summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--OvmfPkg/OvmfPkg.dec10
-rw-r--r--OvmfPkg/OvmfPkgIa32.dsc4
-rw-r--r--OvmfPkg/OvmfPkgIa32X64.dsc4
-rw-r--r--OvmfPkg/OvmfPkgX64.dsc4
4 files changed, 22 insertions, 0 deletions
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 049f6edd05..47b0e69629 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -117,3 +117,13 @@
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|FALSE|BOOLEAN|3
gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderPciTranslation|TRUE|BOOLEAN|0x1c
gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderMmioTranslation|FALSE|BOOLEAN|0x1d
+
+ ## This feature flag enables SMM/SMRAM support. Note that it also requires
+ # such support from the underlying QEMU instance; if that support is not
+ # present, the firmware will reject continuing after a certain point.
+ #
+ # The flag also acts as a general "security switch"; when TRUE, many
+ # components will change behavior, with the goal of preventing a malicious
+ # runtime OS from tampering with firmware structures (special memory ranges
+ # used by OVMF, the varstore pflash chip, LockBox etc).
+ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|FALSE|BOOLEAN|0x1e
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 77fd21cd59..74f6e784f3 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -36,6 +36,7 @@
DEFINE SECURE_BOOT_ENABLE = FALSE
DEFINE NETWORK_IP6_ENABLE = FALSE
DEFINE HTTP_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
[BuildOptions]
GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG
@@ -310,6 +311,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
!endif
+!if $(SMM_REQUIRE) == TRUE
+ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
+!endif
[PcdsFixedAtBuild]
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 47cc311165..cdf4e0cb90 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -36,6 +36,7 @@
DEFINE SECURE_BOOT_ENABLE = FALSE
DEFINE NETWORK_IP6_ENABLE = FALSE
DEFINE HTTP_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
[BuildOptions]
GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG
@@ -315,6 +316,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
!endif
+!if $(SMM_REQUIRE) == TRUE
+ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
+!endif
[PcdsFixedAtBuild]
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 44b9c792e1..2b0ad9d05d 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -36,6 +36,7 @@
DEFINE SECURE_BOOT_ENABLE = FALSE
DEFINE NETWORK_IP6_ENABLE = FALSE
DEFINE HTTP_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
[BuildOptions]
GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG
@@ -315,6 +316,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootEnable|TRUE
!endif
+!if $(SMM_REQUIRE) == TRUE
+ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|TRUE
+!endif
[PcdsFixedAtBuild]
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-08 05:18:14 +0000