Re: [edk2-devel] [PATCH 1/1] ArmPkg: Add Pcd to disable EFI_MEMORY_ATTRIBUTE_PROTOCOL

["Sean" <spbrogan@outlook.com>]

[-- Attachment #1: Type: text/plain, Size: 5546 bytes --]

I don't think a MemoryAttributes2Protocol with a single API would have 
avoided the errors.

The programming pattern that triggered this would still need multiple 
calls to any API and in the future where all memory is allocated as NX 
this possibility would still exist.

A short term effort to minimize the compatibility problem in the 
ecosystem is documented here Memory Protections: Document compatibility 
challenges · Issue #18 · tianocore/projects (github.com) 
<https://github.com/tianocore/projects/issues/18>  It does not address 
(and i don't see any reason to try to) a loader that uses the protocol 
incorrectly.

We have provided virtual reference platforms with these features enabled 
(both arm and x86) and have been working with the relevant communities 
for multiple years now.  The UEFI CA for option roms already have 
compliance requirements (UPDATED: UEFI Signing Requirements - Microsoft 
Community Hub 
<https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916>).  
But there are and will continue to be compatibility challenges when 
enabling a more restrictive execution environment in uefi and the uefi 
ecosystem.  The more things we make optional the longer this transition 
period will take.    "Memory Mitigations" were proposed and mostly coded 
over a decade ago.  The code changes are not that difficult. To change 
our vast and unwieldyecosystem is the hard part.   Please help to "stay 
the course" for this very necessary industry change.   If a production 
platform has requirements that force such a configuration option that is 
understandable but it is counter productive in open-source industry 
standard reference Edk2 code.

Thanks

Sean




On 6/20/2023 9:03 AM, Gerd Hoffmann wrote:
> On Tue, Jun 20, 2023 at 04:16:40PM +0300, Ard Biesheuvel wrote:
>> On Tue, Jun 20, 2023, 12:33 Gerd Hoffmann<kraxel@redhat.com>  wrote:
>>
>>> On Mon, Jun 19, 2023 at 10:32:25PM +0200, Oliver Steffen wrote:
>>>> Recent versions of shim (15.6 and 15.7) crash when the newly added
>>>> EFI_MEMORY_ATTRIBUTE_PROTOCOL is provided by the firmware.  To allow
>>>> existing installations to boot, provide a workaround in form of a Pcd
>>>> that allows tuning it off at build time (defaults to 'enabled').
>>> Background:  We have untested + broken code for
>>> EFI_MEMORY_ATTRIBUTE_PROTOCOL support in the listed shim releases.
>>>
>>> Now that firmware starts to actually provide that protocol the
>>> time bomb explodes.
>> Fantastic.
>>
>> This is kind of a big deal, really, and just turning it off for ArmVirtQemu
>> does not help at all with the fact that these shim builds will crash on any
>> platform that implements the protocol. (Including x86)
> Sure.  This hits VM firmware first because we quickly rebase our builds
> to new edk2 stable tags.  But yes, this is not limited to VMs and
> likewise not limited to arm.
>
>> Given that secure boot is kind of pointless on this particular platform
>> anyway, maybe this is a good opportunity to make shim optional in the boot
>> chain? I understand that this does not fix existing builds but shim proves
>> to be such a problematic component that you really should not be using it
>> if there is no need.
> I'd love to ditch shim.efi, even with secure boot.  For VMs one can
> just enroll the distro signing certificate to 'db' and be done with
> it.
>
> Unfortunately shim has a solid position being *the* entry point for
> linux efi systems due to being the only piece of software carrying a
> microsoft signature.  Especially on install media you can't really have
> more than one (such as different binaries depending on whenever secure
> boot is on or off).  For installed systems and cloud images shim also
> creates/restores BootNNNN entries.
>
> Additional problem is that shim is the piece of software which handles
> sbat revocations, so even in case the distro cert is enrolled in 'db' so
> the certificate handling implemented by shim is not needed I can't just
> ignore shim.efi.
>
>> As for the protocol, this has its own set of problems, and the bug in
>> question can partly be blamed on the misdesigned api, which has separate
>> set and clear methods. Not only does this force the implementation to
>> traverse the page tables twice for the common case of switching between RO
>> and XP or vice versa, it also means we lose any transactional properties of
>> a RO <-> XP switch. I.e., if we could make it the implementation's
>> responsibility to ensure that such a transformation either completes
>> successfully, or otherwise, doesn't make any modifications at all, the risk
>> of ending up in a limbo state is reduced significantly.
>>
>> So maybe there is still opportunity for specifying a MemoryAttributes2
>> protocol with a single method for set and clear? We could just drop the
>> current one in that case.
> Sounds reasonable to me.
>
>> In any case, while i can see how this patch helps make all your ci status
>> icons turn green again, it does so by papering over the underlying issue so
>> I'm not a fan.
> Yes.  It's not a solution, it's a workaround which we could use to turn
> off EFI_MEMORY_ATTRIBUTE_PROTOCOL for a year or two, depending on how
> quickly the shim / distro folks get their act together and updates
> rolled out.
>
> I'm not a fan either, but we need some temporary stopgap, and given that
> others likely meet the very same problem too we figured sending it to
> the list is a good idea, and here we are ;)
>
> take care,
>    Gerd
>
>
>
> 
>
>

[-- Attachment #2: Type: text/html, Size: 7735 bytes --]