Updated support for SHIM on RISC-V #641
Conversation
Add what is needed to build on riscv64. Signed-off-by: Heinrich Schuchardt <[email protected]> This is an update to rhboot#420 which brings it in alignment with the current upstream. Signed-off-by: Brian 'redbeard' Harrington <[email protected]>
brianredbeard
force-pushed
the
riscv-shim
branch
from
144f786 to
debe983
Compare
|
@vathpela can we get a review? |
brianredbeard
force-pushed
the
riscv-shim
branch
from
debe983 to
5031a99
Compare
|
FYI, reverted the previous commit after a discussion with @xypron. Heinrich helpfully pointed out that the structure of pre-processor definitions in the form of |
|
FYI gnu-efi ( https://github.com/rhboot/gnu-efi/tree/master ) has been rebased to 3.0.18 (released 3 days ago!). The builds are already available for F40 and F41 in Fedora too: |
Make.defaults
Outdated
| ARCH_GNUEFI ?= riscv64 | ||
| ARCH_SUFFIX ?= riscv64 | ||
| ARCH_SUFFIX_UPPER ?= RISCV64 | ||
| FORMAT := -O binary |
There was a problem hiding this comment.
We had some discussions with Peter Jones last year. There was a strong preference not to add more "-O binary" architectures. Two patches landed in binutils 2.42:
[PATCH] Add basic support for RISC-V 64-bit EFI objects
[PATCH] Handle "efi-app-riscv64" and similar targets in objcopy. // From Peter Jones
That means we have efi-app-riscv64 support. That probably means it should look more like aarch64. I haven't looked deeper or tested it.
There was a problem hiding this comment.
@davidlt Shim has an .sbat section with the contents of a CSV file for defining the security patch level. How would you create that section with binutils' efi-app-riscv64 target?
The content of the .sbat section is something like:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.8-0ubuntu1,https://www.ubuntu.com/
There was a problem hiding this comment.
It really seems that the lines
+ FORMAT := -O binary
+ SUBSYSTEM := 0xa
+ ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+ TIMESTAMP_LOCATION := 72
are not needed. SUBSYSTEM defaults to 0x0a in branch main of https://github.com/rhboot/gnu-efi.git:
gnu-efi/gnuefi/crt0-efi-riscv64.S:20:
#define EFI_SUBSYSTEM 10
TIMESTAMP_LOCATION is unused.
FORMAT is a flag passed to riscv64-linux-gnu-objcopy which seems unneded.
@brianredbeard Could you please drop the lines from your merge request.
|
The last commit is missing |
| @@ -128,6 +128,21 @@ | |||
| #endif | |||
| #endif | |||
|
|
|||
| #if defined(__riscv) && __riscv_xlen == 64 | |||
| #ifndef DEFAULT_LOADER | |||
| #define DEFAULT_LOADER L"\\grubriscv64.efi" | |||
There was a problem hiding this comment.
Shouldn't the file name be shorter (as in 8.3 format) given a FAT filesystem?
There was a problem hiding this comment.
- FAT supports long file names since Windows 95.
- The default name for EFI binaries on RISC-V is /EFI/BOOT/BOOTRISCV64.EFI. That is not 8.3 either.
- Distros like Fedora and Ubuntu are already using grubriscv64.efi as file name (cf. https://fedoraproject.org/wiki/Architectures/RISC-V/GRUB2)
There was a problem hiding this comment.
Okay, cool. I was just thinking I've seen some vendors expect/model on it being strict FAT12 in the x86 space, and seeing the longer file name started to bug me. Also interesting Ubuntu beat Debian since I checked Debian packaging yesterday when the question came up in another project of "what would the filename be?!" so we could correctly account for it.
There was a problem hiding this comment.
UEFI requires support for FAT long filenames (LFN) in all FAT12, FAT16 and FAT32 so it's fine
|
Hey, I'm wondering what's missing to get this one merged at this point? From a cursory look, it seems that all points raised during review have been addressed. I'm really keen on seeing this make its way to Fedora. Along with the lack of an up-to-date GRUB2 (which is something that's supposedly being addressed as we speak), not having shim is, at least as far as I'm aware, the last remaining blocker to producing usable (albeit still unofficial) Fedora images for RISC-V. |
|
It is not very clean, but I was able to build and boot shim on a VisionFive 2 and EDK2 on a qemu/libvirt VM. I forked shim and gnu-efi with some rough work I had to pull a few things together to get builds working on riscv64.
You can basically clone https://github.com/jmontleon/shim/tree/riscv and With |
I don't think any distro has intentions to sign anything for RISC-V yet and I don't know if Microsoft would even accept it, or what the value would be in handing Microsoft the control over the RISC-V CA too. And unsigned you can just use grub directly and be happy, so I think there's no value merging changes like this and adding the maintenance overhead or have it potentially break each release because nobody tests it. |
|
Am 24. Juni 2024 09:46:14 MESZ schrieb Julian Andres Klode ***@***.***>:
> Hey, I'm wondering what's missing to get this one merged at this point? From a cursory look, it seems that all points raised during review have been addressed.
>
> I'm really keen on seeing this make its way to Fedora. Along with the lack of an up-to-date GRUB2 (which is something that's supposedly [being ***@***.***/thread/PHGU7UQS6O5SLLZIWTVD3E73OTM4GCS7/) as we speak), not having shim is, at least as far as I'm aware, the last remaining blocker to producing usable (albeit still unofficial) Fedora images for RISC-V.
I don't think any distro has intentions to sign anything for RISC-V yet and I don't know if Microsoft would even accept it, or what the value would be in handing Microsoft the control over the RISC-V CA too.
Testing should be done in the CI. There is no need for Microsoft signing for testing.
There has not been any decision on a global signing authority yet.
We should avoid development after the hardware is out. Instead we should provide the RISC-V community the tools needed to test secure boot now. This does not imply that distros have to package it now.
Best regards
Heinrich
…
And unsigned you can just use grub directly and be happy, so I think there's no value merging changes like this and adding the maintenance overhead or have it potentially break each release because nobody tests it.
|
AFAIK shim doesn't just handle the Secure Boot part though, it also takes care of locating and running the GRUB binary when installed as the fallback entry ( Anyway, that's the part I'm interested in, as it would allow us to ship disk images that can be booted right away, without the need on the user's part to create UEFI boot entries themselves, For this to work there's no need for the shim binary to be signed, much less to determine who the signing entity would be. |
|
ncroxon/gnu-efi#34 was merged. Using that work and this PR I had to make a few changes to get things working properly. I also ended up having to reimplement the closed PR #410. I did see the note re: patching gnu-efi instead of shim, which would basically be undoing the CHAR8 commit (ncroxon/gnu-efi@ce1ec9d) if that approach is desired. |
I doubt it. SHIM and SHIM's gnu-efi is outdated and in a very inconsistent state. CHAR8 should be 'unsigned char' since that's how UEFI spec says it is. |
|
On the face, the code this patch adds looks mostly okay to me, but there are still several problems here regarding the result. Even after following jmontleon's suggestions above, there are issues here, ranging from a minor problem with the PR itself to things that make this difficult to consider merging:
|
|
@vathpela It has been awhile since I looked but I remain able to build off the latest upstream gnu-efi with the additional changes I laid out in https://github.com/jmontleon/shim But updating gnu-efi to 5ea320f0f01c8de8f9dd4e4e38a245608f0287dd still builds: I did a scratch a riscv64 scratch build (http://fedora.riscv.rocks/koji/taskinfo?taskID=1837632) and tested in a virtual machine quick. It seems to still work ok. I did see an issue with va_list on x86_64 and added a workaround patch to the srpm there so it should build on x86_64 now as well. I'm definitely not insisting this or all the rest is 100% correct and ready to merge, but it should at least be possible to build and perhaps we can start working down the list of other issues you raised above? |
UEFI spec says CHAR8 is Latin-1 (0-255) so it's unsigned
Can be done by defining GNU_EFI_3_0_COMPAT
Not defining GNU_EFI_USE_EXTERNAL_STDARG??
Totally agree - this is a bit clutching at straws though - if there's a problem that isn't fixed just send a bug report |
Okay, but if I try that in the fairly straightforward way with this PR's code, which seems like it should be similar, it doesn't work because of the char signedness issue on riscv64: https://github.com/rhboot/shim/actions/runs/12678246015/job/35335419817?pr=713 I don't doubt that you've got something working, but I'm not reviewing some series of changes somewhere else, because I can't pull that. I'm reviewing a pull request here, and it doesn't work for the reasons state above.
That needs to be represented in the patches here.
Sure, that makes sense - but that's what this PR is for? The changes we need should be in the PR. Now obviously we need to have some more discussion about gnu-efi especially with regard to the char issue and the va_list weirdness; I understand that. But there's no proposed fix for those issues in this PR as far as I can see. |
Minor correction to myself - it's failing in #713 because there's no patch here to fix the define to make the breaking change with realloc() work. If I define GNU_EFI_3_0_COMPAT, it then breaks on something regarding elf.h changes and include paths in gnu-efi. I haven't debugged this further. |
I'm not even sure if this is actually an issue right now, because again, this PR doesn't give me a tree that builds due to other issues. Happy to continue this part of the discussion once we've figured out the blocking issues.
Looks likely, but even adding that here doesn't get me a tree that builds with any version of gnu-efi that I have.
It may well be that the right answer is to define that for this platform and not add the code that's added to
No, this is not clutching at straws - things that a) are sometimes hard to even notice, b) take up giant amounts of time to debug and c) can introduce exploitable flaws on other arches are an absolute showstopper, and I'm telling you that's a significant concern. Even if I weren't concerned about that, just rebasing to the upstream gnu-efi tree doesn't look possible without significant work, as it's an absolute mess. I can't even fast forward the master branch on top of an older checkout of that master branch. Seriously, try it: Rebasing our patches on top of it is also a mess, partly because of some refactoring patches that need to be rectified, partly because of the incredibly excessive use of merge commits, and partly because several patches from the rhboot gnu-efi tree appear to have been cherry-picked and sent upstream with different commit messages and attribution, which is itself concerning but in a different way. |
|
@vathpela thanks for looking further into this! I have no wisdom to share when it comes to the specifics of the changes being discussed, so I'll leave that to the other people involved in the conversation. It seems obvious to me though that the diff in this PR doesn't match what is currently being used in Fedora RISC-V, since we are definitely building the package successfully there. @jmontleon perhaps you can work with @brianredbeard to update this PR so that it matches reality? Anyway, I see that you've enabled a riscv64 cross-compilation job as part of #713. That's very nice! And it looks like it didn't require a big effort to do so either. In case you are interested in going further than mere compile-testing (once the PR is updated, of course!), we have documented the process of setting up an emulated riscv64 environment using QEMU. It should hopefully be fairly straightforward, but feel free to reach out to me if you have any questions. Hope this helps :) |
|
Currently attempting to build a working tree (yes i'm aware commit messages look awful -- this was purely for testing) |
|
Things still to do - after people have given more comments about my changes:
|
|
@gmbr3 I am in no position to give any feedback on the technical side of things, but I have to say that I'm absolutely ecstatic to see you making progress. As someone who's extremely keen on seeing shim running on riscv64, your continued efforts give me a lot of hope. Thank you and keep up the excellent work! |
Add what is needed to build on riscv64.
Signed-off-by: Heinrich Schuchardt [email protected]
This is an update which supersedes #420 which brings it in alignment with the current upstream and fixes a minor style nit around the definition of
__riscv.