public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning
@ 2022-12-16 10:11 Gerd Hoffmann
  2022-12-17  3:10 ` Yao, Jiewen
       [not found] ` <173175F495CB0C1B.6312@groups.io>
  0 siblings, 2 replies; 7+ messages in thread
From: Gerd Hoffmann @ 2022-12-16 10:11 UTC (permalink / raw)
  To: devel
  Cc: Jordan Justen, Gerd Hoffmann, Ard Biesheuvel, Oliver Steffen,
	Pawel Polawski, Jiewen Yao

OVMF builds in stateless secure boot configuration
(SECURE_BOOT_ENABLE=TRUE + SMM_REQUIRE=FALSE) are expected to use the
emulated variable store (EmuVariableFvbRuntimeDxe) with the store being
re-initialized on each reset (see PlatformInitEmuVariableNvStore())

Using these builds with writable flash is not secure.  Log a warning
message saying so in case we find such a configuration.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
index 61e1f2e196e5..ab7154685424 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
@@ -57,6 +57,11 @@ InstallProtocolInterfaces (
                     NULL
                     );
     ASSERT_EFI_ERROR (Status);
+ #ifdef SECURE_BOOT_FEATURE_ENABLED
+    DEBUG ((DEBUG_WARN, "This build is configured for stateless secure boot.\n"));
+    DEBUG ((DEBUG_WARN, "Using this build with writable flash is NOT secure.\n"));
+    // should we ASSERT(0) here?
+ #endif
   } else if (IsDevicePathEnd (FvbDevice->DevicePath)) {
     //
     // Device already exists, so reinstall the FVB protocol
-- 
2.38.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2022-12-21  6:25 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-16 10:11 [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Gerd Hoffmann
2022-12-17  3:10 ` Yao, Jiewen
2022-12-19  8:53   ` Gerd Hoffmann
2022-12-19 14:47     ` [edk2-devel] " Yao, Jiewen
2022-12-20  7:18       ` Gerd Hoffmann
2022-12-21  6:25         ` Yao, Jiewen
     [not found] ` <173175F495CB0C1B.6312@groups.io>
2022-12-17  3:14   ` Yao, Jiewen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox