From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id CBF32D811B0 for ; Tue, 3 Dec 2024 09:14:15 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=/IbYLNrb/26vKpD/p3xntH2XhVPxdXe7prn9InYcjsY=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; s=20240830; t=1733217255; v=1; x=1733476454; b=f+1viJ6u2Xgr2Cr9W1d2QtMi2dDYGGXid+WfI22nPmZztdVwaa114IAkwEnJJaCbL5MqI310 DrYVwUEOiyHqZuTVkhhh3tqOfP/Xb3SOvcMlJ79OhpmCDciOozYNtebcPtbl74w82/jpgH9yNWa Nipuppk+IsKhPnj/7mpHJ7Egq1+rA+UjVw8A8UcMHfFlGD5f7PzQ54Zco3tc24pjZ29ub+3LReN LXZV50vKa2z6KGpDvN/HFodak8w4+/AdHOCEJr0hmHHsoAnjuTMnMQb/rDRuJU+/BgfbYYnED1u rS8GfoOzMHz3XKpXQFE3GPj4onm2XRraMRhpo/VQ0PLug== X-Received: by 127.0.0.2 with SMTP id F4SSYY7687511xaf72fhiSjV; Tue, 03 Dec 2024 01:14:14 -0800 X-Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by mx.groups.io with SMTP id smtpd.web10.15286.1733217253502598703 for ; Tue, 03 Dec 2024 01:14:13 -0800 X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id F2E565C6973 for ; Tue, 3 Dec 2024 09:13:29 +0000 (UTC) X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id A4B17C4CED9 for ; Tue, 3 Dec 2024 09:14:12 +0000 (UTC) X-Received: by mail-lf1-f49.google.com with SMTP id 2adb3069b0e04-53df1e063d8so6803280e87.3 for ; Tue, 03 Dec 2024 01:14:12 -0800 (PST) X-Gm-Message-State: 3skcSZkjnUK0yryOwOZWk5Qvx7686176AA= X-Google-Smtp-Source: AGHT+IFCklAJo1p2QIZbFYwoV6XbKrpynUTZ7HWC0poZjIlchvVFkX9wOJd0GJs5/cpUBHzVRoIpnohvrOtFmUjldxU= X-Received: by 2002:a05:651c:4cb:b0:2ff:d2a9:23e6 with SMTP id 38308e7fff4ca-30009c9e011mr8746271fa.31.1733217250849; Tue, 03 Dec 2024 01:14:10 -0800 (PST) MIME-Version: 1.0 References: <2622e377-6909-4a85-bea3-eedc8c43ced6@bsdio.com> In-Reply-To: <2622e377-6909-4a85-bea3-eedc8c43ced6@bsdio.com> From: "Ard Biesheuvel via groups.io" Date: Tue, 3 Dec 2024 10:13:59 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] Debugging EFI Runtime crash when trying to update DBX for Secure Boot in Linux (fwupdmgr update) To: devel@edk2.groups.io, rebecca@bsdio.com Cc: Doug Flick Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Tue, 03 Dec 2024 01:14:13 -0800 Resent-From: ardb@kernel.org Reply-To: devel@edk2.groups.io,ardb@kernel.org List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240830 header.b=f+1viJ6u; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=pass (policy=none) header.from=groups.io On Mon, 2 Dec 2024 at 22:25, Rebecca Cran wrote: > > I've set up Secure Boot for my firmware, but I'm having problems when > trying to have fwupdmgr install a DBX update. > > Since I've run into problems setting up arm64_DBXUpdate.bin from > uefi.org or DefaultDbx.bin from a build of secureboot_objects I'm > generating my own certificate and installing that as dbxDefault just so > that the variable exists. > > I reset the entire SPI-NOR to default (i.e. deleting any existing > variables), then enable Secure Boot in UiApp and boot openSUSE. When I > run fwupmgr update, I get: > > localhost:~ # fwupdmgr update > Devices with no available firmware updates: > =E2=80=A2 System Firmware > =E2=80=A2 WD BLACK SN850X 4000GB > =E2=95=94=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=97 > =E2=95=91 Upgrade UEFI dbx from 0 to > 26? =E2=95=91 > =E2=95=A0=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=A3 > =E2=95=91 Insecure versions of the Microsoft Windows boot manager affecte= d by > Black =E2=95=91 > =E2=95=91 Lotus were added to the list of forbidden signatures due