This reverts commit ced77332cab626f35fbdb36630be27303d289d79. The command
virt-install --location NETWORK-URL downloads the vmlinuz and initrd files from the remote OS tree, and passes them to the guest firmware via fw_cfg. When used with IA32 / X64 guests, virt-install expects the guest firmware to do two things, at the same time: - launch the fw_cfg kernel image even if the latter does not pass SB verification (SB checking is supposed to be bypassed entirely in favor of the Linux/x86 Boot Protocol), - still let the guest kernel perceive SB as enabled. Commit ced77332cab6 prevented this, by removing the Linux/x86 Boot Protocol from such an OVMF image that was built with SECURE_BOOT_ENALBE. While that's the right thing in theory, in practice "virt-install --location NETWORK-URL" is entrenched, and we shouldn't break it. We can tolerate the Linux/x86 Boot Protocol as a one-of-a-kind SB bypass for direct-booted kernels, because: - the fw_cfg content comes from QEMU, and the guest is already at QEMU's mercy, - in the guest, OS boots after the initial installation will use "shim" rather than an fw_cfg kernel, which we can consider somewhat similar to "Audit Mode / Deployed Mode" (~ trust for install, lock down after). Cc: Ard Biesheuvel <ard.biesheu...@arm.com> Cc: Jordan Justen <jordan.l.jus...@intel.com> Cc: Philippe Mathieu-Daudé <phi...@redhat.com> Signed-off-by: Laszlo Ersek <ler...@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheu...@arm.com> --- Notes: - pick up Ard's ACK from c06ee730-e421-0aa5-882f-bc09ae9c546f@arm.com">http://mid.mail-archive.com/c06ee730-e421-0aa5-882f-bc09ae9c546f@arm.com https://edk2.groups.io/g/devel/message/61169 - posting to the list to enable feedback on the commit message (I intend to push the patch in one or two days) - repo: https://pagure.io/lersek/edk2.git branch: reenable_fwcfg_x86_boot_proto OvmfPkg/OvmfPkgIa32.dsc | 4 ---- OvmfPkg/OvmfPkgIa32X64.dsc | 4 ---- OvmfPkg/OvmfPkgX64.dsc | 4 ---- 3 files changed, 12 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index d0df9cbbfb2b..16103d177374 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -379,11 +379,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf -!if $(SECURE_BOOT_ENABLE) == TRUE - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf -!else QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf -!endif !if $(TPM_ENABLE) == TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index b3ae62fee92b..9597ef6721da 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -383,11 +383,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf -!if $(SECURE_BOOT_ENABLE) == TRUE - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf -!else QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf -!endif !if $(TPM_ENABLE) == TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index f7fe75ebf531..a6e585c03d41 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -383,11 +383,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf -!if $(SECURE_BOOT_ENABLE) == TRUE - QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf -!else QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf -!endif !if $(TPM_ENABLE) == TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf -- 2.19.1.3.g30247aa5d201 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61301): https://edk2.groups.io/g/devel/message/61301 Mute This Topic: https://groups.io/mt/74895863/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-