public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Laszlo Ersek <lersek@redhat.com>
To: Jordan Justen <jordan.l.justen@intel.com>,
	edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Subject: Re: [PATCH v2 4/5] OvmfPkg: raise max variable size (auth & non-auth) to 33KB for FD_SIZE_4MB
Date: Thu, 4 May 2017 18:52:48 +0200	[thread overview]
Message-ID: <795227c7-2191-239a-a940-4f5ea37adfc3@redhat.com> (raw)
In-Reply-To: <149391577010.7999.17667669342464390958@jljusten-skl.jf.intel.com>

On 05/04/17 18:36, Jordan Justen wrote:
> On 2017-05-03 14:39:46, Laszlo Ersek wrote:
>> The "ConfirmSetOfLargeVariable" test case of the Secure Boot Logo Test
>> ("Microsoft.UefiSecureBootLogo.Tests") suite in the Microsoft Hardware
>> Certification Kit sets a 32 KB large non-authenticated variable.
> 
> According to
> http://www.uefi.org/sites/default/files/resources/UEFI_Plugfest_Security_Microsoft_Fall_2016.pdf
> 
> "The maximum supported variable size must be at least 64kB"
> 
> Should we just bump the size to match this? We should be able to make
> this change later once it is in a test/spec, but for some reason I
> thought the requirement was already 64k.

The 32KB requirement comes from the most recent Secure Boot Logo Test. I
installed both the Windows Server 2008 R2 SP1 test controller and the
Windows 2016 Server test client just the other day, together with the
most recent filters, using the following descriptions:

https://msdn.microsoft.com/en-us/library/windows/hardware/jj123537.aspx
https://github.com/daynix/VirtHCK/wiki#Checklist_for_a_New_Controller_VM
https://github.com/daynix/VirtHCK/wiki#Checklist_for_a_New_Client_VM

Given that this limit can be bumped without breaking compatibility, as
you say, I'd like to remain frugal with it, same as we were in James's
commit f5404a3eba1d ("OvmfPkg: Increase the maximum size for
Authenticated variables", 2016-03-24).

I don't understand why the plugfest presentation and the SB Logo Test
require different limits... But, I'm certain our QE will find out in
short order once the SB Logo Test catches up with the presentation, and
I expect I'll submit the corresponding patch soon after.

I dislike the speculation in this series, but breaking compatibility is
even worse. (A lot worse, to me at least.) So I consider the varstore
restructuring the smaller of two wrongs. However, wrt.
PcdMaxVariableSize, it seems we're not being forced to either of those
wrongs (i.e., breaking compat or speculation), so we can delay the increase.

> 
> Aside from this question:
> 
> Series Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

Thanks a lot!

I'll await your ACK for the above argument before pushing the series.