to a > discovered =E2=95=91 > =E2=95=91 security problem.This updates the dbx to the latest release fro= m > Microsoft. =E2=95=91 > =E2=95=91 =E2=95=91 > =E2=95=91 Before installing the update, fwupd will check for any affected > executables =E2=95=91 > =E2=95=91 in the ESP and will refuse to update if it finds any boot binar= ies > signed =E2=95=91 > =E2=95=91 with any of the forbidden signatures.Applying this update may a= lso > cause =E2=95=91 > =E2=95=91 some Windows install media to not start > correctly. =E2=95=91 > =E2=95=91 =E2=95=91 > =E2=95=9A=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90= =E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2= =95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95= =90=E2=95=90=E2=95=90=E2=95=90=E2=95=90=E2=95=9D > Perform operation? [Y|n]: y > Downloading=E2=80=A6 [ - ] > > Decompressing=E2=80=A6 [***************************************] > > Authenticating=E2=80=A6 [***************************************] > > Waiting=E2=80=A6 [***************************************] > > Writing=E2=80=A6 [***************************************] > > Restarting device=E2=80=A6 [ ] > > Writing=E2=80=A6 [ ] > > Decompressing=E2=80=A6 [ ] > > Writing=E2=80=A6 [ > > [ 53.309930][ T360] [Firmware Bug]: Unable to handle paging request > in EFI runtime service > ] > failed to write data to efivarfs: Error writing to file descriptor: > Input/output error > > > And dmesg shows: > > [ 53.309930] [ T360] [Firmware Bug]: Unable to handle paging > request in EFI runtime service > [ 53.321038] [ T2422] ------------[ cut here ]------------ > [ 53.321047] [ T2422] WARNING: CPU: 42 PID: 2422 at > drivers/firmware/efi/runtime-wrappers.c:341 __efi_queue_work+0xe4/0x120 > [ 53.321062] [ T2422] Modules linked in: af_packet nft_fib_inet > nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 > nf_reject_ipv6 nft_reject nft_ct nft_chain_nat ebtable_nat > ebtable_broute rfkill ip6table_nat ip6table_mangle ip6table_raw > ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 > nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security > ebtable_filter ebtables ip6table_filter ip6_tables qrtr nf_tables > iptable_filter binfmt_misc joydev cdc_subset cdc_ether usbnet cdc_acm > mii nls_iso8859_1 nls_cp437 vfat fat snd_usb_audio snd_usbmidi_lib > snd_hwdep snd_ump snd_rawmidi uas snd_seq_device usb_storage mc snd_pcm > sd_mod scsi_dh_emc snd_timer scsi_dh_rdac scsi_dh_alua snd hid_generic > sg soundcore scsi_mod usbhid scsi_common acpi_ipmi ipmi_ssif > ipmi_devintf tiny_power_button igb arm_spe_pmu ipmi_msghandler button > arm_cmn acpiphp_ampere_altra arm_dmc620_pmu arm_dsu_pmu cppc_cpufreq > nvme_fabrics fuse nvme_keyring loop efi_pstore dm_mod nfnetlink > dmi_sysfs ip_tables x_tables aes_ce_blk aes_ce_cipher > [ 53.321224] [ T2422] crct10dif_ce xhci_pci xhci_pci_renesas > polyval_ce polyval_generic ghash_ce gf128mul xhci_hcd sm4 sha2_ce nvme > sha256_arm64 usbcore sha1_ce nvme_core sbsa_gwdt ast nvme_auth > i2c_algo_bit usb_common xgene_hwmon gpio_dwapb btrfs blake2b_generic > libcrc32c xor xor_neon raid6_pq i2c_dev efivarfs > [ 53.321279] [ T2422] CPU: 42 UID: 0 PID: 2422 Comm: fwupd Tainted: > G I 6.11.8-1-default #1 openSUSE Tumbleweed > 1400000003000000474e5500ae3eced04b985462 > [ 53.321290] [ T2422] Tainted: [I]=3DFIRMWARE_WORKAROUND > [ 53.321293] [ T2422] Hardware name: Adlink Ampere Altra Developer > Platform/COM-HPC-Carrier, BIOS TianoCore 