On Tue, Mar 25, 2025 at 11:03 AM Fiona Ebner <f.eb...@proxmox.com> wrote:
>
> Hi,
> I believe this is the same issue as reported here [0] and there doesn't
> seem much interest from upstream to provide a workaround unfortunately.

Thanks Fiona, I hadn't seen that specific discussion. To be fair, upstream has provided an interface to work around this issue:

https://github.com/tianocore/edk2/blob/master/OvmfPkg/RUNTIME_CONFIG.md#security-optorgtianocoreuninstallmemattrprotocol

And that can be set either as a build-time default or as runtime w/ -fw_cfg, but I'm confused about why the -fw_cfg parameter didn't avoid the issue for me. I'll build a debug version to make sure I haven't just fat-fingered something.

> So does the EFI_MEMORY_ATTRIBUTE_PROTOCOL need to be disabled/reverted
> like is already done for arm [1]?

What I propose is that we disable it at build time for the non-secboot variant, but leave it on for the secboot variant, for both architectures. This appears to be what Fedora is planning for Fedora 42:

https://src.fedoraproject.org/rpms/edk2/blob/f42/f/README.experimental#_15

I fear that if we keep disabling it entirely, we'll just be adding to the problem. Users should be able to override this w/ the -fw_cfg setting, if I can figure out why that isn't working for me.

-dann