-[PcdsFixedAtBuild]\r
- ## Pcd for OptionRom.\r
- # Image verification policy settings:\r
- # ALWAYS_EXECUTE 0x00000000\r
- # NEVER_EXECUTE 0x00000001\r
- # ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002\r
- # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
- # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
- # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 \r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001\r
- \r
- ## Pcd for removable media.\r
- # Removable media include CD-ROM, Floppy, USB and network.\r
- # Image verification policy settings:\r
- # ALWAYS_EXECUTE 0x00000000\r
- # NEVER_EXECUTE 0x00000001\r
- # ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002\r
- # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
- # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
- # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05|UINT32|0x00000002\r
- \r
- ## Pcd for fixed media.\r
- # Fixed media include hard disk.\r
- # Image verification policy settings:\r
- # ALWAYS_EXECUTE 0x00000000\r
- # NEVER_EXECUTE 0x00000001\r
- # ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002\r
- # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
- # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
- # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 \r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05|UINT32|0x00000003\r
- \r
- ## Defer Image Load policy settings.\r
- # The policy is bitwise. \r
- # If bit is set, the image from corresponding device will be trust when loading.\r
- #\r
- # IMAGE_UNKNOWN 0x00000001\r
- # IMAGE_FROM_FV 0x00000002\r
- # IMAGE_FROM_OPTION_ROM 0x00000004\r
- # IMAGE_FROM_REMOVABLE_MEDIA 0x00000008\r
- # IMAGE_FROM_FIXED_MEDIA 0x00000010\r
+ ## Include/Ppi/FirmwareVolumeInfoMeasurementExcluded.h\r
+ gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid = { 0x6e056ff9, 0xc695, 0x4364, { 0x9e, 0x2c, 0x61, 0x26, 0xf5, 0xce, 0xea, 0xae } }\r
+\r
+#\r
+# [Error.gEfiSecurityPkgTokenSpaceGuid]\r
+# 0x80000001 | Invalid value provided.\r
+# 0x80000002 | Reserved bits must be set to zero.\r
+#\r
+\r
+[PcdsFixedAtBuild, PcdsPatchableInModule]\r
+ ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>\r
+ # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
+ # 0x00000000 Always trust the image.<BR>\r
+ # 0x00000001 Never trust the image.<BR>\r
+ # 0x00000002 Allow execution when there is security violation.<BR>\r
+ # 0x00000003 Defer execution when there is security violation.<BR>\r
+ # 0x00000004 Deny execution when there is security violation.<BR>\r
+ # 0x00000005 Query user when there is security violation.<BR>\r
+ # @Prompt Set policy for the image from OptionRom.\r
+ # @ValidRange 0x80000001 | 0x00000000 - 0x00000005\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001\r
+\r
+ ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network.\r
+ # Only following values are valid:<BR><BR>\r
+ # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
+ # 0x00000000 Always trust the image.<BR>\r
+ # 0x00000001 Never trust the image.<BR>\r
+ # 0x00000002 Allow execution when there is security violation.<BR>\r
+ # 0x00000003 Defer execution when there is security violation.<BR>\r
+ # 0x00000004 Deny execution when there is security violation.<BR>\r
+ # 0x00000005 Query user when there is security violation.<BR>\r
+ # @Prompt Set policy for the image from removable media.\r
+ # @ValidRange 0x80000001 | 0x00000000 - 0x00000005\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002\r
+\r
+ ## Image verification policy for fixed media which includes hard disk.\r
+ # Only following values are valid:<BR><BR>\r
+ # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
+ # 0x00000000 Always trust the image.<BR>\r
+ # 0x00000001 Never trust the image.<BR>\r
+ # 0x00000002 Allow execution when there is security violation.<BR>\r
+ # 0x00000003 Defer execution when there is security violation.<BR>\r
+ # 0x00000004 Deny execution when there is security violation.<BR>\r
+ # 0x00000005 Query user when there is security violation.<BR>\r
+ # @Prompt Set policy for the image from fixed media.\r
+ # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 \r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003\r
+\r
+ ## Defer Image Load policy settings. The policy is bitwise. \r
+ # If a bit is set, the image from corresponding device will be trusted when loading. Or \r
+ # the image will be deferred. The deferred image will be checked after user is identified.<BR><BR>\r
+ # BIT0 - Image from unknown device. <BR>\r
+ # BIT1 - Image from firmware volume.<BR>\r
+ # BIT2 - Image from OptionRom.<BR>\r
+ # BIT3 - Image from removable media which includes CD-ROM, Floppy, USB and network.<BR>\r
+ # BIT4 - Image from fixed media device which includes hard disk.<BR>\r
+ # @Prompt Set policy whether trust image before user identification.\r
+ # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F \r