From: "joeyli" <jlee@suse.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Min Xu <min.m.xu@intel.com>,
devel@edk2.groups.io, Erdem Aktas <erdemaktas@google.com>,
James Bottomley <jejb@linux.ibm.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Michael Roth <michael.roth@amd.com>
Subject: Re: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
Date: Fri, 31 Mar 2023 22:48:34 +0800
Message-ID: <20230331144834.GK8569@linux-l9pv.suse>
In-Reply-To: <tpqy52rfi4idj3woc3ei3ylm2rpgarxila464dl6g62jqd5lku@2kfb2cjspx5y>
On Fri, Mar 31, 2023 at 10:25:09AM +0200, Gerd Hoffmann wrote:
> On Fri, Mar 31, 2023 at 03:59:56PM +0800, joeyli wrote:
> > Hi Gerd,
> >
> > On Thu, Mar 30, 2023 at 09:50:53AM +0200, Gerd Hoffmann wrote:
> > > On Wed, Mar 29, 2023 at 01:23:10PM +0800, Min Xu wrote:
> > > > From: Min M Xu <min.m.xu@intel.com>
> > > >
> > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4379
> > > >
> > > > PlatformInitEmuVariableNvStore is called to initialize the
> > > > EmuVariableNvStore with the content pointed by
> > > > PcdOvmfFlashNvStorageVariableBase. This is because when OVMF is launched
> > > > with -bios parameter, UEFI variables will be partially emulated, and
> > > > non-volatile variables may lose their contents after a reboot. This makes
> > > > the secure boot feature not work.
> > > >
> > > > But in an SEV guest, this design doesn't work. Because at this point the
> > > > variable store mapping is still private/encrypted, OVMF will see
> > > > ciphertext. So we skip the call of PlatformInitEmuVariableNvStore in
> > > > SEV guest.
> > >
> > > I'd suggest simply building without -D SECURE_BOOT_ENABLE instead.
> > > Without initializing the emu var store you will not get a functional
> > > secure boot setup anyway.
> >
> > In our case, we already shipped ovmf with -D SECURE_BOOT_ENABLE in a couple
> > of versions. Removing it will cause problems in VM live migration.
>
> Hmm? qemu live-migrates the rom image too. Only after poweroff and
> reboot the guest will see an updated firmware image.
>
Thanks for your explanation. Understood.
> > I will prefer Min M's solution, until SEV experts found better
> > solution.
>
> I'd prefer to not poke holes into secure boot. Re-Initializing the emu
> var store from rom on each reset is also needed for security reasons in
> case the efi variable store is not in smm-protected flash memory.
>
I agree that the efi variable store is not secure without smm. But after
58eb8517ad7b was introduced, -D SECURE_BOOT_ENABLE doesn't work with
SEV. The system just hangs in "NvVarStore FV headers were invalid."
If secure boot cannot work with SEV (even if it is not really secure), why
not just block the build when SEV is combined with SECURE_BOOT_ENABLE? At
least the issue will not happen at runtime.
Thanks
Joey Lee
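Worked example (added by the editor; this is not code from edk2, from the patch, or from any participant in the thread). It shows concretely what the "NvVarStore FV headers were invalid" failure above means: the variable store is a firmware volume whose header carries a fixed "_FVH" signature, a revision, a length and a 16-bit checksum, and a read of the still-encrypted (C-bit set) mapping returns bytes in which none of those fields survive, so any sanity check rejects the store. The header layout follows the UEFI PI EFI_FIRMWARE_VOLUME_HEADER; the 256 KiB store size, the attribute value, the placeholder GUID and the block map are assumptions chosen for the example, and the "ciphertext" is a deterministic XOR stream standing in for what the guest would see, not SEV's real memory encryption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed store geometry: a 256 KiB variable store with 4 KiB blocks. */
#define FV_LENGTH      (256u * 1024u)
#define FV_BLOCK_SIZE  4096u
#define FVH_SIGNATURE  0x4856465FU   /* "_FVH" read as a little-endian UINT32 */
#define FVH_REVISION   2             /* EFI_FVH_REVISION */

typedef struct { uint32_t NumBlocks; uint32_t Length; } FvBlockMapEntry;

/* EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec) with one block-map entry plus the
 * all-zero terminator, spelled out so the example builds without the edk2 tree.
 * Every field sits at its natural alignment, so sizeof is 72 with no padding. */
typedef struct {
    uint8_t         ZeroVector[16];
    uint8_t         FileSystemGuid[16];
    uint64_t        FvLength;
    uint32_t        Signature;
    uint32_t        Attributes;
    uint16_t        HeaderLength;
    uint16_t        Checksum;        /* chosen so the 16-bit sum of the header is 0 */
    uint16_t        ExtHeaderOffset;
    uint8_t         Reserved;
    uint8_t         Revision;
    FvBlockMapEntry BlockMap[2];
} FvHeader;

/* Additive 16-bit checksum over an even-length buffer (CalculateSum16 style). */
static uint16_t sum16(const uint8_t *p, size_t len) {
    uint16_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum = (uint16_t)(sum + (uint16_t)(p[i] | (p[i + 1] << 8)));
    return sum;
}

/* Fill buf with a well-formed header for a store of FV_LENGTH bytes; the rest
 * of the buffer is set to 0xFF like erased flash. */
void build_valid_header(uint8_t *buf, size_t buflen) {
    FvHeader h;
    memset(&h, 0, sizeof h);
    memset(h.FileSystemGuid, 0xAB, sizeof h.FileSystemGuid); /* placeholder GUID */
    h.FvLength     = FV_LENGTH;
    h.Signature    = FVH_SIGNATURE;
    h.Attributes   = 0x0004FEFFu;   /* assumed read/write attribute bits */
    h.HeaderLength = (uint16_t)sizeof h;
    h.Revision     = FVH_REVISION;
    h.BlockMap[0].NumBlocks = FV_LENGTH / FV_BLOCK_SIZE;
    h.BlockMap[0].Length    = FV_BLOCK_SIZE;
    /* With Checksum still 0, pick the value that makes the total wrap to 0. */
    h.Checksum = (uint16_t)(0 - sum16((const uint8_t *)&h, sizeof h));
    memset(buf, 0xFF, buflen);
    memcpy(buf, &h, sizeof h);
}

/* Sanity checks of the kind firmware runs before trusting a variable store:
 * signature, revision, declared length, bounded header length, checksum.
 * Returns 1 for a plausible header and 0 for garbage such as ciphertext. */
int fv_header_is_valid(const uint8_t *buf, size_t buflen) {
    FvHeader h;
    if (buflen < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    if (h.Signature != FVH_SIGNATURE) return 0;
    if (h.Revision != FVH_REVISION) return 0;
    if (h.FvLength != FV_LENGTH) return 0;
    if (h.HeaderLength < sizeof h || h.HeaderLength > buflen ||
        (h.HeaderLength & 1) != 0) return 0;
    if (sum16(buf, h.HeaderLength) != 0) return 0;
    return 1;
}

/* Constructed stand-in for reading the store through a private (encrypted)
 * mapping: every byte is XORed with a pseudo-random key byte that always has
 * bit 7 set, so no byte of the header comes through unchanged. This models the
 * effect on the check, not SEV's actual cipher. */
void read_as_ciphertext(const uint8_t *plain, uint8_t *out, size_t len) {
    uint32_t s = 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        s = s * 1664525u + 1013904223u;
        out[i] = plain[i] ^ (uint8_t)((s >> 24) | 0x80u);
    }
}

/* Named wrappers so each outcome can be checked by itself. */
int check_plaintext_store(void) {
    static uint8_t store[FV_LENGTH];
    build_valid_header(store, sizeof store);
    return fv_header_is_valid(store, sizeof store);
}

int check_encrypted_store(void) {
    static uint8_t store[FV_LENGTH], seen[FV_LENGTH];
    build_valid_header(store, sizeof store);
    read_as_ciphertext(store, seen, sizeof store);
    return fv_header_is_valid(seen, sizeof seen);
}

int check_erased_store(void) {
    static uint8_t store[FV_LENGTH];
    memset(store, 0xFF, sizeof store);   /* never-written flash */
    return fv_header_is_valid(store, sizeof store);
}

int main(void) {
    printf("plaintext header valid:  %d\n", check_plaintext_store());
    printf("ciphertext header valid: %d\n", check_encrypted_store());
    printf("erased flash valid:      %d\n", check_erased_store());
    return 0;
}
```

The same header passes when read as plaintext and fails when read through the encrypted mapping, which is the situation the patch works around by skipping the initialisation in SEV guests and the situation Joey's message proposes catching at build time instead.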
Thread overview (28+ messages):
2023-03-29 5:23 [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest Min Xu
2023-03-30 7:50 ` Gerd Hoffmann
2023-03-31 7:59 ` joeyli
2023-03-31 8:25 ` Gerd Hoffmann
2023-03-31 14:48 ` joeyli [this message]
2023-04-03 0:21 ` Min Xu
2023-04-03 11:20 ` Gerd Hoffmann
2023-04-06 1:42 ` Min Xu
2023-04-06 20:28 ` Lendacky, Thomas
2023-04-07 1:56 ` Min Xu
2023-04-07 14:49 ` [edk2-devel] " joeyli
2023-04-07 17:00 ` Lendacky, Thomas
2023-04-11 10:04 ` Gerd Hoffmann
2023-04-11 18:03 ` Lendacky, Thomas
2023-04-12 7:24 ` Gerd Hoffmann
2023-04-12 15:23 ` Lendacky, Thomas
2023-04-13 6:05 ` Gerd Hoffmann
2023-04-13 13:58 ` Lendacky, Thomas
2023-04-14 10:20 ` Gerd Hoffmann
2023-04-20 15:16 ` Lendacky, Thomas
2023-04-21 9:18 ` Gerd Hoffmann
2023-04-21 20:49 ` Lendacky, Thomas
2023-04-24 9:45 ` Gerd Hoffmann
2023-04-26 20:43 ` Lendacky, Thomas
2023-04-28 8:41 ` Gerd Hoffmann
2023-05-01 19:06 ` Lendacky, Thomas
2023-04-07 9:41 ` joeyli
2023-04-07 11:54 ` Min Xu