From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web08.9501.1624877477346101953 for ; Mon, 28 Jun 2021 03:51:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=E42n2a1V; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15SAhWT3160430; Mon, 28 Jun 2021 06:51:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : mime-version; s=pp1; bh=gso4b2wogKzCzRocxcGwWS2Tt1l+vX07BGnF5YbrEUU=; b=E42n2a1VS2gG/sFyrniF2znH1xM2FRfYPAXz6dmgNTCvCUd2Wp+GVwqHzyTAEmiToxSv l5x3mfQSvLEsughuODwxiT8tLyGUBRieo4aYBl9pPAqaivcOlc+AluIlOjB7jTxWM9H0 9+34YP/Z0c2rCRIxwHIzQBtHDf8oLqfcpBYgRjSJxkmlXRWZZWuvAsaYqwtUbgekCFRN qcSLfU+txKeQCn+M/eSHIcIeKgQh7ItrDf3DsWhiE0kPWl6tC2R06W4MGJ7q4Fk2A/De q+byNDDMRXxfcHWWzEA/aZh2qgeYbK0Ut42ELVCsK2p9ZODYg3fpdTu8O9GkjnILBbiY 6A== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39fcga0vs9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 06:51:16 -0400 Received: from m0098409.ppops.net (m0098409.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 15SAhajn160624; Mon, 28 Jun 2021 06:51:16 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 39fcga0vrs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 06:51:16 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 15SAgfxF031741; Mon, 28 Jun 2021 10:51:14 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma02wdc.us.ibm.com with ESMTP id 39duva98gs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Jun 2021 10:51:14 +0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 15SApEm79110188 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 28 Jun 2021 10:51:14 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 19089AC059; Mon, 28 Jun 2021 10:51:14 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E5CFBAC05B; Mon, 28 Jun 2021 10:51:13 +0000 (GMT) Received: from localhost.localdomain (unknown [9.2.130.16]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 28 Jun 2021 10:51:13 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , James Bottomley , Tobin Feldman-Fitzthum Subject: [PATCH v3 0/5] OvmfPkg: Use QemuKernelLoaderFs to read cmdline/initrd Date: Mon, 28 Jun 2021 10:51:05 +0000 Message-Id: <20210628105110.379951-1-dovmurik@linux.ibm.com> X-Mailer: git-send-email 2.25.1 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: mG8_Xd0Ud_EckPqGKtNUVVkiw0CCBBZh X-Proofpoint-GUID: Iib7hkJD2GPD-TFN64WZB0pAiDMl9UGE X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-06-28_09:2021-06-25,2021-06-28 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxscore=0 phishscore=0 priorityscore=1501 malwarescore=0 lowpriorityscore=0 clxscore=1015 suspectscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106280074 Content-Transfer-Encoding: 8bit BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 In order to support measured SEV boot with kernel/initrd/cmdline, we'd like to have one place that reads those blobs; in the future we'll add the measurement and verification in that place. We already have a synthetic filesystem (QemuKernelLoaderFs) which holds three files: "kernel", "initrd", and "cmdline". The kernel is indeed read from this filesystem in LoadImage; but the cmdline (and the length of initrd) are read from QemuFwCfgLib items. This patch series first fixes two identical memory leak bugs in GenericQemuLoadImageLib and X86QemuLoadImageLib; then modifies GenericQemuLoadImageLib to read cmdline (and the initrd size) from the QemuKernelLoaderFs synthetic filesystem, thus removing the dependency on QemuFwCfgLib. Note that X86QemuLoadImageLib is not modified, because it contains a QemuLoadLegacyImage() which reads other items of the QemuFwCfg which are not available in QemuKernelLoaderFs. Since we don't want to support the legacy boot path in the future measured SEV boot, we leave X86QemuLoadImageLib as-is (except for a comment addition in patch 3) and will force use for GenericQemuLoadImageLib in the measured SEV boot implementation. Relevant discussion threads start in: https://edk2.groups.io/g/devel/message/76069 To test this on x86_64, I forced the use of GenericQemuLoadImageLib using the following local patch: diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 0a237a905866..46442b543bcf 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -404,7 +404,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf - QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf # XXX don't commit this or someone will be mad !if $(TPM_ENABLE) == TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf I tested boot with QEMU and OVMF with the following QEMU arguments: -kernel a -kernel a -initrd b -kernel a -cmdline c -kernel a -initrd b -cmdline c (and also without -kernel) Code is at https://github.com/confidential-containers-demo/edk2/tree/use-synthetic-fs-for-cmdline-v3 v3 changes: - Insert patches 1+2 at the top of the series to fix cmdline leak bugs - Organize #include and .inf - Add UINTN overflow check - Fix error paths and function epilogue to properly release all resources - Clarity: rename long variables, reword comments v2: https://edk2.groups.io/g/devel/message/76664 v2 changes: - Add comment to header of X86QemuLoadImageLib.inf - Clearer function names in GenericQemuLoadImageLib.c - Fix coding style issues v1: https://edk2.groups.io/g/devel/message/76265 Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: James Bottomley Cc: Tobin Feldman-Fitzthum Dov Murik (5): OvmfPkg/GenericQemuLoadImageLib: plug cmdline blob leak on success OvmfPkg/X86QemuLoadImageLib: plug cmdline blob leak on success Revert "OvmfPkg/QemuKernelLoaderFsDxe: don't expose kernel command line" OvmfPkg/GenericQemuLoadImageLib: Read cmdline from QemuKernelLoaderFs OvmfPkg/X86QemuLoadImageLib: State fw_cfg dependency in file header OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf | 3 +- OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf | 3 + OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 157 ++++++++++++++++++-- OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 9 +- OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 11 +- 5 files changed, 161 insertions(+), 22 deletions(-) -- 2.25.1