OvmfPkg: inherit Image Verification Policy defaults from SecurityPkg

Secure Boot support was originally addded to OvmfPkg on 2012-Mar-09, in
SVN r13093 (git 8cee3de7e9f4), titled

  OvmfPkg: Enable secure-boot support when SECURE_BOOT_ENABLE==TRUE

At that time the image verification policies in
SecurityPkg/SecurityPkg.dec were:

- option ROM image:      0x00 (ALWAYS_EXECUTE)
- removable media image: 0x05 (QUERY_USER_ON_SECURITY_VIOLATION)
- fixed media image:     0x05 (QUERY_USER_ON_SECURITY_VIOLATION)

The author of SVN r13093 apparently didn't want to depend on the
SecurityPkg defaults for the latter two image origins, plus the
ALWAYS_EXECUTE policy for option ROM images must have been deemed too lax.
For this reason SVN r13093 immediately spelled out 0x05
(QUERY_USER_ON_SECURITY_VIOLATION) within OvmfPkg for all three image
origins.

Fast forward to 2013-Aug-28: policy 0x05
(QUERY_USER_ON_SECURITY_VIOLATION) had been forbidden in the UEFI spec,
and SVN r14607 (git db44ea6c4e09) reflected this in the source code:

- The policies for the latter two image origins were switched from 0x05 to
  0x04 (DENY_EXECUTE_ON_SECURITY_VIOLATION) in SecurityPkg,

- the patch changed the default policy for option ROM images too, from
  0x00 (ALWAYS_EXECUTE) to 0x04 (DENY_EXECUTE_ON_SECURITY_VIOLATION),

- any other client DSC files, including OvmfPkg's, underwent a whole-sale
  0x05 (QUERY_USER_ON_SECURITY_VIOLATION) -> 0x04
  (DENY_EXECUTE_ON_SECURITY_VIOLATION) replacement too.

The practical result of that patch for OvmfPkg was that the explicit 0x04
settings would equal the strict SecurityPkg defaults exactly.

And that's what we have today: the "override the default values from
SecurityPkg" comments in OvmfPkg's DSC files are stale, in practice.

It is extremely unlikely that SecurityPkg would change the defaults from
0x04 (DENY_EXECUTE_ON_SECURITY_VIOLATION) any time in the future, so let's
just inherit those in OvmfPkg.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19613 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Laszlo Ersek 2016-01-07 18:48:13 +00:00 committed by lersek
parent 1d3fa1bd38
commit 65d2bf4223
3 changed files with 0 additions and 21 deletions

View File

@ -381,13 +381,6 @@
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20

View File

@ -387,13 +387,6 @@
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20

View File

@ -386,13 +386,6 @@
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20