From 63887e272d124f53828664e3c312741b63e7a100 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 5 May 2023 07:17:25 +0200
Subject: OvmfPkg/NvVarsFileLib: disable in case PcdBootRestrictToFirmware is
 set

In case PcdBootRestrictToFirmware is set, disable loading EFI variables
from NvVars file.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
---
 OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c   | 4 +++-
 OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

(limited to 'OvmfPkg')

diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
index d4139b9115..86380a867a 100644
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
@@ -30,7 +30,9 @@ ConnectNvVarsToFileSystem (
 {
   EFI_STATUS  Status;
 
-  if (FeaturePcdGet (PcdSecureBootSupported)) {
+  if (FeaturePcdGet (PcdSecureBootSupported) ||
+      FeaturePcdGet (PcdBootRestrictToFirmware))
+  {
     return EFI_UNSUPPORTED;
   }
 
diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
index f152c55046..9ae40ffe43 100644
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
@@ -49,6 +49,7 @@
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
+  gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware
 
 [Guids]
   gEfiFileInfoGuid
-- 
cgit v1.2.3