ArmVirtPkg/ArmVirtXen: don't set Pcd*ImageVerificationPolicy

According to the

  PCDs not used by modules or in conditional directives

sections of all the build reports for

  {AARCH64,ARM} x {Xen} x {DEBUG,NOOPT,RELEASE} x {feat-1}

(6 builds in total), PcdOptionRomImageVerificationPolicy,
PcdFixedMediaImageVerificationPolicy, and
PcdRemovableMediaImageVerificationPolicy are not used in any of those
builds.

Restrict the settings to the ArmVirtQemu and ArmVirtQemuKernel platforms
(preserving the -D SECURE_BOOT_ENABLE restriction in the process).

("feat-1" stands for "-D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D
SECURE_BOOT_ENABLE -D TTY_TERMINAL", while "feat-0" stands for "".)

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Julien Grall <julien.grall@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index dc3bd13973a7f4d62c3899964ba198c6714c9974..d172a082c9b527aeab7e25ec000509752bc14b0f 100644 (file)
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -347,13 +347,6 @@
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20\r
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0\r
 \r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
-!endif\r
-\r
   #\r
   # Enable strict image permissions for all images. (This applies\r
   # only to images that were built with >= 4 KB section alignment.)\r

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 83c8af0258b2ee68958399b0acd27cc3de7ec152..8cc31fda7a379864d168441cf8d061d690e3d4a7 100644 (file)
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -148,6 +148,13 @@
   #\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
+!endif\r
+\r
 [PcdsFixedAtBuild.AARCH64]\r
   # Clearing BIT0 in this PCD prevents installing a 32-bit SMBIOS entry point,\r
   # if the entry point version is >= 3.0. AARCH64 OSes cannot assume the\r

diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 46d8bac3ef4d48feebd22ecb6afe249b56f5d49c..c3e0c9bf25492b03c522b20ec620487a25009458 100644 (file)
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -142,6 +142,13 @@
   #\r
   gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
+!endif\r
+\r
 [PcdsPatchableInModule.common]\r
   #\r
   # This will be overridden in the code\r