> Sorry, I forgot to put my testing environment in the patch description.
> My testing is on qemu with OVMF:
>
> - edk2-master or edk2-stable202211
>   build --verbose --debug=1 -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D TPM_CONFIG_ENABLE \
>     -D NETWORK_IP6_ENABLE -D NETWORK_HTTP_BOOT_ENABLE -a X64 -b DEBUG -t GCC5 \
>     -p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE
>
> - qemu-7.1.0 with libvirt-8.0.0
>   pc-q35 with pflash type and nvram:
>   <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
>   <loader readonly='yes' secure='no' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
>   <nvram template='/usr/share/qemu/ovmf-x86_64-vars.bin'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
That is not secure. You have unprotected writable flash.

You can either use a build with SMM_REQUIRE=TRUE and run with secure='yes', so only the firmware in SMM mode can write to flash. Or you run with both code and vars read-only. Easiest is <loader>OVMF.fd</loader>.

Or you disable secure boot (SECURE_BOOT_ENABLE=FALSE) in your builds. You still have unprotected writable flash then, but it isn't a security hole any more. And the assert isn't triggered either because that code path is only executed for secure boot builds.

take care,
  Gerd

View/Reply Online (#97368): https://edk2.groups.io/g/devel/message/97368
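The three configurations Gerd distinguishes (guest-writable pflash varstore, pflash with secure='yes' backed by an SMM_REQUIRE=TRUE build, or everything read-only) can be told apart from the libvirt domain XML alone. The script below is an added example written for this page; it is not code from the edk2 thread, from OVMF or from libvirt. It assumes libvirt-style XML with the <loader> and <nvram> elements each on a single line, and it can only see the domain side: a secure='yes' result still depends on the firmware actually having been built with -D SMM_REQUIRE=TRUE, which the XML does not reveal. The three sample domain files are constructed here; the first reproduces the reporter's loader/nvram lines.

```shell
#!/bin/sh
# Added example (not from the edk2-devel thread, OVMF or libvirt): classify how a
# libvirt domain exposes OVMF flash to the guest, following the three cases in
# Gerd's reply. Assumes <loader ...> and <nvram ...> each sit on one XML line.

# check_domain_flash FILE -> prints exactly one word:
#   INSECURE  type='pflash' plus an <nvram> varstore, with secure absent or 'no':
#             the guest can write the variable store, so Secure Boot state is not
#             protected (the reporter's setup)
#   SMM       type='pflash' plus <nvram> with secure='yes': libvirt/QEMU restrict
#             flash writes to SMM; only meaningful with an SMM_REQUIRE=TRUE build,
#             which this script cannot verify
#   READONLY  nothing writable: ROM-style <loader>OVMF.fd</loader>, or pflash code
#             with no <nvram> element at all
#   NOLOADER  no <loader> element (not an OVMF domain)
check_domain_flash() {
    xml="$1"
    loader=$(grep -o '<loader[^>]*>' "$xml" | head -n 1)
    if [ -z "$loader" ]; then
        echo NOLOADER; return 0
    fi
    case "$loader" in
        *"type='pflash'"*|*'type="pflash"'*) ;;
        *) echo READONLY; return 0 ;;   # default loader type is rom
    esac
    if ! grep -q '<nvram' "$xml"; then
        echo READONLY; return 0         # pflash code only, no varstore
    fi
    case "$loader" in
        *"secure='yes'"*|*'secure="yes"'*) echo SMM ;;
        *) echo INSECURE ;;
    esac
}

tmp=$(mktemp -d)

# Constructed sample 1: the reporter's configuration (pflash, secure='no', writable vars).
cat > "$tmp/insecure.xml" <<'EOF'
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
    <nvram template='/usr/share/qemu/ovmf-x86_64-vars.bin'>/var/lib/libvirt/qemu/nvram/opensuseTW_VARS.fd</nvram>
  </os>
</domain>
EOF

# Constructed sample 2: secure='yes'. libvirt requires the smm feature for this,
# and the firmware must have been built with -D SMM_REQUIRE=TRUE to benefit.
cat > "$tmp/smm.xml" <<'EOF'
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-smm-code.bin</loader>
    <nvram template='/usr/share/qemu/ovmf-x86_64-smm-vars.bin'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
  </os>
  <features>
    <smm state='on'/>
  </features>
</domain>
EOF

# Constructed sample 3: Gerd's "easiest" option, a unified image loaded as ROM.
cat > "$tmp/readonly.xml" <<'EOF'
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
    <loader>OVMF.fd</loader>
  </os>
</domain>
EOF

for name in insecure smm readonly; do
    printf '%s.xml: %s\n' "$name" "$(check_domain_flash "$tmp/$name.xml")"
done
```

For a real domain, run `check_domain_flash` on the output of `virsh dumpxml <domain>`. An INSECURE result with a SECURE_BOOT_ENABLE firmware is the combination Gerd calls a security hole; the fix on the build side is adding -D SMM_REQUIRE=TRUE to the build line quoted above and then switching the loader to secure='yes'.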
