From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>,
edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>,
Jordan Justen <jordan.l.justen@intel.com>
Subject: Re: [PATCH] Revert "OvmfPkg: use generic QEMU image loader for secure boot enabled builds"
Date: Mon, 15 Jun 2020 16:49:39 +0200 [thread overview]
Message-ID: <93f89ea3-9a4c-6030-6259-3ad778731910@redhat.com> (raw)
In-Reply-To: <20200615144514.24597-1-lersek@redhat.com>
On 6/15/20 4:45 PM, Laszlo Ersek wrote:
> This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
>
> The command
>
> virt-install --location NETWORK-URL
>
> downloads the vmlinuz and initrd files from the remote OS tree, and passes
> them to the guest firmware via fw_cfg.
>
> When used with IA32 / X64 guests, virt-install expects the guest firmware
> to do two things, at the same time:
>
> - launch the fw_cfg kernel image even if the latter does not pass SB
> verification (SB checking is supposed to be bypassed entirely in favor
> of the Linux/x86 Boot Protocol),
>
> - still let the guest kernel perceive SB as enabled.
>
> Commit ced77332cab6 prevented this, by removing the Linux/x86 Boot
> Protocol from such an OVMF image that was built with SECURE_BOOT_ENALBE.
> While that's the right thing in theory, in practice "virt-install
> --location NETWORK-URL" is entrenched, and we shouldn't break it.
>
> We can tolerate the Linux/x86 Boot Protocol as a one-of-a-kind SB bypass
> for direct-booted kernels, because:
>
> - the fw_cfg content comes from QEMU, and the guest is already at QEMU's
> mercy,
>
> - in the guest, OS boots after the initial installation will use "shim"
> rather than an fw_cfg kernel, which we can consider somewhat similar to
> "Audit Mode / Deployed Mode" (~ trust for install, lock down after).
>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
> ---
>
> Notes:
> - pick up Ard's ACK from
>
> http://mid.mail-archive.com/c06ee730-e421-0aa5-882f-bc09ae9c546f@arm.com
> https://edk2.groups.io/g/devel/message/61169
>
> - posting to the list to enable feedback on the commit message (I intend
> to push the patch in one or two days)
>
> - repo: https://pagure.io/lersek/edk2.git
> branch: reenable_fwcfg_x86_boot_proto
>
> OvmfPkg/OvmfPkgIa32.dsc | 4 ----
> OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
> OvmfPkg/OvmfPkgX64.dsc | 4 ----
> 3 files changed, 12 deletions(-)
>
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index d0df9cbbfb2b..16103d177374 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -379,11 +379,7 @@ [LibraryClasses.common.DXE_DRIVER]
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
> -!else
> QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!endif
> !if $(TPM_ENABLE) == TRUE
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index b3ae62fee92b..9597ef6721da 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -383,11 +383,7 @@ [LibraryClasses.common.DXE_DRIVER]
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
> -!else
> QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!endif
> !if $(TPM_ENABLE) == TRUE
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index f7fe75ebf531..a6e585c03d41 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -383,11 +383,7 @@ [LibraryClasses.common.DXE_DRIVER]
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
> -!else
> QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!endif
> !if $(TPM_ENABLE) == TRUE
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
next prev parent reply other threads:[~2020-06-15 14:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-15 14:45 [PATCH] Revert "OvmfPkg: use generic QEMU image loader for secure boot enabled builds" Laszlo Ersek
2020-06-15 14:49 ` Philippe Mathieu-Daudé [this message]
2020-06-16 20:40 ` [edk2-devel] " Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=93f89ea3-9a4c-6030-6259-3ad778731910@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox