Subject: Re: [edk2-devel] [PATCH v3 0/5] OvmfPkg: Use QemuKernelLoaderFs to read cmdline/initrd
To: Laszlo Ersek, devel@edk2.groups.io
Cc: Ard Biesheuvel, Jordan Justen, James Bottomley, Tobin Feldman-Fitzthum
From: "Dov Murik"
Date: Tue, 29 Jun 2021 16:03:25 +0300

On 29/06/2021 15:54, Laszlo Ersek wrote:
> On 06/28/21 12:51, Dov Murik wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>>
>> In order to support measured SEV boot with kernel/initrd/cmdline, we'd
>> like to have one place that reads those blobs; in the future we'll add
>> the measurement and verification in that place.
>>
>> We already have a synthetic filesystem (QemuKernelLoaderFs) which holds
>> three files: "kernel", "initrd", and "cmdline". The kernel is indeed
>> read from this filesystem in LoadImage; but the cmdline (and the length
>> of initrd) are read from QemuFwCfgLib items.
>>
>> This patch series first fixes two identical memory leak bugs in
>> GenericQemuLoadImageLib and X86QemuLoadImageLib; then modifies
>> GenericQemuLoadImageLib to read cmdline (and the initrd size) from the
>> QemuKernelLoaderFs synthetic filesystem, thus removing the dependency on
>> QemuFwCfgLib.
>>
>> Note that X86QemuLoadImageLib is not modified, because it contains a
>> QemuLoadLegacyImage() which reads other items of the QemuFwCfg which are
>> not available in QemuKernelLoaderFs. Since we don't want to support the
>> legacy boot path in the future measured SEV boot, we leave
>> X86QemuLoadImageLib as-is (except for a comment addition in patch 3) and
>> will force use for GenericQemuLoadImageLib in the measured SEV boot
>> implementation.
>>
>> Relevant discussion threads start in:
>> https://edk2.groups.io/g/devel/message/76069
>>
>> To test this on x86_64, I forced the use of GenericQemuLoadImageLib
>> using the following local patch:
>>
>>
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc >> index 0a237a905866..46442b543bcf 100644 >> --- a/OvmfPkg/OvmfPkgX64.dsc >> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -404,7 +404,7 @@ [LibraryClasses.common.DXE_DRIVER] >> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf >> MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf >> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf >> - QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf >> + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf # XXX don't commit this or someone will be mad >> !if $(TPM_ENABLE) == TRUE >> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>>
>>
>> I tested boot with QEMU and OVMF with the following QEMU arguments:
>>
>>   -kernel a
>>   -kernel a -initrd b
>>   -kernel a -cmdline c
>>   -kernel a -initrd b -cmdline c
>>
>> (and also without -kernel)
>>
>>
>> Code is at
>> https://github.com/confidential-containers-demo/edk2/tree/use-synthetic-fs-for-cmdline-v3
>>
>> v3 changes:
>> - Insert patches 1+2 at the top of the series to fix cmdline leak bugs
>> - Organize #include and .inf
>> - Add UINTN overflow check
>> - Fix error paths and function epilogue to properly release all resources
>> - Clarity: rename long variables, reword comments
>>
>> v2: https://edk2.groups.io/g/devel/message/76664
>> v2 changes:
>> - Add comment to header of X86QemuLoadImageLib.inf
>> - Clearer function names in GenericQemuLoadImageLib.c
>> - Fix coding style issues
>>
>> v1: https://edk2.groups.io/g/devel/message/76265
>>
>>
>> Cc: Laszlo Ersek
>> Cc: Ard Biesheuvel
>> Cc: Jordan Justen
>> Cc: James Bottomley
>> Cc: Tobin Feldman-Fitzthum
>>
>>
>> Dov Murik (5):
>>   OvmfPkg/GenericQemuLoadImageLib: plug cmdline blob leak on success
>>   OvmfPkg/X86QemuLoadImageLib: plug cmdline blob leak on success
>>   Revert "OvmfPkg/QemuKernelLoaderFsDxe: don't expose kernel command
>>     line"
>>   OvmfPkg/GenericQemuLoadImageLib: Read cmdline from QemuKernelLoaderFs
>>   OvmfPkg/X86QemuLoadImageLib: State fw_cfg dependency in file header
>>
>>  OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf |   3 +-
>>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf         |   3 +
>>  OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c   | 157 ++++++++++++++++++--
>>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c           |   9 +-
>>  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c               |  11 +-
>>  5 files changed, 161 insertions(+), 22 deletions(-)
>>
>
> Merged as commit range d1fc3d7ef3cb..9421f5ab8d1e, via
> .
>
> (The BZ remains open for the upcoming (related) patch sets.)
>

Thanks a lot Laszlo for the thorough review rounds. I'll prepare the
next phase.

Out of curiosity, I wonder regarding the leak fixes -- is there a way to
see that the fix works? Is there some accounting of used pages that we
can check that decreases after the fix?

Thanks,
-Dov
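
Review bot: In the quoted OvmfPkgX64.dsc hunk, the "+ QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf" line under [LibraryClasses.common.DXE_DRIVER] swaps the library resolution unconditionally, and the only guard against it landing in the tree is the trailing "# XXX don't commit this or someone will be mad" comment. For a test-only override, consider gating it behind a build define with "!if", the way the following context line does with $(TPM_ENABLE), so that X86QemuLoadImageLib stays the default and the test configuration is selected at build time rather than carried as a local edit. The hunk also changes only this one section; if QemuLoadImageLib is resolved in any other section of the .dsc, those modules would still link the X86 library, so it is worth confirming that the tested boot path actually used GenericQemuLoadImageLib.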