On Tue, Mar 25, 2025 at 11:03 AM Fiona Ebner <f.eb...@proxmox.com> wrote:
>
> Hi,
> I believe this is the same issue as reported here [0] and there doesn't
> seem much interest from upstream to provide a workaround unfortunately.

Thanks Fiona, I hadn't seen that specific discussion. To be fair,
upstream has provided an interface to work around this issue:
  
https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#security-optorgtianocoreuninstallmemattrprotocol

And that can be set either as a build-time default or as runtime w/
-fw_cfg, but I'm confused about why the -fw_cfg parameter didn't avoid
the issue for me. I'll build a debug version to make sure I haven't
just fat-fingered something.

> So does the EFI_MEMORY_ATTRIBUTE_PROTOCOL need to be disabled/reverted
> like is already done for arm [1]?

What I propose is that we disable it at build time for the non-secboot
variant, but leave it on for the secboot variant, for both
architectures. This appears to be what Fedora is planning for Fedora
42:
  https://src.fedoraproject.org/rpms/edk2/blob/f42/f/README.experimental#_15

I fear that if we keep disabling it entirely, we'll just be adding to
the problem. Users should be able to override this w/ the -fw_cfg
setting, if I can figure out why that isn't working for me.

  -dann
