[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/boot: fix MB2 header to require EFI BS



On Tue, Oct 24, 2017 at 03:49:10PM -0500, Doug Goldstein wrote:
> On 10/24/17 3:22 PM, Andrew Cooper wrote:
> > On 24/10/17 21:08, Daniel Kiper wrote:
> >> On Tue, Oct 24, 2017 at 02:40:41PM -0500, Doug Goldstein wrote:
> >>> The EFI multiboot2 entry point currently requires EFI BootServices to
> >>> not have been exited however the header currently tells the boot
> >>> loader that Xen optionally supports EFI BootServices having been exited.
> >>> With this change Xen properly advertises that EFI must not be exited
> >>> allowing the boot loader to report an error that it cannot boot Xen if
> >>> it is unable to meet its needs.
> >>>
> >>> Signed-off-by: Doug Goldstein <cardoe@xxxxxxxxxx>
> >>> ---
> >>>
> >>> This should likely be applied against Xen 4.9 and Xen 4.10 as well as
> >>> staging. I am trying to get multiboot2 support for iPXE and upstream
> >>> is concerned that leaving EFI BootServices enabled will not be
> >>> compatible with their aims to support Secure Boot. So when I build
> >> Hmmm... What are exact arguments for that? How do they implement e.g.
> >> chain loading then? What about the shim support?
> >>
> >>> my iPXE without support for passing on Boot Services, Xen will be
> >>> loaded by iPXE but then it will fall down with "ERR: Bootloader
> >>> shutdown EFI x64 boot services!" implying that this is required. By
> >>> having Xen expose in its header that its required it allows me to
> >>> handle the situation gracefully in iPXE.
> >>>
> >>> To quote the multiboot2 spec exact:
> >>>
> >>> "This tag indicates that payload supports starting without terminating
> >>> boot services."
> >>>
> >>> Unfortunately the spec is a bit vague and how I am reading it is:
> >>> - no tag = exit boot services in the boot loader
> >>> - tag present marked optional = boot loader can or cannot exit boot 
> >>> services
> >>> - tag present marked required = boot loader cannot exit boot services
> >> NACK, please take a look at section 3.1.4, Multiboot2 information request
> >> in Multiboot2 spec. OPTIONAL/REQUIRED has different meaning for the 
> >> bootloader
> >> than you think.
> >
> > The meaning of tag, if understood by Grub, is "don't exit boot services
> > before passing control".
> >
> > The tag is currently marked as optional, which means Grub is free to
> > ignore it if it doesn't understand it, resulting in EBS being called
> > before passing control.
> >
> > Xen cannot cope with with EBS having been called, so must not be passed
> > control under those circumstances.
> >
> > Doug's patch marks it as non-optional which, by that section above,
> > requires Grub to fail with an error rather than proceeding, if it does
> > not understand the tag.
> >
> >
> > By my reading, Doug's patch looks correct.
> >
> > How does your interpretation of the spec differ?
> >
> > ~Andrew
> >
>
> So I've been sitting here reading it for a bit. I'm guessing what Daniel
> is arguing is that the spec says that the boot loader MUST understand a
> tag if its marked as required and does not have to understand it if its
> marked as optional. The next sentence then seems to be a total escape
> hatch because it seems to imply that the boot loader doesn't have to
> respect any tag regardless of its required or optional settings. Which
> seems to defeat the purpose of having any info requests at all. And
> results in no guarantees that if your binary requires something that it
> will get it before being executed. And therefore requires a binary to
> support all cases always.

Sadly you are right here.

> If that's truly the case you are arguing for Daniel then this whole spec
> really has too big of a loophole to be safely considered as useful. I
> know that's a bit harsh but as more tags are added over time the matrix
> of required support will snowball.

I think that we can use another bit from flags and if it set then
interpret it as: I (image/OS/Xen/...) have to have this data. If
you (the booloader) are not able to provide it then do not start
me and fail nicely, e.g. display user prompt. This bit should be
checked only if current bit is in REQUIRED state. Otherwise, if new
bit is in REQUIRED state and current one is in OPTIONAL state then
the bootloader should complain. This way older GRUB will fail if it
sees an unsupported option and newer one will always provide required
data to the loaded image. And by the way, we should check unused
flags bits for 1. If one of it is set then the bootloader should fail.
Right now at least GRUB2 does not do that.

Does it make sense?

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.