Date: Wed, 14 Dec 2022 23:24:53 +0800
From: "joeyli" <jlee@suse.com>
To: Gerd Hoffmann
Cc: devel@edk2.groups.io, "Lee, Chun-Yi", Min M Xu, Jiewen Yao, Tom Lendacky, James Bottomley, Erdem Aktas
Subject: Re: [edk2-devel] [PATCH] OvmfPkg/PlatformInitLib: Fix integrity checking failed of NvVarStore in some cases
Message-ID: <20221214152453.GB11807@linux-l9pv.suse>
References: <20221213155502.29548-1-jlee@suse.com> <20221214061528.zi627mkk4mumtdoo@sirius.home.kraxel.org> <20221214134516.GY11807@linux-l9pv.suse> <20221214141222.d5ri3262vo4vqoam@sirius.home.kraxel.org>
In-Reply-To: <20221214141222.d5ri3262vo4vqoam@sirius.home.kraxel.org>
On Wed, Dec 14, 2022 at 03:12:22PM +0100, Gerd Hoffmann wrote:
> > Sorry, I forgot to put my testing environment in the patch description.
> > My testing is on qemu with OVMF:
> >
> > - edk2-master or edk2-stable202211
> >   build --verbose --debug=1 -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D TPM_CONFIG_ENABLE \
> >     -D NETWORK_IP6_ENABLE -D NETWORK_HTTP_BOOT_ENABLE -a X64 -b DEBUG -t GCC5 \
> >     -p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE
> >
> > - qemu-7.1.0 with libvirt-8.0.0
> >   pc-q35 with pflash type and nvram:
> >     hvm
> >     /usr/share/qemu/ovmf-x86_64-code.bin
> >     /var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd
>
> That is not secure.  You have unprotected writable flash.
>
> You can either use a build with SMM_REQUIRE=TRUE and run with
> secure='yes', so only the firmware in SMM mode can write to flash.
>
> Or you run with both code and vars read-only.
> Easiest is OVMF.fd.
>

Thanks for your suggestion! It's really helpful! I will try it.

> Or you disable secure boot (SECURE_BOOT_ENABLE=FALSE) in your
> builds.  You still have unprotected writable flash then, but
> it isn't a security hole any more.  And the assert isn't triggered
> either because that code path is only executed for secure boot
> builds.
>

Yes, before I produced the patch, I needed to disable SECURE_BOOT_ENABLE to work around my VM hang problem.

IMHO, using the "variable header State was invalid" assert to prevent user writes to an unprotected flash is not a good idea. It causes some problems:

- A user's existing virtual machine cannot boot/reboot after updating to edk2-stable202211 OVMF. The VM just hangs there without any hint.
- The VM still works on the first boot. Users don't know that the second boot will hang because they are writing to an unprotected writable flash.
- Even with the debug log enabled, we don't know what "NvVarStore Variable header State was invalid." means.

Thanks
Joey Lee
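The distinction Gerd draws above (a writable per-domain VARS pflash with no SMM protection, versus an SMM_REQUIRE build run with secure='yes', versus code and vars both read-only) can be read straight out of a libvirt domain definition. The script below is an added example for this thread, not code from edk2, libvirt or either poster. The libvirt elements it inspects (`<loader type='pflash' readonly secure>`, `<nvram>`, `<features><smm state='on'/>`) are real libvirt domain XML; the three sample documents are constructed, including the `pc-q35-7.1` machine type and the OVMF.fd path, and the tags around the quoted `hvm` / code / nvram values are reconstructed for the sample. What the XML cannot tell you is how the firmware image was built, so a "writable-unprotected" verdict is only the security hole Gerd describes when the code image was built with SECURE_BOOT_ENABLE; combine the verdict with knowledge of the build.

```python
"""Classify how a libvirt domain's OVMF flash can be written from the guest.

Added example for the edk2-devel thread on NvVarStore integrity checking.
Not edk2 or libvirt code; the sample domain XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the setup quoted in the thread, with the libvirt tags
# the mail lost.  A per-domain writable VARS pflash and no SMM protection.
WRITABLE_VARS = """
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
  </os>
</domain>
"""

# Constructed sample: Gerd's first option.  The code image is assumed to be
# an SMM_REQUIRE=TRUE build; libvirt's secure='yes' plus <smm state='on'/>
# makes QEMU restrict flash writes to SMM, so only the firmware can write
# the variable store.
SMM_PROTECTED = """
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
  </os>
  <features>
    <smm state='on'/>
  </features>
</domain>
"""

# Constructed sample: Gerd's second option, a combined OVMF.fd mapped
# read-only with no separate varstore (path is a placeholder).
READ_ONLY = """
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader>
  </os>
</domain>
"""


def classify_flash(domain_xml: str) -> str:
    """Return how the domain's firmware flash can be written from the guest.

    "smm-protected"        secure='yes' with SMM on: only SMM firmware writes flash
    "read-only"            code mapped read-only and no writable varstore
    "writable-unprotected" a writable varstore with no SMM restriction
    "no-pflash"            firmware not loaded via pflash; outside this thread's scope
    """
    root = ET.fromstring(domain_xml.strip())
    loader = root.find("os/loader")
    nvram = root.find("os/nvram")
    smm = root.find("features/smm")

    if loader is None or loader.get("type") != "pflash":
        return "no-pflash"

    smm_on = smm is not None and smm.get("state") == "on"
    if loader.get("secure") == "yes" and smm_on:
        return "smm-protected"

    # A separate <nvram> is always a writable per-domain copy, and a loader
    # without readonly='yes' is itself writable.  Either way the guest OS can
    # modify the variable store, which is the condition Gerd flagged.
    if nvram is not None or loader.get("readonly") != "yes":
        return "writable-unprotected"
    return "read-only"


def audit(domains: dict) -> dict:
    """Classify several domain definitions; returns name -> verdict."""
    return {name: classify_flash(xml) for name, xml in domains.items()}


if __name__ == "__main__":
    verdicts = audit({"writable": WRITABLE_VARS,
                      "smm": SMM_PROTECTED,
                      "read-only": READ_ONLY})
    for name, verdict in verdicts.items():
        print(f"{name:10s} {verdict}")
```

Run it against `virsh dumpxml <domain>` output to see which of the three situations a VM is in before upgrading its OVMF image; a "writable-unprotected" result on a SECURE_BOOT_ENABLE build is the configuration that trips the NvVarStore assert on the second boot.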