[edk2-devel] [PATCH 2/3] OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub
James Bottomley
jejb at linux.ibm.com
Thu May 4 14:16:05 UTC 2023
On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> set to TRUE instead.
>
> Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 943c4eed9831..b32049194d39 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -153,6 +153,7 @@ [LibraryClasses]
>
> UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEn
> tryPoint.inf
>
> UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/Ue
> fiApplicationEntryPoint.inf
>
> DevicePathLib|MdePkg/Library/UefiDevicePathLibDevicePathProtocol/Uefi
> DevicePathLibDevicePathProtocol.inf
> + NvVarsFileLib|OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
All additions apart from this look fine, but this one is a security
risk: EFI variables represent an unmeasured configuration for SEV boot
and, as such, can be used to influence the boot and potentially reveal
boot secrets, so the AmdSevPkg was designed to have read only EFI
variables that couldn't be subject to outside influence.
James
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#104009): https://edk2.groups.io/g/devel/message/104009
Mute This Topic: https://groups.io/mt/98683761/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list