On Tue, Sep 30, 2014 at 2:43 PM, Laszlo Ersek <[email protected]> wrote: > Hi, > > OvmfPkg forked SecureBootConfigDxe from SecurityPkg in SVN r13635. Since > then the original has diverged significantly. Now I'm seeing that > OpenSUSE builds OVMF in a way that the original (which has since > diverged) is included, instead of the (now obsolete) fork. > > https://build.opensuse.org/package/view_file/Virtualization/ovmf/ovmf-use-generic-sb-config.patch?expand=1 > > For reference, here's the diff between the original and the fork, when > the fork was made (ie. at SVN r13635): > >> diff -ur >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr >> OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr >> --- >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr >> 2014-09-30 23:35:28.598067147 +0200 >> +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr 2014-08-09 >> 02:40:35.824851626 +0200 >> @@ -51,7 +51,7 @@ >> questionid = KEY_SECURE_BOOT_ENABLE, >> prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT), >> help = STRING_TOKEN(STR_SECURE_BOOT_HELP), >> - flags = INTERACTIVE | RESET_REQUIRED, >> + flags = INTERACTIVE, >> endcheckbox; >> endif; >> >> @@ -158,7 +158,7 @@ >> questionid = KEY_SECURE_BOOT_DELETE_PK, >> prompt = STRING_TOKEN(STR_DELETE_PK), >> help = STRING_TOKEN(STR_DELETE_PK_HELP), >> - flags = INTERACTIVE | RESET_REQUIRED, >> + flags = INTERACTIVE, >> endcheckbox; >> endif; >> endform; >> diff -ur >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf >> --- >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> 2014-09-30 23:35:28.598067147 +0200 >> +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf 2014-09-30 >> 23:35:28.577067027 +0200 
>> @@ -1,5 +1,8 @@ >> ## @file >> -# Component name for SecureBoot configuration module. >> +# Component name for SecureBoot configuration module for OVMF. >> +# >> +# Need custom SecureBootConfigDxe for OVMF that does not force >> +# resets after PK changes since OVMF doesn't have persistent variables >> # >> # Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR> >> # This program and the accompanying materials >> diff -ur >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c >> OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c >> --- >> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c >> 2014-09-30 23:35:28.599067153 +0200 >> +++ OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c 2014-09-30 >> 23:35:28.578067033 +0200 >> @@ -2559,7 +2559,7 @@ >> NULL >> ); >> } else { >> - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET; >> + *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; >> } >> break; > > The commit message is not overly verbose: > > OvmfPkg: Add custom SecureBootConfigDxe that doesn't reset > > We don't force a platform reset for OVMF when PK is changed in > custom mode setup. > > But the INF file hunk is telling: > > Need custom SecureBootConfigDxe for OVMF that does not force > resets after PK changes since OVMF doesn't have persistent variables > > We do have persistent variables now. I think we should drop the > (obsolete) OvmfPkg fork completely, and return to the > (maintained) SecurityPkg-provided config driver. > > Thoughts?
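Review bot: the SecureBootConfig.vfr hunk at line 51 removes RESET_REQUIRED from the KEY_SECURE_BOOT_ENABLE checkbox, but the only justification anywhere in the patch (the .inf comment) speaks of "resets after PK changes"; enabling or disabling Secure Boot is not a PK change, so either the comment should cover this toggle too or the line should stay as upstream has it, `flags = INTERACTIVE | RESET_REQUIRED,`, so the browser still tells the user a reset is needed after flipping it.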
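Review bot: in the SecureBootConfig.vfr hunk at line 158 the KEY_SECURE_BOOT_DELETE_PK checkbox also loses RESET_REQUIRED, so deleting the PK no longer prompts for a reset; the stated reason for that is a variable store that could not persist the change across the reset, and since the thread says OVMF now has persistent variables, the reason is gone and this line should go back to `flags = INTERACTIVE | RESET_REQUIRED,`.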
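Review bot: the SecureBootConfigDxe.inf hunk records the assumption "OVMF doesn't have persistent variables" in a file header comment with nothing that ties it to the code it justifies, so when the assumption stops holding, as the thread says it now has, nothing marks the fork as stale; the comment should at least state the condition under which the fork is to be dropped ("remove once OVMF has a non-volatile variable store"), and the functional reason belongs next to the code it explains rather than only in the header.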
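Review bot: the single changed line in SecureBootConfigImpl.c at 2559, `*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;` in place of `EFI_BROWSER_ACTION_REQUEST_RESET`, commits the form without asking the browser to reset the platform, and it is the only C-side change in the fork, yet it carries no comment; a reader at this site cannot tell that it belongs together with the two .vfr flag removals or why a reset was dropped. Add a comment here, or, given where the thread lands, drop the fork and take the upstream RESET behaviour.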
Yeah, I agree. Let's require NV vars support for Secure Boot.

-Jordan

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel
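The thread's conclusion, that Secure Boot in OVMF only makes sense with a non-volatile variable store, is something you can check from inside a guest: the PK must be stored with the EFI_VARIABLE_NON_VOLATILE attribute, SetupMode must be 0 once a PK is present, and SecureBoot must read 1. The script below is an added example, not code from the edk2 thread, from OvmfPkg or from SecurityPkg. It reads the efivarfs files for PK, SetupMode and SecureBoot under /sys/firmware/efi/efivars when they exist (the 4-byte little-endian attribute word followed by the variable data is the efivarfs layout) and otherwise falls back to constructed sample bytes; the SignatureOwner GUID and the certificate bytes in the sample are made up and are not a real certificate.

```python
"""Check the UEFI Secure Boot state a guest sees, e.g. under OVMF.

Added example, not code from the edk2 thread or from OvmfPkg. Reads
efivarfs when present; otherwise uses constructed sample variables.
"""
import os
import struct
import uuid

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"

# UEFI variable attribute bits (SetVariable() in the UEFI spec).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
PK_REQUIRED_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                     | EFI_VARIABLE_RUNTIME_ACCESS
                     | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def read_efivar(name, raw=None):
    """Return (attributes, data) for a global variable, or None if absent.

    `raw` supplies the file contents directly (used by the constructed
    samples below); without it the efivarfs file is read.
    """
    if raw is None:
        path = os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_VARIABLE}")
        if not os.path.exists(path):
            return None
        with open(path, "rb") as f:
            raw = f.read()
    if len(raw) < 4:
        raise ValueError(f"{name}: too short for an efivarfs attribute word")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def parse_signature_lists(data):
    """Yield (SignatureType, SignatureOwner, SignatureData) from EFI_SIGNATURE_LIST data.

    Per list: GUID SignatureType, UINT32 SignatureListSize, UINT32
    SignatureHeaderSize, UINT32 SignatureSize, header bytes, then entries
    of SignatureSize bytes each holding {GUID SignatureOwner, SignatureData}.
    """
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds variable data")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = data[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature entries do not tile the list")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def secure_boot_state(pk, setup_mode, secure_boot):
    """Summarise platform state from the (attrs, data) tuples; None means absent.

    pk_persistent is the check the thread is about: a PK not stored
    NON_VOLATILE is lost on the very reset the upstream driver requests.
    """
    state = {"pk_present": pk is not None and len(pk[1]) > 0}
    if state["pk_present"]:
        attrs, data = pk
        state["pk_attrs"] = attrs
        state["pk_persistent"] = bool(attrs & EFI_VARIABLE_NON_VOLATILE)
        state["pk_attrs_ok"] = (attrs & PK_REQUIRED_ATTRS) == PK_REQUIRED_ATTRS
        state["pk_certs"] = sum(1 for t, _, _ in parse_signature_lists(data)
                                if t == EFI_CERT_X509_GUID)
    else:
        state.update(pk_persistent=False, pk_attrs_ok=False, pk_certs=0)
    state["setup_mode"] = bool(setup_mode and setup_mode[1][:1] == b"\x01")
    state["secure_boot"] = bool(secure_boot and secure_boot[1][:1] == b"\x01")
    # PK present with SetupMode=1, or no PK with SetupMode=0, is inconsistent.
    state["consistent"] = state["pk_present"] != state["setup_mode"]
    return state


def build_pk_variable(cert_der, attrs=PK_REQUIRED_ATTRS):
    """Constructed efivarfs image of a PK with one X.509 entry (owner GUID is arbitrary)."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    sig_size = 16 + len(cert_der)
    sl = (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
          + owner + cert_der)
    return struct.pack("<I", attrs) + sl


def demo():
    """Constructed sample: non-volatile PK, User Mode, Secure Boot enforcing."""
    fake_cert = b"\x30\x82\x01\x00" + b"\xaa" * 20      # constructed, not a real cert
    pk = read_efivar("PK", build_pk_variable(fake_cert))
    setup_mode = read_efivar("SetupMode", struct.pack("<I", 0x06) + b"\x00")
    secure_boot = read_efivar("SecureBoot", struct.pack("<I", 0x06) + b"\x01")
    return secure_boot_state(pk, setup_mode, secure_boot)


if __name__ == "__main__":
    live_pk = read_efivar("PK")
    if live_pk is not None:
        print(secure_boot_state(live_pk, read_efivar("SetupMode"),
                                read_efivar("SecureBoot")))
    else:
        print(demo())
```

Run it as root in a Linux guest booted from OVMF with a separate writable OVMF_VARS image; a `pk_persistent` of False on a platform that reports `secure_boot` True is exactly the configuration the forked driver papered over, since the PK would vanish on the next reset.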
