From: "Ard Biesheuvel"
Date: Wed, 8 May 2024 01:19:52 +0200
Subject: Re: [edk2-devel] Assistance Needed: ArmVirtPkg
To: Doug Flick
Cc: devel@edk2.groups.io

There are no code changes, the only difference is adding the
--pcd PcdMonitorConduitHvc=TRUE option to the build.sh command line,
and running QEMU with -device virtio-rng-pci (which we should be doing
in any case, IMO)

The DEPEX might fix this, and this is actually the appropriate thing
to do if the driver cannot even be dispatched without the RNG protocol
available. However, I'm not convinced this is the right approach - I
think dispatching the driver but failing in the Supported() call on a
missing RNG protocol would be less disruptive, and give more
opportunity for a meaningful warning/error message to the actual user.
But I must admit I have only taken a very cursory look at the
underlying CVE and your proposed mitigation.

On Wed, 8 May 2024 at 00:28, Doug Flick via groups.io wrote:
>
> Thanks Ard for the explanation! Would you be able to tell me the exact
> changes you made to get to this point and if that would be an
> acceptable change to make to get these CVE patches on the mailing
> list? I'm happy adding the depex but fundamentally I think the goal is
> to get these patches into this release. My attempts to roll back some
> of my changes and use VirtioRngDxe have been unsuccessful so far.

View/Reply Online (#118649): https://edk2.groups.io/g/devel/message/118649