* [edk2-devel] Regarding MOR Secure feature @ 2024-06-21 8:03 Ni, Ray 2024-06-21 8:35 ` Ard Biesheuvel 0 siblings, 1 reply; 5+ messages in thread From: Ni, Ray @ 2024-06-21 8:03 UTC (permalink / raw) To: Ard Biesheuvel; +Cc: devel@edk2.groups.io, Yao, Jiewen, Ni, Ray, Xu, Wei6 [-- Attachment #1: Type: text/plain, Size: 1755 bytes --] Ard, 7 years ago, Laszlo added this commit (https://github.com/tianocore/edk2/commit/fda8f631edbbf3823760542a06f12bd60fd39181) to support some OS kernels that incorrectly "create" the MOR variable. The OS kernel bug is captured in this bugzilla (bugzilla.redhat.com/show_bug.cgi?id=1498159<https://bugzilla.redhat.com/show_bug.cgi?id=1498159>). It seems to me the OS kernel bugs only exist in Fedora 24 and 25 which are all EOL today. Fedora 26 has the correct implementation that does NOT "create" the MOR variable. The implementation is done by you here (https://lore.kernel.org/all/20170825155019.6740-2-ard.biesheuvel@linaro.org/T/#u). 5 years ago, you added StandaloneMm variable driver and VariableHaveTcgProtocols() returns FALSE always in the standalone MM version. (Commit: https://github.com/tianocore/edk2/commit/a855f63e2fdd990837391b0e61e78b3f06b56916) As a result, MorLock variable is not created. It causes a bug that the BIOS does not report the MOR Secure feature to OS. My questions are: 1. can we revert Laszlo's commit? As the bug that commit fixes only exists in Fedora 24/25 which are all EOL today. 2. why is the MOR secure bug not found in ARM platform? I think you are the best person to answer the questions because you not only fixed the kernel, but also know details on the ARM standalone MM. I am so happy with that:) Thanks, Ray -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119666): https://edk2.groups.io/g/devel/message/119666 Mute This Topic: https://groups.io/mt/106795434/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- [-- Attachment #2: Type: text/html, Size: 6576 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] Regarding MOR Secure feature 2024-06-21 8:03 [edk2-devel] Regarding MOR Secure feature Ni, Ray @ 2024-06-21 8:35 ` Ard Biesheuvel 2024-06-24 8:49 ` Ni, Ray 0 siblings, 1 reply; 5+ messages in thread From: Ard Biesheuvel @ 2024-06-21 8:35 UTC (permalink / raw) To: devel, ray.ni; +Cc: Yao, Jiewen, Xu, Wei6 Hi Ray, On Fri, 21 Jun 2024 at 10:03, Ni, Ray <ray.ni@intel.com> wrote: > > Ard, > > 7 years ago, Laszlo added this commit (https://github.com/tianocore/edk2/commit/fda8f631edbbf3823760542a06f12bd60fd39181) to support some OS kernels that incorrectly "create" the MOR variable. > The OS kernel bug is captured in this bugzilla (bugzilla.redhat.com/show_bug.cgi?id=1498159). It seems to me the OS kernel bugs only exist in Fedora 24 and 25 which are all EOL today. Fedora 26 has the correct implementation that does NOT "create" the MOR variable. The implementation is done by you here (https://lore.kernel.org/all/20170825155019.6740-2-ard.biesheuvel@linaro.org/T/#u). > > 5 years ago, you added StandaloneMm variable driver and VariableHaveTcgProtocols() returns FALSE always in the standalone MM version. (Commit: https://github.com/tianocore/edk2/commit/a855f63e2fdd990837391b0e61e78b3f06b56916) > As a result, MorLock variable is not created. It causes a bug that the BIOS does not report the MOR Secure feature to OS. > > My questions are: > > can we revert Laszlo's commit? As the bug that commit fixes only exists in Fedora 24/25 which are all EOL today. Yes, I think we can revert it, although it is not clear from the commit log what the erroneous behavior is. > why is the MOR secure bug not found in ARM platform? > This is definitely a bug on ARM (and likely other users of standalone MM). The problem is, of course, that standalone MM is standalone, and cannot know for certain which EFI protocols are exposed by the DXE core, nor invoke them directly. > > I think you are the best person to answer the questions because you not only fixed the kernel, but also know details on the ARM standalone MM. > I am so happy with that:) > :-) To be honest, I need some time to page this all back into my brain, but I am happy to help out. MOR does not really rely on the TCG protocols, right? If standalone MM can implement it without its ability to invoke those protocols, we should just separate those. I guess that is what you are doing at the moment? -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119669): https://edk2.groups.io/g/devel/message/119669 