author | Gerd Hoffmann <kraxel@redhat.com> | 2024-12-17 09:59:21 +0100 |
---|---|---|
committer | Ard Biesheuvel <workofard@gmail.com> | 2025-01-21 13:45:46 +0100 |
commit | 1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c (patch) | |
tree | 99b8bfa05141055e0894757ae842385d02cfaa97 | |
parent | 4b507b49664514d7f09e6b7a9ca2da25a5e440fd (diff) | |
download | edk2-1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c.tar.gz |
OvmfPkg/X86QemuLoadImageLib: make legacy loader configurable.
Add the 'opt/org.tianocore/EnableLegacyLoader' FwCfg option to
enable/disable the insecure legacy linux kernel loader.
For now this is enabled by default. Probably the default will be
flipped to disabled at some point in the future.
Also print a warning to the screen when the Linux kernel secure
boot verification has failed.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r-- | OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 48 | ||||
-rw-r--r-- | OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf | 1 |
2 files changed, 42 insertions, 7 deletions
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index e4dbc2dc7e..2d610f6bd3 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -19,8 +19,10 @@
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
#include <Library/QemuFwCfgLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
#include <Library/QemuLoadImageLib.h>
#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
#include <Protocol/DevicePath.h>
#include <Protocol/LoadedImage.h>
#include <Protocol/OvmfLoadedX86LinuxKernel.h>
@@ -421,13 +423,45 @@ QemuLoadKernelImage (
// Fall through
//
case EFI_ACCESS_DENIED:
- //
- // We are running with UEFI secure boot enabled, and the image failed to
- // authenticate. For compatibility reasons, we fall back to the legacy
- // loader in this case.
- //
- // Fall through
- //
+ //
+ // We are running with UEFI secure boot enabled, and the image failed to
+ // authenticate. For compatibility reasons, we fall back to the legacy
+ // loader in this case (unless disabled via fw_cfg).
+ //
+ {
+ EFI_STATUS RetStatus;
+ BOOLEAN Enabled = TRUE;
+
+ AsciiPrint (
+ "OVMF: Secure boot image verification failed. Consider using the '-shim'\n"
+ "OVMF: command line switch for qemu (available in version 10.0 + newer).\n"
+ "\n"
+ );
+
+ RetStatus = QemuFwCfgParseBool (
+ "opt/org.tianocore/EnableLegacyLoader",
+ &Enabled
+ );
+ if (EFI_ERROR (RetStatus)) {
+ Enabled = TRUE;
+ }
+
+ if (!Enabled) {
+ AsciiPrint (
+ "OVMF: Fallback to insecure legacy linux kernel loader is disabled.\n"
+ "\n"
+ );
+ return EFI_ACCESS_DENIED;
+ } else {
+ AsciiPrint (
+ "OVMF: Using legacy linux kernel loader (insecure and deprecated).\n"
+ "\n"
+ );
+ //
+ // Fall through
+ //
+ }
+ }
case EFI_UNSUPPORTED:
//
// The image is not natively supported or cross-type supported. Let's try
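Review bot: The error branch `if (EFI_ERROR (RetStatus)) { Enabled = TRUE; }` treats an absent fw_cfg option and a present-but-malformed value identically, and both silently select the insecure legacy loader, which for a knob that gates a security downgrade should at least be visible. QemuFwCfgParseBool distinguishes the two (EFI_NOT_FOUND for a missing item versus other errors, EFI_PROTOCOL_ERROR for an unparseable value if I read the parser library right), so I'd narrow the guard to `if (EFI_ERROR (RetStatus) && (RetStatus != EFI_NOT_FOUND)) { DEBUG ((DEBUG_WARN, "%a: EnableLegacyLoader: %r, using default\n", __func__, RetStatus)); }` and keep the `Enabled = TRUE;` only if the parser can write a partial result on failure — confirm against QemuFwCfgSimpleParserLib. The same goes for the two AsciiPrint warnings: a matching `DEBUG ((DEBUG_WARN, ...))` beside each would record the downgrade on the serial log when no console is attached, assuming DebugLib is already among the includes above this hunk. The `// Fall through` comment is now separated from `case EFI_UNSUPPORTED:` by two closing braces, which may defeat -Wimplicit-fallthrough comment detection; placing it directly before the case label, outside the block, is safer. QemuLoadKernelImage starts and ends outside the hunk.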
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
index c7ec041cb7..09babd3be8 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
@@ -33,6 +33,7 @@
LoadLinuxLib
PrintLib
QemuFwCfgLib
+ QemuFwCfgSimpleParserLib
ReportStatusCodeLib
UefiBootServicesTableLib
|