From: "Andrew Fish via groups.io"
Message-id: <9251E7FF-7617-470C-AC8E-078F54722828@apple.com>
Subject: Re: [edk2-devel] [PATCH 1/3] OvmfPkg/PlatformInitLib: Detect FlashNvVarStore before validate it
Date: Thu, 01 Aug 2024 16:47:32 -0700
To: edk2-devel-groups-io, Gerd Hoffmann
Cc: Tom Lendacky, 韩里洋, Erdem Aktas, jejb@linux.ibm.com, "Yao, Jiewen", min.m.xu@intel.com
References: <20240714122455.136148-1-wojiaohanliyang@163.com> <20240714122455.136148-2-wojiaohanliyang@163.com> <5c722bb7-e1cb-9f4d-f9e2-48b0a99db781@amd.com> <7dc6b311-69d0-69c6-77ee-65b945ee1b5c@amd.com> <1a14dc5e.26b5.190be867682.Coremail.wojiaohanliyang@163.com>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Sender: devel@edk2.groups.io
Reply-To: devel@edk2.groups.io, afish@apple.com

> On Jul 19, 2024, at 12:35 AM, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Thu, Jul 18, 2024 at 07:57:27PM GMT, Tom Lendacky wrote:
>> On 7/16/24 21:30, 韩里洋 wrote:
>>> Hi Tom,
>>>
>>> Thank you for your response.
>>>
>>> In fact, I'm unable to proceed with the development of the fix patch locally as I don't have SEV-SNP hardware for experimentation. However, it has proven to be crucial for effectively testing and completing the patch.
>>>
>>> Given your expertise and potentially available hardware, would your team be able to take over the fixing of this issue? (bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4807 )
>>
>> Secure Boot is not supported under SEV-ES and SEV-SNP because SMM is
>> required in order for Secure Boot to be secure.
>
> The other option is initializing the variable store from ROM on each
> boot. Which implies there are no persistent EFI variables, which has
> its own set of drawbacks. But this is what the IntelTdx build is doing
> and AmdSev should be able to do this too.
>

Seems like you might be able to just overwrite the secure boot related variables on every boot to a hard-coded value. You could have PCDs for the default values of the variables.

Thanks,

Andrew Fish

> take care,
> Gerd

View/Reply Online (#120200): https://edk2.groups.io/g/devel/message/120200
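Whichever approach is taken (a persistent store, or one re-seeded from ROM or PCD defaults on every boot), the observable outcome inside the guest is the same handful of variables this thread is about: SecureBoot, SetupMode, PK and db. The check below is an added example written for this page; it is not code from the thread, from OVMF or from edk2. It parses those variables as Linux exposes them under /sys/firmware/efi/efivars (a 4-byte little-endian attribute word followed by the variable data) and reports whether the firmware is in setup mode or actually enforcing Secure Boot. The function names, the `read_efivars` helper and the sample byte strings are mine; the vendor GUIDs and attribute bits are the ones defined by the UEFI specification.

```python
"""Guest-side check of the Secure Boot variables discussed in the thread.

Added example (not code from the edk2 thread or from OVMF). Linux exposes
each UEFI variable as a file /sys/firmware/efi/efivars/<Name>-<VendorGuid>
whose content is a 4-byte little-endian attribute word followed by the
variable data; this module parses those files and reports whether the
firmware is in setup mode or enforcing Secure Boot.
"""
import struct
from pathlib import Path

# Vendor GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx

# Attribute bits from the UEFI SetVariable() definition.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

EFIVARS_ROOT = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> tuple[int, bytes]:
    """Split one efivars file image into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivars entry is shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def read_efivars(root: Path = EFIVARS_ROOT) -> dict[str, bytes]:
    """Read the Secure Boot related variables from sysfs (Linux; needs root)."""
    wanted = {
        "SecureBoot": EFI_GLOBAL_VARIABLE_GUID,
        "SetupMode": EFI_GLOBAL_VARIABLE_GUID,
        "PK": EFI_GLOBAL_VARIABLE_GUID,
        "KEK": EFI_GLOBAL_VARIABLE_GUID,
        "db": EFI_IMAGE_SECURITY_DATABASE_GUID,
        "dbx": EFI_IMAGE_SECURITY_DATABASE_GUID,
    }
    found = {}
    for name, guid in wanted.items():
        path = root / f"{name}-{guid}"
        if path.exists():
            found[name] = path.read_bytes()
    return found


def secure_boot_state(variables: dict[str, bytes]) -> dict:
    """Summarise the firmware's Secure Boot state from raw efivars contents.

    `variables` maps variable name -> raw file content (attributes + data).
    """
    def byte_flag(name: str):
        blob = variables.get(name)
        if blob is None:
            return None
        _, data = parse_efivar(blob)
        return data[0] if data else None

    def enrolled(name: str) -> bool:
        blob = variables.get(name)
        return blob is not None and len(parse_efivar(blob)[1]) > 0

    state = {
        "secure_boot": byte_flag("SecureBoot"),
        "setup_mode": byte_flag("SetupMode"),
        "pk_enrolled": enrolled("PK"),
        "db_enrolled": enrolled("db"),
        "pk_authenticated": False,
        "pk_claims_non_volatile": False,
    }
    if "PK" in variables:
        attrs, _ = parse_efivar(variables["PK"])
        state["pk_authenticated"] = bool(attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
        # NON_VOLATILE only describes the attribute word: a store that is
        # re-seeded from ROM on every boot (the option discussed in the
        # thread) can still carry it even though nothing survives a reboot.
        state["pk_claims_non_volatile"] = bool(attrs & EFI_VARIABLE_NON_VOLATILE)
    state["enforcing"] = (
        state["secure_boot"] == 1 and state["setup_mode"] == 0 and state["pk_enrolled"]
    )
    return state


# Constructed sample inputs (not captured from real hardware): attribute
# word 0x06 = BS|RT for the read-only status variables, 0x27 =
# NV|BS|RT|TIME_BASED_AUTH for PK and db, followed by placeholder data.
SAMPLE_ENFORCING = {
    "SecureBoot": bytes([0x06, 0, 0, 0, 1]),
    "SetupMode": bytes([0x06, 0, 0, 0, 0]),
    "PK": bytes([0x27, 0, 0, 0]) + b"\x00" * 16,
    "db": bytes([0x27, 0, 0, 0]) + b"\x00" * 16,
}
SAMPLE_SETUP_MODE = {  # no PK enrolled: firmware stays in setup mode, nothing enforced
    "SecureBoot": bytes([0x06, 0, 0, 0, 0]),
    "SetupMode": bytes([0x06, 0, 0, 0, 1]),
}

if __name__ == "__main__":
    live = read_efivars()  # falls back to the constructed sample off a UEFI host
    for key, value in secure_boot_state(live or SAMPLE_ENFORCING).items():
        print(f"{key}: {value}")
```

On a UEFI Linux guest the script reads the live variables; elsewhere it runs on the constructed sample. Note that "enforcing" here means the firmware reports SecureBoot=1 with a PK enrolled and SetupMode=0; it says nothing about whether the variable store itself is protected from the guest, which is the SMM point Tom raises above.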