From: "Gerd Hoffmann"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Oliver Steffen, Jordan Justen, Gerd Hoffmann, Pawel Polawski, Jiewen Yao
Subject: [edk2-devel] [PATCH 1/2] OvmfPkg/Microvm: add SECURE_BOOT_FEATURE_ENABLED
Date: Thu, 6 Oct 2022 13:05:25 +0200
Message-Id: <20221006110526.1068475-2-kraxel@redhat.com>
In-Reply-To: <20221006110526.1068475-1-kraxel@redhat.com>
References: <20221006110526.1068475-1-kraxel@redhat.com>

Compiler flag is needed to make (stateless) secure boot actually secure, i.e. restore EFI variables from ROM on reset.

Signed-off-by: Gerd Hoffmann
---
 OvmfPkg/Microvm/MicrovmX64.dsc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 33d68a5493de..e60d3a2071ab 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -91,6 +91,15 @@ [BuildOptions] INTEL:*_*_*_CC_FLAGS =3D /D DISABLE_NEW_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES =20 + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED +!endif + !include NetworkPkg/NetworkBuildOptions.dsc.inc =20 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
-- 
2.37.3

View/Reply Online (#94786): https://edk2.groups.io/g/devel/message/94786
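Review bot: the comment block above the `!if $(SECURE_BOOT_ENABLE) == TRUE` guard only repeats the macro name (`# SECURE_BOOT_FEATURE_ENABLED`), while the commit message says this define is what makes stateless secure boot restore the EFI variable store from ROM on reset; spell that out in the comment, e.g. `# Make the variable driver restore EFI variables from ROM on reset; without this a SECURE_BOOT_ENABLE build is not actually secure.`, so the block is not later dropped as cosmetic. Since the define is emitted only inside this conditional, a platform DSC that sets SECURE_BOOT_ENABLE but lacks the equivalent block silently produces a non-secure image; that failure mode deserves a sentence in the commit message as well.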
From: "Gerd Hoffmann"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Oliver Steffen, Jordan Justen, Gerd Hoffmann, Pawel Polawski, Jiewen Yao
Subject: [edk2-devel] [PATCH 2/2] Revert "OvmfPkg/Microvm: no secure boot"
Date: Thu, 6 Oct 2022 13:05:26 +0200
Message-Id: <20221006110526.1068475-3-kraxel@redhat.com>
In-Reply-To: <20221006110526.1068475-1-kraxel@redhat.com>
References: <20221006110526.1068475-1-kraxel@redhat.com>

This reverts commit 60d55c4156523e5dfb316b7c0c445b96c8f8be81.

Now that we have stateless secure boot support (which doesn't need SMM) in OVMF, we can enable the build option for MicroVM. Bring it back by reverting the commit that removed it. Also add the new PlatformPKProtectionLib.

Signed-off-by: Gerd Hoffmann
---
 OvmfPkg/Microvm/MicrovmX64.dsc | 22 +++++++++++++++++++++-
 OvmfPkg/Microvm/MicrovmX64.fdf |  4 ++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index e60d3a2071ab..7eff8e2a88d9 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -214,7 +214,15 @@ [LibraryClasses] !endif RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf +!endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf @@ -691,7 +699,14 @@ [Components] =20 MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf =20 - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf @@ -853,6 +868,11 @@ [Components] gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +!endif + OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 
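Review bot: `PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf` in the [LibraryClasses] hunk is the library AuthVariableLib consults for UserPhysicalPresent(), which in custom secure boot mode decides whether PK, KEK, db and dbx may be written without a signed authenticated-variable update; confirm what it returns on MicroVM, because a build that reports physical presence unconditionally lets any guest with runtime variable access replace the platform key, and the commit message should say which behaviour is intended.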
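Review bot: in the SecurityStubDxe hunk, `!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc` sits inside the `!if $(SECURE_BOOT_ENABLE) == TRUE` block together with `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf`, so the TPM measurement hook for loaded images is only linked when secure boot is also enabled; if a MicroVM build with a TPM but without secure boot is meant to measure images, move the `!include` after the `!endif`, and otherwise state the coupling in the commit message.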
diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
index ff0aab2bcb9e..380ba3a36883 100644
--- a/OvmfPkg/Microvm/MicrovmX64.fdf
+++ b/OvmfPkg/Microvm/MicrovmX64.fdf
@@ -206,6 +206,10 @@ [FV.DXEFV] INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf INF OvmfPkg/VirtioRngDxe/VirtioRng.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon= figDxe.inf +!endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRun= timeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
-- 
2.37.3

View/Reply Online (#94787): https://edk2.groups.io/g/devel/message/94787
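Review bot: the FDF hunk adds only SecureBootConfigDxe to FV.DXEFV, while the .dsc [Components] hunk also adds `OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf`; if that is deliberate because EnrollDefaultKeys is a UEFI application run from inside the guest rather than firmware shipped in the flash image, say so in the commit message, otherwise add the matching `INF OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf` line inside this `!if` block.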
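A consistency check for the coupling the two patches introduce, as an added example that is not part of the patches or of edk2: a minimal evaluator for the DSC subset the hunks use (`[Section]` headers, `!if $(MACRO) == VALUE` / `!else` / `!endif`, `!include`, `Class|Path.inf` lines in [LibraryClasses] and `TOOLCHAIN:*_*_*_CC_FLAGS = flags` lines in [BuildOptions]) that resolves a DSC for a given SECURE_BOOT_ENABLE value and reports when the SECURE_BOOT_FEATURE_ENABLED define and the SecurityPkg AuthVariableLib are not both present (or both absent). The DSC text is a constructed excerpt modelled on the hunks, not the real MicrovmX64.dsc; the function names and the assumption that this DSC subset suffices for the check are the example's own.

```python
"""Consistency check for the stateless secure boot wiring in an edk2 DSC.

Added example; not edk2 code.  Only the DSC subset used by the patches is
understood: [Section] headers, `!if $(MACRO) == VALUE` / `!else` / `!endif`,
`!include` (ignored), `Class|Path.inf` lines in [LibraryClasses] and
`TOOLCHAIN:*_*_*_CC_FLAGS = flags` lines in [BuildOptions].
"""
import re

# Constructed excerpt modelled on the two hunks; not the real MicrovmX64.dsc.
SAMPLE_DSC = """\
[BuildOptions]
  GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
!if $(SECURE_BOOT_ENABLE) == TRUE
  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED
  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED
  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED
!endif
!include NetworkPkg/NetworkBuildOptions.dsc.inc

[LibraryClasses]
!if $(SECURE_BOOT_ENABLE) == TRUE
  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
  PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
!else
  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
  VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
"""

# The same excerpt with patch 1/2 missing: the library wiring of patch 2/2
# is present but the compile-time define is not (the silent failure mode).
BROKEN_DSC = "\n".join(
    line for line in SAMPLE_DSC.splitlines()
    if "SECURE_BOOT_FEATURE_ENABLED" not in line
)


def _eval_cond(expr, macros):
    """Evaluate `$(NAME) == VALUE` or `$(NAME) != VALUE`; unset macros read as FALSE."""
    m = re.fullmatch(r"\$\((\w+)\)\s*(==|!=)\s*(\S+)", expr.strip())
    if not m:
        raise ValueError("unsupported DSC condition: " + expr)
    name, op, want = m.groups()
    have = macros.get(name, "FALSE")
    return have == want if op == "==" else have != want


def evaluate_dsc(text, macros):
    """Return {section: [(key, value), ...]} for the lines active under `macros`."""
    sections, section = {}, None
    stack = []  # one [this_branch_active, some_branch_taken] pair per open !if
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!if "):
            active = _eval_cond(line[4:], macros)
            stack.append([active, active])
        elif line == "!else":
            stack[-1][0] = not stack[-1][1]
            stack[-1][1] = True
        elif line == "!endif":
            stack.pop()
        elif not all(frame[0] for frame in stack):
            continue  # inside a false branch
        elif line.startswith("!include"):
            continue  # included files are out of scope for this check
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, [])
        elif section == "LibraryClasses" and "|" in line:
            key, value = line.split("|", 1)
            sections[section].append((key.strip(), value.strip()))
        elif section == "BuildOptions" and "=" in line:
            key, value = line.split("=", 1)
            sections[section].append((key.strip(), value.strip()))
    return sections


def check_secure_boot_wiring(text, secure_boot_enable):
    """Return findings (empty list == consistent) for SECURE_BOOT_ENABLE=<value>."""
    cfg = evaluate_dsc(text, {"SECURE_BOOT_ENABLE": secure_boot_enable})
    cc_flags = {}
    for key, value in cfg.get("BuildOptions", []):
        cc_flags.setdefault(key.split(":", 1)[0], []).append(value)
    libs = dict(cfg.get("LibraryClasses", []))
    has_define = {tc: any("SECURE_BOOT_FEATURE_ENABLED" in v for v in vals)
                  for tc, vals in cc_flags.items()}
    real_auth = libs.get("AuthVariableLib", "").endswith(
        "SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf")
    findings = []
    if secure_boot_enable == "TRUE":
        findings += [f"{tc}: SECURE_BOOT_FEATURE_ENABLED not defined"
                     for tc, ok in has_define.items() if not ok]
        if not real_auth:
            findings.append("AuthVariableLib is not the SecurityPkg implementation")
        findings += [f"{cls} not resolved"
                     for cls in ("PlatformSecureLib", "PlatformPKProtectionLib")
                     if cls not in libs]
    else:
        findings += [f"{tc}: SECURE_BOOT_FEATURE_ENABLED defined although SECURE_BOOT_ENABLE != TRUE"
                     for tc, ok in has_define.items() if ok]
        if real_auth:
            findings.append("SecurityPkg AuthVariableLib linked although SECURE_BOOT_ENABLE != TRUE")
    return findings


if __name__ == "__main__":
    for name, dsc in (("sample", SAMPLE_DSC), ("broken", BROKEN_DSC)):
        for value in ("TRUE", "FALSE"):
            print(name, value, check_secure_boot_wiring(dsc, value) or "ok")
```

Run against a real platform DSC the same way after expanding the `!include` files first; the evaluator deliberately ignores them, so a define or library class that lives in an included .dsc.inc will show up as a finding until that file's lines are pasted in.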