git.proxmox.com Git - mirror

author	Brijesh Singh <brijesh.singh@amd.com>
	Thu, 5 Oct 2017 20:16:42 +0000 (15:16 -0500)
committer	Laszlo Ersek <lersek@redhat.com>
	Tue, 17 Oct 2017 19:28:27 +0000 (21:28 +0200)
commit	6041ac65ae879389f3ab5c0699f916d3e71c97fe
tree	7fc1093afd722d3c8c2eb47c30d382746c2cabce	tree
parent	071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3	commit \| diff

OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active

The following commit:

1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion
ROMs attached to the emulated PCI devices. A expansion ROM constitute
another channel through which a cloud provider (i.e hypervisor) can
inject a code in guest boot flow to compromise it.

When SEV is enabled, the bios code has been verified by the guest owner
via the SEV guest launch sequence before its executed. When secure boot,
is enabled, lets make sure that we do not allow guest bios to execute a
code which is not signed by the guest owner.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

OvmfPkg/OvmfPkgIa32.dsc		diff \| blob \| blame \| history
OvmfPkg/OvmfPkgIa32X64.dsc		diff \| blob \| blame \| history
OvmfPkg/OvmfPkgX64.dsc		diff \| blob \| blame \| history
OvmfPkg/PlatformPei/AmdSev.c		diff \| blob \| blame \| history
OvmfPkg/PlatformPei/PlatformPei.inf		diff \| blob \| blame \| history