From patchwork Wed Oct 1 10:47:18 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laszlo Ersek X-Patchwork-Id: 38229 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-ee0-f69.google.com (mail-ee0-f69.google.com [74.125.83.69]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id DD942202E7 for ; Wed, 1 Oct 2014 10:47:51 +0000 (UTC) Received: by mail-ee0-f69.google.com with SMTP id b57sf398494eek.4 for ; Wed, 01 Oct 2014 03:47:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to :references:subject:precedence:reply-to:list-id:list-unsubscribe :list-archive:list-post:list-help:list-subscribe:mime-version :errors-to:x-original-sender:x-original-authentication-results :mailing-list:content-type:content-transfer-encoding; bh=TcUjceVB8d/1b3hVgDRWIsVKsBnRUVKYD+vn+1TX4Ko=; b=CGJhZPkxIQ3ZqRbp8atoHG+ROaNaFP5BlM23y3wgcfv9jelVEtcsQH/TguA8RwDDsE prg9BhA8WiB4snTC1h6eUWXz4XSaStf3CMWnbFPM8QwR6r8jCwZBkbqL2r3o9HXv9+U9 R102YEtaUJ1bRTp7hVeE6jrCcW4khehiRGGEeD5REHZk4DnY007fBwZ5Ua8CROJhcUiA 9NvMHfkBTeqXrc9GWsVeLi+aecZRqk4tyG6WX1/oeGG0ocxVqjP2jrzMeiN9Tc0Loku9 TbfOIMsXeQTFkaOHIGSNp+3vvDXo9aW62dcyv/avAGRM2BEOhZ4C/lOa+21MAot+r7DY q6pg== X-Gm-Message-State: ALoCoQnYrhUTy8p7swZlLdZlD0vO7rLvhyPq97/XPzCXYZo2BN+Z+mf/f3xd+qletHdqn9Glole6 X-Received: by 10.112.131.33 with SMTP id oj1mr8137717lbb.7.1412160470951; Wed, 01 Oct 2014 03:47:50 -0700 (PDT) X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.23.227 with SMTP id p3ls149230laf.39.gmail; Wed, 01 Oct 2014 03:47:50 -0700 (PDT) X-Received: by 10.112.83.235 with SMTP id t11mr17029994lby.101.1412160470730; Wed, 01 Oct 2014 03:47:50 -0700 (PDT) Received: from mail-la0-f47.google.com (mail-la0-f47.google.com [209.85.215.47]) by mx.google.com with ESMTPS id zw4si877411lbb.116.2014.10.01.03.47.50 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 01 Oct 2014 03:47:50 -0700 (PDT) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.47 as permitted sender) client-ip=209.85.215.47; Received: by mail-la0-f47.google.com with SMTP id pv20so47895lab.34 for ; Wed, 01 Oct 2014 03:47:50 -0700 (PDT) X-Received: by 10.152.204.231 with SMTP id lb7mr53538084lac.44.1412160470598; Wed, 01 Oct 2014 03:47:50 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.130.169 with SMTP id of9csp506325lbb; Wed, 1 Oct 2014 03:47:49 -0700 (PDT) X-Received: by 10.50.80.116 with SMTP id q20mr18257487igx.22.1412160468415; Wed, 01 Oct 2014 03:47:48 -0700 (PDT) Received: from lists.sourceforge.net (lists.sourceforge.net. [216.34.181.88]) by mx.google.com with ESMTPS id n7si22009101igv.31.2014.10.01.03.47.47 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 01 Oct 2014 03:47:48 -0700 (PDT) Received-SPF: pass (google.com: domain of edk2-devel-bounces@lists.sourceforge.net designates 216.34.181.88 as permitted sender) client-ip=216.34.181.88; Received: from localhost ([127.0.0.1] helo=sfs-ml-1.v29.ch3.sourceforge.com) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XZHRa-0006pc-AX; Wed, 01 Oct 2014 10:47:38 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XZHRY-0006pV-Gn for edk2-devel@lists.sourceforge.net; Wed, 01 Oct 2014 10:47:36 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=lersek@redhat.com; helo=mx1.redhat.com; Received: from mx1.redhat.com ([209.132.183.28]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1XZHRW-00026N-Pd for edk2-devel@lists.sourceforge.net; Wed, 01 Oct 2014 10:47:36 +0000 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s91AlS7G012333 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Wed, 1 Oct 2014 06:47:28 -0400 Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-67.ams2.redhat.com [10.36.116.67]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s91AlOGp021108 for ; Wed, 1 Oct 2014 06:47:27 -0400 From: Laszlo Ersek To: edk2-devel@lists.sourceforge.net Date: Wed, 1 Oct 2014 12:47:18 +0200 Message-Id: <1412160439-18223-2-git-send-email-lersek@redhat.com> In-Reply-To: <1412160439-18223-1-git-send-email-lersek@redhat.com> References: <1412160439-18223-1-git-send-email-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Spam-Score: -2.1 (--) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1XZHRW-00026N-Pd Subject: [edk2] [PATCH 1/2] OvmfPkg: disable stale fork of SecureBootConfigDxe X-BeenThere: edk2-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: edk2-devel@lists.sourceforge.net List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , MIME-Version: 1.0 Errors-To: edk2-devel-bounces@lists.sourceforge.net X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: lersek@redhat.com X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.47 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 OvmfPkg forked SecureBootConfigDxe from SecurityPkg in SVN r13635 (git commit 8c71ec8f). Since then, the original (in "SecurityPkg/VariableAuthenticated/SecureBootConfigDxe") has diverged significantly. The initial