From: "Yao, Jiewen"
To: Gerd Hoffmann, "devel@edk2.groups.io"
CC: "Boeuf, Sebastien", Pawel Polawski, Ard Biesheuvel, "Justen, Jordan L", Oliver Steffen
Subject: Re: [PATCH v2 1/1] OvmfPkg: replace SECURE_BOOT_FEATURE_ENABLED with PcdSecureBootSupported
Date: Sat, 6 May 2023 07:14:40 +0000
References: <20230421065544.53525-1-kraxel@redhat.com>
In-Reply-To: <20230421065544.53525-1-kraxel@redhat.com>

Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Friday, April 21, 2023 2:56 PM
> To: devel@edk2.groups.io
> Cc: Boeuf, Sebastien; Pawel Polawski; Ard Biesheuvel; Yao, Jiewen; Justen, Jordan L; Gerd Hoffmann; Oliver Steffen
> Subject: [PATCH v2 1/1] OvmfPkg: replace SECURE_BOOT_FEATURE_ENABLED with PcdSecureBootSupported
>
> Drop the '-D SECURE_BOOT_FEATURE_ENABLED' compile time option,
> use a new FeaturePcd instead.
>
> Signed-off-by: Gerd Hoffmann
> --- > OvmfPkg/OvmfPkg.dec | 3 +++ > OvmfPkg/CloudHv/CloudHvX64.dsc | 10 +--------- > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 10 +--------- > OvmfPkg/Microvm/MicrovmX64.dsc | 10 +--------- > OvmfPkg/OvmfPkgIa32.dsc | 10 +--------- > OvmfPkg/OvmfPkgIa32X64.dsc | 10 +--------- > OvmfPkg/OvmfPkgX64.dsc | 10 +--------- > OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf | 2 ++ > OvmfPkg/PlatformPei/PlatformPei.inf | 1 + > OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c | 11 ++++------- > OvmfPkg/PlatformPei/Platform.c | 7 ++++--- > 11 files changed, 20 insertions(+), 64 deletions(-) >=20 > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > index 749fbd3b6bf4..03ae29e7b034 100644 > --- a/OvmfPkg/OvmfPkg.dec > +++ b/OvmfPkg/OvmfPkg.dec
> @@ -488,6 +488,9 @@ [PcdsFeatureFlag] > # used by OVMF, the varstore pflash chip, LockBox etc). >=20 > gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|FALSE|BOOLEAN|0x > 1e >=20 > + ## This feature flag indicates the firmware build supports secure boot= . > + > gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|FALSE|BOOLEAN| > 0x6d > + > ## Informs modules (including pre-DXE-phase modules) whether the > platform > # firmware contains a CSM (Compatibility Support Module). > # > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc > b/OvmfPkg/CloudHv/CloudHvX64.dsc > index cc2dd925bc94..2a1139daaa19 100644 > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc > @@ -93,15 +93,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D DISABLE_NEW_DEPRECATED_INTERFACES > GCC:*_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > !include NetworkPkg/NetworkBuildOptions.dsc.inc >=20 > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > @@ -477,6 +468,7 @@ [PcdsFeatureFlag] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > !endif > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 > diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > index f73440905540..d4403f11a7c6 100644 > --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc 
> @@ -90,15 +90,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D TDX_PEI_LESS_BOOT > GCC:*_*_*_CC_FLAGS =3D -D TDX_PEI_LESS_BOOT >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > GCC:*_*_*_DLINK_FLAGS =3D -z common-page-size=3D0x1000 > XCODE:*_*_*_DLINK_FLAGS =3D -seg1addr 0x1000 -segalign 0x1000 > @@ -387,6 +378,7 @@ [PcdsFeatureFlag] > gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE > !endif > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 > diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc > b/OvmfPkg/Microvm/MicrovmX64.dsc > index e9aab515592f..6fc11cc4d192 100644 > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > @@ -91,15 +91,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D DISABLE_NEW_DEPRECATED_INTERFACES > GCC:*_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > !include NetworkPkg/NetworkBuildOptions.dsc.inc >=20 > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > @@ -473,6 +464,7 @@ [PcdsFeatureFlag] > gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE > gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 86177bb94899..16916ec58247 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -94,15 +94,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D DISABLE_NEW_DEPRECATED_INTERFACES > GCC:*_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > !include NetworkPkg/NetworkBuildOptions.dsc.inc >=20 > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > @@ -484,6 +475,7 @@ [PcdsFeatureFlag] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > !endif > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index 065b54450647..936d763269c1 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -98,15 +98,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D DISABLE_NEW_DEPRECATED_INTERFACES > GCC:*_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > !include NetworkPkg/NetworkBuildOptions.dsc.inc >=20 > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] 
> @@ -490,6 +481,7 @@ [PcdsFeatureFlag] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > !endif > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 3d405cd4ade0..1c763b27def1 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -112,15 +112,6 @@ [BuildOptions] > INTEL:*_*_*_CC_FLAGS =3D /D TDX_GUEST_SUPPORTED > GCC:*_*_*_CC_FLAGS =3D -D TDX_GUEST_SUPPORTED >=20 > - # > - # SECURE_BOOT_FEATURE_ENABLED > - # > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > - MSFT:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - INTEL:*_*_*_CC_FLAGS =3D /D SECURE_BOOT_FEATURE_ENABLED > - GCC:*_*_*_CC_FLAGS =3D -D SECURE_BOOT_FEATURE_ENABLED > -!endif > - > !include NetworkPkg/NetworkBuildOptions.dsc.inc >=20 > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > @@ -511,6 +502,7 @@ [PcdsFeatureFlag] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > !endif > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > !endif >=20 > diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf > b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf > index 8cda78d0d0b4..f152c5504661 100644 > --- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf > +++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf > @@ -47,6 +47,8 @@ [LibraryClasses] > [Protocols] > gEfiSimpleFileSystemProtocolGuid ## CONSUMES >=20 > +[Pcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported >=20 > [Guids] > gEfiFileInfoGuid > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf > b/OvmfPkg/PlatformPei/PlatformPei.inf > index 1fadadeb5565..3934aeed9514 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf 
> @@ -94,6 +94,7 @@ [Pcd] > gUefiOvmfPkgTokenSpaceGuid.PcdQ35SmramAtDefaultSmbase > gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtr > gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtrSize > + gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported > gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress > gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize > diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c > b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c > index 72289da35819..d4139b911528 100644 > --- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c > +++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c > @@ -28,14 +28,12 @@ ConnectNvVarsToFileSystem ( > IN EFI_HANDLE FsHandle > ) > { > - #ifdef SECURE_BOOT_FEATURE_ENABLED > - > - return EFI_UNSUPPORTED; > - > - #else > - > EFI_STATUS Status; >=20 > + if (FeaturePcdGet (PcdSecureBootSupported)) { > + return EFI_UNSUPPORTED; > + } > + > // > // We might fail to load the variable, since the file system initially > // will not have the NvVars file. > @@ -52,7 +50,6 @@ ConnectNvVarsToFileSystem ( > } >=20 > return Status; > - #endif > } >=20 > /** > diff --git a/OvmfPkg/PlatformPei/Platform.c > b/OvmfPkg/PlatformPei/Platform.c > index cc9384ba5c4e..c56247e294f2 100644 > --- a/OvmfPkg/PlatformPei/Platform.c > +++ b/OvmfPkg/PlatformPei/Platform.c > @@ -222,9 +222,10 @@ ReserveEmuVariableNvStore ( > VariableStore =3D > (EFI_PHYSICAL_ADDRESS)(UINTN)PlatformReserveEmuVariableNvStore (); > PcdStatus =3D PcdSet64S (PcdEmuVariableNvStoreReserved, VariableSt= ore); >=20 > - #ifdef SECURE_BOOT_FEATURE_ENABLED > - PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore); > - #endif > + if (FeaturePcdGet (PcdSecureBootSupported)) { > + // restore emulated VarStore from pristine ROM copy > + PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore); > + } >=20 > ASSERT_RETURN_ERROR (PcdStatus); > } > -- > 2.40.0
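
Review bot: In the OvmfPkg/OvmfPkg.dec hunk, the comment on the new PcdSecureBootSupported entry ("This feature flag indicates the firmware build supports secure boot.") does not say what the flag changes. Suggest extending it to name the two consumers visible in this patch, ConnectNvVarsToFileSystem() returning EFI_UNSUPPORTED and ReserveEmuVariableNvStore() calling PlatformInitEmuVariableNvStore(), and to state that a platform DSC is expected to set it to TRUE when SECURE_BOOT_ENABLE is TRUE, since the declared default is FALSE.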
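
Review bot: In the [BuildOptions] hunks of the six .dsc files, the SECURE_BOOT_FEATURE_ENABLED define is dropped with nothing left to catch a platform that still passes it, while the replacement PCD defaults to FALSE in OvmfPkg.dec. A platform DSC not touched by this patch that keeps -D SECURE_BOOT_FEATURE_ENABLED would still build, but NvVarsFileLib.c and Platform.c would now take the non-secure-boot path without any diagnostic. The commit message should say that such platforms must add gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE to their [PcdsFeatureFlag] section, as the six DSCs here do.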
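
Review bot: In the NvVarsFileLib.inf and PlatformPei.inf hunks, PcdSecureBootSupported is listed under [Pcd], although OvmfPkg.dec declares it in [PcdsFeatureFlag] and both C files read it with FeaturePcdGet(). Listing it under a [FeaturePcd] section in each INF would make the access type explicit to readers and keep the INF consistent with how the code consumes it.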
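
Review bot: In the ConnectNvVarsToFileSystem() hunk of NvVarsFileLib.c, the new early return "if (FeaturePcdGet (PcdSecureBootSupported)) { return EFI_UNSUPPORTED; }" carries no comment saying why the NvVars file is refused in a secure boot build, whereas the Platform.c change did get one. A short comment above the if would help. Note also that the code after the return is no longer removed by the preprocessor, so it is now compiled in secure boot builds as well; that is fine as long as everything it references is still linked in those builds, which is worth confirming with a SECURE_BOOT_ENABLE=TRUE build of each platform.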
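
Review bot: In the ReserveEmuVariableNvStore() hunk of Platform.c, PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore) still runs before ASSERT_RETURN_ERROR (PcdStatus), and nothing in the visible context checks that PlatformReserveEmuVariableNvStore() returned a non-zero address before it is used as a pointer. Since the block is being rewritten anyway, consider moving the ASSERT ahead of the if and guarding the call on a valid VariableStore. The new one-line comment also differs from the block comment style seen in the NvVarsFileLib.c context (an empty "//" line above and below the text).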