render / rpms / edk2

Forked from rpms/edk2 3 months ago
Clone

Blame SOURCES/0027-Revert-OvmfPkg-use-generic-QEMU-image-loader-for-sec.patch

82dd91
From 74e5313dfa6719f7990c7e175e035d17c9b3f657 Mon Sep 17 00:00:00 2001
82dd91
From: Laszlo Ersek <lersek@redhat.com>
82dd91
Date: Fri, 5 Jun 2020 23:44:43 +0200
82dd91
Subject: Revert "OvmfPkg: use generic QEMU image loader for secure boot
82dd91
 enabled builds"
82dd91
82dd91
Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
82dd91
RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
82dd91
82dd91
- new patch (to be dropped later, hopefully)
82dd91
82dd91
This reverts commit ced77332cab626f35fbdb36630be27303d289d79.
82dd91
82dd91
Upstream commit ced77332cab6 ("OvmfPkg: use generic QEMU image loader for
82dd91
secure boot enabled builds", 2020-03-05) changes the "Secure Boot threat
82dd91
model" in a way that is incompatible with at least two use cases.
82dd91
82dd91
Namely, OVMF has always considered kernel images direct-booted via fw_cfg
82dd91
as trusted, bypassing Secure Boot validation. While that approach is
82dd91
rooted in a technicality (namely, OVMF doesn't load such images with the
82dd91
LoadImage() UEFI boot service / through the UEFI stub, but with the
82dd91
Linux/x86 Boot Protocol), that doesn't mean it's wrong. The direct-booted
82dd91
kernel from fw_cfg comes from the host side, and Secure Boot in the guest
82dd91
is a barrier between the guest firmware and the guest operating system --
82dd91
it's not a barrier between host and guest.
82dd91
82dd91
Upstream commit ced77332cab6 points out that the above (historical) OVMF
82dd91
behavior differs from ArmVirtQemu's -- the latter direct-boots kernels
82dd91
from fw_cfg with the LoadImage() / StartImage() boot services. While that
82dd91
difference indeed exists between OVMF and ArmVirtQemu, it's not relevant
82dd91
for RHEL downstream. That's because we never build the ArmVirtQemu
82dd91
firmware with the Secure Boot feature, so LoadImage() can never reject the
82dd91
direct-booted kernel due to a signing issue.
82dd91
82dd91
Subjecting a kernel direct-booted via fw_cfg to Secure Boot verification
82dd91
breaks at least two use cases with OVMF:
82dd91
82dd91
- It breaks the %check stage in the SPEC file.
82dd91
82dd91
  In that stage, we use the "ovmf-vars-generator" utility from the
82dd91
  "qemu-ovmf-secureboot" project, for verifying whether the Secure Boot
82dd91
  operational mode is enabled. The guest kernel is supposed to boot, and
82dd91
  to print "Secure boot enabled".
82dd91
82dd91
  As guest kernel, we pick whatever host kernel is available in the Brew
82dd91
  build root. The kernel in question may be a publicly released RHEL
82dd91
  kernel, signed with "Red Hat Secure Boot (signing key 1)", or a
82dd91
  development build, signed for example with "Red Hat Secure Boot Signing
82dd91
  3 (beta)". Either way, none of these keys are accepted by the
82dd91
  certificates that were enrolled by "ovmf-vars-generator" /
82dd91
  "EnrollDefaultKeys.efi" in the %build stage. Therefore, the %check stage
82dd91
  fails.
82dd91
82dd91
- It breaks "virt-install --location NETWORK-URL" Linux guest
82dd91
  installations, if the variable store template used for the new domain
82dd91
  has the Secure Boot operational mode enabled. "virt-install --location"
82dd91
  fetches the kernel from the remote OS tree, and passes it to the guest
82dd91
  firmware via fw_cfg. Therefore the above symptom appears (even for
82dd91
  publicly released OSes).
82dd91
82dd91
  Importantly, if the user downloads the installer ISO of the publicly
82dd91
  released Fedora / RHEL OS, and exposes the ISO to the guest for example
82dd91
  as a virtio-scsi CD-ROM, then the installation with "virt-install"
82dd91
  (without "--location") does succeed. That's because that way, "shim" is
82dd91
  booted first, from the UEFI-bootable CD-ROM. "Shim" does pass Secure
82dd91
  Boot verification against the Microsoft certificates, and then it is
82dd91
  "shim" that accepts the "Red Hat Secure Boot (signing key 1)" signature
82dd91
  on the guest kernel.
82dd91
82dd91
Some ways to approach this problem (without reverting upstream commit
82dd91
ced77332cab6):
82dd91
82dd91
- Equip "ovmf-vars-generator" / "EnrollDefaultKeys.efi" to enroll the
82dd91
  public half of "Red Hat Secure Boot (signing key 1)" in the %build
82dd91
  stage. Use a publicly released RHEL kernel in the %check stage.
82dd91
82dd91
  Downsides:
82dd91
82dd91
  - The Brew build root does not offer any particular released RHEL
82dd91
    kernel, so either the %check stage would have to download it, or the
82dd91
    SRPM would have to bundle it. However, Brew build environments do not
