From: Brijesh Singh
To: edk2-devel@lists.01.org
Cc: Brijesh Singh, Chao Zhang, Jordan Justen, Laszlo Ersek, Tom Lendacky
Date: Thu, 5 Oct 2017 13:48:47 -0500
Message-Id: <20171005184848.94432-1-brijesh.singh@amd.com>
Subject: [PATCH 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic

By default the image verification policy for option ROM images is 0x4 (DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:

  1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option ROMs come from host-side and most of the time the cloud provider (i.e. hypervisor) has full access over a guest anyway. But when secure boot is enabled, we would like to deny the execution of option ROM when SEV is active. Having a dynamic Pcd will give us flexibility to set the security policy at runtime.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728

Cc: Chao Zhang
Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Tom Lendacky
Signed-off-by: Brijesh Singh
--- SecurityPkg/SecurityPkg.dec | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 01bff01ed50a..4e32d172d7d9 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -230,18 +230,6 @@ # [PcdsFixedAtBuild, PcdsPatchableInModule] - ## Image verification policy for OptionRom. Only following values are valid:

- # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
- # 0x00000000 Always trust the image.
- # 0x00000001 Never trust the image.
- # 0x00000002 Allow execution when there is security violation.
- # 0x00000003 Defer execution when there is security violation.
- # 0x00000004 Deny execution when there is security violation.
- # 0x00000005 Query user when there is security violation.
- # @Prompt Set policy for the image from OptionRom. - # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001 - ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network. # Only following values are valid:

# NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
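Review bot: after this removal the removable-media policy that follows in the context lines stays under [PcdsFixedAtBuild, PcdsPatchableInModule], so the option ROM policy becomes the only image verification policy shown here that can change at run time. The declaration should carry a comment saying why this one PCD differs (the SEV case from the commit message); without it the asymmetry reads as an accident to the next person editing the file.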
@@ -304,6 +292,18 @@ gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|UINT32|0x00000007 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## Image verification policy for OptionRom. Only following values are valid:

+ # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
+ # 0x00000000 Always trust the image.
+ # 0x00000001 Never trust the image.
+ # 0x00000002 Allow execution when there is security violation.
+ # 0x00000003 Defer execution when there is security violation.
+ # 0x00000004 Deny execution when there is security violation.
+ # 0x00000005 Query user when there is security violation.
+ # @Prompt Set policy for the image from OptionRom. + # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001 + ## Indicates the presence or absence of the platform operator during firmware booting. # If platform operator is not physical presence during boot. TPM will be locked and the TPM commands # that required operator physical presence can not run.
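Review bot: the re-added comment block tells readers not to use 0x5 and 0x2, yet the value list still documents both and "@ValidRange 0x80000001 | 0x00000000 - 0x00000005" still admits them. That contradiction mattered less for a build-time constant; under [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] the value can be written at run time, so either narrow the documented range to the values that are actually allowed or state that the consumer must reject 0x2 and 0x5. The comment should also say that a platform setting this PCD dynamically has to do so before option ROM images are verified, and that 0x0 (always trust) remains a legal value.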

-- 2.9.5