Thanks,
Laszlo

>> In the FD_SIZE_4MB build, our live varstore is now 256 KB big, so we can
>> accommodate this. Set both PcdMaxVariableSize and PcdMaxAuthVariableSize
>> to 0x8400 -- beyond DataSize=0x8000 from the HCK test, we need some room
>> for the variable name and attributes as well.
>>
>> Cc: Gary Ching-Pang Lin <glin@suse.com>
>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>> ---
>>
>> Notes:
>>     v2:
>>     - adjust to FD_SIZE_IN_KB
>>     - update commit msg to state 256 KB for the varstore [Jordan]
>>
>>  OvmfPkg/OvmfPkgIa32.dsc    | 6 ++++++
>>  OvmfPkg/OvmfPkgIa32X64.dsc | 6 ++++++
>>  OvmfPkg/OvmfPkgX64.dsc     | 6 ++++++
>>  3 files changed, 18 insertions(+)
>>
>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>> index 26b807dde9fa..e0779ddaa426 100644
>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>> @@ -404,28 +404,34 @@ [PcdsFeatureFlag]
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
>>  !endif
>>  !if $(SMM_REQUIRE) == TRUE
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
>>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmEnableBspElection|FALSE
>>  !endif
>>  
>>  [PcdsFixedAtBuild]
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
>>    gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32
>> +!if ($(FD_SIZE_IN_KB) == 1024) || ($(FD_SIZE_IN_KB) == 2048)
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
>> +!endif
>> +!if $(FD_SIZE_IN_KB) == 4096
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x8400
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x8400
>> +!endif
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xe000
>>  
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>>  
>>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
>>  
>>    # DEBUG_INIT      0x00000001  // Initialization
>>    # DEBUG_WARN      0x00000002  // Warnings
>>    # DEBUG_LOAD      0x00000004  // Load events
>>    # DEBUG_FS        0x00000008  // EFI File system
>>    # DEBUG_POOL      0x00000010  // Alloc & Free (pool)
>>    # DEBUG_PAGE      0x00000020  // Alloc & Free (page)
>>    # DEBUG_INFO      0x00000040  // Informational debug messages
>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>> index 41f06a6b6a66..bbe26e2cf452 100644
>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>> @@ -409,28 +409,34 @@ [PcdsFeatureFlag]
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
>>  !endif
>>  !if $(SMM_REQUIRE) == TRUE
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
>>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmEnableBspElection|FALSE
>>  !endif
>>  
>>  [PcdsFixedAtBuild]
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
>>    gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32
>> +!if ($(FD_SIZE_IN_KB) == 1024) || ($(FD_SIZE_IN_KB) == 2048)
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
>> +!endif
>> +!if $(FD_SIZE_IN_KB) == 4096
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x8400
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x8400
>> +!endif
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xe000
>>  
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>>  
>>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
>>  
>>    # DEBUG_INIT      0x00000001  // Initialization
>>    # DEBUG_WARN      0x00000002  // Warnings
>>    # DEBUG_LOAD      0x00000004  // Load events
>>    # DEBUG_FS        0x00000008  // EFI File system
>>    # DEBUG_POOL      0x00000010  // Alloc & Free (pool)
>>    # DEBUG_PAGE      0x00000020  // Alloc & Free (page)
>>    # DEBUG_INFO      0x00000040  // Informational debug messages
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>> index 053c84b685c5..ff795815f65f 100644
>> --- a/OvmfPkg/OvmfPkgX64.dsc
>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -409,28 +409,34 @@ [PcdsFeatureFlag]
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
>>  !endif
>>  !if $(SMM_REQUIRE) == TRUE
>>    gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
>>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmEnableBspElection|FALSE
>>  !endif
>>  
>>  [PcdsFixedAtBuild]
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
>>    gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32
>> +!if ($(FD_SIZE_IN_KB) == 1024) || ($(FD_SIZE_IN_KB) == 2048)
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
>> +!endif
>> +!if $(FD_SIZE_IN_KB) == 4096
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x8400
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x8400
>> +!endif
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xe000
>>  
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>>  
>>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
>>  
>>    # DEBUG_INIT      0x00000001  // Initialization
>>    # DEBUG_WARN      0x00000002  // Warnings
>>    # DEBUG_LOAD      0x00000004  // Load events
>>    # DEBUG_FS        0x00000008  // EFI File system
>>    # DEBUG_POOL      0x00000010  // Alloc & Free (pool)
>>    # DEBUG_PAGE      0x00000020  // Alloc & Free (page)
>>    # DEBUG_INFO      0x00000040  // Informational debug messages
>> -- 
>> 2.9.3
>>
>>



  reply	other threads:[~2017-05-04 16:52 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-03 21:39 [PATCH v2 0/5] OvmfPkg: add FD_SIZE_4MB for Windows HCK SB tests, and for future proofing Laszlo Ersek
2017-05-03 21:39 ` [PATCH v2 1/5] OvmfPkg: introduce the FD_SIZE_IN_KB macro / build flag Laszlo Ersek
2017-05-03 21:39 ` [PATCH v2 2/5] OvmfPkg/OvmfPkg.fdf.inc: extract VARS_LIVE_SIZE and VARS_SPARE_SIZE macros Laszlo Ersek
2017-05-03 21:39 ` [PATCH v2 3/5] OvmfPkg: introduce 4MB flash image (mainly) for Windows HCK Laszlo Ersek
2017-05-05  4:07   ` Laszlo Ersek
2017-05-05  8:57     ` Jordan Justen
2017-05-05 12:07       ` Laszlo Ersek
2017-05-05 15:43         ` Jordan Justen
2017-05-05 16:46           ` Laszlo Ersek
2017-05-03 21:39 ` [PATCH v2 4/5] OvmfPkg: raise max variable size (auth & non-auth) to 33KB for FD_SIZE_4MB Laszlo Ersek
2017-05-04 16:36   ` Jordan Justen
2017-05-04 16:52     ` Laszlo Ersek [this message]
2017-05-04 18:50       ` Jordan Justen
2017-05-04 19:27         ` Laszlo Ersek
2017-05-04 19:30           ` Laszlo Ersek
2017-05-04 23:00       ` Laszlo Ersek
2017-05-03 21:39 ` [PATCH v2 5/5] OvmfPkg: make the 4MB flash size the default Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=795227c7-2191-239a-a940-4f5ea37adfc3@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox