Message ID | 20240411094830.1337658-5-kraxel@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | x86/loader: secure boot support for direct kernel load |
On Thu, Apr 11, 2024 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> Add a new "etc/boot/kernel" fw_cfg file, containing the kernel without
> the setup header patches. Intended use is booting in UEFI with secure
> boot enabled, where the setup header patching breaks secure boot
> verification.
>
> Needs OVMF changes too to be actually useful.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

So given we have this, do we still need patch 2?

> --- > hw/i386/x86.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/i386/x86.c b/hw/i386/x86.c > index 6f75948b3021..6724e408e576 100644 > --- a/hw/i386/x86.c > +++ b/hw/i386/x86.c > @@ -1125,6 +1125,9 @@ void x86_load_linux(X86MachineState *x86ms, > sev_load_ctx.setup_data = (char *)setup; > sev_load_ctx.setup_size = setup_size; > > + /* kernel without setup header patches */ > + fw_cfg_add_file(fw_cfg, "etc/boot/kernel", kernel, kernel_size); > + > if (sev_enabled()) { > sev_add_kernel_loader_hashes(&sev_load_ctx, &error_fatal); > } > -- > 2.44.0
On Sun, Jun 02, 2024 at 09:26:09AM GMT, Michael S. Tsirkin wrote:
> On Thu, Apr 11, 2024 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> > Add a new "etc/boot/kernel" fw_cfg file, containing the kernel without
> > the setup header patches. Intended use is booting in UEFI with secure
> > boot enabled, where the setup header patching breaks secure boot
> > verification.
> >
> > Needs OVMF changes too to be actually useful.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> So given we have this, do we still need patch 2?

With this merged to qemu plus related edk2 patches merged too OVMF will
stop using the patched linux kernel setup header fw_cfg file. So,
patch #2 will not be essential for direct kernel boot to work correctly
with UEFI.

Nevertheless I'd consider patch #2 a clear bugfix. Trying to patch
linux kernel setup header fields in binaries which are /not/ a linux
kernel doesn't make any sense.

take care,
  Gerd
diff --git a/hw/i386/x86.c b/hw/i386/x86.c index 6f75948b3021..6724e408e576 100644 --- a/hw/i386/x86.c +++ b/hw/i386/x86.c @@ -1125,6 +1125,9 @@ void x86_load_linux(X86MachineState *x86ms, sev_load_ctx.setup_data = (char *)setup; sev_load_ctx.setup_size = setup_size; + /* kernel without setup header patches */ + fw_cfg_add_file(fw_cfg, "etc/boot/kernel", kernel, kernel_size); + if (sev_enabled()) { sev_add_kernel_loader_hashes(&sev_load_ctx, &error_fatal); }
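Review bot: the comment "kernel without setup header patches" on the added `fw_cfg_add_file()` call does not say what `kernel`/`kernel_size` actually cover (the image as read from disk, or only the part after the setup sectors that `sev_load_ctx.setup_data`/`setup_size` already describe); spell that out in the comment, since a firmware-side verifier of this file depends on the exact byte range. Also, because the new call is placed before `if (sev_enabled())`, note whether the "etc/boot/kernel" contents are intended to be covered by `sev_add_kernel_loader_hashes()` or are deliberately outside it, and record the new fw_cfg file name in the project's fw_cfg file documentation so the guest-visible interface is not only discoverable from this hunk.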
Add a new "etc/boot/kernel" fw_cfg file, containing the kernel without
the setup header patches. Intended use is booting in UEFI with secure
boot enabled, where the setup header patching breaks secure boot
verification.

Needs OVMF changes too to be actually useful.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/i386/x86.c | 3 +++
 1 file changed, 3 insertions(+)