[PATCH] efi_loader: Increase default variable store size to 32K

Alper Nebi Yasak alpernebiyasak at gmail.com
Fri Aug 4 13:50:08 CEST 2023 

Hi Ilias,

On 2023-07-28 14:15 +03:00, Ilias Apalodimas wrote:
> On Sat, 8 Jul 2023 at 18:21, Alper Nebi Yasak <alpernebiyasak at gmail.com> wrote:
>>
>> Debian's arm64 UEFI Secure Boot shim makes the EFI variable store run
>> out of space while mirroring its MOK database to variables. This can be
>> observed in QEMU like so:
>>
>>   $ tools/buildman/buildman -o build/qemu_arm64 --boards=qemu_arm64 -w
>>   $ cd build/qemu_arm64
>>   $ curl -L -o debian.iso \
>>       https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso
>>   $ qemu-system-aarch64 \
>>       -nographic -bios u-boot.bin \
>>       -machine virt -cpu cortex-a53 -m 1G -smp 2 \
>>       -drive if=virtio,file=debian.iso,index=0,format=raw,readonly=on,media=cdrom
>>   [...]
>>   => # interrupt autoboot
>>   => env set -e -bs -nv -rt -guid 605dab50-e046-4300-abb6-3dd810dd8b23 SHIM_VERBOSE 1
>>   => boot
>>   [...]
>>   mok.c:296:mirror_one_esl() SetVariable("MokListXRT43", ... varsz=0x4C) = Out of Resources
>>   mok.c:452:mirror_mok_db() esd:0x7DB92D20 adj:0x30
>>   Failed to set MokListXRT: Out of Resources
>>   mok.c:767:mirror_one_mok_variable() mirror_mok_db("MokListXRT",  datasz=17328) returned Out of Resources
>>   mok.c:812:mirror_one_mok_variable() returning Out of Resources
>>   Could not create MokListXRT: Out of Resources
>>   [...]
>>   Welcome to GRUB!
>>
>> This would normally be fine as shim would continue to run grubaa64.efi,
>> but shim's error handling code for this case has a bug [1] that causes a
>> synchronous abort on at least chromebook_kevin (but apparently not on
>> QEMU arm64).
>>
>> Double the default variable store size so the variables fit. There is a
>> note about this value matching PcdFlashNvStorageVariableSize when
>> EFI_MM_COMM_TEE is enabled, so keep the old default in that case.
> 
> Thanks for the report.  That EFI_MM_COMM_TEE basically means that the
> variables will be stored in an RPMB partition of an eMMC device.  This
> has a couple of advantages compared to storing it in a file (mostly
> security related), but I can change that in the future.

I've read your article on it, but haven't really explored this stuff
because one-time-programmable things make me a bit afraid.

Mind that this happens even without any persistence at all, i.e.
ENV_IS_NOWHERE and EFI_VARIABLE_NO_STORE.

> When you use 32kb how much space do you have left after MoK etc have
> been written?
I can press "c" at the GRUB menu and run "exit" to get back to the
U-Boot shell, then I have:

=> efidebug query -bs -rt -nv
Max storage size 65512
Remaining storage size 54968
Max variable size 65480

=> env print -e -n
SecureBoot:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x1
SetupMode:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x1
AuditMode:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x1
DeployedMode:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x1
VendorKeys:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x1
PlatformLangCodes:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x6
PlatformLang:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    NV|BS|RT, DataSize = 0x6
OsIndicationsSupported:
    8be4df61-93ca-11d2-aa0d-00e098032b8c (EFI_GLOBAL_VARIABLE_GUID)
    BS|RT|RO, DataSize = 0x8
SbatLevel:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    NV|BS, DataSize = 0x19
MokListRT:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x3ce
MokListXRT:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x21d8
SbatLevelRT:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x19
MokListTrustedRT:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x1

It's weird seeing 65512 - 54968 == 10544 < 16K. (Heinrich bumped it to
64K as he applied the patch, based on Windows docs.) But I'm noticing
how MokListXRT DataSize 0x21d8 * 2 == 17328 matches the datasz value in
the error.

If I retry with 16K, I see 43 extra values each with 0x4c size in
addition to the above.

=> efidebug query -bs -rt -nv
Max storage size 16360
Remaining storage size 0
Max variable size 16328

=> env print -e -n
[...]
MokListXRT1:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x4c
[..]
MokListXRT43:
    605dab50-e046-4300-abb6-3dd810dd8b23
(605dab50-e046-4300-abb6-3dd810dd8b23)
    BS|RT, DataSize = 0x4c

Hope that helps, tell me if there's other commands you want me to run.

More information about the U-Boot mailing list