[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC] OVMF NVRAM Variable Retention



On 06/07/18 01:59, Ross Lagerwall wrote:

On 06/06/2018 04:01 PM, aaron.young@xxxxxxxxxx wrote:


   Hello all,
I have been tasked with the issue of UEFI NVRAM variable retention with Xen HVM/OVMF based guests and wanted to consult the experts before I undertake any significant coding effort. I am new to Xen so any help/direction would be appreciated. 

   What I hope to gain from this RFC inquiry is the following:
1. Has there been any significant past discussion regarding this issue? If so, can somebody kindly point me to these discussion(s) and/or give me an overview of the findings? 

   2. Is there any current coding effort going on in this area?


Yes! I'm working on this at the moment.


    Great! I'm glad I asked before starting implementation.
3. Any suggestions or proposals on how to fix the issue including any issues or caveats that I should be aware of? 


Issue details:
In a nutshell, if a Xen guest which has been configured to use OVMF is destroyed and re-created, the UEFI NVRAM variables are not retained. This seems to be a well-known issue to which there is no resolution. The issue seems to center around the fact that these Xen guests are not configured to use a file-backed backing store for the NVRAM variables (such as is commonly used with QEMU/KVM guests).
This issue can cause OVMF OS boot option(s) to be lost preventing the ability to boot the OS after a guest is destroyed/re-created. It also has implications on secure boot (which require NVRAM variables to be retained). 


Some key observations:
1. OVMF currently supports memory-mapped, file-backed 'pflash' devices from Qemu. i.e. Qemu can map varstore files into memory for use by OVMF via -drive parameters such as: 

       -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd \
       -drive if=pflash,format=raw,file=OVMF_VARS.fd
OVMF scans the flash device (i.e. the Non-volatile data storage FV) for a mapped varstore and if found will use it store NVRAM variables (via its QemuFlashFvbServicesRuntimeDxe driver)
This is outlined well in the OVMF whitepaper (http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt)
2. When Xen HVM/OVMF guests are created, the qemu process that is executed (from xl) does not contain these -drive arguments. Thus qemu does not map a varstore for use by OVMF causing OVMF to fallback and use a simple memory buffer for NVRAM variables (if I'm not mistaken here). This causes the variables to not be retained across destroy/create operations on the VM.
3. Unlike qemu/kvm guests where both OVMF and the varstore file are loaded/mapped into memory and executed directly by qemu, Xen appears to only use qemu as a "device model" and OVMF is not mapped/loaded directly by qemu. Instead, under Xen, OVMF is loaded indirectly by hvmloader (which is loaded by qemu). This could complicate the fix idea below. 


Possible idea for fix:
Since OVMF currently has support for QEMU mapped varstore files, it seems the most straightforward way to fix this issue would be for Xen (i.e. xl) to pass a -drive argument to qemu to specify a varstore file and to enhance the Xen memory init code in qemu (i.e. xen_hvm.c:xen_[hvm|ram]_init()) to map this file into memory for use by OVMF (possibly taking advantage of the already present qemu code to do such a mapping (i.e. code out of pc_memory_init()). As mentioned above, this would have to (somehow) be compatible with how OVMF is loaded indirectly by hvmloader. 

   Any comments/suggestions/opinions/caveats on this approach?


I did this a while back. It is easy enough to do:

1) Have Xen load OVMF_code.fd rather than the combined blob.

2) Tweak the location in guest memory where hvmloader loads the blob.

3) Tweak QEMU to load the OVMF_vars.fd blob at the correct location.

4) Start QEMU with emulated flash for OVMF_vars.fd only.
Tweaking the locations ensures that the various parts of OVMF are at the location it expects. If you want, I could probably dig up some patches (hacks) which do this. 

    Yes, this is the _exact_ solution I had in mind.
I would very much like to see your patches so I can see how you did it (which would assist me in learning the code). If you wouldn't mind, could please send the patches to me privately? I'd greatly appreciate it. Thanks!! 





   Or any other suggested approaches on how to fix this issue?


However... I did not like this approach for two reasons:
1) Having an emulated flash blob is difficult to manage outside of the guest (i.e. populating initial state, updating variables if needed). For XenServer, we want more flexibility.
2) While Secure Boot can be enabled with this implementation, it is not sufficiently secure because the guest is able to write anything it wants to the emulated flash. KVM solved this problem with SMM mode but I don't like that solution either. 

So I am busy implementing:
A UEFI driver frontend which implements variable services by proxying requests to a backend running in dom0 (could be part of QEMU). This ensures security because the guest cannot directly write to the variable storage and the authentication checks are done outside of guest context. It allows flexibility because the backend can store the variables in any form (e.g. an sqlite database) rather than being restricted to an emulated flash blob.
So far I've got the normal variable services implemented and am busy with the authenticated variable services.
Let me know if you have any questions. I hope to present this approach at the QEMU/KVM forum later this year. 

Hope that helps,


  Thank you very much for the info.

   Look forward to your solution!

  -Aaron


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.