From: Robbie Harwood
To: Glenn Washburn, grub-devel@gnu.org, Daniel Kiper
Cc: Glenn Washburn, Peter Jones
Subject: Re: [RFC PATCH] gdb: Add more support for debugging on EFI platforms
In-Reply-To: <20230227213526.2379718-1-development@efficientek.com>
References: <20230227213526.2379718-1-development@efficientek.com>
Date: Thu, 09 Mar 2023 18:00:04 -0500
List-Id: The development of GNU GRUB

Glenn Washburn writes:

> If the configure option --enable-efi-debug is given, then enable the
> printing early in EFI startup of the command needed to load symbols for
> the GRUB EFI kernel. This is needed because EFI firmware determines where
> to load the GRUB EFI at runtime, and so the relevant addresses are not
> known ahead of time. This is not printed when secure boot is enabled.
>
> The command is a custom command defined in the gdb_grub GDB script. So
> GDB should be started with the script as an argument to the -x option or
> sourced into an active GDB session before running the outputted command.
>
> Also a command named "gdbinfo" is enabled which allows the user to print
> the gdb command string on-demand, which can be valuable as the printing
> early in EFI startup is quickly replaced by other text. So if using a
> physical screen it may appear too briefly to be registered.
>
> Co-developed-by: Peter Jones
> Signed-off-by: Glenn Washburn
> ---
> This is patch 9 from the v6 "GDB script fixes and improvements" series, with
> one modification. Now the gdbinfo command will print the gdb load command
> even when the configure option is not enabled (though still not when lockdown
> is enabled).
>
> Robbie had 2 concerns with the last patch.
>
> 1. Does this need to be configurable?
> * I responded that this was requested by Daniel because of concerns about
> it breaking silent boot and it seemed reasonable to me, but that I don't
> have a strong opinion. I've left it configurable until Daniel weighs in.

Yeah, I think these concerns are valid.
The version in the rhboot tree gates printing on an env var. Right now, it
seems to me that:

- we want it to be default-off because silent boot
- we want to have the ability to re-enable without rebuilding because
  secureboot, convenience, etc.

> 2. Why should the load command not be printed when secure boot is enabled?
> * This was also requested by Daniel, I assume because of information leakage
> that may be a security concern.

I seem to have also missed Daniel's reply about this earlier, which was:

>> I think leaking info about the GRUB image addresses on the Secure
>> Boot enabled systems is not the best idea. Or do you think having
>> this feature enabled by default outweighs potential dangers coming
>> from its misuse?

I don't know how these could help an attacker. They'd need access to console
out to retrieve the values, and some way to send input... and that's basically
physical presence: at the very least, if they have those, I imagine they'd just
edit the menu entries, or drop to the grub shell. Do you see a danger here?
Be well,
--Robbie