diff options
| author | Brijesh Singh <brijesh.singh@amd.com> | 2017-10-05 15:16:41 -0500 |
|---|---|---|
| committer | Laszlo Ersek <lersek@redhat.com> | 2017-10-17 21:28:26 +0200 |
| commit | 071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3 (patch) | |
| tree | 613606109d69d3682585d996601449a11f170394 /Omap35xxPkg | |
| parent | 65c77f02104cf0cf7bd224df3a5fc08795df9aad (diff) | |
| download | edk2-071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3.zip edk2-071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3.tar.gz edk2-071f1d19ddbc4abaaccbddfc7d6fcc5677f9b5c3.tar.bz2 | |
SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
By default the image verification policy for option ROM images is 0x4
(DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:
1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot
set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option
ROMs comes from host-side and most of the time cloud provider (i.e
hypervisor) have full access over a guest anyway. But when secure boot
is enabled, we would like to deny the execution of option ROM when
SEV is active. Having dynamic Pcd will give us flexibility to set the
security policy at the runtime.
Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Diffstat (limited to 'Omap35xxPkg')
0 files changed, 0 insertions, 0 deletions