OvmfPkg: QemuFlashFvbServicesRuntimeDxe: adhere to -D SMM_REQUIRE

When the user requires "security" by passing -D SMM_REQUIRE, and
consequently by setting PcdSmmSmramRequire, enforce flash-based variables.

Furthermore, add two ASSERT()s to catch if the wrong module were pulled
into the build.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19063 6f19259b-4bc3-4df7-8a09-765794883524

5 files changed, 11 insertions, 0 deletions

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
index ea8413fcfd..c0dda75bf7 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
@@ -85,6 +85,8 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64

   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable

 

+[FeaturePcd]

+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire

 

 [Depex]

   TRUE

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf
index 6af0649f86..ba2d3679a4 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf
@@ -84,6 +84,8 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64

   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable

 

+[FeaturePcd]

+  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire

 

 [Depex]

   TRUE

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
index c11f598b5a..63b308658e 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
@@ -17,6 +17,7 @@
 #include <Guid/EventGroup.h>

 #include <Library/DebugLib.h>

 #include <Library/DevicePathLib.h>

+#include <Library/PcdLib.h>

 #include <Library/UefiBootServicesTableLib.h>

 #include <Library/UefiRuntimeLib.h>

 #include <Protocol/DevicePath.h>

@@ -34,6 +35,8 @@ InstallProtocolInterfaces (
   EFI_HANDLE                         FwbHandle;

   EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *OldFwbInterface;

 

+  ASSERT (!FeaturePcdGet (PcdSmmSmramRequire));

+

   //

   // Find a handle with a matching device path that has supports FW Block

   // protocol

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
index e77129e03b..e0617f2503 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
@@ -15,6 +15,7 @@
 **/

 

 #include <Library/DebugLib.h>

+#include <Library/PcdLib.h>

 #include <Library/SmmServicesTableLib.h>

 #include <Protocol/DevicePath.h>

 #include <Protocol/SmmFirmwareVolumeBlock.h>

@@ -29,6 +30,8 @@ InstallProtocolInterfaces (
   EFI_HANDLE FvbHandle;

   EFI_STATUS Status;

 

+  ASSERT (FeaturePcdGet (PcdSmmSmramRequire));

+

   //

   // There is no SMM service that can install multiple protocols in the SMM

   // protocol database in one go.

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
index 28bcb135ae..5677b5ee11 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
@@ -245,6 +245,7 @@ QemuFlashInitialize (
   mFdBlockCount = PcdGet32 (PcdOvmfFirmwareFdSize) / mFdBlockSize;

 

   if (!QemuFlashDetected ()) {

+    ASSERT (!FeaturePcdGet (PcdSmmSmramRequire));

     return EFI_WRITE_PROTECTED;

   }