From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C46EF211CAC8E for ; Wed, 6 Feb 2019 04:11:44 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0964981138; Wed, 6 Feb 2019 12:11:44 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-4.rdu2.redhat.com [10.10.120.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id D1E405C54A; Wed, 6 Feb 2019 12:11:42 +0000 (UTC) From: Laszlo Ersek To: edk2-devel@lists.01.org Date: Wed, 6 Feb 2019 13:11:09 +0100 Message-Id: <20190206121109.8776-15-lersek@redhat.com> In-Reply-To: <20190206121109.8776-1-lersek@redhat.com> References: <20190206121109.8776-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 06 Feb 2019 12:11:44 +0000 (UTC) Subject: [PATCH 14/14] ArmVirtPkg/ArmVirtXen: don't set Pcd*ImageVerificationPolicy X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Feb 2019 12:11:45 -0000 Content-Transfer-Encoding: 8bit According to the PCDs not used by modules or in conditional directives sections of all the build reports for {AARCH64,ARM} x {Xen} x {DEBUG,NOOPT,RELEASE} x {feat-1} (6 builds in total), PcdOptionRomImageVerificationPolicy, PcdFixedMediaImageVerificationPolicy, and PcdRemovableMediaImageVerificationPolicy are not used in any of those builds. Restrict the settings to the ArmVirtQemu and ArmVirtQemuKernel platforms (preserving the -D SECURE_BOOT_ENABLE restriction in the process). ("feat-1" stands for "-D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D SECURE_BOOT_ENABLE -D TTY_TERMINAL", while "feat-0" stands for "".) Cc: Ard Biesheuvel Cc: Julien Grall Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- ArmVirtPkg/ArmVirt.dsc.inc | 7 ------- ArmVirtPkg/ArmVirtQemu.dsc | 7 +++++++ ArmVirtPkg/ArmVirtQemuKernel.dsc | 7 +++++++ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index f7c51e3c160f..5d541d35e0c0 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -347,13 +347,6 @@ [PcdsFixedAtBuild.common] gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20 gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0 -!if $(SECURE_BOOT_ENABLE) == TRUE - # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 - gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 - gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 -!endif - # # Enable strict image permissions for all images. (This applies # only to images that were built with >= 4 KB section alignment.) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 83c8af0258b2..8cc31fda7a37 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -148,6 +148,13 @@ [PcdsFixedAtBuild.common] # gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [PcdsFixedAtBuild.AARCH64] # Clearing BIT0 in this PCD prevents installing a 32-bit SMBIOS entry point, # if the entry point version is >= 3.0. AARCH64 OSes cannot assume the diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc index 46d8bac3ef4d..c3e0c9bf2549 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -142,6 +142,13 @@ [PcdsFixedAtBuild.common] # gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [PcdsPatchableInModule.common] # # This will be overridden in the code -- 2.19.1.3.g30247aa5d201