Date: Wed, 25 Jan 2023 10:41:12 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io, ardb@kernel.org
Cc: Michael Kubacki, Jiewen Yao, Oliver Steffen
Subject: Re: [edk2-devel] [PATCH v2 0/6] ArmVirtPkg: Increase PlatformCI coverage
Message-ID: <20230125094112.3eatf2sbdjngwn7e@sirius.home.kraxel.org>
In-Reply-To: <20230124163417.584727-1-ardb@kernel.org>
References: <20230124163417.584727-1-ardb@kernel.org>

On Tue, Jan 24, 2023 at 05:34:11PM +0100, Ard Biesheuvel wrote:

> We recently experienced some build breakage in one of the ArmVirtPkg
> platforms that is not covered by PlatformCI, in the PrePi component
> which replaces the entire PEI stage. This component is now also being
> used in TDVF, and so any modifications to it may regress the existing
> users.
>
> So add build and boot tests of ArmVirtQemuKernel (which is a version of
> ArmVirtQemu which can be loaded as a loadable image instead of executing
> from [emulated] NOR flash), and a build test of ArmVirtKvmTool, which is
> also based on PrePi and runs under the kvmtool VMM. To further increase
> coverage, enable secure boot, TPM support and HTTP(s) boot support when
> building ArmVirtQemu for AARCH64.

Acked-by: Gerd Hoffmann <kraxel@redhat.com>

As you mention secure boot: as far as I know, the current state of affairs is that nothing protects the EFI variable flash on ArmVirt, so secure boot isn't actually secure because the OS can easily manipulate 'db' etc.

The state of affairs on physical hardware (at least on Qualcomm SoCs) seems to be that there is some service running in the TrustZone secure world which manages (and controls access to) EFI variables. See https://lore.kernel.org/lkml/eaa455ed-2dd2-a33f-6420-a75484eccc35@gmail.com/t/

Do you happen to know whether any of this is available as open source, be it the secure world code or the EFI drivers talking to it? Is there some kind of standard for this, or does every vendor brew its own?

thanks & take care,
  Gerd