References: <20210617091244.2667569-1-dovmurik@linux.ibm.com>
In-Reply-To: <20210617091244.2667569-1-dovmurik@linux.ibm.com>
From: "Ard Biesheuvel"
Date: Thu, 17 Jun 2021 14:01:05 +0200
Subject: Re: [edk2-devel] [PATCH v2 0/3] OvmfPkg: Use QemuKernelLoaderFs to read cmdline/initrd
To: edk2-devel-groups-io, Dov Murik
Cc: Laszlo Ersek, Ard Biesheuvel, Jordan Justen, James Bottomley, Tobin Feldman-Fitzthum
Content-Type: text/plain; charset="UTF-8"

On Thu, 17 Jun 2021 at 11:12, Dov Murik wrote:
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>
> In order to support measured SEV boot with kernel/initrd/cmdline, we'd
> like to have one place that reads those blobs; in the future we'll add
> the measurement and verification in that place.
>
> We already have a synthetic filesystem (QemuKernelLoaderFs) which holds
> three files: "kernel", "initrd", and "cmdline". The kernel is indeed
> read from this filesystem in LoadImage; but the cmdline (and the length
> of initrd) are read from QemuFwCfgLib items.
>
> This patch series modifies GenericQemuLoadImageLib to read cmdline (and
> the initrd size) from the QemuKernelLoaderFs synthetic filesystem, thus
> removing the dependency on QemuFwCfgLib.
>
> Note that X86QemuLoadImageLib is not modified, because it contains a
> QemuLoadLegacyImage() which reads other items of the QemuFwCfg which are
> not available in QemuKernelLoaderFs. Since we don't want to support the
> legacy boot path in the future measured SEV boot, we leave
> X86QemuLoadImageLib as-is (except for a comment addition in patch 3) and
> will force use of GenericQemuLoadImageLib in the measured SEV boot
> implementation.
>
> Relevant discussion threads start in:
> https://edk2.groups.io/g/devel/message/76069
>
> To test this on x86_64, I forced the use of GenericQemuLoadImageLib
> using the following local patch:
>
>
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 0a237a905866..46442b543bcf 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -404,7 +404,7 @@ [LibraryClasses.common.DXE_DRIVER]
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>    MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
>    QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> -  QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> +  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf # XXX don't commit this or someone will be mad
>  !if $(TPM_ENABLE) == TRUE
>    Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
>    Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>
>
> I tested boot with QEMU and OVMF with the following QEMU arguments:
>
> -kernel a
> -kernel a -initrd b
> -kernel a -cmdline c
> -kernel a -initrd b -cmdline c
>
> (and also without -kernel)
>
>
> Code is at
> https://github.com/confidential-containers-demo/edk2/tree/use-synthetic-fs-for-cmdline-v2
>
> v2 changes:
>
> - Add comment to header of X86QemuLoadImageLib.inf
> - Clearer function names in GenericQemuLoadImageLib.c
> - Fix coding style issues
>
> v1: https://edk2.groups.io/g/devel/message/76265
>
>
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Jordan Justen
> Cc: James Bottomley
> Cc: Tobin Feldman-Fitzthum
>
> Dov Murik (3):
>   Revert "OvmfPkg/QemuKernelLoaderFsDxe: don't expose kernel command
>     line"
>   OvmfPkg/GenericQemuLoadImageLib: Read cmdline from QemuKernelLoaderFs
>   OvmfPkg/X86QemuLoadImageLib: State fw_cfg dependency in file header

Please cc me on the entire series.
>  OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf |   2 +-
>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf         |   3 +
>  OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c   | 145 ++++++++++++++++++--
>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c           |   3 +
>  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c               |  11 +-
>  5 files changed, 147 insertions(+), 17 deletions(-)
>
> --
> 2.25.1
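The boot matrix from the cover letter (kernel alone, kernel+initrd, kernel+cmdline, all three, and no -kernel at all) as a repeatable script. This is an added example for this page, not code from the series, from OVMF or from any of the participants. It uses QEMU's actual option for the kernel command line, -append (the cover letter writes "-cmdline"). Everything else is an assumption: the OVMF_CODE/OVMF_VARS locations, the q35 machine type, GNU coreutils `timeout`, and the two serial-console markers it looks for (the "Linux version" banner and the "Kernel command line:" line the kernel prints from init/main.c). The live boot only runs with RUN_BOOT_MATRIX=1; check_log works on any captured serial log on its own.

```shell
#!/bin/sh
# Boot matrix for the direct-kernel-boot cases listed in the cover letter.
# Added example for this page; not part of the edk2 series or of OVMF.
# Assumptions (not from the page): the OVMF_CODE/OVMF_VARS paths, the q35
# machine type, GNU coreutils `timeout`, and the two serial-console markers
# checked below ("Linux version" banner, "Kernel command line:" line).
set -u

: "${QEMU:=qemu-system-x86_64}"
: "${OVMF_CODE:=/usr/share/OVMF/OVMF_CODE.fd}"   # assumed location
: "${OVMF_VARS:=/usr/share/OVMF/OVMF_VARS.fd}"   # assumed location
: "${KERNEL:=a}"                                  # "a" and "b" as in the cover letter
: "${INITRD:=b}"
: "${CMDLINE:=console=ttyS0}"                     # kernel must log to the captured serial port
: "${TIMEOUT:=60}"

# check_log CASE LOGFILE
# Returns 0 when the captured serial log shows what CASE should produce.
# Only the kernel banner and the command line are checked: the page gives
# no initrd marker, so the initrd cases are verified only as far as the
# kernel having been loaded and started.
check_log() {
    case "$1" in
        none)
            # No -kernel: OVMF must not have direct-booted a Linux kernel.
            ! grep -q 'Linux version' "$2" ;;
        kernel|kernel-initrd)
            grep -q 'Linux version' "$2" ;;
        kernel-cmdline|kernel-initrd-cmdline)
            grep -q 'Linux version' "$2" &&
                grep -qF "Kernel command line: $CMDLINE" "$2" ;;
        *)
            echo "unknown case: $1" >&2; return 1 ;;
    esac
}

# run_case CASE
# Boots QEMU+OVMF with the arguments for CASE, captures the serial console
# to serial-CASE.log and checks it. QEMU's option for the kernel command
# line is -append.
run_case() {
    name=$1
    log="serial-$name.log"
    cp "$OVMF_VARS" "vars-$name.fd"               # private varstore per boot
    set -- -machine q35 -m 1G -display none -no-reboot \
        -drive if=pflash,format=raw,readonly=on,file="$OVMF_CODE" \
        -drive if=pflash,format=raw,file="vars-$name.fd" \
        -serial "file:$log"
    case "$name" in
        none)                  ;;
        kernel)                set -- "$@" -kernel "$KERNEL" ;;
        kernel-initrd)         set -- "$@" -kernel "$KERNEL" -initrd "$INITRD" ;;
        kernel-cmdline)        set -- "$@" -kernel "$KERNEL" -append "$CMDLINE" ;;
        kernel-initrd-cmdline) set -- "$@" -kernel "$KERNEL" -initrd "$INITRD" \
                                          -append "$CMDLINE" ;;
        *) echo "unknown case: $name" >&2; return 1 ;;
    esac
    # The guest has no root filesystem and will not shut down on its own;
    # the timeout ends the boot once the markers have had time to appear.
    timeout "$TIMEOUT" "$QEMU" "$@" >/dev/null 2>&1
    check_log "$name" "$log"
}

# The live matrix runs only when explicitly requested, so this file can be
# sourced for check_log alone on a machine without QEMU or OVMF.
boot_matrix() {
    [ "${RUN_BOOT_MATRIX:-0}" = 1 ] || return 0
    for c in none kernel kernel-initrd kernel-cmdline kernel-initrd-cmdline; do
        if run_case "$c"; then echo "PASS $c"; else echo "FAIL $c (see serial-$c.log)"; fi
    done
}
boot_matrix
```

With a measured-boot OVMF the same harness is where a verification failure would show up: a kernel/initrd/cmdline that does not match the expected measurement should leave the "none" pattern in the log (no "Linux version" banner) even though -kernel was passed.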