On 26.03.25 at 15:40, dann frazier wrote:
> On Tue, Mar 25, 2025 at 11:03 AM Fiona Ebner <f.eb...@proxmox.com> wrote:
>>
>> Hi,
>> I believe this is the same issue as reported here [0] and there doesn't
>> seem to be much interest from upstream to provide a workaround unfortunately.
>
> Thanks Fiona, I hadn't seen that specific discussion. To be fair,
> upstream has provided an interface to work around this issue:
>
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#security-optorgtianocoreuninstallmemattrprotocol
>
> And that can be set either as a build-time default or as runtime w/
> -fw_cfg, but I'm confused about why the -fw_cfg parameter didn't avoid
> the issue for me. I'll build a debug version to make sure I haven't
> just fat-fingered something.
>

AFAIU, for x86_64, this depends on the open pull request [0] that was also mentioned in the mailing list thread.

>> So does the EFI_MEMORY_ATTRIBUTE_PROTOCOL need to be disabled/reverted
>> like is already done for arm [1]?
>
> What I propose is that we disable it at build time for the non-secboot
> variant, but leave it on for the secboot variant, for both
> architectures. This appears to be what Fedora is planning for Fedora
> 42:
> https://src.fedoraproject.org/rpms/edk2/blob/f42/f/README.experimental#_15
>
> I fear that if we keep disabling it entirely, we'll just be adding to
> the problem. Users should be able to override this w/ the -fw_cfg
> setting, if I can figure out why that isn't working for me.

That is a good point!

[0]: https://github.com/tianocore/edk2/pull/10667

Best Regards,
Fiona