diff between the original and the fork, when the fork was made (ie. at SVN r13635), reads as follows: > diff -ur SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr > --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr 2014-09-30 23:35:28.598067147 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr 2014-08-09 02:40:35.824851626 +0200 > @@ -51,7 +51,7 @@ > questionid = KEY_SECURE_BOOT_ENABLE, > prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT), > help = STRING_TOKEN(STR_SECURE_BOOT_HELP), > - flags = INTERACTIVE | RESET_REQUIRED, > + flags = INTERACTIVE, > endcheckbox; > endif; > > @@ -158,7 +158,7 @@ > questionid = KEY_SECURE_BOOT_DELETE_PK, > prompt = STRING_TOKEN(STR_DELETE_PK), > help = STRING_TOKEN(STR_DELETE_PK_HELP), > - flags = INTERACTIVE | RESET_REQUIRED, > + flags = INTERACTIVE, > endcheckbox; > endif; > endform; > diff -ur SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf > --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf 2014-09-30 23:35:28.598067147 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf 2014-09-30 23:35:28.577067027 +0200 > @@ -1,5 +1,8 @@ > ## @file > -# Component name for SecureBoot configuration module. > +# Component name for SecureBoot configuration module for OVMF. > +# > +# Need custom SecureBootConfigDxe for OVMF that does not force > +# resets after PK changes since OVMF doesn't have persistent variables > # > # Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.
> # This program and the accompanying materials > diff -ur SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c > --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c 2014-09-30 23:35:28.599067153 +0200 > +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c 2014-09-30 23:35:28.578067033 +0200 > @@ -2559,7 +2559,7 @@ > NULL > ); > } else { > - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET; > + *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; > } > break; The commit message is not overly verbose: OvmfPkg: Add custom SecureBootConfigDxe that doesn't reset We don't force a platform reset for OVMF when PK is changed in custom mode setup. But the INF file hunk is telling: Need custom SecureBootConfigDxe for OVMF that does not force resets after PK changes since OVMF doesn't have persistent variables We do have persistent variables now. Let's disable the (now obsolete) OvmfPkg fork, and revert to the (well maintained) SecurityPkg-provided config driver. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek --- OvmfPkg/OvmfPkgIa32.dsc | 2 +- OvmfPkg/OvmfPkgIa32.fdf | 2 +- OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- OvmfPkg/OvmfPkgIa32X64.fdf | 2 +- OvmfPkg/OvmfPkgX64.dsc | 2 +- OvmfPkg/OvmfPkgX64.fdf | 2 +- OvmfPkg/README | 2 ++ 7 files changed, 8 insertions(+), 6 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 6ae36f3..8527ece 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -562,7 +562,7 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } - OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif OvmfPkg/PlatformDxe/Platform.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index e971445..ef3cdef 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -230,7 +230,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf - INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 5cd23a1..823f005 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -569,7 +569,7 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } - OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif OvmfPkg/PlatformDxe/Platform.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf index 218a78e..375afac 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -230,7 +230,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf - INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 8a5a321..05f5992 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -592,7 +592,7 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } - OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif OvmfPkg/PlatformDxe/Platform.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 29382fb..a0c1ac1 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -230,7 +230,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf - INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif diff --git a/OvmfPkg/README b/OvmfPkg/README index 44942e6..ef49bf8 100644 --- a/OvmfPkg/README +++ b/OvmfPkg/README @@ -66,6 +66,8 @@ http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=How_to_build_OVM - Option 1: QEMU 1.6 or newer; Use QEMU -pflash parameter * QEMU/OVMF will use emulated flash, and fully support UEFI variables * Run qemu with: -pflash path/to/OVMF.fd + * Note that this option is required for running SecureBoot-enabled builds + (-D SECURE_BOOT_ENABLE). - Option 2: Use QEMU -bios parameter * Note that UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot