The following commit:
1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot
sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion
ROMs attached to the emulated PCI devices. A expansion ROM constitute
another channel through which a cloud provider (i.e hypervisor) can
inject a code in guest boot flow to compromise it.
When SEV is enabled, the bios code has been verified by the guest owner
via the SEV guest launch sequence before its executed. When secure boot,
is enabled, lets make sure that we do not allow guest bios to execute a
code which is not signed by the guest owner.
Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
-!endif\r
-\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
+!endif\r
+\r
+\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
-!endif\r
-\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
+!endif\r
+\r
+\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000\r
!endif\r
\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
-!endif\r
-\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000\r
!endif\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
+!endif\r
+\r
+\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
################################################################################\r
#\r
# Components Section - list of all EDK II Modules needed by this Platform.\r
ASSERT_RETURN_ERROR (PcdStatus);\r
\r
DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
ASSERT_RETURN_ERROR (PcdStatus);\r
\r
DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
+\r
+ //\r
+ // Set Pcd to Deny the execution of option ROM when security\r
+ // violation.\r
+ //\r
+ PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
+ ASSERT_RETURN_ERROR (PcdStatus);\r
IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec\r
MdePkg/MdePkg.dec\r
MdeModulePkg/MdeModulePkg.dec\r
IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec\r
MdePkg/MdePkg.dec\r
MdeModulePkg/MdeModulePkg.dec\r
+ SecurityPkg/SecurityPkg.dec\r
UefiCpuPkg/UefiCpuPkg.dec\r
OvmfPkg/OvmfPkg.dec\r
\r
UefiCpuPkg/UefiCpuPkg.dec\r
OvmfPkg/OvmfPkg.dec\r
\r
gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable\r
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable\r
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask\r
gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable\r
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable\r
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber\r
gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds\r
projects / mirror_edk2.git / commitdiff