Jordan, I don't know whether OVMF can be simulated and install Windows OS. If yes, at least 64 KB of NV storage is required according to Windows Hardware Certification Requirement.
http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx
System.Fundamentals.Firmware.UEFISecureBoot
Reserved Memory for Windows Secure Boot UEFI Variables. A total of at least 64 KB of non-volatile NVRAM storage memory must be reserved for NV UEFI variables (authenticated and unauthenticated, BS and RT) used by UEFI Secure Boot and Windows, and the maximum supported variable size must be at least 32kB. There is no maximum NVRAM storage limit.

-----Original Message-----
From: Larry Cleeton [mailto:[email protected]]
Sent: Wednesday, February 19, 2014 7:45 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot & NV storage size

Data Point: In our Hyper-V Generation 2 VM UEFI implementation we chose an arbitrary artificial limit of 128KB for NV variables. We considered the various references to a limit of 64KB, looked at what actually ended up in the store after OS install, and settled on 128KB as a generous limit. We made it generous because, well, we could as our mechanism of persistence is relatively unlimited on the hosting platform. We imposed a limit to prevent a VM from maliciously consuming the persistent store on the hosting platform via its UEFI variable service.

I think the important thing to consider with Secure Boot is the additional size of the PK, KEK, db, and dbx variables beyond the typical set of variables without Secure Boot. These new "signature databases" could grow during the life of the platform, especially the db and dbx. The db could grow a little if you anticipate adding new trusted certs or hashes. It's likely there will only be a few of those and the size is pretty easy to anticipate. The dbx will grow as you should anticipate having to block certs or hashes. Adding hashes to the dbx is most likely. The size of each hash is easy to anticipate, however, how many hashes that will be added over the lifetime of the platform has to be a smart guess. So far our experience is 128KB is still generous.
--Larry

-----Original Message-----
From: Jordan Justen [mailto:[email protected]]
Sent: Tuesday, February 18, 2014 3:07 PM
To: [email protected]
Subject: [edk2] Secure Boot & NV storage size

What is a good practical and/or spec'd size of NV storage to best support Secure Boot?

In OVMF, we recently added support for NV variables. I chose what I thought was a generous size of 56KB. With a 4KB 'event log' and 4KB NV Working Store, this makes the NV storage 64KB. Of course, we needed to reserve yet another 64KB to backup this storage if the block needs to be erased. So, all told 128KB of flash.

Is this (56KB) a good size to support Secure Boot?

-Jordan

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel
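
The sizing question in this thread (fixed-size hashes accumulating in dbx against a fixed NV budget), as an added example that is not part of the original messages or of edk2. It assumes the UEFI EFI_SIGNATURE_LIST layout (28-byte list header, 48 bytes per SHA-256 entry); the function names are hypothetical, the sample list is constructed, and per-variable header overhead and other variables in the store are ignored, so the headroom figures are upper bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIGLIST_HDR 28u  /* SignatureType GUID (16) + three UINT32 size fields */
#define SHA256_ENTRY 48u /* SignatureOwner GUID (16) + SHA-256 digest (32) */
/* EFI_CERT_SHA256_GUID in its in-memory (mixed-endian) byte order. */
static const uint8_t CERT_SHA256[16] = {0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
                                        0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28};

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample data: one EFI_SIGNATURE_LIST holding n zeroed SHA-256
   entries. Returns bytes written, or 0 if it does not fit in cap. */
size_t build_sha256_list(uint8_t *buf, size_t cap, uint32_t n) {
    size_t total = SIGLIST_HDR + (size_t)n * SHA256_ENTRY;
    if (total > cap) return 0;
    memset(buf, 0, total);           /* SignatureHeaderSize stays 0 */
    memcpy(buf, CERT_SHA256, 16);    /* SignatureType */
    wr32(buf + 16, (uint32_t)total); /* SignatureListSize */
    wr32(buf + 24, SHA256_ENTRY);    /* SignatureSize */
    return total;
}

/* Walk the concatenated lists of a db/dbx payload and count entries.
   Returns -1 if a size field is inconsistent with the buffer. */
long count_signatures(const uint8_t *buf, size_t len) {
    long count = 0;
    while (len > 0) {
        if (len < SIGLIST_HDR) return -1;
        uint32_t list = rd32(buf + 16), hdr = rd32(buf + 20), sig = rd32(buf + 24);
        if (list > len || list < SIGLIST_HDR || hdr > list - SIGLIST_HDR) return -1;
        uint32_t body = list - SIGLIST_HDR - hdr;
        if (sig <= 16 || body % sig != 0) return -1;
        count += body / sig;
        buf += list; len -= list;
    }
    return count;
}

/* SHA-256 hashes that still fit in an existing list before payload hits limit. */
size_t sha256_headroom(size_t limit, size_t used) {
    return used >= limit ? 0 : (limit - used) / SHA256_ENTRY;
}
```

With the 32kB maximum variable size quoted above, a dbx holding 100 hashes (4828 bytes) has room for 582 more; an otherwise empty 56KB store tops out at 1194 SHA-256 entries in a single list.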
