From: "Ard Biesheuvel" <ard.biesheuvel@arm.com>
To: Laszlo Ersek <lersek@redhat.com>, devel@edk2.groups.io
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [edk2-devel] [PATCH v3 14/14] OvmfPkg: use generic QEMU image loader for secure boot enabled builds
Date: Thu, 11 Jun 2020 17:05:22 +0200 [thread overview]
Message-ID: <56eff0cf-b76e-be82-db0e-b6a44a7f1908@arm.com> (raw)
In-Reply-To: <85097379-850e-ece2-13e7-eefeb30d12ed@redhat.com>
On 6/11/20 4:55 PM, Laszlo Ersek wrote:
> Hi Ard,
>
> On 06/10/20 11:32, Ard Biesheuvel wrote:
>> On 6/10/20 11:22 AM, Laszlo Ersek wrote:
>
>>> (3) make it a dynamic boolean PCD, and use the recently introduced
>>> fw_cfg control interface
>>>
>>>
>>> In all three options, the OVMF DSC files would unconditionally use the
>>> X86QemuLoadImageLib instance, we'd just predicate the fallback to the
>>> legacy Linux/x86 boot protocol on:
>>>
>>> Â Â SecureBoot disabled || FallbackPcd
>>>
>>> (where "SecureBoot disabled" means that the SecureBoot standard UEFI
>>> variable doesn't exist, or has zero value).
>>>
>>> I think option (2) means the least churn, and it would be "good enough"
>>> functionally.
>>>
>>> Does this look palatable to you?
>>>
>>>
>>>> So what is the point of DEFER_EXECUTE_ON_SECURITY_VIOLATION anyway, if
>>>> you cannot start the image anyway?
>>>
>>> Honestly: I'm not sure!
>>>
>>>> Because I would prefer it if we could
>>>> start the image anyway, Unfortunately, the only way seems to be
>>>
>>> Right; it seems like the EFI_SECURITY_VIOLATION status would get saved
>>> in the private LoadImageStatus field, and that would cause StartImage()
>>> to fail early as well. I couldn't find a spot to "re-set"
>>> LoadImageStatus.
>>>
>>>> to use
>>>> the loaded image protocol data (base and size in memory) and do another
>>>> LoadImage() after adding the hash to "db", and this is also more
>>>> elaborate than I would like.
>>>
>>> Agreed. We shouldn't mess with "db".
>>>
>>>> Of course, the *correct* fix is to add the vendor cert to db - you are
>>>> loading a signed image from a known source, and this whole dance with
>>>> shim and the MS certs is ridiculous, and I am still hoping we can avoid
>>>> this mess on ARM
>>>
>>> I considered this. It didn't look feasible to me at first sight (how
>>> many vendors?), but now that you mention it and I've looked at it more
>>> closely, it does look feasible. Selfishly (!), if I look at the guest OS
>>> types officially supported on RHEL8 hosts:
>>>
>>> - https://access.redhat.com/articles/973133
>>> - https://access.redhat.com/articles/973163
>>>
>>> then all we (RH) would need are two patches for (upstream)
>>> OvmfPkg/EnrollDefaultKeys. Namely, we should enroll two more DB entries:
>>>
>>> - SUSE's CA certificate to which the key(s) chain that they use for
>>> signing their kernels
>>>
>>> - Red Hat's CA certificate to which the key(s) chain that we use for
>>> signing our kernels.
>>>
>>> That would strictly be an improvement even for upstream OVMF (more
>>> vendors accepted).
>>>
>>> Ultimately I think the right way is to pick option (3) -- dynamic PCD --
>>> *and* add the SUSE and RH CA certs to OvmfPkg/EnrollDefaultKeys. That
>>> means SUSE and RH signed kernels can be booted at once, with secure
>>> verification, and users would still have a QEMU command line option for
>>> opting *into* the legacy boot protocol fallback.
>>>
>>> Do you agree? Would you be OK with patches to this effect?
