shim: change automatically enable MOK_POLICY_REQUIRE_NX #761
vathpela merged 1 commit into rhboot:main from
ecd665e to 296537c
296537c to e886747
This patch is great, I haven't tested it but I'm assuming it works correctly. It solves a miserable problem around NX deployment by letting non-NX chainloaded objects continue working on non-NX machines even if the shim is set to NX compat.
Hi vathpela, I have tested your patch on OVMF edk2-stable202505 and Mu release/202202. It works for me to auto-detect the firmware's NX/RO support and auto-enable MOK_POLICY_REQUIRE_NX:

OVMF edk2-stable202505:
MdeModulePkg/MdeModulePkg.dec
shim.c:2035:efi_main() SBAT self-check succeeded
Vigor136:~ # cat /sys/firmware/efi/mok-variables/HSIStatus

Mu release/202202:
shim.c:2013:efi_main() SkuSiPolicyVersion variable initialization done
Vigor136:~ # cat /sys/firmware/efi/mok-variables/HSIStatus
Hi Marta,
Vigor136:~ # cat /sys/firmware/efi/mok-variables/HSIStatus
Could you please teach me how to enable the RO section on OVMF? Thanks a lot!
I think kraxel has done some work in https://copr.fedorainfracloud.org/coprs/kraxel/edk2.testbuilds/builds/ for this?
Hi Joey, after posting that comment, I later deleted it because I wasn't quite happy with my testing. Sorry about that! I need to do a few more tests, I think.
@joeyli I think you need edk2-ovmf-20250523-12, which is available in Fedora rawhide:
Tested the patch with edk2-ovmf-20250523-12, and it does what the commit message promises: since this fw enforces NX, a shim with the NX compat bit set only loads GRUB and kernels which are also NX compat.
[root@localhost ~]# cat /sys/firmware/efi/mok-variables/HSIStatus
If the shim is non NX-compat, it will load non NX compat GRUB and kernels even if fw is enforcing.
Thanks for vathpela's and marta's information. The opt/org.tianocore/UninstallMemAttrProtocol=no does not work for me on my OVMF for ro-sections. But I will dig into vathpela's URL to find out more detail. Thanks a lot!
After enabling the 'Set image protection policy' feature for 'Image from unknown device', the ro-sections work on OVMF edk2-stable202505 now. I put the change of OVMF here for reference:
--- edk2-edk2-stable202505.orig/MdeModulePkg/MdeModulePkg.dec

And the following is the testing result from Peter's patch with the patched OVMF edk2-stable202505:
memattrs.c:463:get_hsi_mem_info() Setting HSI from HASMAP|NX to HASMAP|HASDST|NX
Vigor136:~ # cat /sys/firmware/efi/mok-variables/HSIStatus
e886747 to 340d776
Currently whether shim enforces NX on its downstream consumers is set at build time. It would be better for this to be automatically detected and enforced.

This patch changes the policy to be dynamically detected. In the case where shim has the NX bit set and the system has an appropriate protocol installed *and* appears to be enforcing NX, we enable the MOK policy bit to require NX.

Signed-off-by: Peter Jones <pjones@redhat.com>
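As an added illustration of the runtime decision the commit message describes, and of the load outcomes reported in the test comments above, here is a small model in C. It is example code, not shim's own: the flag names and bit values are placeholders loosely modelled on the HSI flags seen in the logs (HASMAP, HASDST, NX) and on MOK_POLICY_REQUIRE_NX, and `decide_mok_policy` / `image_allowed` are hypothetical helpers.

```c
#include <stdbool.h>
#include <stdint.h>

/* Placeholder HSI status bits (constructed for this example, not shim's values). */
#define HSI_HASMAP  (1u << 0)  /* a memory-attribute protocol is installed */
#define HSI_HASDST  (1u << 1)  /* a further attribute-setting interface was found */
#define HSI_NX      (1u << 2)  /* firmware appears to be enforcing NX */

/* Placeholder MOK policy bit (constructed for this example). */
#define MOK_POLICY_REQUIRE_NX (1u << 0)

/* Decide the MOK policy at boot instead of at build time: require NX from
 * chainloaded images only when shim itself carries the NX compat bit, a
 * memory-attribute protocol is present, and the firmware enforces NX. */
uint32_t decide_mok_policy(bool shim_nx_compat, uint32_t hsi_flags)
{
    uint32_t policy = 0;
    bool has_protocol = (hsi_flags & HSI_HASMAP) != 0;
    bool enforces_nx  = (hsi_flags & HSI_NX) != 0;

    if (shim_nx_compat && has_protocol && enforces_nx)
        policy |= MOK_POLICY_REQUIRE_NX;
    return policy;
}

/* Whether a downstream image (GRUB, kernel) passes the NX policy check:
 * with the policy bit set, only NX-compatible images load; without it,
 * non-NX images keep working, which is the behaviour on non-NX machines. */
bool image_allowed(uint32_t policy, bool image_nx_compat)
{
    if (policy & MOK_POLICY_REQUIRE_NX)
        return image_nx_compat;
    return true;
}
```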
340d776 to 88cd97c