OvmfPkg/AmdSev: add Grub Firmware Volume Package

This is used to package up the grub bootloader into a firmware volume
where it can be executed as a shell like the UEFI Shell.  Grub itself
is built as a minimal entity into a Fv and then added as a boot
option.  By default the UEFI shell isn't built but for debugging
purposes it can be enabled and will then be presented as a boot option
(This should never be allowed for secure boot in an external data
centre but may be useful for local debugging).  Finally all other boot
options except grub and possibly the shell are stripped and the boot
timeout forced to 0 so the system will not enter a setup menu and will
only boot to grub.  This is done by copying the
Library/PlatformBootManagerLib into Library/PlatformBootManagerLibGrub
and then customizing it.

Boot failure is fatal to try to prevent secret theft.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Message-Id: <20201130202819.3910-4-jejb@linux.ibm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
[lersek@redhat.com: replace local variable initialization with assignment]
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
[lersek@redhat.com: squash 'OvmfPkg: add "gGrubFileGuid=Grub" to
 GuidCheck.IgnoreDuplicates', reviewed stand-alone by Phil (msgid
 <e6eae551-8563-ccfb-5547-7a97da6d46e5@redhat.com>) and Ard (msgid
 <10aeda37-def6-d9a4-6e02-4c66c1492f57@arm.com>)]

1 files changed, 15 insertions, 6 deletions

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 59778c4954..18707725b3 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -25,6 +25,7 @@
   BUILD_TARGETS                  = NOOPT|DEBUG|RELEASE

   SKUID_IDENTIFIER               = DEFAULT

   FLASH_DEFINITION               = OvmfPkg/AmdSev/AmdSevX64.fdf

+  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh

 

   #

   # Defines for default states.  These can be changed on the command line.

@@ -35,6 +36,11 @@
   DEFINE TPM_CONFIG_ENABLE       = FALSE

 

   #

+  # Shell can be useful for debugging but should not be enabled for production

+  #

+  DEFINE BUILD_SHELL             = FALSE

+

+  #

   # Device drivers

   #

   DEFINE PVSCSI_ENABLE           = TRUE

@@ -149,7 +155,6 @@
   UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf

   UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf

   DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf

-  NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

   UefiCpuLib|UefiCpuPkg/Library/BaseUefiCpuLib/BaseUefiCpuLib.inf

   SecurityManagementLib|MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.inf

@@ -184,9 +189,11 @@
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf

   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf

 

+!if $(BUILD_SHELL) == TRUE

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf

-  S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf

+!endif

+

   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf

   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf

   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf

@@ -343,7 +350,7 @@
 !else

   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf

 !endif

-  PlatformBootManagerLib|OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf

+  PlatformBootManagerLib|OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf

   PlatformBmPrintScLib|OvmfPkg/Library/PlatformBmPrintScLib/PlatformBmPrintScLib.inf

   QemuBootOrderLib|OvmfPkg/Library/QemuBootOrderLib/QemuBootOrderLib.inf

   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf

@@ -507,6 +514,7 @@
   # Point to the MdeModulePkg/Application/UiApp/UiApp.inf

   gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }

 

+  gEfiMdeModulePkgTokenSpaceGuid.PcdConInConnectOnDemand|TRUE

 ################################################################################

 #

 # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform

@@ -751,8 +759,6 @@
   MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf

   OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf

   OvmfPkg/AcpiTables/AcpiTables.inf

-  MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf

-  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf

   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf

 

   #

@@ -765,12 +771,14 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf

   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf

 

-!if $(TOOL_CHAIN_TAG) != "XCODE5"

+!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE

   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {

     <PcdsFixedAtBuild>

       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE

   }

 !endif

+  OvmfPkg/AmdSev/Grub/Grub.inf

+!if $(BUILD_SHELL) == TRUE

   ShellPkg/Application/Shell/Shell.inf {

     <LibraryClasses>

       ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf

@@ -789,6 +797,7 @@
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE

       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000

   }

+!endif

 

   OvmfPkg/PlatformDxe/Platform.inf

   OvmfPkg/AmdSevDxe/AmdSevDxe.inf