public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: devel@edk2.groups.io, mike.maslenkin@gmail.com,
	 Jiewen Yao <jiewen.yao@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	oliver@redhat.com
Subject: Re: [edk2-devel] [PATCH v2 1/1] OvmfPkg/VirtNorFlashDxe: sanity-check variables
Date: Fri, 8 Dec 2023 13:04:46 +0100	[thread overview]
Message-ID: <x2kwo5axcc4tw5pidrigfp5fmsb62zi72vmkjuo5ld3jx26mz2@glmfaxqrg27m> (raw)
In-Reply-To: <CAMj1kXEVgvQVUGBJOoTTAnaL2eVRJXKs5oOUX_QTHdKagxOSaA@mail.gmail.com>

On Thu, Dec 07, 2023 at 05:16:10PM +0100, Ard Biesheuvel wrote:
> Hi Gerd,
> 
> On Thu, 7 Dec 2023 at 10:44, Gerd Hoffmann <kraxel@redhat.com> wrote:
> >
> > Extend the ValidateFvHeader function, additionally to the header checks
> > walk over the list of variables and sanity check them.
> >
> > In case we find inconsistencies indicating variable store corruption
> > return EFI_NOT_FOUND so the variable store will be re-initialized.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> 
> This seems like a good idea to me, and the change looks generally
> fine, except for one nit below:

> > +      case VAR_HEADER_VALID_ONLY:
> > +        VarState = "header-ok";
> > +        VarName  = L"<unknown>";
> > +        break;
> > +      case VAR_ADDED:
> > +        VarState = "ok";
> > +        break;
> > +      case VAR_ADDED &VAR_IN_DELETED_TRANSITION:
> 
> This looks odd, so please add a comment explaining why these constants
> are constructed this way.

The VAR_HEADER_VALID_ONLY and VAR_ADDED states are applied using an
assignment, i.e. "State = VAR_...".

The other two are used to clear bits, i.e. "State &= VAR_...".

So the usual livecycle for the State field is:

  (1) 0x7f (VAR_HEADER_VALID_ONLY)
  (2) 0x3f (VAR_ADDED)
  (3) 0x3e (VAR_ADDED & VAR_IN_DELETED_TRANSITION)
  (4) 0x3c (VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED)

Seems it can also happen that variable entries jump directly from (2) to
(4), resulting in 0x3d (VAR_ADDED & VAR_DELETED) being an possible
alternative value for (4).

I'm not fully sure what happens to VAR_HEADER_VALID_ONLY entries, i.e.
whenever they go through the (3) + (4) deletion cycles too or whenever
they are garbage-collected in some other way.  I suspect the latter,
given that the reclaim logic in the variable driver looks at the
variable names, but VAR_HEADER_VALID_ONLY entries don't have a valid
variable name.


BTW: Is there any good documentation on the design of the variable
driver and the fault tolerant flash writes?  Is the variable flash
supposed to be in a consistent state at any given time, even if
interrupted in the middle of some update operation?

The qemu flash emulation is a bit sloppy, specifically block writes can
be half-completed when a reset happens in the middle of the operation.
Which maybe is the root cause for varstore corruption.

On the other hand the edk2 flash code does not look like it carefully
chooses blocks when updating flash, so I'm not sure it actually depends
on atomic block updates to ensure consistency.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112226): https://edk2.groups.io/g/devel/message/112226
Mute This Topic: https://groups.io/mt/103031342/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  reply	other threads:[~2023-12-08 12:04 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-07  9:44 [edk2-devel] [PATCH v2 1/1] OvmfPkg/VirtNorFlashDxe: sanity-check variables Gerd Hoffmann
2023-12-07 16:16 ` Ard Biesheuvel
2023-12-08 12:04   ` Gerd Hoffmann [this message]
2023-12-11 23:37     ` Laszlo Ersek
2023-12-11 23:25 ` Laszlo Ersek
2023-12-14 15:31   ` Gerd Hoffmann
2023-12-14 16:18     ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=x2kwo5axcc4tw5pidrigfp5fmsb62zi72vmkjuo5ld3jx26mz2@glmfaxqrg27m \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox