On Thu, May 04, 2023 at 10:16:05AM -0400, James Bottomley wrote:
> On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> > Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> > set to TRUE instead.
> >
> > Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> > ---
> >  OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> > b/OvmfPkg/AmdSev/AmdSevX64.dsc
> > index 943c4eed9831..b32049194d39 100644
> > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> > @@ -153,6 +153,7 @@ [LibraryClasses]
> >
> > UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEn
> > tryPoint.inf
> >
> > UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/Ue
> > fiApplicationEntryPoint.inf
> >
> > DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/Uefi
> > DevicePathLibDevicePathProtocol.inf
> > + NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
>
> All additions apart from this look fine, but this one is a security
> risk: EFI variables represent an unmeasured configuration for SEV boot
> and, as such, can be used to influence the boot and potentially reveal
> boot secrets, so the AmdSevPkg was designed to have read only EFI
> variables that couldn't be subject to outside influence.
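Review bot: the NvVarsFileLib addition to [LibraryClasses] in OvmfPkg/AmdSev/AmdSevX64.dsc is not tied to anything in the hunk: neither PcdBootRestrictToFirmware, which the commit message relies on, nor PcdSecureBootSupported appears here, so as written the .dsc links a library that the reviewer flags as an unmeasured, outside-influenceable variable path into a platform designed for read-only EFI variables. Either drop this line, or gate NvVarsFileLib on the same PCD the platform already uses and state that in the commit message. Also, the diffstat reports 8 insertions and 2 deletions but only this single addition is quoted, so the PlatformBootManagerLib and PcdBootRestrictToFirmware changes that the summary describes cannot be checked from what is visible here.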
NvVarsFileLib is already disabled in case PcdSecureBootSupported is set.
Is that good enough? If not I can extend that to also check
PcdBootRestrictToFirmware.

take care,
  Gerd

View/Reply Online (#104030): https://edk2.groups.io/g/devel/message/104030