author | Laszlo Ersek <lersek@redhat.com> | 2019-02-06 10:08:53 +0100 |
---|---|---|
committer | Laszlo Ersek <lersek@redhat.com> | 2019-02-13 07:10:26 +0100 |
commit | da06a2a2fa1e100392d9782d99ad0a71f4605b1f (patch) | |
tree | 916959465a068e91b3b376e3f706e06dd48539ae | |
parent | c0b612b3a4b879184b9439c1a04e747b73b6b4b5 (diff) | |
ArmVirtPkg/ArmVirtXen: don't set Pcd*ImageVerificationPolicy
According to the
"PCDs not used by modules or in conditional directives"
sections of all the build reports for
{AARCH64,ARM} x {Xen} x {DEBUG,NOOPT,RELEASE} x {feat-1}
(6 builds in total), PcdOptionRomImageVerificationPolicy,
PcdFixedMediaImageVerificationPolicy, and
PcdRemovableMediaImageVerificationPolicy are not used in any of those
builds.
Restrict the settings to the ArmVirtQemu and ArmVirtQemuKernel platforms
(preserving the -D SECURE_BOOT_ENABLE restriction in the process).
("feat-1" stands for "-D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D
SECURE_BOOT_ENABLE -D TTY_TERMINAL", while "feat-0" stands for "".)
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Julien Grall <julien.grall@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-rw-r--r-- | ArmVirtPkg/ArmVirt.dsc.inc | 7 | ||||
-rw-r--r-- | ArmVirtPkg/ArmVirtQemu.dsc | 7 | ||||
-rw-r--r-- | ArmVirtPkg/ArmVirtQemuKernel.dsc | 7 |
3 files changed, 14 insertions, 7 deletions
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index dc3bd13973..d172a082c9 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -347,13 +347,6 @@ gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0
-!if $(SECURE_BOOT_ENABLE) == TRUE
- # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
-!endif
-
#
# Enable strict image permissions for all images. (This applies
# only to images that were built with >= 4 KB section alignment.)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 83c8af0258..8cc31fda7a 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -148,6 +148,13 @@ #
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
[PcdsFixedAtBuild.AARCH64]
# Clearing BIT0 in this PCD prevents installing a 32-bit SMBIOS entry point,
# if the entry point version is >= 3.0. AARCH64 OSes cannot assume the
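Review bot: The comment above the three `0x04` settings, here and in the identical ArmVirtQemuKernel.dsc hunk, does not say which policy `0x04` selects, so the secure-boot behaviour cannot be checked without opening SecurityPkg.dec. I would add a line such as `# 0x04 = DENY_EXECUTE_ON_SECURITY_VIOLATION: images that fail verification are not executed`. Because the block now lives in two platform files instead of the shared ArmVirt.dsc.inc, any other ArmVirtPkg platform that later links image verification under SECURE_BOOT_ENABLE has to copy it, or it falls back to the SecurityPkg defaults, which the existing comment implies are less strict. A one-line reminder in ArmVirt.dsc.inc where the block used to be would make that dependency visible. The PCD section header that encloses the added lines is outside the hunk, so the section type they land in should be confirmed against the full file.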
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 46d8bac3ef..c3e0c9bf25 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -142,6 +142,13 @@ #
gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
[PcdsPatchableInModule.common]
#
# This will be overridden in the code