Hi Alper,

On Sat, 8 Jul 2023 at 18:21, Alper Nebi Yasak <alpernebiya...@gmail.com> wrote:
>
> Debian's arm64 UEFI Secure Boot shim makes the EFI variable store run
> out of space while mirroring its MOK database to variables. This can be
> observed in QEMU like so:
>
>   $ tools/buildman/buildman -o build/qemu_arm64 --boards=qemu_arm64 -w
>   $ cd build/qemu_arm64
>   $ curl -L -o debian.iso \
>       https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso
>   $ qemu-system-aarch64 \
>       -nographic -bios u-boot.bin \
>       -machine virt -cpu cortex-a53 -m 1G -smp 2 \
>       -drive if=virtio,file=debian.iso,index=0,format=raw,readonly=on,media=cdrom
>   [...]
>   => # interrupt autoboot
>   => env set -e -bs -nv -rt -guid 605dab50-e046-4300-abb6-3dd810dd8b23 SHIM_VERBOSE 1
>   => boot
>   [...]
>   mok.c:296:mirror_one_esl() SetVariable("MokListXRT43", ... varsz=0x4C) = Out of Resources
>   mok.c:452:mirror_mok_db() esd:0x7DB92D20 adj:0x30
>   Failed to set MokListXRT: Out of Resources
>   mok.c:767:mirror_one_mok_variable() mirror_mok_db("MokListXRT", datasz=17328) returned Out of Resources
>   mok.c:812:mirror_one_mok_variable() returning Out of Resources
>   Could not create MokListXRT: Out of Resources
>   [...]
>   Welcome to GRUB!
>
> This would normally be fine as shim would continue to run grubaa64.efi,
> but shim's error handling code for this case has a bug [1] that causes a
> synchronous abort on at least chromebook_kevin (but apparently not on
> QEMU arm64).
>
> Double the default variable store size so the variables fit. There is a
> note about this value matching PcdFlashNvStorageVariableSize when
> EFI_MM_COMM_TEE is enabled, so keep the old default in that case.

Thanks for the report. That EFI_MM_COMM_TEE basically means that the variables will be stored in an RPMB partition of an eMMC device. This has a couple of advantages compared to storing it in a file (mostly security related), but I can change that in the future. When you use 32kb how much space do you have left after MoK etc have been written? Thanks /Ilias > [1] https://github.com/rhboot/shim/pull/577 > > Signed-off-by: Alper Nebi Yasak <alpernebiya...@gmail.com> > --- > I'm not very familiar with EFI things, apologies if this default > should not be changed (consider this a bug report in that case). > > lib/efi_loader/Kconfig | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index c5835e6ef61a..0660d1174902 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -96,7 +96,8 @@ endif > > config EFI_VAR_BUF_SIZE > int "Memory size of the UEFI variable store" > - default 16384 > + default 16384 if EFI_MM_COMM_TEE > + default 32768 > range 4096 2147483647 > help > This defines the size in bytes of the memory area reserved for > keeping > @@ -106,7 +107,7 @@ config EFI_VAR_BUF_SIZE > match the value of PcdFlashNvStorageVariableSize used to compile the > StandAloneMM module. > > - Minimum 4096, default 16384. > + Minimum 4096, default 32768, or 16384 when using StandAloneMM. > > config EFI_GET_TIME > bool "GetTime() runtime service" > -- > 2.40.1 >
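Review bot: In the first hunk (config EFI_VAR_BUF_SIZE), the new "default 32768" is sized from a single observation, and the commit message does not say how much of the store remains free once shim has mirrored its MOK variables. The quoted log shows MokListXRT alone at datasz=17328, which is already larger than the old 16384, so please add the measured usage after boot to the commit message to make the remaining margin visible. The "default 16384 if EFI_MM_COMM_TEE" line also keeps that configuration at a size the same log exceeds; say whether that case was tested or whether the failure is knowingly left in place there because of the PcdFlashNvStorageVariableSize constraint.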
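Review bot: In the second hunk (help text of EFI_VAR_BUF_SIZE), the new sentence "Minimum 4096, default 32768, or 16384 when using StandAloneMM." names StandAloneMM, while the default line it describes is conditioned on EFI_MM_COMM_TEE; naming the symbol in the help text would keep the two in step. The values are now repeated in the range line, the two default lines and the help, so a later change has to touch all of them; consider dropping the numbers from the help and keeping only the guidance about matching PcdFlashNvStorageVariableSize.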