tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

OvmfPkg/PlatformBootManagerLib: add PcdBootRestrictToFirmware 

Add new PCD PcdBootRestrictToFirmware.  When set to TRUE restrict
boot options to EFI applications embedded into the firmware image.

Behavior should be identical to the PlatformBootManagerLibGrub
library variant.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
This commit is contained in:
Gerd Hoffmann 2023-05-05 07:17:24 +02:00 committed by mergify[bot]
parent e6447d2a08
commit 41d7832db0
3 changed files with 71 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
View File

@ -290,6 +290,46 @@ RemoveStaleFvFileOptions (
EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
}
VOID
RestrictBootOptionsToFirmware (
VOID
)
{
EFI_BOOT_MANAGER_LOAD_OPTION *BootOptions;
UINTN BootOptionCount;
UINTN Index;
BootOptions = EfiBootManagerGetLoadOptions (
&BootOptionCount,
LoadOptionTypeBoot
);
for (Index = 0; Index < BootOptionCount; ++Index) {
EFI_DEVICE_PATH_PROTOCOL *Node1;
//
// If the device path starts with Fv(...),
// then keep the boot option.
//
Node1 = BootOptions[Index].FilePath;
if (((DevicePathType (Node1) == MEDIA_DEVICE_PATH) &&
(DevicePathSubType (Node1) == MEDIA_PIWG_FW_VOL_DP)))
{
continue;
}
//
// Delete the boot option.
//
EfiBootManagerDeleteLoadOptionVariable (
BootOptions[Index].OptionNumber,
LoadOptionTypeBoot
);
}
EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
}
VOID
PlatformRegisterOptionsAndKeys (
VOID
@ -485,7 +525,9 @@ PlatformBootManagerBeforeConsole (
Status
));
PlatformRegisterOptionsAndKeys ();
if (!FeaturePcdGet (PcdBootRestrictToFirmware)) {
PlatformRegisterOptionsAndKeys ();
}
//
// Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL
@ -1754,9 +1796,12 @@ PlatformBootManagerAfterConsole (
//
// Perform some platform specific connect sequence
//
PlatformBdsConnectSequence ();
EfiBootManagerRefreshAllBootOption ();
if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
RestrictBootOptionsToFirmware ();
} else {
PlatformBdsConnectSequence ();
EfiBootManagerRefreshAllBootOption ();
}
//
// Register UEFI Shell
@ -1767,6 +1812,15 @@ PlatformBootManagerAfterConsole (
LOAD_OPTION_ACTIVE
);
//
// Register Grub
//
PlatformRegisterFvBootOption (
&gGrubFileGuid,
L"Grub Bootloader",
LOAD_OPTION_ACTIVE
);
RemoveStaleFvFileOptions ();
SetBootOrderFromQemu ();
@ -1935,6 +1989,14 @@ PlatformBootManagerUnableToBoot (
EFI_BOOT_MANAGER_LOAD_OPTION BootManagerMenu;
UINTN Index;
if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
AsciiPrint (
"%a: No bootable option was found.\n",
gEfiCallerBaseName
);
CpuDeadLoop ();
}
//
// BootManagerMenu doesn't contain the correct information when return status
// is EFI_NOT_FOUND.

2
OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
View File

@ -61,6 +61,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate ## CONSUMES
@ -84,3 +85,4 @@
gEfiGlobalVariableGuid
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
gGrubFileGuid

3
OvmfPkg/OvmfPkg.dec
View File

@ -422,6 +422,9 @@
# check to decide whether to abort dispatch of the driver it is linked into.
gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|""|VOID*|0x68
## Restrict boot to EFI applications in firmware volumes.
gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|FALSE|BOOLEAN|0x6c
[PcdsDynamic, PcdsDynamicEx]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10