Hi, OvmfPkg forked SecureBootConfigDxe from SecurityPkg in SVN r13635. Since then the original has diverged significantly. Now I'm seeing that OpenSUSE builds OVMF in a way that the original (which has since diverged) is included, instead of the (now obsolete) fork.
https://build.opensuse.org/package/view_file/Virtualization/ovmf/ovmf-use-generic-sb-config.patch?expand=1 For reference, here's the diff between the original and the fork, when the fork was made (ie. at SVN r13635): > diff -ur > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr > OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr > --- > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr > 2014-09-30 23:35:28.598067147 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr 2014-08-09 > 02:40:35.824851626 +0200 > @@ -51,7 +51,7 @@ > questionid = KEY_SECURE_BOOT_ENABLE, > prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT), > help = STRING_TOKEN(STR_SECURE_BOOT_HELP), > - flags = INTERACTIVE | RESET_REQUIRED, > + flags = INTERACTIVE, > endcheckbox; > endif; > > @@ -158,7 +158,7 @@ > questionid = KEY_SECURE_BOOT_DELETE_PK, > prompt = STRING_TOKEN(STR_DELETE_PK), > help = STRING_TOKEN(STR_DELETE_PK_HELP), > - flags = INTERACTIVE | RESET_REQUIRED, > + flags = INTERACTIVE, > endcheckbox; > endif; > endform; > diff -ur > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf > --- > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > 2014-09-30 23:35:28.598067147 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf 2014-09-30 > 23:35:28.577067027 +0200 > @@ -1,5 +1,8 @@ > ## @file > -# Component name for SecureBoot configuration module. > +# Component name for SecureBoot configuration module for OVMF. > +# > +# Need custom SecureBootConfigDxe for OVMF that does not force > +# resets after PK changes since OVMF doesn't have persistent variables > # > # Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR> > # This program and the accompanying materials > diff -ur > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c > OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c > --- > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c > 2014-09-30 23:35:28.599067153 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c 2014-09-30 > 23:35:28.578067033 +0200 > @@ -2559,7 +2559,7 @@ > NULL > ); > } else { > - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET; > + *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; > } > break; The commit message is not overly verbose: OvmfPkg: Add custom SecureBootConfigDxe that doesn't reset We don't force a platform reset for OVMF when PK is changed in custom mode setup. But the INF file hunk is telling: Need custom SecureBootConfigDxe for OVMF that does not force resets after PK changes since OVMF doesn't have persistent variables We do have persistent variables now. I think we should drop the (obsolete) OvmfPkg fork completely, and return to the (maintained) SecurityPkg-provided config driver. Thoughts? Thanks Laszlo ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ edk2-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/edk2-devel
