OvmfPkg/X86QemuLoadImageLib: make legacy loader configurable.

Add the 'opt/org.tianocore/EnableLegacyLoader' FwCfg option to enable/disable the insecure legacy linux kernel loader. For now this is enabled by default. Probably the default will be flipped to disabled at some point in the future. Also print a warning to the screen in case the linux kernel secure boot verification has failed. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2025-04-08 17:05:09 +02:00 · 2024-12-17 09:59:21 +01:00 · 2024-12-17 09:59:21 +01:00 · 1549bf11cc
commit 1549bf11cc
parent 4b507b4966
2 changed files with 42 additions and 7 deletions
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@ -19,8 +19,10 @@
 #include <Library/MemoryAllocationLib.h>
 #include <Library/PrintLib.h>
 #include <Library/QemuFwCfgLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
 #include <Library/QemuLoadImageLib.h>
 #include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
 #include <Protocol/DevicePath.h>
 #include <Protocol/LoadedImage.h>
 #include <Protocol/OvmfLoadedX86LinuxKernel.h>
@ -421,13 +423,45 @@ QemuLoadKernelImage (
    // Fall through
    //
    case EFI_ACCESS_DENIED:
-    //
-    // We are running with UEFI secure boot enabled, and the image failed to
-    // authenticate. For compatibility reasons, we fall back to the legacy
-    // loader in this case.
-    //
-    // Fall through
-    //
+      //
+      // We are running with UEFI secure boot enabled, and the image failed to
+      // authenticate. For compatibility reasons, we fall back to the legacy
+      // loader in this case (unless disabled via fw_cfg).
+      //
+    {
+      EFI_STATUS  RetStatus;
+      BOOLEAN     Enabled = TRUE;
+
+      AsciiPrint (
+        "OVMF: Secure boot image verification failed.  Consider using the '-shim'\n"
+        "OVMF: command line switch for qemu (available in version 10.0 + newer).\n"
+        "\n"
+        );
+
+      RetStatus = QemuFwCfgParseBool (
+                    "opt/org.tianocore/EnableLegacyLoader",
+                    &Enabled
+                    );
+      if (EFI_ERROR (RetStatus)) {
+        Enabled = TRUE;
+      }
+
+      if (!Enabled) {
+        AsciiPrint (
+          "OVMF: Fallback to insecure legacy linux kernel loader is disabled.\n"
+          "\n"
+          );
+        return EFI_ACCESS_DENIED;
+      } else {
+        AsciiPrint (
+          "OVMF: Using legacy linux kernel loader (insecure and deprecated).\n"
+          "\n"
+          );
+        //
+        // Fall through
+        //
+      }
+    }
    case EFI_UNSUPPORTED:
      //
      // The image is not natively supported or cross-type supported. Let's try
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
@ -33,6 +33,7 @@
  LoadLinuxLib
  PrintLib
  QemuFwCfgLib
+  QemuFwCfgSimpleParserLib
  ReportStatusCodeLib
  UefiBootServicesTableLib