From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2607:f8b0:4864:20::642; helo=mail-pl1-x642.google.com; envelope-from=ming.huang@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CAC112115C07D for ; Tue, 20 Nov 2018 23:42:50 -0800 (PST) Received: by mail-pl1-x642.google.com with SMTP id e5so4263509plb.5 for ; Tue, 20 Nov 2018 23:42:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=crrJu8ZAXQr6zjq0D/Ut0EcYLGXnW5qwE4DY3pYlFWM=; b=Xerr9kuOPskl9+O4lPry/f1fHRifVVx124/Rjj6mJbXnLfVliu+yJQE17SN5JVEzQy Hl4mO1+ymBhjYRI9EoPpshUw2j5xozfhmnR0w1Puqb5SJJ1VcpgqeC0Kga020zZ0iHpK KUlrrO16G3vJiTyPT4eZ/Nchc8sg2yDgwUZPc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=crrJu8ZAXQr6zjq0D/Ut0EcYLGXnW5qwE4DY3pYlFWM=; b=m+i8umiQvZjYBu/47cbz5ihzXcBMxuIOIMtRIWJ1OKUoCKcb2lbz0i5PQ2G0uAdqS5 hNJXWY/6EOauvXdjQjfNfPZows6cUY4Xv2nAAIOaJGq/U9fKfZwT1JvuRMp38dgCpFpT 626WaqbbCVHIxqY7xrw5MrgMA4nSerDAY26q3HBwpVN9o6aKn7O0UtGKihRaefXF8O+1 o4cEzNW908GFwoaeGainwtvufX2FHOq9Op79MQBLxyEdPYqjyY3/OH3EyExFLlftJzmP EozeVoaGPyLW3EtC72MB5zhHeIac0/u+YJyEnV5fEepS3GB3VweQwNQ63pls9DHnNcbh m0NA== X-Gm-Message-State: AGRZ1gKu7lzXOpInBNjdtDX+7qY4Vjv4lK/rJjfAWy9GleyZ6qVzyI0c +OuBznsNX7d0zws93H5t1YnvWw== X-Google-Smtp-Source: AJdET5dP30lU5MAWQYlEstrqvTUcKglGuayT0sNexbX5OEgFTb6m69U3tGuYT5bdjoaOZ7dCQFbCOg== X-Received: by 2002:aa7:804e:: with SMTP id y14-v6mr5581564pfm.73.1542786170278; Tue, 20 Nov 2018 23:42:50 -0800 (PST) Received: from [10.40.0.202] ([64.64.108.183]) by smtp.gmail.com with ESMTPSA id b2-v6sm5015176pfe.60.2018.11.20.23.42.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Nov 2018 23:42:49 -0800 (PST) To: Leif Lindholm Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org, graeme.gregory@linaro.org, ard.biesheuvel@linaro.org, michael.d.kinney@intel.com, lersek@redhat.com, wanghuiqiang@huawei.com, huangming23@huawei.com, zhangjinsong2@huawei.com, huangdaode@hisilicon.com, john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com References: <20181120090150.1102-1-ming.huang@linaro.org> <20181120090150.1102-2-ming.huang@linaro.org> <20181120121309.mwsoxljgjwy4yv7i@bivouac.eciton.net> <20181120125805.jn6xfxbg47izxwo2@bivouac.eciton.net> <1e4db632-9c2c-79e0-2bbe-cdc7913aa0c5@linaro.org> <20181120143912.p7jeqwjgtqsgmf75@bivouac.eciton.net> From: Ming Huang Message-ID: Date: Wed, 21 Nov 2018 15:42:37 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0 MIME-Version: 1.0 In-Reply-To: <20181120143912.p7jeqwjgtqsgmf75@bivouac.eciton.net> Subject: Re: [PATCH edk2-platforms v3 1/5] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Nov 2018 07:42:51 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 11/20/2018 10:39 PM, Leif Lindholm wrote: > On Tue, Nov 20, 2018 at 10:29:57PM +0800, Ming Huang wrote: >>>>> And all Hisilicon platforms still use >>>>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf >>>>> regardless of Secure Boot setting. >>>>> >>>>> So what problem does this patch solve? A runtime one? >>>> >>>> This patch solve bug in FlashFvbDxe. >>> >>> Yes, but what bug? What is the symptom? What _specific_ problem goes >>> away by adding this patch? That information should have been in the >>> original commit message. I have no information available to me as I >>> now build -rc1 to suggest that this patch should be included. >> >> The bug is that gEfiAuthenticatedVariableGuid should be used in FlashFvbDxe, >> not gEfiVariableGuid when enable secure boot. > > OK, I will ask a third time: what _problem_ does this solve? > What is the symptom? > When someone uses the buggy firmware, what does not work for them? > This information _always_ needs to be in the commit message. > >>>> Should I add a patch before this patch >>>> to solve build error with -D SECURE_BOOT_ENABLE=TRUE in v4? >>> >>> That would require a sane implementation of PlatformSecureLib, >>> implementing a real UserPhysicalPresent(). >>> Can you turn that around within the next few hours? >> >> My original idea is using OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib. >> There is not enough time to implement a real UserPhysicalPresent. > > If there is not enough time to implement a real PlatformSecureLib, > there is no need to have Secure Boot at all. Same thing goes for > secure variable store (to hardware devices that are not accessible > from Non-secure world). > >> This patch will add when we implement real secure boot in future. > > That sounds like the best thing to do. > > Meanwhile, could you create a patch to get rid of the SECURE_BOOT > options completely from the .dsc/.fdf please? I don't like having it > in there when we know it doesn't build. OK, I will send the patch in next series. Thanks. > > / > Leif >