82dd91
    have unfettered network access (rightly so), so the download wouldn't
82dd91
    work. Furthermore, for bundling with the SRPM, such a kernel image
82dd91
    could be considered too large.
82dd91
82dd91
  - Does not solve the "virt-install --location" issue for other vendors'
82dd91
    signed kernels.
82dd91
82dd91
- Invoke "ovmf-vars-generator" / "EnrollDefaultKeys.efi" multiple times
82dd91
  during %build, to create multiple varstore templates. One that would
82dd91
  accept publicly released RHEL kernels, and another to accept development
82dd91
  kernels. Don't try to use a particular guest kernel for verification;
82dd91
  instead, check what kernel Brew offers in the build environment, and use
82dd91
  the varstore template matching *that* kernel.
82dd91
82dd91
  Downsides:
82dd91
82dd91
  - It may be considered useless to perform %check with a varstore
82dd91
    template that is *not* the one that we ship.
82dd91
82dd91
  - Does not solve the "virt-install --location" issue for other vendors'
82dd91
    signed kernels.
82dd91
82dd91
- Sign the RHEL kernels such that the currently enrolled certificates
82dd91
  accept them.
82dd91
82dd91
  Downsides:
82dd91
82dd91
  - Not feasible at all; it would require Microsoft to sign our kernels.
82dd91
    "Shim" exists exactly to eliminate such signing requirements.
82dd91
82dd91
- Modify "virt-install --location NETWORK-URL" such that it download a
82dd91
  complete (UEFI-bootable) installer ISO image, rather than broken-out
82dd91
  vmlinuz / initrd files. In other words, replace direct (fw_cfg) kernel
82dd91
  boot with a CD-ROM / "shim" boot, internally to "virt-install".
82dd91
82dd91
  Downsides:
82dd91
82dd91
  - Defeats the goal of "virt-install --location NETWORK-URL", and defeats
82dd91
    the network installation method of (for example) Anaconda.
82dd91
82dd91
For now, revert upstream commit ced77332cab6, in order to return to the
82dd91
model we had used in RHEL-8.2 and before. The following ticket has been
82dd91
filed to investigate the problem separately:
82dd91
<https://bugzilla.redhat.com/show_bug.cgi?id=1844653>.
82dd91
82dd91
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
82dd91
---
82dd91
 OvmfPkg/OvmfPkgIa32.dsc    | 4 ----
82dd91
 OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
82dd91
 OvmfPkg/OvmfPkgX64.dsc     | 4 ----
82dd91
 3 files changed, 12 deletions(-)
82dd91
82dd91
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
82dd91
index e8868136d8..5b1e757cb9 100644
82dd91
--- a/OvmfPkg/OvmfPkgIa32.dsc
82dd91
+++ b/OvmfPkg/OvmfPkgIa32.dsc
82dd91
@@ -379,11 +379,7 @@
82dd91
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
82dd91
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
82dd91
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
82dd91
-!if $(SECURE_BOOT_ENABLE) == TRUE
82dd91
-  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
82dd91
-!else
82dd91
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
82dd91
-!endif
82dd91
 !if $(TPM_ENABLE) == TRUE
82dd91
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
82dd91
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
82dd91
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
82dd91
index d05275a324..5dffc32105 100644
82dd91
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
82dd91
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
82dd91
@@ -383,11 +383,7 @@
82dd91
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
82dd91
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
82dd91
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
82dd91
-!if $(SECURE_BOOT_ENABLE) == TRUE
82dd91
-  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
82dd91
-!else
82dd91
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
82dd91
-!endif
82dd91
 !if $(TPM_ENABLE) == TRUE
82dd91
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
82dd91
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
82dd91
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
82dd91
index cac4cecf18..a2a76fdeea 100644
82dd91
--- a/OvmfPkg/OvmfPkgX64.dsc
82dd91
+++ b/OvmfPkg/OvmfPkgX64.dsc
82dd91
@@ -383,11 +383,7 @@
82dd91
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
82dd91
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
82dd91
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
82dd91
-!if $(SECURE_BOOT_ENABLE) == TRUE
82dd91
-  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
82dd91
-!else
82dd91
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
82dd91
-!endif
82dd91
 !if $(TPM_ENABLE) == TRUE
82dd91
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
82dd91
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
82dd91
-- 
82dd91
2.18.1
82dd91