Date: Wed, 14 Dec 2022 15:12:22 +0100
From: "Gerd Hoffmann"
To: joeyli
Cc: devel@edk2.groups.io, "Lee, Chun-Yi", Min M Xu, Jiewen Yao, Tom Lendacky, James Bottomley, Erdem Aktas
Subject: Re: [edk2-devel] [PATCH] OvmfPkg/PlatformInitLib: Fix integrity checking failed of NvVarStore in some cases
Message-ID: <20221214141222.d5ri3262vo4vqoam@sirius.home.kraxel.org>
References: <20221213155502.29548-1-jlee@suse.com> <20221214061528.zi627mkk4mumtdoo@sirius.home.kraxel.org> <20221214134516.GY11807@linux-l9pv.suse>
In-Reply-To: <20221214134516.GY11807@linux-l9pv.suse>

> Sorry, I forgot to put my testing environment in the patch description.
> My testing is on qemu with OVMF:
>
> - edk2-master or edk2-stable202211
>   build --verbose --debug=1 -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D TPM_CONFIG_ENABLE \
>     -D NETWORK_IP6_ENABLE -D NETWORK_HTTP_BOOT_ENABLE -a X64 -b DEBUG -t GCC5 \
>     -p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE
>
> - qemu-7.1.0 with libvirt-8.0.0
>   pc-q35 with pflash type and nvram:
>   hvm
>   /usr/share/qemu/ovmf-x86_64-code.bin
>   /var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd

That is not secure. You have unprotected writable flash.

You can either use a build with SMM_REQUIRE=TRUE and run with
secure='yes', so only the firmware in SMM mode can write to flash.

Or you run with both code and vars read-only. Easiest is OVMF.fd.

Or you disable secure boot (SECURE_BOOT_ENABLE=FALSE) in your builds.
You still have unprotected writable flash then, but it isn't a security
hole any more. And the assert isn't triggered either because that code
path is only executed for secure boot builds.

take care,
  Gerd
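The two libvirt domain configurations contrasted in this thread, as an added illustration that is not part of the original messages: the quoted setup (writable pflash variable store with a firmware build that does not require SMM) beside the hardened one Gerd describes (firmware built with `-D SMM_REQUIRE=TRUE` added to the quoted build line, `secure='yes'` on the loader, SMM switched on for the machine). The element layout, the machine version and the `*.smm.fd` paths are assumptions; the two file paths from the quoted config are reused as-is.

```xml
<!-- Weak (as quoted in the thread): the varstore is writable pflash and the
     firmware was not built with SMM_REQUIRE, so any code running inside the
     guest can rewrite the variable store, including the Secure Boot
     databases it holds. -->
<os>
  <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>   <!-- machine version assumed -->
  <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
  <nvram>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
</os>

<!-- Hardened: code image from a build with -D SMM_REQUIRE=TRUE, secure='yes'
     on the loader, and SMM enabled as a machine feature. libvirt then asks
     QEMU to accept flash writes only while the vCPU is in SMM, i.e. only
     from the firmware's own variable services. libvirt rejects secure='yes'
     unless <smm state='on'/> is also present.
     The *.smm.fd paths are placeholders for the SMM-enabled build output. -->
<os>
  <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
  <loader readonly='yes' secure='yes' type='pflash'>/path/to/OVMF_CODE.smm.fd</loader>
  <nvram template='/path/to/OVMF_VARS.smm.fd'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
</os>
<features>
  <smm state='on'/>
</features>
```

A quick check on a running guest is to confirm the QEMU command line carries `smm=on` on the machine and the secure pflash property for the code drive; if either is missing, the variable store is still guest-writable.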