Mute This Topic: https://groups.io/mt/106795434/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] Regarding MOR Secure feature 2024-06-21 8:35 ` Ard Biesheuvel @ 2024-06-24 8:49 ` Ni, Ray 2024-06-24 11:17 ` Gerd Hoffmann 2024-08-16 10:49 ` Xu, Wei6 0 siblings, 2 replies; 5+ messages in thread From: Ni, Ray @ 2024-06-24 8:49 UTC (permalink / raw) To: Ard Biesheuvel, devel@edk2.groups.io Cc: Yao, Jiewen, Xu, Wei6, Ni, Ray, Wu, Jiaxin [-- Attachment #1: Type: text/plain, Size: 3171 bytes --] Ard, Thank you very much for your willingness to think about this topic. Yes. we found the TCG MOR secure feature does not work in standalone MM env and want to fix it. That leads the review of the code change history. If you can confirm my understanding (F24/F25 are EOL today and Laszlo's fix is not needed), I can create a PR to remove that change. Thanks, Ray ________________________________ From: Ard Biesheuvel <ardb@kernel.org> Sent: Friday, June 21, 2024 16:35 To: devel@edk2.groups.io <devel@edk2.groups.io>; Ni, Ray <ray.ni@intel.com> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Xu, Wei6 <wei6.xu@intel.com> Subject: Re: [edk2-devel] Regarding MOR Secure feature Hi Ray, On Fri, 21 Jun 2024 at 10:03, Ni, Ray <ray.ni@intel.com> wrote: > > Ard, > > 7 years ago, Laszlo added this commit (https://github.com/tianocore/edk2/commit/fda8f631edbbf3823760542a06f12bd60fd39181) to support some OS kernels that incorrectly "create" the MOR variable. > The OS kernel bug is captured in this bugzilla (bugzilla.redhat.com/show_bug.cgi?id=1498159). It seems to me the OS kernel bugs only exist in Fedora 24 and 25 which are all EOL today. Fedora 26 has the correct implementation that does NOT "create" the MOR variable. The implementation is done by you here (https://lore.kernel.org/all/20170825155019.6740-2-ard.biesheuvel@linaro.org/T/#u). > > 5 years ago, you added StandaloneMm variable driver and VariableHaveTcgProtocols() returns FALSE always in the standalone MM version. (Commit: https://github.com/tianocore/edk2/commit/a855f63e2fdd990837391b0e61e78b3f06b56916) > As a result, MorLock variable is not created. It causes a bug that the BIOS does not report the MOR Secure feature to OS. > > My questions are: > > can we revert Laszlo's commit? As the bug that commit fixes only exists in Fedora 24/25 which are all EOL today. Yes, I think we can revert it, although it is not clear from the commit log what the erroneous behavior is. > why is the MOR secure bug not found in ARM platform? > This is definitely a bug on ARM (and likely other users of standalone MM). The problem is, of course, that standalone MM is standalone, and cannot know for certain which EFI protocols are exposed by the DXE core, nor invoke them directly. > > I think you are the best person to answer the questions because you not only fixed the kernel, but also know details on the ARM standalone MM. > I am so happy with that:) > :-) To be honest, I need some time to page this all back into my brain, but I am happy to help out. MOR does not really rely on the TCG protocols, right? If standalone MM can implement it without its ability to invoke those protocols, we should just separate those. I guess that is what you are doing at the moment? -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119683): https://edk2.groups.io/g/devel/message/119683 Mute This Topic: https://groups.io/mt/106795434/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- [-- Attachment #2: Type: text/html, Size: 7078 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] Regarding MOR Secure feature 2024-06-24 8:49 ` Ni, Ray @ 2024-06-24 11:17 ` Gerd Hoffmann 2024-08-16 10:49 ` Xu, Wei6 1 sibling, 0 replies; 5+ messages in thread From: Gerd Hoffmann @ 2024-06-24 11:17 UTC (permalink / raw) To: devel, ray.ni; +Cc: Ard Biesheuvel, Yao, Jiewen, Xu, Wei6, Wu, Jiaxin On Mon, Jun 24, 2024 at 08:49:52AM GMT, Ni, Ray wrote: > If you can confirm my understanding (F24/F25 are EOL today and Laszlo's fix is not needed), I can create a PR to remove that change. Yes, F24/F25 are long EOL. Fedora releases come roughly every 6 months and are supported for ~13-14 months. Right now F39 and F40 supported, F38 went EOL last month. