author | Gerd Hoffmann <kraxel@redhat.com> | 2023-05-05 07:17:24 +0200 |
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-05-10 13:39:41 +0000 |
commit | 41d7832db02d082405ccc1edf38208b7a5cb8d87 (patch) | |
tree | 892ae2ff7cc89b0007239137265acd297a42786e /OvmfPkg | |
parent | e6447d2a08f5ca585816d093e79a01dad3781f98 (diff) | |
download | edk2-41d7832db02d082405ccc1edf38208b7a5cb8d87.zip edk2-41d7832db02d082405ccc1edf38208b7a5cb8d87.tar.gz edk2-41d7832db02d082405ccc1edf38208b7a5cb8d87.tar.bz2 |
OvmfPkg/PlatformBootManagerLib: add PcdBootRestrictToFirmware
Add new PCD PcdBootRestrictToFirmware. When set to TRUE restrict
boot options to EFI applications embedded into the firmware image.
Behavior should be identical to the PlatformBootManagerLibGrub
library variant.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Diffstat (limited to 'OvmfPkg')
-rw-r--r-- | OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 70 | ||||
-rw-r--r-- | OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 2 | ||||
-rw-r--r-- | OvmfPkg/OvmfPkg.dec | 3 |
3 files changed, 71 insertions, 4 deletions
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 3b7dc53..8dc2bbf 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -291,6 +291,46 @@ RemoveStaleFvFileOptions (
}
VOID
+RestrictBootOptionsToFirmware (
+ VOID
+ )
+{
+ EFI_BOOT_MANAGER_LOAD_OPTION *BootOptions;
+ UINTN BootOptionCount;
+ UINTN Index;
+
+ BootOptions = EfiBootManagerGetLoadOptions (
+ &BootOptionCount,
+ LoadOptionTypeBoot
+ );
+
+ for (Index = 0; Index < BootOptionCount; ++Index) {
+ EFI_DEVICE_PATH_PROTOCOL *Node1;
+
+ //
+ // If the device path starts with Fv(...),
+ // then keep the boot option.
+ //
+ Node1 = BootOptions[Index].FilePath;
+ if (((DevicePathType (Node1) == MEDIA_DEVICE_PATH) &&
+ (DevicePathSubType (Node1) == MEDIA_PIWG_FW_VOL_DP)))
+ {
+ continue;
+ }
+
+ //
+ // Delete the boot option.
+ //
+ EfiBootManagerDeleteLoadOptionVariable (
+ BootOptions[Index].OptionNumber,
+ LoadOptionTypeBoot
+ );
+ }
+
+ EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
+}
+
+VOID
PlatformRegisterOptionsAndKeys (
VOID
)
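Review bot: The status returned by `EfiBootManagerDeleteLoadOptionVariable` inside the loop is discarded, so a failed variable delete silently leaves a non-firmware boot option in place while the caller proceeds as if the restriction had been applied; capture it and log it, e.g. `Status = EfiBootManagerDeleteLoadOptionVariable (BootOptions[Index].OptionNumber, LoadOptionTypeBoot);` followed by `DEBUG ((DEBUG_ERROR, "%a: failed to delete Boot%04x: %r\n", gEfiCallerBaseName, BootOptions[Index].OptionNumber, Status));`. The filter also inspects only the first node of `FilePath`, and the function has no edk2-style `/** ... **/` header; the header should state that every boot option whose device path does not begin with a Fv(...) node (MEDIA_DEVICE_PATH / MEDIA_PIWG_FW_VOL_DP) is deleted from the variable store. If `EfiBootManagerGetLoadOptions` can return a NULL `BootOptions` with a zero count, the loop is skipped and the free call presumably tolerates it, but that behaviour is not visible here and is worth confirming.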
@@ -485,7 +525,9 @@ PlatformBootManagerBeforeConsole (
Status
));
- PlatformRegisterOptionsAndKeys ();
+ if (!FeaturePcdGet (PcdBootRestrictToFirmware)) {
+ PlatformRegisterOptionsAndKeys ();
+ }
//
// Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL
@@ -1754,9 +1796,12 @@ PlatformBootManagerAfterConsole (
//
// Perform some platform specific connect sequence
//
- PlatformBdsConnectSequence ();
-
- EfiBootManagerRefreshAllBootOption ();
+ if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
+ RestrictBootOptionsToFirmware ();
+ } else {
+ PlatformBdsConnectSequence ();
+ EfiBootManagerRefreshAllBootOption ();
+ }
//
// Register UEFI Shell
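Review bot: The restricted branch of the new `if (FeaturePcdGet (PcdBootRestrictToFirmware))` has no comment saying why the connect sequence and `EfiBootManagerRefreshAllBootOption` are skipped, so a later reader may "fix" it by re-adding the refresh and reintroduce auto-enumerated non-firmware options; add `// Restricted boot: do not connect devices or enumerate new boot options; drop every option not backed by a firmware volume.` above the call to RestrictBootOptionsToFirmware. The two branches also diverge in what the rest of PlatformBootManagerAfterConsole sees (connected vs. unconnected devices), which presumably is intended but deserves a sentence in the same comment. The enclosing function starts and ends outside this hunk.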
@@ -1767,6 +1812,15 @@ PlatformBootManagerAfterConsole (
LOAD_OPTION_ACTIVE
);
+ //
+ // Register Grub
+ //
+ PlatformRegisterFvBootOption (
+ &gGrubFileGuid,
+ L"Grub Bootloader",
+ LOAD_OPTION_ACTIVE
+ );
+
RemoveStaleFvFileOptions ();
SetBootOrderFromQemu ();
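Review bot: The new Grub registration is not gated on PcdBootRestrictToFirmware, so every build of this library now attempts to add a "Grub Bootloader" option; whether that is harmless when the firmware volume has no file with `gGrubFileGuid` depends on PlatformRegisterFvBootOption, which is outside the hunk, and a one-line comment (`// Registered unconditionally; skipped when the FV has no Grub image`) would pin the expectation if that is the case. Note also that the UEFI Shell option registered just above survives the restriction because it lives in the firmware volume, so the PCD limits which boot options exist, not what a firmware-embedded application such as the shell may load afterwards; that scope is worth stating in the PCD description so the option is not mistaken for a lockdown. The enclosing function continues outside this hunk.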
@@ -1935,6 +1989,14 @@ PlatformBootManagerUnableToBoot (
EFI_BOOT_MANAGER_LOAD_OPTION BootManagerMenu;
UINTN Index;
+ if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
+ AsciiPrint (
+ "%a: No bootable option was found.\n",
+ gEfiCallerBaseName
+ );
+ CpuDeadLoop ();
+ }
+
//
// BootManagerMenu doesn't contain the correct information when return status
// is EFI_NOT_FOUND.
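Review bot: The "No bootable option was found" message goes only to `AsciiPrint`, so it never reaches the DEBUG serial log that is usually the only artifact collected from a hung VM; add `DEBUG ((DEBUG_ERROR, "%a: No bootable option was found.\n", gEfiCallerBaseName));` before `CpuDeadLoop ()`. The dead loop itself is a hard halt with no way back to the boot manager menu, which matches the commit's stated intent, but a comment such as `// Restricted boot: never fall back to the boot manager menu.` above the `if` would make that deliberate. The enclosing function continues outside this hunk.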
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index c249a3c..6b396ea 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -61,6 +61,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+ gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate ## CONSUMES
@@ -84,3 +85,4 @@
gEfiGlobalVariableGuid
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
+ gGrubFileGuid
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 03ae29e..cc5a4ce 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -422,6 +422,9 @@
# check to decide whether to abort dispatch of the driver it is linked into.
gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|""|VOID*|0x68
+ ## Restrict boot to EFI applications in firmware volumes.
+ gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|FALSE|BOOLEAN|0x6c
+
[PcdsDynamic, PcdsDynamicEx]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
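Review bot: The section header the new PcdBootRestrictToFirmware declaration falls under is outside the hunk; BdsPlatform.c reads it with `FeaturePcdGet`, which requires a `[PcdsFeatureFlag]` declaration, so confirm that is the section preceding the `[PcdsDynamic, PcdsDynamicEx]` context line. The one-line description also undersells the effect: in the same commit the flag skips PlatformRegisterOptionsAndKeys and halts in a dead loop instead of offering the boot manager menu when nothing boots, so something like `## Restrict boot to EFI applications in firmware volumes; also suppresses platform option/key registration and halts instead of entering the boot manager when no option boots.` would tell integrators what they are enabling.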