>>>
>>
>> Yes, option #3 looks reasonable to me. And adding the certs is the right
>> thing to do regardless - going around installing the MS certs everywhere
>> is a recipe for disaster, and AIUI, MS now requires you to remove them
>> in some cases?? (for DeviceGuard support or sth like that)
>
> I've "escalated" this internally to other virt team engineers, and they
> seem to consider this a plain regression. They suggested we should
> revert the patch, because:
>
> - the problem will affect every guest distro different from SUSE and RH
> out there, and every host distro providing KVM hypervisor,
>
> - the change isn't fixing a practical security issue.
>
> (I'm quite stressed about bringing this internal feedback to you,
> admittedly...)
>
Don't worry about it.
If we can ensure that the only bootable images that are exempt from the
secure boot checks are ones that were provided directly by the host
userspace, then I think their position is not unreasonable, given that
the guest is at its mercy anyway.
next prev parent reply other threads:[~2020-06-11 15:05 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-05 13:45 [PATCH v3 00/14] Ovmf: use LoadImage/StartImage for loading command line images Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 01/14] OvmfPkg: add GUID for the QEMU kernel loader fs media device path Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 02/14] OvmfPkg: export abstract QEMU blob filesystem in standalone driver Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 03/14] OvmfPkg: introduce QemuLoadImageLib library class Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 04/14] OvmfPkg: provide a generic implementation of QemuLoadImageLib Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 05/14] ArmVirtPkg: incorporate the new QEMU kernel loader driver and library Ard Biesheuvel
2020-03-05 13:45 ` [PATCH v3 06/14] ArmVirtPkg/PlatformBootManagerLib: switch to separate QEMU loader Ard Biesheuvel
2020-03-05 13:46 ` [PATCH v3 07/14] OvmfPkg/QemuKernelLoaderFsDxe: don't expose kernel command line Ard Biesheuvel
2020-03-05 13:46 ` [PATCH v3 08/14] OvmfPkg/QemuKernelLoaderFsDxe: add support for the kernel setup block Ard Biesheuvel
2020-03-05 13:46 ` [PATCH v3 09/14] OvmfPkg: create protocol and GUID header for loaded x86 Linux kernels Ard Biesheuvel
2020-03-05 16:01 ` [edk2-devel] " Laszlo Ersek
2020-03-05 13:46 ` [PATCH v3 10/14] OvmfPkg: implement QEMU loader library for X86 with legacy fallback Ard Biesheuvel
2020-03-05 18:03 ` [edk2-devel] " Laszlo Ersek
2020-03-05 13:46 ` [PATCH v3 11/14] OvmfPkg: add new QEMU kernel image loader components Ard Biesheuvel
2020-03-05 13:46 ` [PATCH v3 12/14] OvmfPkg/PlatformBootManagerLib: switch to QemuLoadImageLib Ard Biesheuvel
2020-03-05 21:15 ` [edk2-devel] " Laszlo Ersek
2020-03-05 21:20 ` Ard Biesheuvel
2020-03-05 23:42 ` Laszlo Ersek
2020-03-05 13:46 ` [PATCH v3 13/14] OvmfPkg/QemuKernelLoaderFsDxe: add support for new Linux initrd device path Ard Biesheuvel
2020-03-05 13:46 ` [PATCH v3 14/14] OvmfPkg: use generic QEMU image loader for secure boot enabled builds Ard Biesheuvel
2020-06-09 9:51 ` [edk2-devel] " Laszlo Ersek
2020-06-09 10:45 ` Ard Biesheuvel
2020-06-10 9:22 ` Laszlo Ersek
2020-06-10 9:32 ` Ard Biesheuvel
2020-06-11 14:55 ` Laszlo Ersek
2020-06-11 15:05 ` Ard Biesheuvel [this message]
2020-06-11 18:13 ` Laszlo Ersek
2020-06-11 19:07 ` Ard Biesheuvel
2020-03-06 2:01 ` [edk2-devel] [PATCH v3 00/14] Ovmf: use LoadImage/StartImage for loading command line images Bob Feng
2020-03-06 7:42 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56eff0cf-b76e-be82-db0e-b6a44a7f1908@arm.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox