OvmfPkg: introduce -D SMM_REQUIRE and PcdSmmSmramRequire

This build time flag and corresponding Feature PCD will control whether
OVMF supports (and, equivalently, requires) SMM/SMRAM support from QEMU.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19034 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 049f6edd059ebe6a8f96b5f2dd0e7cc5621ff848..47b0e696292847af66235b8c4e892c400ef13d07 100644 (file)
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -117,3 +117,13 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|FALSE|BOOLEAN|3\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderPciTranslation|TRUE|BOOLEAN|0x1c\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderMmioTranslation|FALSE|BOOLEAN|0x1d\r
+\r
+  ## This feature flag enables SMM/SMRAM support. Note that it also requires\r
+  #  such support from the underlying QEMU instance; if that support is not\r
+  #  present, the firmware will reject continuing after a certain point.\r
+  #\r
+  #  The flag also acts as a general "security switch"; when TRUE, many\r
+  #  components will change behavior, with the goal of preventing a malicious\r
+  #  runtime OS from tampering with firmware structures (special memory ranges\r
+  #  used by OVMF, the varstore pflash chip, LockBox etc).\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|FALSE|BOOLEAN|0x1e\r

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 77fd21cd59683152bf5ccee5fa41f75817cf26fc..74f6e784f3f908d99fe2222935015a4dce4cd61d 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -36,6 +36,7 @@
   DEFINE SECURE_BOOT_ENABLE      = FALSE\r
   DEFINE NETWORK_IP6_ENABLE      = FALSE\r
   DEFINE HTTP_BOOT_ENABLE        = FALSE\r
+  DEFINE SMM_REQUIRE             = FALSE\r
 \r
 [BuildOptions]\r
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG\r
@@ -310,6 +311,9 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE\r
 !endif\r
+!if $(SMM_REQUIRE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE\r
+!endif\r
 \r
 [PcdsFixedAtBuild]\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1\r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 47cc311165d078e4e3938423e0097db17576edb2..cdf4e0cb90f8f528eb41e57785e779a984bd531b 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -36,6 +36,7 @@
   DEFINE SECURE_BOOT_ENABLE      = FALSE\r
   DEFINE NETWORK_IP6_ENABLE      = FALSE\r
   DEFINE HTTP_BOOT_ENABLE        = FALSE\r
+  DEFINE SMM_REQUIRE             = FALSE\r
 \r
 [BuildOptions]\r
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG\r
@@ -315,6 +316,9 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE\r
 !endif\r
+!if $(SMM_REQUIRE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE\r
+!endif\r
 \r
 [PcdsFixedAtBuild]\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1\r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 44b9c792e12ed805657e8722bd918ae0e00cd69d..2b0ad9d05d098099eab6fa6467e2f40b5afddc9a 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -36,6 +36,7 @@
   DEFINE SECURE_BOOT_ENABLE      = FALSE\r
   DEFINE NETWORK_IP6_ENABLE      = FALSE\r
   DEFINE HTTP_BOOT_ENABLE        = FALSE\r
+  DEFINE SMM_REQUIRE             = FALSE\r
 \r
 [BuildOptions]\r
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG\r
@@ -315,6 +316,9 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE\r
 !endif\r
+!if $(SMM_REQUIRE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE\r
+!endif\r
 \r
 [PcdsFixedAtBuild]\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1\r