git.proxmox.com Git - mirror

author	Brijesh Singh <brijesh.singh@amd.com>
	Thu, 5 Oct 2017 20:16:41 +0000 (15:16 -0500)
committer	Laszlo Ersek <lersek@redhat.com>
	Tue, 17 Oct 2017 19:28:26 +0000 (21:28 +0200)
commit	071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3
tree	613606109d69d3682585d996601449a11f170394	tree
parent	65c77f02104cf0cf7bd224df3a5fc08795df9aad	commit \| diff

SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic

By default the image verification policy for option ROM images is 0x4
(DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:

1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option
ROMs comes from host-side and most of the time cloud provider (i.e
hypervisor) have full access over a guest anyway. But when secure boot
is enabled, we would like to deny the execution of option ROM when
SEV is active. Having dynamic Pcd will give us flexibility to set the
security policy at the runtime.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>