When the user requires "security" by passing -D SMM_REQUIRE, and consequently by setting PcdSmmSmramRequire, enforce flash-based variables.
Furthermore, add two ASSERT()s to catch if the wrong module were pulled into the build. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <ler...@redhat.com> --- OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf | 2 ++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf | 2 ++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 3 +++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c | 3 +++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c | 1 + 5 files changed, 11 insertions(+) diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf index ea8413f..c0dda75 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf @@ -85,6 +85,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable +[FeaturePcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire [Depex] TRUE diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf index 6af0649..ba2d367 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf @@ -84,6 +84,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable +[FeaturePcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire [Depex] TRUE diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c index c11f598..63b3086 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c @@ -17,6 +17,7 @@ #include <Guid/EventGroup.h> #include <Library/DebugLib.h> #include <Library/DevicePathLib.h> +#include <Library/PcdLib.h> #include <Library/UefiBootServicesTableLib.h> #include <Library/UefiRuntimeLib.h> #include <Protocol/DevicePath.h> @@ -34,6 +35,8 @@ InstallProtocolInterfaces ( EFI_HANDLE FwbHandle; EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *OldFwbInterface; + ASSERT (!FeaturePcdGet (PcdSmmSmramRequire)); + // // Find a handle with a matching device path that has supports FW Block // protocol diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c index e77129e..e0617f2 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c @@ -15,6 +15,7 @@ **/ #include <Library/DebugLib.h> +#include <Library/PcdLib.h> #include <Library/SmmServicesTableLib.h> #include <Protocol/DevicePath.h> #include <Protocol/SmmFirmwareVolumeBlock.h> @@ -29,6 +30,8 @@ InstallProtocolInterfaces ( EFI_HANDLE FvbHandle; EFI_STATUS Status; + ASSERT (FeaturePcdGet (PcdSmmSmramRequire)); + // // There is no SMM service that can install multiple protocols in the SMM // protocol database in one go. diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c index 28bcb13..5677b5e 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c @@ -245,6 +245,7 @@ QemuFlashInitialize ( mFdBlockCount = PcdGet32 (PcdOvmfFirmwareFdSize) / mFdBlockSize; if (!QemuFlashDetected ()) { + ASSERT (!FeaturePcdGet (PcdSmmSmramRequire)); return EFI_WRITE_PROTECTED; } -- 1.8.3.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel