Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shim Reboot workaround #3

Open
wants to merge 1 commit into
base: svsm
Choose a base branch
from

Conversation

osteffenrh
Copy link

When booting a distro image that uses shim for the first time (via the removable media path),
shim will install itself as the default boot option and wants to reboot the machine.
This is annoying, since manual intervention is required, as reboots do not work under SNP.
Shim can be told to not reboot by setting an EFI variable.

Let's set this by default and never bother the user with reboots.

This is done via a code rather than pre-populating the OVMF image, since OVMF is using the
emulated in-ram variable store.

Add a callback at the end of the Dxe phase that sets the
"FB_NO_REBOOT" variable under the Shim GUID.
This is a workaround for a boot loop in case a confidential
guest that uses shim is booted with a vtpm device present.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
@osteffenrh osteffenrh force-pushed the coconut-shim-fallback-workaround branch from 5ffb4fb to 7a4cf97 Compare August 26, 2024 16:59
stefano-garzarella pushed a commit to stefano-garzarella/edk2 that referenced this pull request Oct 10, 2024
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Bug Overview:
PixieFail Bug coconut-svsm#3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Out-of-bounds read when handling a ND Redirect message with truncated
options

Change Overview:

Adds a check to prevent truncated options from being parsed
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type
field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
stefano-garzarella pushed a commit to stefano-garzarella/edk2 that referenced this pull request Nov 5, 2024
This patch does not impact functionality. It aims to clarify the
synchronization flow between the BSP and APs to enhance code
readability and understanding:

Steps tianocore#6 and tianocore#11 are the basic synchronization requirements for all
cases.

Steps coconut-svsm#1 is additional requirements if the MmCpuSyncModeTradition
mode is selected.

Steps coconut-svsm#1, coconut-svsm#2, coconut-svsm#3, coconut-svsm#4, tianocore#5, tianocore#7, tianocore#8, tianocore#9, and tianocore#10 are additional
requirements if the system needs to configure the MTRR.

Steps tianocore#9 and tianocore#10 are additional requirements if the system needs to
support the mSmmDebugAgentSupport.

Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant