Date: Fri, 31 Mar 2023 22:48:34 +0800
From: "joeyli" <jlee@suse.com>
To: Gerd Hoffmann
Cc: Min Xu, devel@edk2.groups.io, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Michael Roth
Subject: Re: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
Message-ID: <20230331144834.GK8569@linux-l9pv.suse>
References: <20230329052310.27-1-min.m.xu@intel.com> <4tmi32c3kevecoc3y7mb6jlv7d7ygmctt6bgwflvjybqwphjqk@gnnertcj5kz2> <20230331075956.GJ8569@linux-l9pv.suse>

On Fri, Mar 31, 2023 at 10:25:09AM +0200, Gerd Hoffmann wrote:
> On Fri, Mar 31, 2023 at 03:59:56PM +0800, joeyli wrote:
> > Hi Gerd,
> >
> > On Thu, Mar 30, 2023 at 09:50:53AM +0200, Gerd Hoffmann wrote:
> > > On Wed, Mar 29, 2023 at 01:23:10PM +0800, Min Xu wrote:
> > > > From: Min M Xu
> > > >
> > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4379
> > > >
> > > > PlatformInitEmuVariableNvStore is called to initialize the
> > > > EmuVariableNvStore with the content pointed to by
> > > > PcdOvmfFlashNvStorageVariableBase. This is because when OVMF is launched
> > > > with the -bios parameter, UEFI variables will be partially emulated, and
> > > > non-volatile variables may lose their contents after a reboot. This makes
> > > > the secure boot feature not work.
> > > >
> > > > But in an SEV guest, this design doesn't work. Because at this point the
> > > > variable store mapping is still private/encrypted, OVMF will see
> > > > ciphertext. So we skip the call of PlatformInitEmuVariableNvStore in
> > > > an SEV guest.
> > >
> > > I'd suggest to simply build without -D SECURE_BOOT_ENABLE instead.
> > > Without initializing the emu var store you will not get a functional
> > > secure boot setup anyway.
> >
> > In our case, we already shipped ovmf with -D SECURE_BOOT_ENABLE in a couple
> > of versions. Removing it will cause problems in VM live migration.
>
> Hmm? qemu live-migrates the rom image too. Only after poweroff and
> reboot will the guest see an updated firmware image.
>

Thanks for your explanation. Understood.

> > I will prefer Min M's solution, until SEV experts find a better
> > solution.
>
> I'd prefer to not poke holes into secure boot. Re-initializing the emu
> var store from rom on each reset is also needed for security reasons in
> case the efi variable store is not in smm-protected flash memory.
>

I agree that the efi variable store is not secure without smm. But after
58eb8517ad7b was introduced, the -D SECURE_BOOT_ENABLE doesn't work with SEV.
The system just hangs in "NvVarStore FV headers were invalid."

If secure boot can not work with SEV (even if it is not really secure), why not
just block the build process when SEV is used with SECURE_BOOT_ENABLE? At least
the issue will not happen at runtime.

Thanks
Joey Lee
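The failure both sides of the thread describe comes down to one check: before the variable store is used, its firmware volume header must validate, and a store read through a still-encrypted SEV mapping is ciphertext that cannot pass ("NvVarStore FV headers were invalid"). The following is an added example, not OVMF or edk2 code, showing that validation over a constructed store: signature, header and volume lengths, and the 16-bit header checksum, using the EFI_FIRMWARE_VOLUME_HEADER field offsets from the UEFI PI specification. fv_header_build, fv_header_check, the demo_* functions, the attribute value and the xorshift filler that stands in for the encrypted view are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets of EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec); all fields little-endian. */
#define FV_SIGNATURE        0x4856465FU   /* "_FVH" read as a UINT32 */
#define FV_OFF_FVLENGTH     32            /* UINT64 FvLength: whole volume incl. header */
#define FV_OFF_SIGNATURE    40            /* UINT32 Signature */
#define FV_OFF_ATTRIBUTES   44            /* UINT32 Attributes */
#define FV_OFF_HEADERLENGTH 48            /* UINT16 HeaderLength */
#define FV_OFF_CHECKSUM     50            /* UINT16 Checksum: all header words sum to zero */
#define FV_OFF_REVISION     55            /* UINT8  Revision */
#define FV_OFF_BLOCKMAP     56            /* EFI_FV_BLOCK_MAP_ENTRY[] {NumBlocks, Length}, {0,0}-terminated */
#define FV_FIXED_HEADER_LEN 56
#define STORE_SIZE          4096          /* size of the constructed sample store */

/* Result codes of fv_header_check(). */
enum { FV_OK = 0, FV_TOO_SHORT, FV_BAD_SIGNATURE, FV_BAD_HEADER_LEN, FV_BAD_FV_LEN, FV_BAD_CHECKSUM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Sum of all 16-bit words in the header; a valid header sums to zero. */
static uint16_t header_sum(const uint8_t *buf, size_t hdrlen)
{
    uint16_t sum = 0;
    for (size_t i = 0; i + 1 < hdrlen; i += 2) sum = (uint16_t)(sum + rd16(buf + i));
    return sum;
}

/* Validate the volume header before trusting anything behind it. */
int fv_header_check(const uint8_t *buf, size_t buflen)
{
    if (buflen < FV_FIXED_HEADER_LEN) return FV_TOO_SHORT;
    /* A store seen through a still-encrypted mapping fails here: "_FVH" is not recoverable. */
    if (rd32(buf + FV_OFF_SIGNATURE) != FV_SIGNATURE) return FV_BAD_SIGNATURE;
    uint16_t hdrlen = rd16(buf + FV_OFF_HEADERLENGTH);
    if (hdrlen < FV_FIXED_HEADER_LEN || (hdrlen & 1) || hdrlen > buflen) return FV_BAD_HEADER_LEN;
    uint64_t fvlen = rd64(buf + FV_OFF_FVLENGTH);
    if (fvlen < hdrlen || fvlen > buflen) return FV_BAD_FV_LEN;
    if (header_sum(buf, hdrlen) != 0) return FV_BAD_CHECKSUM;
    return FV_OK;
}

/* Write a minimal well-formed header (one block-map entry plus terminator); returns its length or 0. */
size_t fv_header_build(uint8_t *buf, size_t buflen, uint64_t fvlen, uint32_t blocklen)
{
    const size_t hdrlen = FV_FIXED_HEADER_LEN + 2 * 8;
    if (buflen < hdrlen || fvlen > buflen || blocklen == 0) return 0;
    memset(buf, 0, hdrlen);                       /* zero vector, GUID, terminator entry, checksum */
    wr64(buf + FV_OFF_FVLENGTH, fvlen);
    wr32(buf + FV_OFF_SIGNATURE, FV_SIGNATURE);
    wr32(buf + FV_OFF_ATTRIBUTES, 0x0004FEFFU);   /* arbitrary constructed attribute word */
    wr16(buf + FV_OFF_HEADERLENGTH, (uint16_t)hdrlen);
    buf[FV_OFF_REVISION] = 2;                     /* EFI_FVH_REVISION */
    wr32(buf + FV_OFF_BLOCKMAP, (uint32_t)(fvlen / blocklen));
    wr32(buf + FV_OFF_BLOCKMAP + 4, blocklen);
    wr16(buf + FV_OFF_CHECKSUM, (uint16_t)(0u - header_sum(buf, hdrlen)));
    return hdrlen;
}

/* Deterministic xorshift32 filler standing in for the ciphertext view (constructed, not real cipher output). */
static void fill_pseudo_ciphertext(uint8_t *buf, size_t n, uint32_t seed)
{
    uint32_t x = seed ? seed : 1;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)x;
    }
}

/* Cleartext store: erased body plus a valid header -> FV_OK. */
int demo_cleartext_store(void)
{
    uint8_t img[STORE_SIZE];
    memset(img, 0xFF, sizeof img);
    if (fv_header_build(img, sizeof img, STORE_SIZE, 4096) == 0) return -1;
    return fv_header_check(img, sizeof img);
}

/* The store as the guest sees it before the mapping is shared -> FV_BAD_SIGNATURE. */
int demo_encrypted_view(void)
{
    uint8_t img[STORE_SIZE];
    fill_pseudo_ciphertext(img, sizeof img, 0x5EEDBEEFU);
    return fv_header_check(img, sizeof img);
}

/* A single flipped bit in a header field is caught by the checksum -> FV_BAD_CHECKSUM. */
int demo_header_bitflip(void)
{
    uint8_t img[STORE_SIZE];
    memset(img, 0xFF, sizeof img);
    if (fv_header_build(img, sizeof img, STORE_SIZE, 4096) == 0) return -1;
    img[FV_OFF_ATTRIBUTES] ^= 0x01;
    return fv_header_check(img, sizeof img);
}

int main(void)
{
    printf("%d %d %d\n", demo_cleartext_store(), demo_encrypted_view(), demo_header_bitflip());
    return 0;
}
```

The encrypted view fails at the signature check before any length or checksum logic runs, which is the condition the thread is about: a consumer must refuse the store at that point rather than read variables out of it, and a build-time refusal of the SEV plus SECURE_BOOT_ENABLE combination would surface the same incompatibility before any guest reaches this check.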