From: Jason Dickens <jdickens@grammatech.com>
To: Bill Paul <wpaul@windriver.com>, edk2-devel@lists.01.org
Subject: Re: OVMF Secure Boot variable storage issue
Date: Thu, 6 Jul 2017 14:55:27 -0400 [thread overview]
Message-ID: <401a788a-49ea-f68f-7ee1-32daa21af3ee@grammatech.com> (raw)
In-Reply-To: <201707061130.26384.wpaul@windriver.com>
Thanks for the response Bill. If I should recognize your name, I'm
sorry, I'm bad with names, but I have been doing a lot of work with Wind
River recently (and in the past) so its possible I should.
Actually, I should have mentioned I'm using Xen with full
virtualization. This means that OVMF firmware can't change without
rebuilding Xen. For reasons I don't know, it seems the Xen build uses
the firmware image by first converting it to a C array and then
compiling it in.
However, I'm not sure that's the real issue. As far as I'm aware, OVMF
implements NvVars on the VM image to provide non-volatile storage
instead of actually modifying the image. As I mentioned, "some"
configuration changes do persist such as changing the screen resolution
in the OVMF settings. Also I can see that NvVars is updating its
modification time after setting secure boot variables. What I'm trying
to determine is if there a particular reason or implementation problem
that causes secure boot settings not persist.
On 7/6/2017 2:30 PM, Bill Paul wrote:
> Of all the gin joints in all the towns in all the world, Jason Dickens had to
> walk into mine at 10:31:18 on Thursday 06 July 2017 and say:
>
>> All,
>>
>> I'm trying to understand why the secure boot variables (PK, KEK, db,
>> etc) when using the OVMF build are not retained across reboot? It seems
>> that this code uses roughly the same SetVariable, GetVariable2 approach
>> as say the PlatformConfig uses to store screen resolution (which is
>> retained). Additionally, the NvVars file is being at least touched by
>> the secure boot configuration. So why are none of the keys retained on
>> the next reboot?
> If you're running OVMF in the QEMU simulator, and you're using the -bios
> option, try using the -pflash option instead.
>
> I know that when using -bios, QEMU only pretends to allow writes to the
> firmware region, and if you stop QEMU all changes are discarded. The same
> might be true if you just trigger a hard reboot in the simulator too.
>
> If you use -pflash instead, your changes will be saved. Note that this means
> your OVMF image will be modified, so keep a copy of the original elsewhere so
> that you can start over fresh again if you need to.
>
> (Unfortunately I don't think OVMF has a "load factor defaults" option in its
> internal menus.)
>
> -Bill
>
>> I know this was an issue in the past, but I haven't found the resolution?
>>
>> Jason
>>
>>
>> _______________________________________________
>> edk2-devel mailing list
>> edk2-devel@lists.01.org
>> https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2017-07-06 18:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-06 17:31 OVMF Secure Boot variable storage issue Jason Dickens
2017-07-06 18:30 ` Bill Paul
2017-07-06 18:55 ` Jason Dickens [this message]
2017-07-12 14:00 ` Konrad Rzeszutek Wilk
2017-07-06 19:08 ` Laszlo Ersek
2017-07-06 18:49 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=401a788a-49ea-f68f-7ee1-32daa21af3ee@grammatech.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox