Subject: Re: [edk2-devel] [PATCH v2 0/3] OvmfPkg: Use QemuKernelLoaderFs to read cmdline/initrd
To: Ard Biesheuvel, edk2-devel-groups-io
Cc: Laszlo Ersek, Ard Biesheuvel, Jordan Justen, James Bottomley, Tobin Feldman-Fitzthum
References: <20210617091244.2667569-1-dovmurik@linux.ibm.com>
From: "Dov Murik"
Message-ID: <48753015-34eb-de8a-2551-112d9e49b23d@linux.ibm.com>
Date: Thu, 17 Jun 2021 15:18:45 +0300

On 17/06/2021 15:01, Ard Biesheuvel wrote:
> On Thu, 17 Jun 2021 at 11:12, Dov Murik wrote:
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>>
>> In order to support measured SEV boot with kernel/initrd/cmdline, we'd
>> like to have one place that reads those blobs; in the future we'll add
>> the measurement and verification in that place.
>>
>> We already have a synthetic filesystem (QemuKernelLoaderFs) which holds
>> three files: "kernel", "initrd", and "cmdline". The kernel is indeed
>> read from this filesystem in LoadImage; but the cmdline (and the length
>> of initrd) are read from QemuFwCfgLib items.
>>
>> This patch series modifies GenericQemuLoadImageLib to read cmdline (and
>> the initrd size) from the QemuKernelLoaderFs synthetic filesystem, thus
>> removing the dependency on QemuFwCfgLib.
>>
>> Note that X86QemuLoadImageLib is not modified, because it contains a
>> QemuLoadLegacyImage() which reads other items of the QemuFwCfg which are
>> not available in QemuKernelLoaderFs. Since we don't want to support the
>> legacy boot path in the future measured SEV boot, we leave
>> X86QemuLoadImageLib as-is (except for a comment addition in patch 3) and
>> will force use of GenericQemuLoadImageLib in the measured SEV boot
>> implementation.
>>
>> Relevant discussion threads start in:
>> https://edk2.groups.io/g/devel/message/76069
>>
>> To test this on x86_64, I forced the use of GenericQemuLoadImageLib
>> using the following local patch:
>>
>>
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>> index 0a237a905866..46442b543bcf 100644
>> --- a/OvmfPkg/OvmfPkgX64.dsc
>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -404,7 +404,7 @@ [LibraryClasses.common.DXE_DRIVER] >> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf >> MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf >> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf >> - QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf >> + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf # XXX don't commit this or someone will be mad >> !if $(TPM_ENABLE) == TRUE >> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf >> >> >> I tested boot with QEMU and OVMF with the following QEMU arguments: >> >> -kernel a >> -kernel a -initrd b >> -kernel a -cmdline c >> -kernel a -initrd b -cmdline c >> >> (and also without -kernel) >> >> >> Code is at >> https://github.com/confidential-containers-demo/edk2/tree/use-synthetic-fs-for-cmdline-v2 >> >> v2 changes: >> >> - Add comment to header of X86QemuLoadImageLib.inf >> - Clearer function names in GenericQemuLoadImageLib.c >> - Fix coding style issues >> >> v1: https://edk2.groups.io/g/devel/message/76265 >> >> >> Cc: Laszlo Ersek >> Cc: Ard Biesheuvel >> Cc: Jordan Justen >> Cc: James Bottomley >> Cc: Tobin Feldman-Fitzthum >> >> Dov Murik (3): >> Revert "OvmfPkg/QemuKernelLoaderFsDxe: don't expose kernel command >> line" >> OvmfPkg/GenericQemuLoadImageLib: Read cmdline from QemuKernelLoaderFs >> OvmfPkg/X86QemuLoadImageLib: State fw_cfg dependency in file header >> > > > Please cc me on the entire series. > Sorry, my bad. Resent. 
-Dov

>
>> OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf | 2 +-
>> OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf | 3 +
>> OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 145 ++++++++++++++++++--
>> OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 3 +
>> OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 11 +-
>> 5 files changed, 147 insertions(+), 17 deletions(-)
>>
>> --
>> 2.25.1
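Review bot: the OvmfPkgX64.dsc hunk is a local test-only override, as its trailing `# XXX don't commit this or someone will be mad` comment states, and it must not be folded into the 3-patch series. Because it only remaps QemuLoadImageLib under [LibraryClasses.common.DXE_DRIVER], the listed QEMU test matrix (-kernel alone, with -initrd and/or -cmdline, and without -kernel) exercises only GenericQemuLoadImageLib; the unmodified X86QemuLoadImageLib path with QemuLoadLegacyImage() is not covered by these runs, which is worth stating next to the test results so reviewers know the default X64 build was not booted with this series applied.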