24.12.02-01 (SYS: > 2.10.20230517) 12/02/2024 > [ 53.321296] [ T2422] pstate: 60400009 (nZCv daif +PAN -UAO -TCO > -DIT -SSBS BTYPE=3D--) > [ 53.321303] [ T2422] pc : __efi_queue_work+0xe4/0x120 > [ 53.321308] [ T2422] lr : __efi_queue_work+0xd0/0x120 > [ 53.321312] [ T2422] sp : ffff80008583b940 > [ 53.321315] [ T2422] x29: ffff80008583b940 x28: ffff07ff8bcc4500 > x27: 0000000000000000 > [ 53.321324] [ T2422] x26: 0000000000001208 x25: ffff07ff94859c00 > x24: 0000000000000067 > [ 53.321332] [ T2422] x23: ffff07ff94859800 x22: ffff07ff94859c00 > x21: 0000000000001202 > [ 53.321339] [ T2422] x20: ffffaa255f9655a8 x19: ffffaa255f965548 > x18: 0000000000000001 > [ 53.321345] [ T2422] x17: ffff07ff90946340 x16: ffffaa255d6b3198 > x15: 000000000000037d > [ 53.321352] [ T2422] x14: 0000000000000001 x13: 0000000000000000 > x12: 0000000000000800 > [ 53.321359] [ T2422] x11: 071c71c71c71c71c x10: 0000000000001bc0 x9 > : ffffaa255da39d18 > [ 53.321366] [ T2422] x8 : ffff07ff8bcc6120 x7 : 0000000000000000 x6 > : 00000000000003e8 > [ 53.321372] [ T2422] x5 : 00000000410fd0c0 x4 : 0000000000300001 x3 > : 0000000000000000 > [ 53.321379] [ T2422] x2 : 0000000000000000 x1 : 8000000000000015 x0 > : 8000000000000015 > [ 53.321385] [ T2422] Call trace: > [ 53.321388] [ T2422] __efi_queue_work+0xe4/0x120 > [ 53.321392] [ T2422] virt_efi_set_variable+0x74/0xe0 > [ 53.321398] [ T2422] efivar_set_variable_locked+0x7c/0x100 > [ 53.321402] [ T2422] efivar_entry_set_get_size+0x9c/0x170 > [efivarfs 1400000003000000474e55008e4f4f0ee8473f7a] > [ 53.321414] [ T2422] efivarfs_file_write+0x140/0x2e0 [efivarfs > 1400000003000000474e55008e4f4f0ee8473f7a] > [ 53.321421] [ T2422] vfs_write+0xdc/0x370 > [ 53.321427] [ T2422] ksys_write+0x78/0x120 > [ 53.321431] [ T2422] __arm64_sys_write+0x24/0x40 > [ 53.321435] [ T2422] invoke_syscall+0x6c/0x100 > [ 53.321443] [ T2422] el0_svc_common.constprop.0+0xc8/0xf0 > [ 53.321450] [ T2422] do_el0_svc+0x24/0x38 > [ 53.321457] [ T2422] el0_svc+0x3c/0x170 > [ 53.321464] [ T2422] el0t_64_sync_handler+0x120/0x130 > [ 53.321470] [ T2422] el0t_64_sync+0x1a8/0x1b0 > [ 53.321475] [ T2422] ---[ end trace 0000000000000000 ]--- > [ 53.321489] [ T2422] efi: EFI Runtime Services are disabled! > > > I have no idea how to go about debugging why the SetVariable call is > causing the crash. Is it likely to be the way I've got dbxDefault set > up, or does anyone know how I could debug it further? > > This is definitely going to be tricky to debug. If this firmware does not have the Altra/eMAG bug, i.e., if you *don't* see EFI stub: Working around broken SetVirtualAddressMap() on the console right before Linux boots, the runtime services will be mapped 1:1 wrt their boot time mappings, and so it should be possible to load the boot time symbols and use them for debugging SetVariable() at runtime. Alternatively, if you have multiple UARTs, you could use a separate one for DEBUG output and keep it enabled while running under the OS. You will need to create a runtime mapping for it in this case, similar to e.g., how the PL031 driver creates a mapping for its MMIO registers so that the GetTime boot services can access them. Note that you will need to hide this UART from the OS description too. -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#120860): https://edk2.groups.io/g/devel/message/120860 Mute This Topic: https://groups.io/mt/109889108/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-