\r
!if $(SECURE_BOOT_ENABLE) == TRUE\r
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
!endif\r
\r
################################################################################\r
\r
!if $(SECURE_BOOT_ENABLE) == TRUE\r
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
!endif\r
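Review bot: The new `0x04` values carry no name, and the surviving comment ("ensure images from all sources are verified") no longer tells a reader that a verification failure now denies execution outright instead of prompting the user. Since DSC files cannot reference the macro names from SecurityPkg.dec, I would extend the comment line to `# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot (0x04 = DENY_EXECUTE_ON_SECURITY_VIOLATION)` so the next integrator does not have to look the value up, and does not reintroduce 0x05. The same applies to the identical blocks ending at L10, L34 and L46 (the block at L10 appears to start before this excerpt). The hunk edges here are inferred from context, as this rendering has no hunk headers.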
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
[PcdsFixedAtBuild.X64]\r
!if $(SECURE_BOOT_ENABLE) == TRUE\r
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
!endif\r
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
\r
!if $(SECURE_BOOT_ENABLE) == TRUE\r
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
!endif\r
\r
# IRQs 5, 9, 10, 11 are level-triggered\r
return EFI_ACCESS_DENIED;\r
}\r
\r
+ //\r
+ // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.\r
+ //\r
+ ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);\r
+ if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {\r
+ CpuDeadLoop ();\r
+ }\r
+\r
GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);\r
//\r
// Skip verification if SecureBoot variable doesn't exist.\r
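Review bot: In a RELEASE build the `ASSERT` at L55 compiles away and the `CpuDeadLoop ()` at L57 then hangs the platform with no diagnostic, so a platform that still carries 0x05 in one of the verification-policy PCDs stops booting silently. I would record the reason before halting, e.g. `DEBUG ((DEBUG_ERROR, "%a: QUERY_USER_ON_SECURITY_VIOLATION is not supported; halting\n", __FUNCTION__));` placed just before `CpuDeadLoop ();`, so a serial log explains the hang. Whether a hard halt is preferable to failing closed via the existing `EFI_ACCESS_DENIED` path (visible at L49) is a design choice worth stating in the block comment at L52-L54, since the current text says only that the policy was removed. The enclosing handler starts and ends outside the hunk, and the assignment of `Policy` is not visible here, so I have not checked how the value is read from the PCD.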
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 \r
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001\r
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001\r
\r
## Pcd for removable media.\r
# Removable media include CD-ROM, Floppy, USB and network.\r
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005\r
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05|UINT32|0x00000002\r
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002\r
\r
## Pcd for fixed media.\r
# Fixed media include hard disk.\r
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003\r
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004\r
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 \r
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05|UINT32|0x00000003\r
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003\r
\r
## Defer Image Load policy settings.\r
# The policy is bitwise. \r
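Review bot: The value tables at L65, L74 and L83 still list `# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005` as a legitimate setting, immediately above the new NOTE lines saying it must not be used, which is contradictory for an integrator scanning the table. I would change each of those lines to `# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 (removed - do not use)` or drop them, so the PCD help text matches the code that now halts on that value. Separately, the option-ROM default at L66-L68 moves from 0x00 to 0x04, which is a behaviour change beyond the removal itself (presumably from an always-execute policy to deny), and deserves an explicit mention in the commit message and in this PCD's help text. L65 and L83 also carry pre-existing trailing whitespace after the value, which could be cleaned up while the lines are being edited.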