From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web11.4411.1665054335367709864 for ; Thu, 06 Oct 2022 04:05:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IP0tXns9; spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1665054334; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Rgcf41muxyRtYdQ9j8WDTGPa/0hVfdbrdi+PC8dKF6g=; b=IP0tXns9AJ6EWm4PLgPvf1cK/pfTRWKip+RhvYP1SV06HSU1/FE8t5PcBDX/vOa8VL2DN2 6SdqOEoo6nsy/bGF69K0GPYvrPdbGKLEFJfySjpQ8+XP8gpUw/ogOuvSAGk166YSkWLrMJ vCZdRxkl49kFLm2xiSHqQeaK7ImwrFU= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-670-JQkf2CSJPz2RcIQMnxgE-g-1; Thu, 06 Oct 2022 07:05:31 -0400 X-MC-Unique: JQkf2CSJPz2RcIQMnxgE-g-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9F094855420; Thu, 6 Oct 2022 11:05:30 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.39.193.173]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 548A614588B5; Thu, 6 Oct 2022 11:05:30 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id A14A1180079D; Thu, 6 Oct 2022 13:05:26 +0200 (CEST) From: "Gerd Hoffmann" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Oliver Steffen , Jordan Justen , Gerd Hoffmann , Pawel Polawski , Jiewen Yao Subject: [PATCH 2/2] Revert "OvmfPkg/Microvm: no secure boot" Date: Thu, 6 Oct 2022 13:05:26 +0200 Message-Id: <20221006110526.1068475-3-kraxel@redhat.com> In-Reply-To: <20221006110526.1068475-1-kraxel@redhat.com> References: <20221006110526.1068475-1-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true This reverts commit 60d55c4156523e5dfb316b7c0c445b96c8f8be81. Now that we have stateless secure boot support (which doesn't need SMM) in OVMF we can enable the build option for MicroVM. Bring it back by reverting the commit removing it. Also add the new PlatformPKProtectionLib. Signed-off-by: Gerd Hoffmann --- OvmfPkg/Microvm/MicrovmX64.dsc | 22 +++++++++++++++++++++- OvmfPkg/Microvm/MicrovmX64.fdf | 4 ++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index e60d3a2071ab..7eff8e2a88d9 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -214,7 +214,15 @@ [LibraryClasses] !endif RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf @@ -691,7 +699,14 @@ [Components] MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf @@ -853,6 +868,11 @@ [Components] gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +!endif + OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf index ff0aab2bcb9e..380ba3a36883 100644 --- a/OvmfPkg/Microvm/MicrovmX64.fdf +++ b/OvmfPkg/Microvm/MicrovmX64.fdf @@ -206,6 +206,10 @@ [FV.DXEFV] INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf INF OvmfPkg/VirtioRngDxe/VirtioRng.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf -- 2.37.3