From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
Ard Biesheuvel <ardb@kernel.org>,
Oliver Steffen <osteffen@redhat.com>
Subject: Re: [edk2-devel] [PATCH 0/4] OvmfPkg: Add VirtHstiDxe driver
Date: Thu, 18 Apr 2024 13:45:03 +0200
Message-ID: <cqxqxbtisxbsf4kw3lqsepeqvkyti4oddvqwqn5yfrz67ynmw7@34fs2rsip6nf>
In-Reply-To: <MW4PR11MB58729D8EB28F5FDA7FA2E93B8C0F2@MW4PR11MB5872.namprd11.prod.outlook.com>
On Wed, Apr 17, 2024 at 01:20:57PM +0000, Yao, Jiewen wrote:
> That is good start. The SMRAM lock and Flash lock seem good to me.
>
> Comment:
> 1) Do we really need to add "Q35" for the policy?
> #define VIRT_HSTI_BYTE0_Q35_SMM_SMRAM_LOCK BIT0
> #define VIRT_HSTI_BYTE0_Q35_SMM_SECURE_VARS_FLASH BIT1
>
> I feel we had better remove it, since SMM_SMRAM_LOCK and SMM_SECURE_VARS_FLASH are common features for almost all X86 platforms.
Well, SMM mode is supported for the qemu 'q35' machine type only; the
'pc' machine type doesn't provide enough memory for SMM. Which is why I've
added 'Q35' to the name.
The SMM_SMRAM_LOCK test actually is q35-specific because the control
registers are chipset specific. But, yes, the concept is not q35
specific.
I can drop 'Q35' if you prefer it that way.
> 2) Would you please let me know what "READONLY_CODE_FLASH" really means?
>
> #define VIRT_HSTI_BYTE0_Q35_SMM_SECURE_VARS_FLASH BIT1
> #define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH BIT2
>
> Does READONLY_CODE_FLASH mean NO write to flash even in SMM mode?
> Or does it just mean NO write in normal operation mode, but still writable in SMM mode?
With qemu being configured properly flash behavior should be this:
                               | OVMF_CODE.fd   | OVMF_VARS.fd
-------------------------------+----------------+----------------
SMM_REQUIRE=TRUE, SMM mode     | read-only      | writable
SMM_REQUIRE=TRUE, normal mode  | read-only (1)  | read-only (2)
SMM_REQUIRE=FALSE              | read-only (3)  | writable
VIRT_HSTI_BYTE0_READONLY_CODE_FLASH will verify (1) + (3).
VIRT_HSTI_BYTE0_Q35_SMM_SECURE_VARS_FLASH will verify (2).
(probably a good idea to add that as a comment to the patches).
take care,
Gerd
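As an added illustration of the table above (example code, not part of the VirtHstiDxe patch series or this message): a small model of how the two flash-related HSTI bits can be marked as verified from observed flash writability. The `FlashProbe` struct and `virt_hsti_flash_verified` function are hypothetical names; the probe results are constructed inputs, not a real flash write test.

```c
/* Example model (not the VirtHstiDxe driver's code) of the verification
 * semantics from the table: which HSTI byte0 bits may be reported as
 * verified for a given build configuration and observed flash behaviour. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT0 (1u << 0)
#define BIT1 (1u << 1)
#define BIT2 (1u << 2)

/* Bit names as quoted in the thread. */
#define VIRT_HSTI_BYTE0_Q35_SMM_SECURE_VARS_FLASH BIT1
#define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH       BIT2

/* Hypothetical record of what a flash write probe observed. */
typedef struct {
  bool smm_require;          /* firmware built with SMM_REQUIRE=TRUE */
  bool code_writable_normal; /* OVMF_CODE.fd writable outside SMM */
  bool vars_writable_normal; /* OVMF_VARS.fd writable outside SMM */
} FlashProbe;

/* Returns the byte0 bits the probe allows to be marked verified;
 * *errors receives the number of checks that failed. */
uint8_t virt_hsti_flash_verified(const FlashProbe *p, unsigned *errors)
{
  uint8_t verified = 0;
  unsigned failed = 0;

  /* READONLY_CODE_FLASH covers rows (1) and (3): OVMF_CODE.fd must be
   * read-only in normal mode whether or not SMM_REQUIRE is set. */
  if (!p->code_writable_normal)
    verified |= VIRT_HSTI_BYTE0_READONLY_CODE_FLASH;
  else
    failed++;

  /* Q35_SMM_SECURE_VARS_FLASH covers row (2): with SMM_REQUIRE=TRUE the
   * varstore must be read-only outside SMM. With SMM_REQUIRE=FALSE the
   * varstore is legitimately writable, so the bit is not applicable. */
  if (p->smm_require) {
    if (!p->vars_writable_normal)
      verified |= VIRT_HSTI_BYTE0_Q35_SMM_SECURE_VARS_FLASH;
    else
      failed++;
  }

  if (errors)
    *errors = failed;
  return verified;
}
```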