[PATCH] efi_loader: Increase default variable store size to 32K

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Jul 28 13:15:40 CEST 2023


Hi Alper,

On Sat, 8 Jul 2023 at 18:21, Alper Nebi Yasak <alpernebiyasak at gmail.com> wrote:
>
> Debian's arm64 UEFI Secure Boot shim makes the EFI variable store run
> out of space while mirroring its MOK database to variables. This can be
> observed in QEMU like so:
>
>   $ tools/buildman/buildman -o build/qemu_arm64 --boards=qemu_arm64 -w
>   $ cd build/qemu_arm64
>   $ curl -L -o debian.iso \
>       https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso
>   $ qemu-system-aarch64 \
>       -nographic -bios u-boot.bin \
>       -machine virt -cpu cortex-a53 -m 1G -smp 2 \
>       -drive if=virtio,file=debian.iso,index=0,format=raw,readonly=on,media=cdrom
>   [...]
>   => # interrupt autoboot
>   => env set -e -bs -nv -rt -guid 605dab50-e046-4300-abb6-3dd810dd8b23 SHIM_VERBOSE 1
>   => boot
>   [...]
>   mok.c:296:mirror_one_esl() SetVariable("MokListXRT43", ... varsz=0x4C) = Out of Resources
>   mok.c:452:mirror_mok_db() esd:0x7DB92D20 adj:0x30
>   Failed to set MokListXRT: Out of Resources
>   mok.c:767:mirror_one_mok_variable() mirror_mok_db("MokListXRT",  datasz=17328) returned Out of Resources
>   mok.c:812:mirror_one_mok_variable() returning Out of Resources
>   Could not create MokListXRT: Out of Resources
>   [...]
>   Welcome to GRUB!
>
> This would normally be fine as shim would continue to run grubaa64.efi,
> but shim's error handling code for this case has a bug [1] that causes a
> synchronous abort on at least chromebook_kevin (but apparently not on
> QEMU arm64).
>
> Double the default variable store size so the variables fit. There is a
> note about this value matching PcdFlashNvStorageVariableSize when
> EFI_MM_COMM_TEE is enabled, so keep the old default in that case.

Thanks for the report.  That EFI_MM_COMM_TEE basically means that the
variables will be stored in an RPMB partition of an eMMC device.  This
has a couple of advantages compared to storing it in a file (mostly
security related), but I can change that in the future. When you use
32kb, how much space do you have left after MoK etc. have been written?

Thanks
/Ilias

> [1] https://github.com/rhboot/shim/pull/577
>
> Signed-off-by: Alper Nebi Yasak <alpernebiyasak at gmail.com>
> ---
> I'm not very familiar with EFI things, apologies if this default
> should not be changed (consider this a bug report in that case).
>
>  lib/efi_loader/Kconfig | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index c5835e6ef61a..0660d1174902 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -96,7 +96,8 @@ endif
>
>  config EFI_VAR_BUF_SIZE
>         int "Memory size of the UEFI variable store"
> -       default 16384
> +       default 16384 if EFI_MM_COMM_TEE
> +       default 32768
>         range 4096 2147483647
>         help
>           This defines the size in bytes of the memory area reserved for keeping
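Review bot: The unconditional `default 32768` is not backed by a measurement of what the store actually needs. The log in the commit message shows mirror_mok_db("MokListXRT", datasz=17328) failing, so that one variable alone takes more than half of 32768 before any other variable is counted. Please state in the commit message how much of the store is in use after shim has finished with the new size, so the value is chosen with known headroom rather than by doubling. The order of the two default lines is correct and should stay as is: Kconfig takes the first default whose condition holds, so `default 16384 if EFI_MM_COMM_TEE` has to come before the unconditional line.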
> @@ -106,7 +107,7 @@ config EFI_VAR_BUF_SIZE
>           match the value of PcdFlashNvStorageVariableSize used to compile the
>           StandAloneMM module.
>
> -         Minimum 4096, default 16384.
> +         Minimum 4096, default 32768, or 16384 when using StandAloneMM.
>
>  config EFI_GET_TIME
>         bool "GetTime() runtime service"
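Review bot: In the help text line "Minimum 4096, default 32768, or 16384 when using StandAloneMM", the condition is named differently from the symbol that selects it in the default line (`EFI_MM_COMM_TEE`). Suggest wording it as "16384 when EFI_MM_COMM_TEE is enabled" so a reader can match the help text to the Kconfig condition. Alternatively drop the numbers from the help text, since the range and default lines already carry them and the copy in the help text has to be updated by hand whenever they change.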
> --
> 2.40.1
>

