public inbox for devel@edk2.groups.io
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io, ardb@kernel.org
Cc: Michael Kubacki <michael.kubacki@microsoft.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Oliver Steffen <osteffen@redhat.com>
Subject: Re: [edk2-devel] [PATCH v2 0/6] ArmVirtPkg: Increase PlatformCI coverage
Date: Wed, 25 Jan 2023 10:41:12 +0100	[thread overview]
Message-ID: <20230125094112.3eatf2sbdjngwn7e@sirius.home.kraxel.org> (raw)
In-Reply-To: <20230124163417.584727-1-ardb@kernel.org>

On Tue, Jan 24, 2023 at 05:34:11PM +0100, Ard Biesheuvel wrote:
> We recently experienced some build breakage in one of the ArmVirtPkg
> platforms that is not covered by PlatformCI, in the PrePi component
> which replaces the entire PEI stage. This component is now also being
> used in TDVF, and so any modifications to it may regress the existing
> users.
> 
> So add build and boot tests of ArmVirtQemuKernel (which is a version of
> ArmVirtQemu which can be loaded as a loadable image instead of executing
> from [emulated] NOR flash), and a build test of ArmVirtKvmTool, which is
> also based on PrePi and runs under the kvmtool VMM. To further increase
> coverage, enable secure boot, TPM support and HTTP(s) boot support when
> building ArmVirtQemu for AARCH64.

Acked-by: Gerd Hoffmann <kraxel@redhat.com>

As you mention secure boot:  As far as I know, the current state of affairs is
that nothing protects the EFI variable flash on ArmVirt, so secure boot
isn't actually secure because the OS can easily manipulate 'db' etc.

State of affairs on physical hardware (at least on Qualcomm SoCs) seems
to be that there is some service running in the TrustZone secure
world which manages (and controls access to) EFI variables.  See
  https://lore.kernel.org/lkml/eaa455ed-2dd2-a33f-6420-a75484eccc35@gmail.com/t/

Do you happen to know whether any of this is available as open source,
be it the secure world code or the EFI drivers talking to it?  Is there
some kind of standard for this, or does every vendor brew its own?

thanks & take care,
  Gerd
