mirror of https://github.com/acidanthera/audk.git
66c24219ad
The VirtHstiDxe does not work in confidential guests. There also isn't
anything we can reasonably test: neither flash storage nor SMM mode will
be used in that case. So just skip driver load when running in a
confidential guest.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Fixes:
Files in this directory:
- Flash.c
- QemuCommon.c
- QemuPC.c
- QemuQ35.c
- README.md
- VirtHstiDxe.c
- VirtHstiDxe.h
- VirtHstiDxe.inf
README.md
virtual machine platform hsti driver
This driver supports three tests.
VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK
Verify the SMM memory is properly locked down.
Supported platforms:
- Qemu Q35 (SMM_REQUIRE=TRUE builds).
VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH
Verify the variable store is not writable for normal (not SMM) code.
Supported platforms:
- Qemu Q35 (SMM_REQUIRE=TRUE builds).
VIRT_HSTI_BYTE0_READONLY_CODE_FLASH
Verify the firmware code is not writable for the guest.
Supported platforms:
- Qemu Q35
- Qemu PC
qemu flash configuration
With qemu configured properly, the flash behavior should be as follows:
configuration | OVMF_CODE.fd | OVMF_VARS.fd |
---|---|---|
SMM_REQUIRE=TRUE, SMM mode | read-only | writable |
SMM_REQUIRE=TRUE, normal mode | read-only (1) | read-only (2) |
SMM_REQUIRE=FALSE | read-only (3) | writable |
VIRT_HSTI_BYTE0_READONLY_CODE_FLASH will verify (1) + (3). VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH will verify (2).
qemu command line for SMM_REQUIRE=TRUE builds
```shell
qemu-system-x86_64 -M q35,smm=on,pflash0=code,pflash1=vars \
  -blockdev node-name=code,driver=file,filename=OVMF_CODE.fd,read-only=on \
  -blockdev node-name=vars,driver=file,filename=OVMF_VARS.fd \
  -global driver=cfi.pflash01,property=secure,value=on \
  [ ... more options here ... ]
```
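The flash table and the command line above describe what the HSTI tests expect from the host side: the code flash node must be attached read-only, the vars flash must stay writable, and SMM_REQUIRE=TRUE builds additionally need `smm=on` plus the `secure` pflash property so that the variable store is only writable from SMM. The following script is an added example, not code from edk2 or audk, that checks a qemu launch line against those expectations before booting the guest. Its option parser is a simplified model of qemu's `-M`, `-blockdev` and `-global` syntax (no quoting inside option values), and the two launch lines it ships with are constructed for the demonstration; the "SMM mode vs. normal mode" rows of the table are runtime states of the guest and are not visible on the command line, which is why the check looks for the `secure=on` property instead.

```python
"""Check a qemu launch line against the flash protections that the
VirtHstiDxe README expects.  Added example, not part of edk2/audk; the
option parsing below is a simplified model of qemu's real syntax."""
import shlex


def parse_opts(spec):
    """Turn "q35,smm=on,pflash0=code" into {"type": "q35", "smm": "on", ...}.
    A leading item without '=' (the machine type) is stored under "type"."""
    opts = {}
    for item in spec.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key] = value
        elif item:
            opts["type"] = item
    return opts


def parse_qemu_cmdline(cmdline):
    """Extract the -M options, the -blockdev nodes (keyed by node-name) and
    the -global settings from a launch line; backslash-newline continuations
    are joined first so that shlex sees one logical line."""
    argv = shlex.split(cmdline.replace("\\\n", " "))
    machine, blockdevs, globals_ = {}, {}, []
    i = 1  # argv[0] is the qemu binary
    while i < len(argv):
        flag = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else ""
        if flag in ("-M", "-machine"):
            machine = parse_opts(arg)
        elif flag == "-blockdev":
            node = parse_opts(arg)
            blockdevs[node.get("node-name", "")] = node
        elif flag == "-global":
            globals_.append(parse_opts(arg))
        # consume "flag value" pairs, or a bare flag such as -nographic
        i += 2 if flag.startswith("-") and not arg.startswith("-") else 1
    return machine, blockdevs, globals_


def check_flash_config(cmdline, smm_require):
    """Return a list of findings; an empty list means the launch line matches
    the README's flash table for this build type (SMM_REQUIRE=TRUE/FALSE)."""
    machine, blockdevs, globals_ = parse_qemu_cmdline(cmdline)
    findings = []

    code = blockdevs.get(machine.get("pflash0", ""))
    vars_ = blockdevs.get(machine.get("pflash1", ""))
    if code is None:
        findings.append("pflash0 (OVMF_CODE) is not wired to a -blockdev node")
    elif code.get("read-only") != "on":
        findings.append("OVMF_CODE.fd blockdev must be read-only=on")
    if vars_ is None:
        findings.append("pflash1 (OVMF_VARS) is not wired to a -blockdev node")
    elif vars_.get("read-only") == "on":
        findings.append("OVMF_VARS.fd blockdev must stay writable")

    if smm_require:
        if machine.get("smm") != "on":
            findings.append("SMM_REQUIRE=TRUE builds need -M ...,smm=on")
        secure = any(g.get("driver") == "cfi.pflash01"
                     and g.get("property") == "secure"
                     and g.get("value") == "on" for g in globals_)
        if not secure:
            findings.append("missing -global driver=cfi.pflash01,property=secure,"
                            "value=on (vars flash must be read-only outside SMM)")
    return findings


def applicable_tests(machine_type, smm_require):
    """HSTI tests the README lists for a machine type and build flag."""
    tests = ["VIRT_HSTI_BYTE0_READONLY_CODE_FLASH"]  # Q35 and PC alike
    if machine_type == "q35" and smm_require:
        tests = ["VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK",
                 "VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH"] + tests
    return tests


# Constructed launch lines for the demonstration (not taken from the README).
GOOD_SMM_CMDLINE = """qemu-system-x86_64 -M q35,smm=on,pflash0=code,pflash1=vars \\
  -blockdev node-name=code,driver=file,filename=OVMF_CODE.fd,read-only=on \\
  -blockdev node-name=vars,driver=file,filename=OVMF_VARS.fd \\
  -global driver=cfi.pflash01,property=secure,value=on \\
  -m 2G -nographic"""

# Same machine, but the code flash is left writable and the secure property
# is omitted: the code-flash and secure-vars HSTI tests would fail here.
WEAK_SMM_CMDLINE = """qemu-system-x86_64 -M q35,smm=on,pflash0=code,pflash1=vars \\
  -blockdev node-name=code,driver=file,filename=OVMF_CODE.fd \\
  -blockdev node-name=vars,driver=file,filename=OVMF_VARS.fd \\
  -m 2G -nographic"""

if __name__ == "__main__":
    for name, cmd in (("good", GOOD_SMM_CMDLINE), ("weak", WEAK_SMM_CMDLINE)):
        problems = check_flash_config(cmd, smm_require=True)
        print(name, "OK" if not problems else problems)
    print("q35/SMM tests:", applicable_tests("q35", True))
```

The check is deliberately host-side only: it tells you whether the guest has been given a chance to pass the tests, while the driver itself verifies the resulting behavior from inside the firmware.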