summaryrefslogtreecommitdiffstats
path: root/OvmfPkg
diff options
context:
space:
mode:
authorLaszlo Ersek <lersek@redhat.com>2020-06-15 16:45:14 +0200
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-06-16 20:31:17 +0000
commit82808b422617ea5d1e62f5c5741eb8ce9dff4a7b (patch)
treebb98b2c6592ab6326050dc6b783356ee9c1be276 /OvmfPkg
parent493f2c69311806a214de2b3db7fdf7bc9162ea81 (diff)
downloadedk2-82808b422617ea5d1e62f5c5741eb8ce9dff4a7b.tar.gz
edk2-82808b422617ea5d1e62f5c5741eb8ce9dff4a7b.tar.bz2
edk2-82808b422617ea5d1e62f5c5741eb8ce9dff4a7b.zip
Revert "OvmfPkg: use generic QEMU image loader for secure boot enabled ..."
This reverts commit ced77332cab626f35fbdb36630be27303d289d79. The command virt-install --location NETWORK-URL downloads the vmlinuz and initrd files from the remote OS tree, and passes them to the guest firmware via fw_cfg. When used with IA32 / X64 guests, virt-install expects the guest firmware to do two things, at the same time: - launch the fw_cfg kernel image even if the latter does not pass SB verification (SB checking is supposed to be bypassed entirely in favor of the Linux/x86 Boot Protocol), - still let the guest kernel perceive SB as enabled. Commit ced77332cab6 prevented this, by removing the Linux/x86 Boot Protocol from such an OVMF image that was built with SECURE_BOOT_ENALBE. While that's the right thing in theory, in practice "virt-install --location NETWORK-URL" is entrenched, and we shouldn't break it. We can tolerate the Linux/x86 Boot Protocol as a one-of-a-kind SB bypass for direct-booted kernels, because: - the fw_cfg content comes from QEMU, and the guest is already at QEMU's mercy, - in the guest, OS boots after the initial installation will use "shim" rather than an fw_cfg kernel, which we can consider somewhat similar to "Audit Mode / Deployed Mode" (~ trust for install, lock down after). Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com> Message-Id: <20200615144514.24597-1-lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> [lersek@redhat.com: truncate the subject line, originally auto-generated by git-revert, to pacify PatchCheck.py]
Diffstat (limited to 'OvmfPkg')
-rw-r--r--OvmfPkg/OvmfPkgIa32.dsc4
-rw-r--r--OvmfPkg/OvmfPkgIa32X64.dsc4
-rw-r--r--OvmfPkg/OvmfPkgX64.dsc4
3 files changed, 0 insertions, 12 deletions
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d0df9cbbfb..16103d1773 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -379,11 +379,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b3ae62fee9..9597ef6721 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f7fe75ebf5..a6e585c03d 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -383,11 +383,7 @@
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
- QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!else
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!endif
!if $(TPM_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf