHeBHbEFW2+ksmN+zpxY9xpdvT
         maQlZsiNio8ZVv2BWOb0dlcm63oSaNQJZt3OYVUtJ6fW7qAzlJ74n2Qq4vsCupDoz/Jx
         mnnSdI9FAaj4A/BFEodib0B9BNMvnt2CIZMVpao3jcnxBrdEwZNz3WbN/RuTXsEHsTUL
         tSuKefpfR2C+Z22/KePVTwK7l6DiKqTlfUVPTFEw/btqTqBBOl6d4sgQOzyNdHVA4F8f
         FAuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=pNDNM9/AQ5nqQH+hLWLIJVrZg1K5pA09I61n5ZHa0NI=;
        b=rWJW0SoBrnDzfUjmgbbTdWUmTWEc2ADwNUFGPZMlatmaABC9pmLr4pwdoDJnpSSO4P
         fzGuA5iBquehLPMDYGR7pkOgoTv35LHDq2SgmKpZb3BT73gjRDXY2pE+TMbzlpLIgPrG
         uC/SXanH4pEpKQh2qwMv9sUE2Q0WfhT6hXiJ7oDpYZ4mnBnxkyg5PXQWcvWJ/n5zPpLl
         6eG2W+z+1ByeOo6g1cI0OR2LIOvo/92+uvBQ98BAcCklJ9ML1QVPAJOAwE7gu1Pqd7JR
         yCFMkPdJuC897nRRr1pTR+ywd4ejPYfXDNUYBNMm4Xw6tePgwkbcWGwfKSXXTiKHPgDU
         yYVA==
X-Gm-Message-State: ANhLgQ1aVG9n6VrYXq7hJla/LNLH41YqQPm2yCcqjcsk0TvUGnrMW6jl
	rvWl6mTKVCud9fiMFJP3/gmfiFMDZEuh+w==
X-Google-Smtp-Source: ADFU+vsSQh9uS286iIf+PwheRQjpJ4So8Bin7kUt3C/CBNgO0wfrEdjo99V4tWQOSUZsWQxsSaSrDQ==
X-Received: by 2002:adf:ee4f:: with SMTP id w15mr10919212wro.254.1583415987991;
        Thu, 05 Mar 2020 05:46:27 -0800 (PST)
Return-Path: <ard.biesheuvel@linaro.org>
Received: from e123331-lin.home ([2a01:cb1d:112:6f00:816e:ff0d:fb69:f613])
        by smtp.gmail.com with ESMTPSA id m19sm9278701wmc.34.2020.03.05.05.46.26
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Mar 2020 05:46:27 -0800 (PST)
From: "Ard Biesheuvel" <ard.biesheuvel@linaro.org>
To: devel@edk2.groups.io
Cc: lersek@redhat.com,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH v3 14/14] OvmfPkg: use generic QEMU image loader for secure boot enabled builds
Date: Thu,  5 Mar 2020 14:46:07 +0100
Message-Id: <20200305134607.20125-15-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200305134607.20125-1-ard.biesheuvel@linaro.org>
References: <20200305134607.20125-1-ard.biesheuvel@linaro.org>

The QemuLoadImageLib implementation we currently use for all OVMF
builds copies the behavior of the QEMU loader code that precedes it,
which is to disregard UEFI secure boot policies entirely when it comes
to loading kernel images that have been specified on the QEMU command
line. This behavior deviates from ArmVirtQemu based builds, which do
take UEFI secure boot policies into account, and refuse to load images
from the command line that cannot be authenticated.

The disparity was originally due to the fact that the QEMU command line
kernel loader did not use LoadImage and StartImage at all, but this
changed recently, and now, there are only a couple of reasons left to
stick with the legacy loader:
- it permits loading images that lack a valid PE/COFF header,
- it permits loading X64 kernels on IA32 firmware running on a X64
  capable system.

Since every non-authentic PE/COFF image can trivially be converted into
an image that lacks a valid PE/COFF header, the former case can simply
not be supported in a UEFI secure boot context. The latter case is highly
theoretical, given that one could easily switch to native X64 firmware in
a VM scenario.

That leaves us with little justification to use the legacy loader at all
when UEFI secure boot policies are in effect, so let's switch to the
generic loader for UEFI secure boot enabled builds.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2566
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index ec21d2f3f6cb..8916255df4df 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -363,7 +363,11 @@ [LibraryClasses.common.DXE_DRIVER]
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+!else
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+!endif
 !if $(TPM_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 3c80a18c6086..342ff96cc279 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -367,7 +367,11 @@ [LibraryClasses.common.DXE_DRIVER]
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+!else
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+!endif
 !if $(TPM_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 63f1f935f4f3..1fb2de5e0121 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -367,7 +367,11 @@ [LibraryClasses.common.DXE_DRIVER]
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+!else
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+!endif
 !if $(TPM_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-- 
2.17.1