summaryrefslogtreecommitdiffstats
path: root/OvmfPkg/IntelTdx
diff options
context:
space:
mode:
authorJan Bobek <jbobek@nvidia.com>2023-01-21 06:58:33 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2023-02-04 11:53:59 +0000
commitf6e4824533be5e4951b17e1938e4fb53bf66b7a5 (patch)
tree9e7e461575366080e1e2a4e7a82c5b4633a789d6 /OvmfPkg/IntelTdx
parent566cdfc675fa0da486af34cb12cb5f2e01578a5c (diff)
downloadedk2-f6e4824533be5e4951b17e1938e4fb53bf66b7a5.tar.gz
edk2-f6e4824533be5e4951b17e1938e4fb53bf66b7a5.tar.bz2
edk2-f6e4824533be5e4951b17e1938e4fb53bf66b7a5.zip
OvmfPkg: require self-signed PK when secure boot is enabled
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring self-signed PK when SECURE_BOOT_ENABLE is TRUE. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Rebecca Cran <rebecca@bsdio.com> Cc: Peter Grehan <grehan@freebsd.org> Cc: Sebastien Boeuf <sebastien.boeuf@intel.com> Signed-off-by: Jan Bobek <jbobek@nvidia.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'OvmfPkg/IntelTdx')
-rw-r--r--OvmfPkg/IntelTdx/IntelTdxX64.dsc3
1 files changed, 3 insertions, 0 deletions
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 41de2e9428..95b9594ddc 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -390,6 +390,9 @@
!ifdef $(CSM_ENABLE)
gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE
!endif
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
[PcdsFixedAtBuild]
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1