From 506740982bba199f12e75f6cfda510c30aa4e7c6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Mon, 22 Apr 2024 12:47:28 +0200
Subject: [PATCH] OvmfPkg/VirtHstiDxe: add code flash check
Detects qemu config issue: code pflash is writable. Checked for both PC and Q35.
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Konstantin Kostiuk
Signed-off-by: Gerd Hoffmann
Reviewed-by: Jiewen Yao
---
 OvmfPkg/VirtHstiDxe/QemuCommon.c | 36 +++++++++++++++++++++++++++++
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c | 4 ++++
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.h | 13 +++++++++++
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 2 ++
 4 files changed, 55 insertions(+)
 create mode 100644 OvmfPkg/VirtHstiDxe/QemuCommon.c
diff --git a/OvmfPkg/VirtHstiDxe/QemuCommon.c b/OvmfPkg/VirtHstiDxe/QemuCommon.c
new file mode 100644
index 0000000000..4ab3fe2d6e
--- /dev/null
+++ b/OvmfPkg/VirtHstiDxe/QemuCommon.c
@@ -0,0 +1,36 @@
+/** @file
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+
+#include "VirtHstiDxe.h"
+
+VOID
+VirtHstiQemuCommonInit (
+ VIRT_ADAPTER_INFO_PLATFORM_SECURITY *VirtHsti
+ )
+{
+ VirtHstiSetSupported (VirtHsti, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
+
+VOID
+VirtHstiQemuCommonVerify (
+ VOID
+ )
+{
+ CHAR16 *ErrorMsg;
+
+ switch (VirtHstiQemuFirmwareFlashCheck (PcdGet32 (PcdBfvBase))) {
+ case QEMU_FIRMWARE_FLASH_WRITABLE:
+ ErrorMsg = L"qemu code pflash is writable";
+ break;
+ default:
+ ErrorMsg = NULL;
+ }
+
+ VirtHstiTestResult (ErrorMsg, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
index 74e5e6bd9d..b6e53a1219 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
@@ -104,9 +104,11 @@ VirtHstiOnReadyToBoot (
 switch (VirtHstiGetHostBridgeDevId ()) {
 case INTEL_82441_DEVICE_ID:
 VirtHstiQemuPCVerify ();
+ VirtHstiQemuCommonVerify ();
 break;
 case INTEL_Q35_MCH_DEVICE_ID:
 VirtHstiQemuQ35Verify ();
+ VirtHstiQemuCommonVerify ();
 break;
 default:
 ASSERT (FALSE);
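Review bot: In VirtHstiQemuCommonVerify the `default:` arm sets `ErrorMsg = NULL` for every result other than QEMU_FIRMWARE_FLASH_WRITABLE, and that includes QEMU_FIRMWARE_FLASH_UNKNOWN, which VirtHstiDxe.h declares. If a NULL message makes VirtHstiTestResult mark VIRT_HSTI_BYTE0_READONLY_CODE_FLASH as verified (its body is not part of this patch, so this is inferred), an inconclusive probe is reported exactly like a confirmed read-only flash. An explicit arm such as `case QEMU_FIRMWARE_FLASH_UNKNOWN: ErrorMsg = L"qemu code pflash state unknown"; break;` would make the result fail closed; failing that, a comment on `default:` should say why an unknown state is accepted. Both new functions also lack a header comment naming the HSTI bit they set or test.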
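Review bot: The call `VirtHstiQemuCommonVerify ();` is repeated in both case arms of VirtHstiOnReadyToBoot, and the VirtHstiDxeEntrypoint hunk repeats `VirtHstiQemuCommonInit (VirtHsti);` the same way, so a host-bridge case added later that omits either line would drop the code-flash check for that platform with no build or runtime signal. A comment on each switch, for example `// every supported platform must also run the VirtHstiQemuCommon* step`, would record the requirement; hoisting the common call below the switch is the stronger fix if the unknown-platform path returns before reaching it. Both functions continue outside their hunks, so whether hoisting is safe cannot be confirmed from this patch.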
@@ -142,9 +144,11 @@ VirtHstiDxeEntrypoint (
 switch (DevId) {
 case INTEL_82441_DEVICE_ID:
 VirtHsti = VirtHstiQemuPCInit ();
+ VirtHstiQemuCommonInit (VirtHsti);
 break;
 case INTEL_Q35_MCH_DEVICE_ID:
 VirtHsti = VirtHstiQemuQ35Init ();
+ VirtHstiQemuCommonInit (VirtHsti);
 break;
 default:
 DEBUG ((DEBUG_INFO, "%a: unknown platform (0x%x)\n", __func__, DevId));
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
index ceff41c037..f8bdcfe8f2 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK BIT0 #define VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH BIT1 +#define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH BIT2 typedef struct { // ADAPTER_INFO_PLATFORM_SECURITY
@@ -67,6 +68,18 @@ VirtHstiQemuPCVerify ( VOID ); +/* QemuCommon.c */ + +VOID +VirtHstiQemuCommonInit ( + VIRT_ADAPTER_INFO_PLATFORM_SECURITY *VirtHsti + ); + +VOID +VirtHstiQemuCommonVerify ( + VOID + ); + /* Flash.c */ #define QEMU_FIRMWARE_FLASH_UNKNOWN 0
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
index b6bdd1f22e..9514933011 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
@@ -22,6 +22,7 @@ VirtHstiDxe.c QemuPC.c QemuQ35.c + QemuCommon.c Flash.c [Packages]
@@ -48,6 +49,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase [Depex]