From 9fd3f881c6edb3daf42277a24c4d1b8932a6df50 Mon Sep 17 00:00:00 2001 From: Alper Nebi Yasak Date: Sat, 8 Jul 2023 18:21:12 +0300 Subject: [PATCH] efi_loader: Increase default variable store size to 64KiB Debian's arm64 UEFI Secure Boot shim makes the EFI variable store run out of space while mirroring its MOK database to variables. This can be observed in QEMU like so: $ tools/buildman/buildman -o build/qemu_arm64 --boards=qemu_arm64 -w $ cd build/qemu_arm64 $ curl -L -o debian.iso \ https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso $ qemu-system-aarch64 \ -nographic -bios u-boot.bin \ -machine virt -cpu cortex-a53 -m 1G -smp 2 \ -drive if=virtio,file=debian.iso,index=0,format=raw,readonly=on,media=cdrom [...] => # interrupt autoboot => env set -e -bs -nv -rt -guid 605dab50-e046-4300-abb6-3dd810dd8b23 SHIM_VERBOSE 1 => boot [...] mok.c:296:mirror_one_esl() SetVariable("MokListXRT43", ... varsz=0x4C) = Out of Resources mok.c:452:mirror_mok_db() esd:0x7DB92D20 adj:0x30 Failed to set MokListXRT: Out of Resources mok.c:767:mirror_one_mok_variable() mirror_mok_db("MokListXRT", datasz=17328) returned Out of Resources mok.c:812:mirror_one_mok_variable() returning Out of Resources Could not create MokListXRT: Out of Resources [...] Welcome to GRUB! This would normally be fine as shim would continue to run grubaa64.efi, but shim's error handling code for this case has a bug [1] that causes a synchronous abort on at least chromebook_kevin (but apparently not on QEMU arm64). Double the default variable store size so the variables fit. There is a note about this value matching PcdFlashNvStorageVariableSize when EFI_MM_COMM_TEE is enabled, so keep the old default in that case. [1] https://github.com/rhboot/shim/pull/577 Signed-off-by: Alper Nebi Yasak Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/Kconfig | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index c5835e6ef6..a22e47616f 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -96,7 +96,8 @@ endif config EFI_VAR_BUF_SIZE int "Memory size of the UEFI variable store" - default 16384 + default 16384 if EFI_MM_COMM_TEE + default 65536 range 4096 2147483647 help This defines the size in bytes of the memory area reserved for keeping @@ -106,7 +107,7 @@ config EFI_VAR_BUF_SIZE match the value of PcdFlashNvStorageVariableSize used to compile the StandAloneMM module. - Minimum 4096, default 16384. + Minimum 4096, default 65536, or 16384 when using StandAloneMM. config EFI_GET_TIME bool "GetTime() runtime service"
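Review bot: The `default 16384 if EFI_MM_COMM_TEE` line in the first hunk leaves StandAloneMM builds at the old size, so a shim that mirrors a MOK database larger than 16 KiB (the log in the description shows `datasz=17328` for MokListXRT) would presumably still get Out of Resources there unless PcdFlashNvStorageVariableSize is raised when StandAloneMM is compiled. The help text should say this rather than only list the two defaults, for example `Secure Boot shims mirror their MOK lists into UEFI variables and may need more than 16384 bytes; with StandAloneMM, raise PcdFlashNvStorageVariableSize to match.` It is also worth checking that no board with a small memory budget relies on the implicit 16384, since every configuration without EFI_MM_COMM_TEE and without an explicit value now reserves 65536 bytes. The middle of the help text lies between the two hunks and is not visible here.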