ArmVirtPkg/ArmVirtXen: don't set Pcd*ImageVerificationPolicy

According to the PCDs not used by modules or in conditional directives sections of all the build reports for {AARCH64,ARM} x {Xen} x {DEBUG,NOOPT,RELEASE} x {feat-1} (6 builds in total), PcdOptionRomImageVerificationPolicy, PcdFixedMediaImageVerificationPolicy, and PcdRemovableMediaImageVerificationPolicy are not used in any of those builds. Restrict the settings to the ArmVirtQemu and ArmVirtQemuKernel platforms (preserving the -D SECURE_BOOT_ENABLE restriction in the process). ("feat-1" stands for "-D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D SECURE_BOOT_ENABLE -D TTY_TERMINAL", while "feat-0" stands for "".) Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Julien Grall <julien.grall@linaro.org> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-02-06 10:08:53 +01:00 · 2019-02-06 10:08:53 +01:00 · da06a2a2fa
parent c0b612b3a4
commit da06a2a2fa
3 changed files with 14 additions and 7 deletions
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@ -347,13 +347,6 @@
  gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20
  gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0

-!if $(SECURE_BOOT_ENABLE) == TRUE
-  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
-!endif
-
  #
  # Enable strict image permissions for all images. (This applies
  # only to images that were built with >= 4 KB section alignment.)
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@ -148,6 +148,13 @@
  #
  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
 [PcdsFixedAtBuild.AARCH64]
  # Clearing BIT0 in this PCD prevents installing a 32-bit SMBIOS entry point,
  # if the entry point version is >= 3.0. AARCH64 OSes cannot assume the
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@ -142,6 +142,13 @@
  #
  gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
 [PcdsPatchableInModule.common]
  #
  # This will be overridden in the code