This build time flag and corresponding Feature PCD will control whether OVMF supports (and, equivalently, requires) SMM/SMRAM support from QEMU.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <ler...@redhat.com> Reviewed-by: Jordan Justen <jordan.l.jus...@intel.com> --- OvmfPkg/OvmfPkg.dec | 10 ++++++++++ OvmfPkg/OvmfPkgIa32.dsc | 4 ++++ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++ OvmfPkg/OvmfPkgX64.dsc | 4 ++++ 4 files changed, 22 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index d79aff4..f9decd3 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -121,3 +121,13 @@ [PcdsFeatureFlag] gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|FALSE|BOOLEAN|3 gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderPciTranslation|TRUE|BOOLEAN|0x1c gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderMmioTranslation|FALSE|BOOLEAN|0x1d + + ## This feature flag enables SMM/SMRAM support. Note that it also requires + # such support from the underlying QEMU instance; if that support is not + # present, the firmware will reject continuing after a certain point. + # + # The flag also acts as a general "security switch"; when TRUE, many + # components will change behavior, with the goal of preventing a malicious + # runtime OS from tampering with firmware structures (special memory ranges + # used by OVMF, the varstore pflash chip, LockBox etc). + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|FALSE|BOOLEAN|0x1e diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 7616aa5..24747c9 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -36,6 +36,7 @@ [Defines] DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE NETWORK_IP6_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE [BuildOptions] GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG @@ -311,6 +312,9 @@ [PcdsFeatureFlag] !if $(SECURE_BOOT_ENABLE) == TRUE gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE !endif +!if $(SMM_REQUIRE) == TRUE + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 81864eb..0ebc88b 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -36,6 +36,7 @@ [Defines] DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE NETWORK_IP6_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE [BuildOptions] GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG @@ -316,6 +317,9 @@ [PcdsFeatureFlag] !if $(SECURE_BOOT_ENABLE) == TRUE gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE !endif +!if $(SMM_REQUIRE) == TRUE + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index fc66a13..056c0c0 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -36,6 +36,7 @@ [Defines] DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE NETWORK_IP6_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE [BuildOptions] GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG @@ -316,6 +317,9 @@ [PcdsFeatureFlag] !if $(SECURE_BOOT_ENABLE) == TRUE gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE !endif +!if $(SMM_REQUIRE) == TRUE + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 -- 1.8.3.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel