From f29160a89699ddbe3dbc03d29857fd6fa2719e8e Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 22 Apr 2024 12:47:29 +0200 Subject: OvmfPkg/VirtHstiDxe: add README.md Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Konstantin Kostiuk Signed-off-by: Gerd Hoffmann Reviewed-by: Jiewen Yao --- OvmfPkg/VirtHstiDxe/README.md | 48 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 OvmfPkg/VirtHstiDxe/README.md (limited to 'OvmfPkg') diff --git a/OvmfPkg/VirtHstiDxe/README.md b/OvmfPkg/VirtHstiDxe/README.md new file mode 100644 index 0000000..c3975b8 --- /dev/null +++ b/OvmfPkg/VirtHstiDxe/README.md 
@@ -0,0 +1,48 @@ + +# virtual machine platform hsti driver + +This driver supports three tests. + +## VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK + +Verify the SMM memory is properly locked down. + +Supported platforms: + * Qemu Q35 (SMM_REQUIRE=TRUE builds). + +## VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH + +Verify the variable store is not writable for normal (not SMM) code. + +Supported platforms: + * Qemu Q35 (SMM_REQUIRE=TRUE builds). + +## VIRT_HSTI_BYTE0_READONLY_CODE_FLASH + +Verify the firmware code is not writable for the guest. + +Supported platforms: + * Qemu Q35 + * Qemu PC + +# qemu flash configuration + +With qemu being configured properly flash behavior should be this: + +configuration | OVMF_CODE.fd | OVMF_VARS.fd +-------------------------------|----------------|--------------- +SMM_REQUIRE=TRUE, SMM mode | read-only | writable +SMM_REQUIRE=TRUE, normal mode | read-only (1) | read-only (2) +SMM_REQUIRE=FALSE | read-only (3) | writable + +VIRT_HSTI_BYTE0_READONLY_CODE_FLASH will verify (1) + (3). +VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH will verify (2). + +## qemu command line for SMM_REQUIRE=TRUE builds +``` +qemu-system-x86-64 -M q35,smm=on,pflash0=code,pflash1=vars \ + -blockdev node-name=code,driver=file,filename=OVMF_CODE.fd,read-only=on \ + -blockdev node-name=vars,driver=file,filename=OVMF_VARS.fd \ + -global driver=cfi.pflash01,property=secure,value=on \ + [ ... more options here ... ] +``` -- cgit v1.1
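Review bot: the QEMU binary name in the command-line example is wrong: `qemu-system-x86-64` should be `qemu-system-x86_64` (underscore), otherwise anyone pasting the example gets a command-not-found error. Two smaller points in the same hunk: the example only covers SMM_REQUIRE=TRUE builds, yet the table also has an SMM_REQUIRE=FALSE row that VIRT_HSTI_BYTE0_READONLY_CODE_FLASH verifies via (3), so either a second command line for that build or a note on what changes (the `smm=on` machine option and the `secure=on` pflash property are the obvious candidates) would make the section complete; and `-global driver=cfi.pflash01,property=secure,value=on` is given without saying what it does, so one sentence tying it to the "SMM_REQUIRE=TRUE, normal mode" row would explain why OVMF_VARS.fd is read-only (2) there while it is writable in SMM mode. Style: "With qemu being configured properly flash behavior should be this:" reads better as "With qemu configured properly, flash behavior should be:", and the project name is normally written "QEMU" rather than "Qemu".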