From 6041ac65ae879389f3ab5c0699f916d3e71c97fe Mon Sep 17 00:00:00 2001 From: Brijesh Singh Date: Thu, 5 Oct 2017 15:16:42 -0500 Subject: OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active The following commit: 1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion ROMs attached to the emulated PCI devices. A expansion ROM constitute another channel through which a cloud provider (i.e hypervisor) can inject a code in guest boot flow to compromise it. When SEV is enabled, the bios code has been verified by the guest owner via the SEV guest launch sequence before its executed. When secure boot, is enabled, lets make sure that we do not allow guest bios to execute a code which is not signed by the guest owner. Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728 Cc: Chao Zhang Cc: Jordan Justen Cc: Laszlo Ersek Cc: Tom Lendacky Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Brijesh Singh Reviewed-by: Laszlo Ersek --- OvmfPkg/OvmfPkgX64.dsc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'OvmfPkg/OvmfPkgX64.dsc') diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 36c60fc19c..e52a3bd4db 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -488,10 +488,6 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 !endif -!if $(SECURE_BOOT_ENABLE) == TRUE - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 -!endif - # IRQs 5, 9, 10, 11 are level-triggered gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 @@ -551,6 +547,11 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 +!endif + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. -- cgit v1.2.3