public inbox for devel@edk2.groups.io
From: "Rebecca Cran" <rebecca@bsdio.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Doug Flick <dougflick@microsoft.com>
Subject: [edk2-devel] Debugging EFI Runtime crash when trying to update DBX for Secure Boot in Linux (fwupdmgr update)
Date: Mon, 2 Dec 2024 14:25:26 -0700
Message-ID: <2622e377-6909-4a85-bea3-eedc8c43ced6@bsdio.com>

I've set up Secure Boot for my firmware, but I'm having problems when 
trying to have fwupdmgr install a DBX update.

Since I've run into problems setting up arm64_DBXUpdate.bin from 
uefi.org or DefaultDbx.bin from a build of secureboot_objects, I'm 
generating my own certificate and installing that as dbxDefault just so 
that the variable exists.

I reset the entire SPI-NOR to default (i.e. deleting any existing 
variables), then enable Secure Boot in UiApp and boot openSUSE. When I 
run fwupdmgr update, I get:

localhost:~ # fwupdmgr update
Devices with no available firmware updates:
  • System Firmware
  • WD BLACK SN850X 4000GB
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 0 to 26?                                               ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem.This updates the dbx to the latest release from Microsoft.  ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.Applying this update may also cause     ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Downloading…             [ - ]

Decompressing… [***************************************]

Authenticating… [***************************************]

Waiting… [***************************************]

Writing… [***************************************]

Restarting device… [                                       ]

Writing… [                                       ]

Decompressing… [                                       ]

Writing…                 [

[   53.309930][  T360] [Firmware Bug]: Unable to handle paging request in EFI runtime service
                                      ]
failed to write data to efivarfs: Error writing to file descriptor: Input/output error


And dmesg shows:

[   53.309930] [    T360] [Firmware Bug]: Unable to handle paging request in EFI runtime service
[   53.321038] [   T2422] ------------[ cut here ]------------
[   53.321047] [   T2422] WARNING: CPU: 42 PID: 2422 at drivers/firmware/efi/runtime-wrappers.c:341 __efi_queue_work+0xe4/0x120
[   53.321062] [   T2422] Modules linked in: af_packet nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat ebtable_nat ebtable_broute rfkill ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables qrtr nf_tables iptable_filter binfmt_misc joydev cdc_subset cdc_ether usbnet cdc_acm mii nls_iso8859_1 nls_cp437 vfat fat snd_usb_audio snd_usbmidi_lib snd_hwdep snd_ump snd_rawmidi uas snd_seq_device usb_storage mc snd_pcm sd_mod scsi_dh_emc snd_timer scsi_dh_rdac scsi_dh_alua snd hid_generic sg soundcore scsi_mod usbhid scsi_common acpi_ipmi ipmi_ssif ipmi_devintf tiny_power_button igb arm_spe_pmu ipmi_msghandler button arm_cmn acpiphp_ampere_altra arm_dmc620_pmu arm_dsu_pmu cppc_cpufreq nvme_fabrics fuse nvme_keyring loop efi_pstore dm_mod nfnetlink dmi_sysfs ip_tables x_tables aes_ce_blk aes_ce_cipher
[   53.321224] [   T2422]  crct10dif_ce xhci_pci xhci_pci_renesas polyval_ce polyval_generic ghash_ce gf128mul xhci_hcd sm4 sha2_ce nvme sha256_arm64 usbcore sha1_ce nvme_core sbsa_gwdt ast nvme_auth i2c_algo_bit usb_common xgene_hwmon gpio_dwapb btrfs blake2b_generic libcrc32c xor xor_neon raid6_pq i2c_dev efivarfs
[   53.321279] [   T2422] CPU: 42 UID: 0 PID: 2422 Comm: fwupd Tainted: G          I        6.11.8-1-default #1 openSUSE Tumbleweed 1400000003000000474e5500ae3eced04b985462
[   53.321290] [   T2422] Tainted: [I]=FIRMWARE_WORKAROUND
[   53.321293] [   T2422] Hardware name: Adlink Ampere Altra Developer Platform/COM-HPC-Carrier, BIOS TianoCore 24.12.02-01 (SYS: 2.10.20230517) 12/02/2024
[   53.321296] [   T2422] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   53.321303] [   T2422] pc : __efi_queue_work+0xe4/0x120
[   53.321308] [   T2422] lr : __efi_queue_work+0xd0/0x120
[   53.321312] [   T2422] sp : ffff80008583b940
[   53.321315] [   T2422] x29: ffff80008583b940 x28: ffff07ff8bcc4500 x27: 0000000000000000
[   53.321324] [   T2422] x26: 0000000000001208 x25: ffff07ff94859c00 x24: 0000000000000067
[   53.321332] [   T2422] x23: ffff07ff94859800 x22: ffff07ff94859c00 x21: 0000000000001202
[   53.321339] [   T2422] x20: ffffaa255f9655a8 x19: ffffaa255f965548 x18: 0000000000000001
[   53.321345] [   T2422] x17: ffff07ff90946340 x16: ffffaa255d6b3198 x15: 000000000000037d
[   53.321352] [   T2422] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000800
[   53.321359] [   T2422] x11: 071c71c71c71c71c x10: 0000000000001bc0 x9 : ffffaa255da39d18
[   53.321366] [   T2422] x8 : ffff07ff8bcc6120 x7 : 0000000000000000 x6 : 00000000000003e8
[   53.321372] [   T2422] x5 : 00000000410fd0c0 x4 : 0000000000300001 x3 : 0000000000000000
[   53.321379] [   T2422] x2 : 0000000000000000 x1 : 8000000000000015 x0 : 8000000000000015
[   53.321385] [   T2422] Call trace:
[   53.321388] [   T2422]  __efi_queue_work+0xe4/0x120
[   53.321392] [   T2422]  virt_efi_set_variable+0x74/0xe0
[   53.321398] [   T2422]  efivar_set_variable_locked+0x7c/0x100
[   53.321402] [   T2422]  efivar_entry_set_get_size+0x9c/0x170 [efivarfs 1400000003000000474e55008e4f4f0ee8473f7a]
[   53.321414] [   T2422]  efivarfs_file_write+0x140/0x2e0 [efivarfs 1400000003000000474e55008e4f4f0ee8473f7a]
[   53.321421] [   T2422]  vfs_write+0xdc/0x370
[   53.321427] [   T2422]  ksys_write+0x78/0x120
[   53.321431] [   T2422]  __arm64_sys_write+0x24/0x40
[   53.321435] [   T2422]  invoke_syscall+0x6c/0x100
[   53.321443] [   T2422]  el0_svc_common.constprop.0+0xc8/0xf0
[   53.321450] [   T2422]  do_el0_svc+0x24/0x38
[   53.321457] [   T2422]  el0_svc+0x3c/0x170
[   53.321464] [   T2422]  el0t_64_sync_handler+0x120/0x130
[   53.321470] [   T2422]  el0t_64_sync+0x1a8/0x1b0
[   53.321475] [   T2422] ---[ end trace 0000000000000000 ]---
[   53.321489] [   T2422] efi: EFI Runtime Services are disabled!


I have no idea how to go about debugging why the SetVariable call is 
causing the crash. Is it likely to be the way I've got dbxDefault set 
up, or does anyone know how I could debug it further?


Rebecca




