From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.9636.1671185508059711001 for ; Fri, 16 Dec 2022 02:11:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hgt85IVI; spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1671185507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aiGrTwOsxJaHF0UAnecZw6HuOJh723uGsuJvAh2nVno=; b=hgt85IVIvLpJMa1w/ZmEOHnO+Lfe23ctFdlGXmmvSTH+M2J+Xu7fLbTwsESKX1eHM0arbj 2k+aePY1ipusvttkFpHNmHI3CNewpi+KPGl2Hpa0OH8kFPT88CF0iAh8wxn+/ay1ZUJceb oD/XZN4W3NIoOKoEXd9dusiqMdduJBU= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-532-MMaHUxDPPu-WBWPWbT1riQ-1; Fri, 16 Dec 2022 05:11:36 -0500 X-MC-Unique: MMaHUxDPPu-WBWPWbT1riQ-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0B1B9183B3C0; Fri, 16 Dec 2022 10:11:36 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.39.192.83]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B967FC15BAD; Fri, 16 Dec 2022 10:11:35 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 5CE601800084; Fri, 16 Dec 2022 11:11:34 +0100 (CET) From: "Gerd Hoffmann" To: devel@edk2.groups.io Cc: Jordan Justen , Gerd Hoffmann , Ard Biesheuvel , Oliver Steffen , Pawel Polawski , Jiewen Yao Subject: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Date: Fri, 16 Dec 2022 11:11:34 +0100 Message-Id: <20221216101134.2201546-1-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true OVMF builds in stateless secure boot configuration (SECURE_BOOT_ENABLE=TRUE + SMM_REQUIRE=FALSE) are expected to use the emulated variable store (EmuVariableFvbRuntimeDxe) with the store being re-initialized on each reset (see PlatformInitEmuVariableNvStore()) Using these builds with writable flash is not secure. Log a warning message saying so in case we find such a configuration. Signed-off-by: Gerd Hoffmann --- OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c index 61e1f2e196e5..ab7154685424 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c @@ -57,6 +57,11 @@ InstallProtocolInterfaces ( NULL ); ASSERT_EFI_ERROR (Status); + #ifdef SECURE_BOOT_FEATURE_ENABLED + DEBUG ((DEBUG_WARN, "This build is configured for stateless secure boot.\n")); + DEBUG ((DEBUG_WARN, "Using this build with writable flash is NOT secure.\n")); + // should we ASSERT(0) here? + #endif } else if (IsDevicePathEnd (FvbDevice->DevicePath)) { // // Device already exists, so reinstall the FVB protocol -- 2.38.1