[edk2-devel] [PATCH] EmbeddedPkg/VirtualRealTimeClockLib: Support SOURCE_DATE_EPOCH
From: Chun-Yi Lee

RISC-V ovmf uses VirtualRealTimeClockLib, but the default epoch is the compilation time. This causes the RISC-V ovmf binary image to be NOT reproducible.

This patch adds support for SOURCE_DATE_EPOCH via the printenv command. If SOURCE_DATE_EPOCH is found, we use it as BUILD_EPOCH. Otherwise we run the date command to set BUILD_EPOCH.

Distributions that want a reproducible RISC-V ovmf image should export the SOURCE_DATE_EPOCH environment variable before building ovmf.

References: https://reproducible-builds.org/docs/source-date-epoch/

Cc: Pete Batard
Cc: Ard Biesheuvel
Signed-off-by: Chun-Yi Lee
---
 .../Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf index 5d0f867..285e880 100644 --- a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf +++ b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf @@ -34,4 +34,4 @@ # Current usage of this library expects GCC in a UNIX-like shell environment with the date command [BuildOptions] - GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`date +%s` + GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`
--
2.35.3

-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#117664): https://edk2.groups.io/g/devel/message/117664 Mute This Topic: https://groups.io/mt/105479031/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
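Review bot: the new `printenv SOURCE_DATE_EPOCH || date +%s` fallback only triggers when the variable is unset; if SOURCE_DATE_EPOCH is exported but empty, printenv prints an empty line and exits 0, so the compiler is handed `-DBUILD_EPOCH=` with no value, and a non-numeric value is likewise substituted into the macro unchecked. Consider falling back to `date +%s` when the value is empty as well (the reproducible-builds document referenced in the message defines the variable as an integer number of seconds), and update the comment line kept in the hunk above [BuildOptions], which still describes the requirement as "a UNIX-like shell environment with the date command" and does not mention SOURCE_DATE_EPOCH.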
[edk2-devel] [PATCH v2] OvmfPkg/PlatformInitLib: Fix integrity checking failed of NvVarStore in some cases
In the commit 4f173db8b4 "OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore", a PlatformValidateNvVarStore() function was introduced for checking the integrity of NvVarStore. In some cases, when VariableHeader->StartId is VARIABLE_DATA, VariableHeader->State is not just one of the four primary states: VAR_IN_DELETED_TRANSITION, VAR_DELETED, VAR_HEADER_VALID_ONLY, VAR_ADDED. The state may combine two or three states, e.g.

0x3C = (VAR_IN_DELETED_TRANSITION & VAR_ADDED) & VAR_DELETED
or
0x3D = VAR_ADDED & VAR_DELETED

When the variable store has those variables, system booting/rebooting hangs in an ASSERT:

NvVarStore Variable header State was invalid.
ASSERT /mnt/working/source_code-git/edk2/OvmfPkg/Library/PlatformInitLib/Platform.c(819): ((BOOLEAN)(0==1))

Adding more logging to UpdateVariable() and PlatformValidateNvVarStore(), we saw some variables which have the 0x3C or 0x3D state in the store, e.g.

UpdateVariable(), VariableName=BootOrder
L1871, State=003F <-- VAR_ADDED
State &= VAR_DELETED=003D
FlushHobVariableToFlash(), VariableName=BootOrder
...
UpdateVariable(), VariableName=InitialAttemptOrder
L1977, State=003F
State &= VAR_IN_DELETED_TRANSITION=003E
L2376, State=003E
State &= VAR_DELETED=003C
FlushHobVariableToFlash(), VariableName=InitialAttemptOrder
...
UpdateVariable(), VariableName=ConIn
L1977, State=003F
State &= VAR_IN_DELETED_TRANSITION=003E
L2376, State=003E
State &= VAR_DELETED=003C
FlushHobVariableToFlash(), VariableName=ConIn
...

So, only allowing the four primary states is not enough. This patch changes the valid states list (following Jiewen Yao's suggestion):

1. VAR_HEADER_VALID_ONLY (0x7F) - Header added (*)
2. VAR_ADDED (0x3F) - Header + data added
3. VAR_ADDED & VAR_IN_DELETED_TRANSITION (0x3E) - marked as deleted, but still valid, before new data is added. (*)
4. VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED (0x3C) - deleted, after new data is added.
5. VAR_ADDED & VAR_DELETED (0x3D) - deleted directly, without new data.

(*) means to support surprise shutdown.

And removed (VAR_IN_DELETED_TRANSITION) and (VAR_DELETED) because they are invalid states.

v2: Following Jiewen Yao's suggestion, add the following valid states:
VAR_ADDED & VAR_DELETED (0x3D)
VAR_ADDED & VAR_IN_DELETED_TRANSITION (0x3E)
VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED (0x3C)
and remove the following invalid states:
VAR_IN_DELETED_TRANSITION
VAR_DELETED

Signed-off-by: "Lee, Chun-Yi"
---
 OvmfPkg/Library/PlatformInitLib/Platform.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c index 77f22de046..6963c47e0b 100644 --- a/OvmfPkg/Library/PlatformInitLib/Platform.c +++ b/OvmfPkg/Library/PlatformInitLib/Platform.c @@ -702,10 +702,11 @@ PlatformValidateNvVarStore ( VariableOffset = NvVarStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER); } else { - if (!((VariableHeader->State == VAR_IN_DELETED_TRANSITION) || -(VariableHeader->State == VAR_DELETED) || -(VariableHeader->State == VAR_HEADER_VALID_ONLY) || -(VariableHeader->State == VAR_ADDED))) + if (!((VariableHeader->State == VAR_HEADER_VALID_ONLY) || + (VariableHeader->State == VAR_ADDED) || + (VariableHeader->State == (VAR_ADDED & VAR_DELETED)) || + (VariableHeader->State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION)) || + (VariableHeader->State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED { DEBUG ((DEBUG_ERROR, "NvVarStore Variable header State was invalid.\n")); return FALSE;
--
2.35.3

View/Reply Online (#97581): https://edk2.groups.io/g/devel/message/97581
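Review bot: the rewritten condition drops the bare VAR_IN_DELETED_TRANSITION and VAR_DELETED comparisons that the removed lines accepted, so a store that happens to contain such a header now hits the same `NvVarStore Variable header State was invalid.` path this patch is fixing for 0x3C and 0x3D; the message asserts they are invalid, but a short comment above the `if` listing the five accepted values and noting that 0x7F and 0x3E are kept to tolerate a surprise shutdown would keep that reasoning with the code. Each comparison is an exact match, so any further combination UpdateVariable() can leave on flash will require another edit here; pointing the comment at the UpdateVariable() sequence quoted in the message would help whoever extends the list next.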
[edk2-devel] [PATCH] OvmfPkg/PlatformInitLib: Fix integrity checking failed of NvVarStore in some cases
In the commit 4f173db8b4 "OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore", a PlatformValidateNvVarStore() function was introduced for checking the integrity of NvVarStore. In some cases, when VariableHeader->StartId is VARIABLE_DATA, VariableHeader->State is not just one of the four primary states: VAR_IN_DELETED_TRANSITION, VAR_DELETED, VAR_HEADER_VALID_ONLY, VAR_ADDED. The state may combine two or three states, e.g.

0x3C = (VAR_IN_DELETED_TRANSITION & VAR_ADDED) & VAR_DELETED
or
0x3D = VAR_ADDED & VAR_DELETED

When the variable store has those variables, system booting/rebooting hangs in an ASSERT:

NvVarStore Variable header State was invalid.
ASSERT /mnt/working/source_code-git/edk2/OvmfPkg/Library/PlatformInitLib/Platform.c(819): ((BOOLEAN)(0==1))

Adding more logging to UpdateVariable() and PlatformValidateNvVarStore(), we can see that some variables have the 0x3C or 0x3D state in the store, e.g.

UpdateVariable(), VariableName=BootOrder
L1871, State=003F <-- VAR_ADDED
State &= VAR_DELETED=003D
FlushHobVariableToFlash(), VariableName=BootOrder
...
UpdateVariable(), VariableName=InitialAttemptOrder
L1977, State=003F
State &= VAR_IN_DELETED_TRANSITION=003E
L2376, State=003E
State &= VAR_DELETED=003C
FlushHobVariableToFlash(), VariableName=InitialAttemptOrder
...
UpdateVariable(), VariableName=ConIn
L1977, State=003F
State &= VAR_IN_DELETED_TRANSITION=003E
L2376, State=003E
State &= VAR_DELETED=003C
FlushHobVariableToFlash(), VariableName=ConIn
...

So, only allowing the four primary states is not enough. This patch adds two more combined states to the valid states list:

(VAR_IN_DELETED_TRANSITION & VAR_ADDED) & VAR_DELETED = 0x3c
VAR_ADDED & VAR_DELETED = 0x3d

Signed-off-by: "Lee, Chun-Yi"
---
 OvmfPkg/Library/PlatformInitLib/Platform.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c index 77f22de046..2af4cefd10 100644
--- a/OvmfPkg/Library/PlatformInitLib/Platform.c +++ b/OvmfPkg/Library/PlatformInitLib/Platform.c @@ -705,7 +705,9 @@ PlatformValidateNvVarStore ( if (!((VariableHeader->State == VAR_IN_DELETED_TRANSITION) || (VariableHeader->State == VAR_DELETED) || (VariableHeader->State == VAR_HEADER_VALID_ONLY) || -(VariableHeader->State == VAR_ADDED))) +(VariableHeader->State == VAR_ADDED) || +(VariableHeader->State == (VAR_ADDED & VAR_DELETED)) || +(VariableHeader->State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED { DEBUG ((DEBUG_ERROR, "NvVarStore Variable header State was invalid.\n")); return FALSE;
--
2.35.3

View/Reply Online (#97329): https://edk2.groups.io/g/devel/message/97329
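Review bot: the extended list still omits VAR_ADDED & VAR_IN_DELETED_TRANSITION (0x3E), which the quoted UpdateVariable() trace shows as a real intermediate state (source line 1977 logs 003F, then `State &= VAR_IN_DELETED_TRANSITION` gives 003E) written before the final `State &= VAR_DELETED`; a shutdown between those two writes leaves 0x3E in the store and the validator would still fail with the same ASSERT. At the same time the bare VAR_IN_DELETED_TRANSITION and VAR_DELETED comparisons are kept although every state in the trace starts from VAR_ADDED (003F) and is only ANDed down, so those two values cannot be produced by that path. Suggest enumerating the combinations reachable from VAR_ADDED instead, which is what v2 of this patch does.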
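As an added illustration (not code from either patch or from edk2), the following C program replays the UpdateVariable() state sequences quoted in both commit messages above against stand-ins for the v1 and v2 validity checks, and reports which intermediate state a surprise shutdown could leave on flash that v1 would still reject. The State constants are the values given in the messages; IsValidStateV1, IsValidStateV2 and FirstRejectedState are hypothetical helpers, not functions from Platform.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* State values from the commit messages; each clears one bit, so states
   are combined with bitwise AND, never OR. */
#define VAR_IN_DELETED_TRANSITION 0xFE
#define VAR_DELETED               0xFD
#define VAR_HEADER_VALID_ONLY     0x7F
#define VAR_ADDED                 0x3F

/* Stand-in for the v1 condition: four primary states plus 0x3C and 0x3D. */
static int IsValidStateV1(uint8_t State) {
  return State == VAR_IN_DELETED_TRANSITION || State == VAR_DELETED ||
         State == VAR_HEADER_VALID_ONLY || State == VAR_ADDED ||
         State == (VAR_ADDED & VAR_DELETED) ||
         State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED);
}

/* Stand-in for the v2 condition: the five states reachable from VAR_ADDED. */
static int IsValidStateV2(uint8_t State) {
  return State == VAR_HEADER_VALID_ONLY || State == VAR_ADDED ||
         State == (VAR_ADDED & VAR_DELETED) ||
         State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION) ||
         State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION & VAR_DELETED);
}

/* Replays an UpdateVariable() sequence: start at VAR_ADDED and AND in each
   mask in turn. Every intermediate value is what flash holds if power is lost
   right after that write. Returns the first state the validator rejects, or 0. */
static uint8_t FirstRejectedState(int (*IsValid)(uint8_t),
                                  const uint8_t *Masks, size_t Count) {
  uint8_t State = VAR_ADDED;
  if (!IsValid(State)) return State;
  for (size_t i = 0; i < Count; i++) {
    State &= Masks[i];
    if (!IsValid(State)) return State;
  }
  return 0;
}

/* BootOrder: direct delete (ends at 0x3D). InitialAttemptOrder/ConIn:
   transition, then delete (passes through 0x3E on the way to 0x3C). */
static const uint8_t DirectDelete[] = { VAR_DELETED };
static const uint8_t TransitionDelete[] = { VAR_IN_DELETED_TRANSITION, VAR_DELETED };

int main(void) {
  printf("transition path: v1 rejects 0x%02X, v2 rejects 0x%02X\n",
         (unsigned)FirstRejectedState(IsValidStateV1, TransitionDelete, 2),
         (unsigned)FirstRejectedState(IsValidStateV2, TransitionDelete, 2));
  return 0;
}
```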
[edk2-devel] [PATCH v2] OvmfPkg/IncompatiblePciDeviceSupportDxe: Ignore OptionRom in Sev guest
Reference: https://bugzilla.tianocore.org/show_bug.cgi?id=4031

This patch is similar to the c477b2783f patch for Td guest. The host VMM may inject an OptionRom, which is untrusted in a Sev guest. So the PCI OptionRom needs to be ignored if it is a Sev guest. According to "Table 20. ACPI 2.0 & 3.0 QWORD Address Space Descriptor Usage" in PI spec 1.7, the type-specific flags can be set to 0 when Address Translation Offset == 6 to skip the device option ROM.

Without this patch, a Sev guest may show an invalid MMIO opcode error as follows:

Invalid MMIO opcode (F6)
ASSERT /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202202/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c(1041): ((BOOLEAN)(0==1))

The OptionRom must be disabled on both Td and Sev guests, so we directly use CcProbe().

v2: Use CcProbe() instead of TdIsEnabled() and MemEncryptSevIsEnabled().

Signed-off-by: "Lee, Chun-Yi"
---
 .../IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c | 5 +++--
 .../IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c index 2d385d26ef..686d85633e 100644 --- a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c +++ b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -264,7 +265,7 @@ CheckDevice ( // // In Td guest OptionRom is not allowed. // - if (TdIsEnabled ()) { + if (CcProbe ()) { Length += sizeof mOptionRomConfiguration; } @@ -286,7 +287,7 @@ CheckDevice ( CopyMem (Ptr, &mMmio64Configuration, sizeof mMmio64Configuration); Length = sizeof mMmio64Configuration; - if (TdIsEnabled ()) { + if (CcProbe ()) { CopyMem (Ptr + Length, &mOptionRomConfiguration, sizeof mOptionRomConfiguration); Length += sizeof mOptionRomConfiguration; }
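Review bot: both CheckDevice () hunks switch the condition to `CcProbe ()`, but the comment kept above the first one, `// In Td guest OptionRom is not allowed.`, still names only TD; update it to say the option ROM is rejected in any confidential-computing guest (TD or SEV) so the comment matches the check. CcProbe () reports a guest type rather than a BOOLEAN, so comparing explicitly against the "no confidential guest" value would state the intent more clearly than relying on nonzero. Since the second hunk must always agree with the first, evaluating the probe once into a local at the top of CheckDevice () would prevent the two sites from drifting apart.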
diff --git a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf index c3e6bb9447..ad38128fcb 100644 --- a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf +++ b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf @@ -24,6 +24,7 @@ OvmfPkg/OvmfPkg.dec [LibraryClasses] + CcProbeLib DebugLib MemoryAllocationLib PcdLib
--
2.12.3

View/Reply Online (#92868): https://edk2.groups.io/g/devel/message/92868
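Review bot: adding CcProbeLib to [LibraryClasses] means every DSC that builds IncompatiblePciDeviceSupportDxe must resolve that class, and for the SEV case it must resolve to the probing implementation rather than a stub that always reports no confidential guest, otherwise `CcProbe ()` stays false and the option ROM is still accepted on SEV, which is exactly the condition the referenced bug describes. The commit message should state which platform DSCs were checked for this.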
[edk2-devel] [PATCH] OvmfPkg/IncompatiblePciDeviceSupportDxe: Ignore OptionRom in Sev guest
Reference: https://bugzilla.tianocore.org/show_bug.cgi?id=4031

This patch is similar to the c477b2783f patch for Td guest. The host VMM may inject an OptionRom, which is untrusted in a Sev guest. So the PCI OptionRom needs to be ignored if it is a Sev guest. According to "Table 20. ACPI 2.0 & 3.0 QWORD Address Space Descriptor Usage" in PI spec 1.7, the type-specific flags can be set to 0 when Address Translation Offset == 6 to skip the device option ROM.

Without this patch, a Sev guest may show an invalid MMIO opcode error as follows:

Invalid MMIO opcode (F6)
ASSERT /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202202/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c(1041): ((BOOLEAN)(0==1))

Signed-off-by: "Lee, Chun-Yi"
---
 .../IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c | 5 +++--
 .../IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c index 2d385d26ef..269e6c2b91 100644 --- a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c +++ b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.c @@ -16,6 +16,7 @@ #include #include +#include #include #include @@ -264,7 +265,7 @@ CheckDevice ( // // In Td guest OptionRom is not allowed. // - if (TdIsEnabled ()) { + if (TdIsEnabled () || MemEncryptSevIsEnabled()) { Length += sizeof mOptionRomConfiguration; } @@ -286,7 +287,7 @@ CheckDevice ( CopyMem (Ptr, &mMmio64Configuration, sizeof mMmio64Configuration); Length = sizeof mMmio64Configuration; - if (TdIsEnabled ()) { + if (TdIsEnabled () || MemEncryptSevIsEnabled()) { CopyMem (Ptr + Length, &mOptionRomConfiguration, sizeof mOptionRomConfiguration); Length += sizeof mOptionRomConfiguration; }
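Review bot: `MemEncryptSevIsEnabled()` in both CheckDevice () hunks is missing the space before the parenthesis that the edk2 coding style and the adjacent `TdIsEnabled ()` use. The comment `// In Td guest OptionRom is not allowed.` above the first hunk is now inaccurate, since the check also covers SEV; reword it to cover both guest types. The same two-term condition is duplicated in the two hunks, so evaluating it once into a local would keep the option-ROM length accounting and the CopyMem site from diverging.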
diff --git a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf index c3e6bb9447..be2b883c40 100644 --- a/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf +++ b/OvmfPkg/IncompatiblePciDeviceSupportDxe/IncompatiblePciDeviceSupport.inf @@ -25,6 +25,7 @@ [LibraryClasses] DebugLib + MemEncryptSevLib MemoryAllocationLib PcdLib UefiBootServicesTableLib
--
2.12.3

View/Reply Online (#92813): https://edk2.groups.io/g/devel/message/92813
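Review bot: MemEncryptSevLib becomes a new dependency of this driver through [LibraryClasses]; the commit message should confirm that the DSCs building IncompatiblePciDeviceSupportDxe on non-SEV platforms already resolve MemEncryptSevLib, since the driver did not depend on it before this change and an unresolved class would break those builds.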