On Wed, Dec 14, 2022 at 03:12:22PM +0100, Gerd Hoffmann wrote: > > Sorry for I forgot to put my testing environment in patch description. > > My testing is on qemu with OVMF: > > > > - edk2-master or edk2-stable202211 > > build --verbose --debug=1 -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D > > TPM_CONFIG_ENABLE \ > > -D NETWORK_IP6_ENABLE -D NETWORK_HTTP_BOOT_ENABLE -a X64 -b DEBUG -t > > GCC5 \ > > -p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE > > > > - qemu-7.1.0 with libvirt-8.0.0 > > pc-q35 with pflash type and nvram: > > <type arch='x86_64' machine='pc-q35-3.1'>hvm</type> > > <loader readonly='yes' secure='no' > > type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader> > > <nvram > > template='/usr/share/qemu/ovmf-x86_64-vars.bin'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram> > > That is not secure. You have unprotected writable flash. > > You can either use a build with SMM_REQUIRE=TRUE and run with > secure='yes', so only the firmware in SMM mode can write to flash. > > Or you run with both code and vars read-only. > Easiest is <loader>OVMF.fd</loader>. >
Thanks for your suggestion! It's really helpful! I will try it. > Or you disable secure boot (SECURE_BOOT_ENABLE=FALSE) in your > builds. You still have unprotected writable flash then, but > it isn't a security hole any more. And the assert isn't triggered > either because that code path is only executed for secure boot > builds. > Yes, before I produce the patch, I need to disable SECURE_BOOT_ENABLE to workaround my VM hang problem. IMHO, using "variable header State was invalid" assert to prevent user writes to a unprotected flash is not a good idea. It causes some problem: - User's existing virtual machine can not boot/reboot after updated to edk2-stable202211 OVMF. VM just hangs there and doesn't have any hint. - The VM still works in the first boot. User doesn't know that second boot will hangs because they are writing an unprotected writable flash. - Even enabled debug log, we don't know what does "NvVarStore Variable header State was invalid." mean. Thanks Joey Lee -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#97373): https://edk2.groups.io/g/devel/message/97373 Mute This Topic: https://groups.io/mt/95656983/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
