* [PATCH 0/2] OvmfPkg/Microvm: support stateless secure boot
@ 2022-10-06 11:05 Gerd Hoffmann
From: Gerd Hoffmann @ 2022-10-06 11:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, Oliver Steffen, Jordan Justen, Gerd Hoffmann,
Pawel Polawski, Jiewen Yao
Gerd Hoffmann (2):
OvmfPkg/Microvm: add SECURE_BOOT_FEATURE_ENABLED
Revert "OvmfPkg/Microvm: no secure boot"
OvmfPkg/Microvm/MicrovmX64.dsc | 31 ++++++++++++++++++++++++++++++-
OvmfPkg/Microvm/MicrovmX64.fdf | 4 ++++
2 files changed, 34 insertions(+), 1 deletion(-)
--
2.37.3
* [PATCH 1/2] OvmfPkg/Microvm: add SECURE_BOOT_FEATURE_ENABLED
From: Gerd Hoffmann @ 2022-10-06 11:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, Oliver Steffen, Jordan Justen, Gerd Hoffmann,
Pawel Polawski, Jiewen Yao
The compiler flag is needed to make (stateless) secure boot actually
secure, i.e. restore EFI variables from ROM on reset.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
OvmfPkg/Microvm/MicrovmX64.dsc | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 33d68a5493de..e60d3a2071ab 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -91,6 +91,15 @@ [BuildOptions]
INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
+ #
+ # SECURE_BOOT_FEATURE_ENABLED
+ #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED
+ INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED
+ GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED
+!endif
+
!include NetworkPkg/NetworkBuildOptions.dsc.inc
[BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
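Review bot: the `!if $(SECURE_BOOT_ENABLE) == TRUE` guard is introduced here in 1/2, while the SECURE_BOOT_ENABLE build option itself only comes back with the revert in 2/2, so with this patch applied alone the DSC conditions on a macro it may not define; either order the revert first or say in the commit message that the define stays inactive until 2/2. The new comment block also only repeats the macro name; a one-line note that the define makes the variable driver restore EFI variables from ROM on reset (as the commit message states) would tell the next reader why this flag matters for security.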
--
2.37.3
* [PATCH 2/2] Revert "OvmfPkg/Microvm: no secure boot"
From: Gerd Hoffmann @ 2022-10-06 11:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, Oliver Steffen, Jordan Justen, Gerd Hoffmann,
Pawel Polawski, Jiewen Yao
This reverts commit 60d55c4156523e5dfb316b7c0c445b96c8f8be81.
Now that we have stateless secure boot support (which doesn't
need SMM) in OVMF we can enable the build option for MicroVM.
Bring it back by reverting the commit removing it.
Also add the new PlatformPKProtectionLib.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
OvmfPkg/Microvm/MicrovmX64.dsc | 22 +++++++++++++++++++++-
OvmfPkg/Microvm/MicrovmX64.fdf | 4 ++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index e60d3a2071ab..7eff8e2a88d9 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -214,7 +214,15 @@ [LibraryClasses]
!endif
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
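Review bot: the `!else` branch keeps AuthVariableLibNull, so a build without SECURE_BOOT_ENABLE has no authenticated-variable support at all; that is the intended "no secure boot" configuration, but a short comment next to the `!else` would make the consequence visible to whoever edits this block next. The commit message mentions adding PlatformPKProtectionLib, yet SecureBootVariableLib and SecureBootVariableProvisionLib are also resolved here; if those were not part of the reverted commit, list them too so the change is not mistaken for a clean revert.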
@@ -691,7 +699,14 @@ [Components]
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+!endif
+ }
+
MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
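Review bot: the `!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc` sits inside the SECURE_BOOT_ENABLE block, so whatever measurement hooks that include provides are only built when secure boot is enabled; measured boot and secure boot are independent features, so if this coupling is intended it deserves a sentence in the commit message, otherwise move the `!include` below the `!endif` and keep only the `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf` line under the guard.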
@@ -853,6 +868,11 @@ [Components]
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
}
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+!endif
+
OvmfPkg/PlatformDxe/Platform.inf
OvmfPkg/IoMmuDxe/IoMmuDxe.inf
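Review bot: EnrollDefaultKeys.inf is added to [Components] here, but the fdf hunk in this patch only adds SecureBootConfigDxe to FV.DXEFV, so EnrollDefaultKeys is built yet not placed in the firmware image; if that is intentional because it is a standalone application rather than a driver, the commit message should say so, so that nobody later "fixes" it by adding it to the FV.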
diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
index ff0aab2bcb9e..380ba3a36883 100644
--- a/OvmfPkg/Microvm/MicrovmX64.fdf
+++ b/OvmfPkg/Microvm/MicrovmX64.fdf
@@ -206,6 +206,10 @@ [FV.DXEFV]
INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
INF OvmfPkg/VirtioRngDxe/VirtioRng.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
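Review bot: the guard here matches the DSC, so the two files stay consistent; the remaining check is that the FV.DXEFV size declared earlier in this fdf leaves room for the extra driver, since an overflow only shows up as a build failure.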
--
2.37.3
* Re: [PATCH 0/2] OvmfPkg/Microvm: support stateless secure boot
From: Ard Biesheuvel @ 2022-10-07 21:49 UTC (permalink / raw)
To: Gerd Hoffmann
Cc: devel, Ard Biesheuvel, Oliver Steffen, Jordan Justen,
Pawel Polawski, Jiewen Yao
Merged #3449 into master.
On Thu, 6 Oct 2022 at 13:05, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
>
>
> Gerd Hoffmann (2):
> OvmfPkg/Microvm: add SECURE_BOOT_FEATURE_ENABLED
> Revert "OvmfPkg/Microvm: no secure boot"
>
> OvmfPkg/Microvm/MicrovmX64.dsc | 31 ++++++++++++++++++++++++++++++-
> OvmfPkg/Microvm/MicrovmX64.fdf | 4 ++++
> 2 files changed, 34 insertions(+), 1 deletion(-)
>
> --
> 2.37.3
>