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119685): https://edk2.groups.io/g/devel/message/119685 Mute This Topic: https://groups.io/mt/106795434/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] Regarding MOR Secure feature 2024-06-24 8:49 ` Ni, Ray 2024-06-24 11:17 ` Gerd Hoffmann @ 2024-08-16 10:49 ` Xu, Wei6 1 sibling, 0 replies; 5+ messages in thread From: Xu, Wei6 @ 2024-08-16 10:49 UTC (permalink / raw) To: Ni, Ray, Ard Biesheuvel, devel@edk2.groups.io; +Cc: Yao, Jiewen, Wu, Jiaxin [-- Attachment #1: Type: text/plain, Size: 4035 bytes --] Hi Ard, Regarding the PR: MdeModulePkg/Variable: Revert 'delete and lock OS-created MOR variable' by xuweiintel * Pull Request #5902 * tianocore/edk2 (github.com)<https://github.com/tianocore/edk2/pull/5902> Thanks a lot for reviewing the patch. I update it according to your comments. Could you please help to review it again? Thanks. BR, Wei From: Ni, Ray <ray.ni@intel.com> Sent: Monday, June 24, 2024 4:50 PM To: Ard Biesheuvel <ardb@kernel.org>; devel@edk2.groups.io Cc: Yao, Jiewen <jiewen.yao@intel.com>; Xu, Wei6 <wei6.xu@intel.com>; Ni, Ray <ray.ni@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> Subject: Re: [edk2-devel] Regarding MOR Secure feature Ard, Thank you very much for your willingness to think about this topic. Yes. we found the TCG MOR secure feature does not work in standalone MM env and want to fix it. That leads the review of the code change history. If you can confirm my understanding (F24/F25 are EOL today and Laszlo's fix is not needed), I can create a PR to remove that change. Thanks, Ray ________________________________ From: Ard Biesheuvel <ardb@kernel.org<mailto:ardb@kernel.org>> Sent: Friday, June 21, 2024 16:35 To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>; Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Xu, Wei6 <wei6.xu@intel.com<mailto:wei6.xu@intel.com>> Subject: Re: [edk2-devel] Regarding MOR Secure feature Hi Ray, On Fri, 21 Jun 2024 at 10:03, Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> wrote: > > Ard, > > 7 years ago, Laszlo added this commit (https://github.com/tianocore/edk2/commit/fda8f631edbbf3823760542a06f12bd60fd39181) to support some OS kernels that incorrectly "create" the MOR variable. > The OS kernel bug is captured in this bugzilla (bugzilla.redhat.com/show_bug.cgi?id=1498159). It seems to me the OS kernel bugs only exist in Fedora 24 and 25 which are all EOL today. Fedora 26 has the correct implementation that does NOT "create" the MOR variable. The implementation is done by you here (https://lore.kernel.org/all/20170825155019.6740-2-ard.biesheuvel@linaro.org/T/#u). > > 5 years ago, you added StandaloneMm variable driver and VariableHaveTcgProtocols() returns FALSE always in the standalone MM version. (Commit: https://github.com/tianocore/edk2/commit/a855f63e2fdd990837391b0e61e78b3f06b56916) > As a result, MorLock variable is not created. It causes a bug that the BIOS does not report the MOR Secure feature to OS. > > My questions are: > > can we revert Laszlo's commit? As the bug that commit fixes only exists in Fedora 24/25 which are all EOL today. Yes, I think we can revert it, although it is not clear from the commit log what the erroneous behavior is. > why is the MOR secure bug not found in ARM platform? > This is definitely a bug on ARM (and likely other users of standalone MM). The problem is, of course, that standalone MM is standalone, and cannot know for certain which EFI protocols are exposed by the DXE core, nor invoke them directly. > > I think you are the best person to answer the questions because you not only fixed the kernel, but also know details on the ARM standalone MM. > I am so happy with that:) > :-) To be honest, I need some time to page this all back into my brain, but I am happy to help out. MOR does not really rely on the TCG protocols, right? If standalone MM can implement it without its ability to invoke those protocols, we should just separate those. I guess that is what you are doing at the moment? -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#120358): https://edk2.groups.io/g/devel/message/120358 Mute This Topic: https://groups.io/mt/106795434/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- [-- Attachment #2: Type: text/html, Size: 11365 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-08-16 10:50 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-06-21 8:03 [edk2-devel] Regarding MOR Secure feature Ni, Ray 2024-06-21 8:35 ` Ard Biesheuvel 2024-06-24 8:49 ` Ni, Ray 2024-06-24 11:17 ` Gerd Hoffmann 2024-08-16 10:49 ` Xu, Wei6
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox