From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "Gerald Elder-Vass" <gerald.elder-vass@cloud.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Anthony PERARD" <anthony.perard@vates.tech>,
"Michal Orzel" <michal.orzel@amd.com>,
"Julien Grall" <julien@xen.org>,
"Roger Pau Monné" <roger.pau@citrix.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Kevin Lampis" <kevin.lampis@cloud.com>,
"Daniel P. Smith" <dpsmith@apertussolutions.com>,
xen-devel@lists.xenproject.org
Subject: Re: [XEN PATCH v2] efi: Use Shim's LoadImage to verify the Dom0 kernel
Date: Tue, 2 Sep 2025 17:06:54 +0200
Message-ID: <aLcIDyO4Xfcfv_gD@mail-itl>
In-Reply-To: <12dada9a-96eb-45db-bd1a-5a88e323a100@suse.com>
On Tue, Sep 02, 2025 at 05:00:52PM +0200, Jan Beulich wrote:
> On 02.09.2025 16:44, Gerald Elder-Vass wrote:
> > + else
> > + {
> > + status = efi_bs->LocateProtocol(&shim_lock_guid, NULL, (void **)&shim_lock);
> > + if ( EFI_ERROR(status) )
> > + PrintErrMesg(L"Failed to locate SHIM_LOCK protocol", status);
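Review bot: In the else branch, a failed LocateProtocol for shim_lock_guid goes straight to PrintErrMesg, so a boot where the SHIM_LOCK protocol is simply absent is handled as an error rather than as "no shim present". Consider leaving shim_lock unset when the lookup fails and reporting an error only when a located protocol rejects the image, at least when Secure Boot is not enabled; if the stricter handling is intended, it should be its own patch with the reasoning stated in the commit description.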
>
> This is a behavioral change not justified in the description. Imo, if
> the original code was wrong, that would want to be a separate change
> anyway, so right here you want to retain original behavior. Simply
> consider the case of a shim-free boot, where neither of the two
> protocols would be available.
Yes, as commented by Yann on v1, this change as is seems to break
shim-free boot (well, technically UKI is shim-free and remains working,
but you know what I mean). That needs to remain working, even if only in
the SecureBoot-free case.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab