On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> set to TRUE instead.
> 
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> ---
>  OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 943c4eed9831..b32049194d39 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -153,6 +153,7 @@ [LibraryClasses]
>   
> UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEn
> tryPoint.inf
>   
> UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/Ue
> fiApplicationEntryPoint.inf
>   
> DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/Uefi
> DevicePathLibDevicePathProtocol.inf
> +  NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
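Review bot: The NvVarsFileLib addition to [LibraryClasses] is not covered by the commit message, which only mentions switching to PlatformBootManagerLib with PcdBootRestrictToFirmware set to TRUE, yet NvVarsFileLib is the OVMF library that loads and saves non-volatile variables from a file on the file system, so resolving it in AmdSevX64.dsc reads as enabling variable persistence that the AmdSev platform deliberately does not have. If the class is only needed to satisfy a link dependency of PlatformBootManagerLib, please say so in the commit message and consider pointing it at a no-op instance instead, so the platform's variable store stays read-only; if file-backed variables really are intended, that needs its own justification, since a variable file is unmeasured input to the SEV boot.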

All additions apart from this look fine, but this one is a security
risk: EFI variables represent an unmeasured configuration for SEV boot
and, as such, can be used to influence the boot and potentially reveal
boot secrets, so the AmdSevPkg was designed to have read-only EFI
variables that couldn't be subject to outside influence.

James

View/Reply Online (#104009): https://edk2.groups.io/g/devel/message/104009