From 41d7832db02d082405ccc1edf38208b7a5cb8d87 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 5 May 2023 07:17:24 +0200 Subject: OvmfPkg/PlatformBootManagerLib: add PcdBootRestrictToFirmware Add new PCD PcdBootRestrictToFirmware. When set to TRUE restrict boot options to EFI applications embedded into the firmware image. Behavior should be identical to the PlatformBootManagerLibGrub library variant. Signed-off-by: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Ard Biesheuvel --- .../Library/PlatformBootManagerLib/BdsPlatform.c | 70 ++++++++++++++++++++-- .../PlatformBootManagerLib.inf | 2 + OvmfPkg/OvmfPkg.dec | 3 + 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c index 3b7dc53e9f..8dc2bbf973 100644 --- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c @@ -290,6 +290,46 @@ RemoveStaleFvFileOptions ( EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount); } +VOID +RestrictBootOptionsToFirmware ( + VOID + ) +{ + EFI_BOOT_MANAGER_LOAD_OPTION *BootOptions; + UINTN BootOptionCount; + UINTN Index; + + BootOptions = EfiBootManagerGetLoadOptions ( + &BootOptionCount, + LoadOptionTypeBoot + ); + + for (Index = 0; Index < BootOptionCount; ++Index) { + EFI_DEVICE_PATH_PROTOCOL *Node1; + + // + // If the device path starts with Fv(...), + // then keep the boot option. + // + Node1 = BootOptions[Index].FilePath; + if (((DevicePathType (Node1) == MEDIA_DEVICE_PATH) && + (DevicePathSubType (Node1) == MEDIA_PIWG_FW_VOL_DP))) + { + continue; + } + + // + // Delete the boot option. + // + EfiBootManagerDeleteLoadOptionVariable ( + BootOptions[Index].OptionNumber, + LoadOptionTypeBoot + ); + } + + EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount); +} + VOID PlatformRegisterOptionsAndKeys ( VOID @@ -485,7 +525,9 @@ PlatformBootManagerBeforeConsole ( Status )); - PlatformRegisterOptionsAndKeys (); + if (!FeaturePcdGet (PcdBootRestrictToFirmware)) { + PlatformRegisterOptionsAndKeys (); + } // // Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL @@ -1754,9 +1796,12 @@ PlatformBootManagerAfterConsole ( // // Perform some platform specific connect sequence // - PlatformBdsConnectSequence (); - - EfiBootManagerRefreshAllBootOption (); + if (FeaturePcdGet (PcdBootRestrictToFirmware)) { + RestrictBootOptionsToFirmware (); + } else { + PlatformBdsConnectSequence (); + EfiBootManagerRefreshAllBootOption (); + } // // Register UEFI Shell @@ -1767,6 +1812,15 @@ PlatformBootManagerAfterConsole ( LOAD_OPTION_ACTIVE ); + // + // Register Grub + // + PlatformRegisterFvBootOption ( + &gGrubFileGuid, + L"Grub Bootloader", + LOAD_OPTION_ACTIVE + ); + RemoveStaleFvFileOptions (); SetBootOrderFromQemu (); @@ -1935,6 +1989,14 @@ PlatformBootManagerUnableToBoot ( EFI_BOOT_MANAGER_LOAD_OPTION BootManagerMenu; UINTN Index; + if (FeaturePcdGet (PcdBootRestrictToFirmware)) { + AsciiPrint ( + "%a: No bootable option was found.\n", + gEfiCallerBaseName + ); + CpuDeadLoop (); + } + // // BootManagerMenu doesn't contain the correct information when return status // is EFI_NOT_FOUND. diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf index c249a3cf1e..6b396eac7d 100644 --- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf @@ -61,6 +61,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId + gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate ## CONSUMES @@ -84,3 +85,4 @@ gEfiGlobalVariableGuid gRootBridgesConnectedEventGroupGuid gUefiShellFileGuid + gGrubFileGuid diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 03ae29e7b0..cc5a4ceead 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -422,6 +422,9 @@ # check to decide whether to abort dispatch of the driver it is linked into. gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|""|VOID*|0x68 + ## Restrict boot to EFI applications in firmware volumes. + gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|FALSE|BOOLEAN|0x6c + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 -- cgit v1.2.3