On 10/05/17 22:16, Brijesh Singh wrote: > The following commit: > > 1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot > > sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion > ROMs attached to the emulated PCI devices. An expansion ROM constitutes > another channel through which a cloud provider (i.e. hypervisor) can > inject code into the guest boot flow to compromise it. > > When SEV is enabled, the BIOS code has been verified by the guest owner > via the SEV guest launch sequence before it's executed. When secure boot > is enabled, let's make sure that we do not allow the guest BIOS to execute > code which is not signed by the guest owner. > > Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728 > Cc: Chao Zhang <chao.b.zh...@intel.com> > Cc: Jordan Justen <jordan.l.jus...@intel.com> > Cc: Laszlo Ersek <ler...@redhat.com> > Cc: Tom Lendacky <thomas.lenda...@amd.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> > --- > Changes since v1: > * Add Contributed-under tag > * Fix OvmfPkgIa32.dsc build > > OvmfPkg/OvmfPkgIa32.dsc | 9 +++++---- > OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++++---- > OvmfPkg/OvmfPkgX64.dsc | 9 +++++---- > OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ > OvmfPkg/PlatformPei/AmdSev.c | 7 +++++++ > 5 files changed, 24 insertions(+), 12 deletions(-) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 92e943d4a0d0..7fb557b7c9cd 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -483,10 +483,6 @@ [PcdsFixedAtBuild] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 > !endif > > -!if $(SECURE_BOOT_ENABLE) == TRUE > - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > -!endif > - > # IRQs 5, 9, 10, 11 are level-triggered > gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 
> > @@ -544,6 +540,11 @@ [PcdsDynamicDefault] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 > !endif > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > +!endif > + > + > > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform. > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index 7f9220ccb90a..4bcbddb95768 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -489,10 +489,6 @@ [PcdsFixedAtBuild.X64] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 > !endif > > -!if $(SECURE_BOOT_ENABLE) == TRUE > - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > -!endif > - > # IRQs 5, 9, 10, 11 are level-triggered > gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 > > @@ -552,6 +548,11 @@ [PcdsDynamicDefault] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 > !endif > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > +!endif > + > + > > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform. > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 36c60fc19c40..e52a3bd4db9b 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -488,10 +488,6 @@ [PcdsFixedAtBuild] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 > !endif > > -!if $(SECURE_BOOT_ENABLE) == TRUE > - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > -!endif > - > # IRQs 5, 9, 10, 11 are level-triggered > gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 
> > @@ -551,6 +547,11 @@ [PcdsDynamicDefault] > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 > !endif > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > +!endif > + > + > > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform. > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf > b/OvmfPkg/PlatformPei/PlatformPei.inf > index 16a8db7b0bd2..de7434d93dc0 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -41,6 +41,7 @@ [Packages] > IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec > MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > UefiCpuPkg/UefiCpuPkg.dec > OvmfPkg/OvmfPkg.dec > > @@ -96,6 +97,7 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable > gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber > gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds > diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c > index 26f7c3fdbb13..1539e5b5cdce 100644 > --- a/OvmfPkg/PlatformPei/AmdSev.c > +++ b/OvmfPkg/PlatformPei/AmdSev.c > @@ -59,4 +59,11 @@ AmdSevInitialize ( > ASSERT_RETURN_ERROR (PcdStatus); > > DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask)); > + > + // > + // Set Pcd to Deny the execution of option ROM when security > + // violation. > + // > + PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4); > + ASSERT_RETURN_ERROR (PcdStatus); > } >
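Review bot: in the OvmfPkgIa32.dsc [PcdsDynamicDefault] hunk (@@ -544,6 +540,11 @@), the two trailing added empty lines after "+!endif" leave a double blank line before the "####" Components banner, where the surrounding file uses a single one; drop one of the "+" blank lines. Moving the PCD out of [PcdsFixedAtBuild] into [PcdsDynamicDefault] is what lets PlatformPei set it at runtime, and keeping "|0x00" as the dynamic default preserves the existing ALWAYS_EXECUTE behaviour for guests without SEV, which is worth one sentence in the commit message.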
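Review bot: the OvmfPkgIa32X64.dsc [PcdsDynamicDefault] hunk (@@ -552,6 +548,11 @@) has the same extra blank line as the Ia32 file: two "+" empty lines follow "+!endif", producing a double blank before the Components banner; keep only one so the three DSC files stay consistent with their existing spacing.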
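Review bot: the OvmfPkgX64.dsc [PcdsDynamicDefault] hunk (@@ -551,6 +547,11 @@) again adds two empty "+" lines after "+!endif"; one is enough, matching the single blank line the file already uses before the "####" section banner.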
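Review bot: in the PlatformPei.inf [Pcd] hunk (@@ -96,6 +97,7 @@), PcdOptionRomImageVerificationPolicy is referenced unconditionally, while the three DSC files only declare it under [PcdsDynamicDefault] when SECURE_BOOT_ENABLE is TRUE; please confirm that a SECURE_BOOT_ENABLE=FALSE build (where the PCD falls back to its SecurityPkg.dec default type) still links, and say in the commit message that without secure boot no image verification runs, so the policy set in AmdSev.c is a no-op there by design. The [Packages] hunk adding SecurityPkg/SecurityPkg.dec is the matching dependency and looks right.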
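Review bot: in the AmdSev.c hunk (@@ -59,4 +59,11 @@), "PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4)" uses a bare magic number for a security policy; spell out in the comment which documented policy value 0x4 is (the "Deny ... on security violation" option listed in SecurityPkg.dec), or define a named macro, so a reader does not have to look it up. The comment grammar should read "Set the PCD to deny execution of option ROMs on a security violation." Also note that ASSERT_RETURN_ERROR only fires in DEBUG builds; this matches the existing PcdStatus handling a few lines above, but since a silently failed set would leave the ALWAYS_EXECUTE default in place in a RELEASE build, the commit message might state that this is the accepted failure mode.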
Reviewed-by: Laszlo Ersek <ler...@redhat.com>

Thanks!
Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel