OvmfPkg/VirtHstiDxe: add code flash check

Detects qemu config issue: code pflash is writable. Checked for both PC and Q35. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Konstantin Kostiuk <kkostiuk@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
2024-04-22 12:47:28 +02:00 · 2024-04-22 12:47:28 +02:00 · 506740982b
parent ddc43e7a41
commit 506740982b
4 changed files with 55 additions and 0 deletions
--- a/OvmfPkg/VirtHstiDxe/QemuCommon.c
+++ b/OvmfPkg/VirtHstiDxe/QemuCommon.c
@ -0,0 +1,36 @@
+/** @file
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+
+#include "VirtHstiDxe.h"
+
+VOID
+VirtHstiQemuCommonInit (
+  VIRT_ADAPTER_INFO_PLATFORM_SECURITY  *VirtHsti
+  )
+{
+  VirtHstiSetSupported (VirtHsti, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
+
+VOID
+VirtHstiQemuCommonVerify (
+  VOID
+  )
+{
+  CHAR16  *ErrorMsg;
+
+  switch (VirtHstiQemuFirmwareFlashCheck (PcdGet32 (PcdBfvBase))) {
+    case QEMU_FIRMWARE_FLASH_WRITABLE:
+      ErrorMsg = L"qemu code pflash is writable";
+      break;
+    default:
+      ErrorMsg = NULL;
+  }
+
+  VirtHstiTestResult (ErrorMsg, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
@ -104,9 +104,11 @@ VirtHstiOnReadyToBoot (
  switch (VirtHstiGetHostBridgeDevId ()) {
    case INTEL_82441_DEVICE_ID:
      VirtHstiQemuPCVerify ();
+      VirtHstiQemuCommonVerify ();
      break;
    case INTEL_Q35_MCH_DEVICE_ID:
      VirtHstiQemuQ35Verify ();
+      VirtHstiQemuCommonVerify ();
      break;
    default:
      ASSERT (FALSE);
@ -142,9 +144,11 @@ VirtHstiDxeEntrypoint (
  switch (DevId) {
    case INTEL_82441_DEVICE_ID:
      VirtHsti = VirtHstiQemuPCInit ();
+      VirtHstiQemuCommonInit (VirtHsti);
      break;
    case INTEL_Q35_MCH_DEVICE_ID:
      VirtHsti = VirtHstiQemuQ35Init ();
+      VirtHstiQemuCommonInit (VirtHsti);
      break;
    default:
      DEBUG ((DEBUG_INFO, "%a: unknown platform (0x%x)\n", __func__, DevId));
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK         BIT0
 #define VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH  BIT1
+#define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH    BIT2

 typedef struct {
  // ADAPTER_INFO_PLATFORM_SECURITY
@ -67,6 +68,18 @@ VirtHstiQemuPCVerify (
  VOID
  );

+/* QemuCommon.c */
+
+VOID
+VirtHstiQemuCommonInit (
+  VIRT_ADAPTER_INFO_PLATFORM_SECURITY  *VirtHsti
+  );
+
+VOID
+VirtHstiQemuCommonVerify (
+  VOID
+  );
+
 /* Flash.c */

 #define QEMU_FIRMWARE_FLASH_UNKNOWN    0
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
@ -22,6 +22,7 @@
  VirtHstiDxe.c
  QemuPC.c
  QemuQ35.c
+  QemuCommon.c
  Flash.c

 [Packages]
@ -48,6 +49,7 @@
  gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire

 [Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase

 [Depex]