[PATCH] efi_loader: Increase default variable store size to 32K

Alper Nebi Yasak alpernebiyasak at gmail.com
Sat Jul 8 17:21:12 CEST 2023


Debian's arm64 UEFI Secure Boot shim makes the EFI variable store run
out of space while mirroring its MOK database to variables. This can be
observed in QEMU like so:

  $ tools/buildman/buildman -o build/qemu_arm64 --boards=qemu_arm64 -w
  $ cd build/qemu_arm64
  $ curl -L -o debian.iso \
      https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso
  $ qemu-system-aarch64 \
      -nographic -bios u-boot.bin \
      -machine virt -cpu cortex-a53 -m 1G -smp 2 \
      -drive if=virtio,file=debian.iso,index=0,format=raw,readonly=on,media=cdrom
  [...]
  => # interrupt autoboot
  => env set -e -bs -nv -rt -guid 605dab50-e046-4300-abb6-3dd810dd8b23 SHIM_VERBOSE 1
  => boot
  [...]
  mok.c:296:mirror_one_esl() SetVariable("MokListXRT43", ... varsz=0x4C) = Out of Resources
  mok.c:452:mirror_mok_db() esd:0x7DB92D20 adj:0x30
  Failed to set MokListXRT: Out of Resources
  mok.c:767:mirror_one_mok_variable() mirror_mok_db("MokListXRT",  datasz=17328) returned Out of Resources
  mok.c:812:mirror_one_mok_variable() returning Out of Resources
  Could not create MokListXRT: Out of Resources
  [...]
  Welcome to GRUB!

This would normally be fine as shim would continue to run grubaa64.efi,
but shim's error handling code for this case has a bug [1] that causes a
synchronous abort on at least chromebook_kevin (but apparently not on
QEMU arm64).

Double the default variable store size so the variables fit. There is a
note about this value matching PcdFlashNvStorageVariableSize when
EFI_MM_COMM_TEE is enabled, so keep the old default in that case.

[1] https://github.com/rhboot/shim/pull/577

Signed-off-by: Alper Nebi Yasak <alpernebiyasak at gmail.com>
---
I'm not very familiar with EFI things, apologies if this default
should not be changed (consider this a bug report in that case).

 lib/efi_loader/Kconfig | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c5835e6ef61a..0660d1174902 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -96,7 +96,8 @@ endif
 
 config EFI_VAR_BUF_SIZE
 	int "Memory size of the UEFI variable store"
-	default 16384
+	default 16384 if EFI_MM_COMM_TEE
+	default 32768
 	range 4096 2147483647
 	help
 	  This defines the size in bytes of the memory area reserved for keeping
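
Review bot: The two `default` lines only behave as intended because Kconfig takes the first default whose condition holds, so `default 16384 if EFI_MM_COMM_TEE` has to stay above the unconditional `default 32768`; a one-line comment above them would guard against a later reorder. Separately, the log in the commit message shows MokListXRT alone at datasz=17328, which leaves less than half of the new 32768 bytes for every other variable, so it would help to state in the commit message or help text how much headroom was measured after shim finishes mirroring.
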
@@ -106,7 +107,7 @@ config EFI_VAR_BUF_SIZE
 	  match the value of PcdFlashNvStorageVariableSize used to compile the
 	  StandAloneMM module.
 
-	  Minimum 4096, default 16384.
+	  Minimum 4096, default 32768, or 16384 when using StandAloneMM.
 
 config EFI_GET_TIME
 	bool "GetTime() runtime service"
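
Review bot: The updated help line says "when using StandAloneMM", while the default added above is keyed on EFI_MM_COMM_TEE; naming the symbol here (for example "or 16384 if EFI_MM_COMM_TEE is enabled") would let a reader match the help text to the condition without guessing. The sentence above it still says the value must match PcdFlashNvStorageVariableSize, so the help could also say that 16384 is only a starting point in that case and the StandAloneMM build value takes precedence.
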
-- 
2.40.1


