public inbox for devel@edk2.groups.io
From: "James Bottomley" <jejb@linux.ibm.com>
To: Gerd Hoffmann <kraxel@redhat.com>, devel@edk2.groups.io
Cc: "Jiewen Yao" <jiewen.yao@intel.com>,
	"Erdem Aktas" <erdemaktas@google.com>,
	"Min Xu" <min.m.xu@intel.com>,
	"Tom Lendacky" <thomas.lendacky@amd.com>,
	"Jordan Justen" <jordan.l.justen@intel.com>,
	"Stefan Berger" <stefanb@linux.ibm.com>,
	"Julien Grall" <julien@xen.org>,
	"Anthony Perard" <anthony.perard@citrix.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Ard Biesheuvel" <ardb+tianocore@kernel.org>,
	"Oliver Steffen" <osteffen@redhat.com>,
	"Pawel Polawski" <ppolawsk@redhat.com>,
	"Michael Roth" <michael.roth@amd.com>
Subject: Re: [PATCH 2/3] OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub
Date: Thu, 04 May 2023 10:16:05 -0400
Message-ID: <b4722568547d54b15de4b592dcbd24755893ef88.camel@linux.ibm.com>
In-Reply-To: <20230504133251.1031341-3-kraxel@redhat.com>

On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> set to TRUE instead.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 943c4eed9831..b32049194d39 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -153,6 +153,7 @@ [LibraryClasses]
>   
> UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEn
> tryPoint.inf
>   
> UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/Ue
> fiApplicationEntryPoint.inf
>   
> DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/Uefi
> DevicePathLibDevicePathProtocol.inf
> +  NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
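Review bot: the `+  NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf` line adds a library class resolution that the commit message does not explain; the message only says PlatformBootManagerLib with PcdBootRestrictToFirmware set to TRUE replaces PlatformBootManagerLibGrub. Since this is the AmdSevX64 platform, where (as the reply below notes) EFI variables were deliberately kept read-only so that unmeasured outside state cannot steer the boot, the message should state which PlatformBootManagerLib dependency pulls in NvVarsFileLib and whether anything on this platform actually ends up loading variables from the NvVars file; if that dependency can be satisfied without NvVarsFileLib, that would be the safer change for this .dsc.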

All additions apart from this look fine, but this one is a security
risk: EFI variables represent an unmeasured configuration for SEV boot
and, as such, can be used to influence the boot and potentially reveal
boot secrets, so the AmdSevPkg was designed to have read-only EFI
variables that couldn't be subject to outside influence.

James
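A build-time gate for the concern raised in this reply, added here as an illustration and not code from the thread, from edk2 or from OvmfPkg: it parses the `[LibraryClasses*]` sections of a DSC file and fails when the AmdSev platform resolves a library class that loads EFI variables from storage outside the measured image. The forbidden-class list and the DSC fragment are constructed for the example; the real AmdSevX64.dsc is not read.

```python
import re
from collections import defaultdict

# Library classes that let the firmware load EFI variables from storage outside
# the measured image; for the SEV platform the reply above treats those as an
# unmeasured input, so the gate rejects them. (This list is an assumption.)
FORBIDDEN_CLASSES = {"NvVarsFileLib"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
RESOLUTION_RE = re.compile(r"^(?P<cls>\w+)\s*\|\s*(?P<inf>\S+)$")

def parse_library_classes(dsc_text):
    """Map library class -> [(section, inf_path)] over every [LibraryClasses*]
    section of a DSC file; '#' comments, blank lines and other sections are skipped."""
    resolutions = defaultdict(list)
    section = None
    for raw in dsc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        if section is None or not section.lower().startswith("libraryclasses"):
            continue
        m = RESOLUTION_RE.match(line)
        if m:
            resolutions[m.group("cls")].append((section, m.group("inf")))
    return resolutions

def find_forbidden(dsc_text, forbidden=FORBIDDEN_CLASSES):
    """Return (class, section, inf) for every resolution the SEV build must reject."""
    found = parse_library_classes(dsc_text)
    return [(c, s, i) for c in sorted(forbidden) for s, i in found.get(c, [])]

# Constructed DSC fragment mirroring the hunk above; not the real AmdSevX64.dsc.
SAMPLE_DSC = """\
[Defines]
  PLATFORM_NAME = AmdSevX64
[LibraryClasses]
  DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf
  NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf  # added by the patch
"""

if __name__ == "__main__":
    for cls, sec, inf in find_forbidden(SAMPLE_DSC):
        print(f"REJECT: {cls} resolved in [{sec}] to {inf}")
```

Run against the platform's .dsc in CI and fail the job when the returned list is non-empty; arch-qualified sections such as `[LibraryClasses.common.DXE_DRIVER]` are covered by the prefix match.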

