[edk2-devel] [PATCH 1/3] OvmfPkg/PlatformBootManagerLib: add PcdBootRestrictToFirmware

Thu, 04 May 2023 06:33:05 -0700 

Add new PCD PcdBootRestrictToFirmware.  When set to TRUE restrict
boot options to EFI applications embedded into the firmware image.

Behavior should be identical to the PlatformBootManagerLibGrub
library variant.

Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
---
 OvmfPkg/OvmfPkg.dec                           |  3 +
 .../PlatformBootManagerLib.inf                |  2 +
 .../PlatformBootManagerLib/BdsPlatform.c      | 70 +++++++++++++++++--
 3 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 749fbd3b6bf4..9801e40ecf4e 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -422,6 +422,9 @@ [PcdsFixedAtBuild]
   #  check to decide whether to abort dispatch of the driver it is linked into.
   gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|""|VOID*|0x68
 
+  ## Restrict boot to EFI applications in firmware volumes.
+  gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|FALSE|BOOLEAN|0x6c
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf 
b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index c249a3cf1e35..6b396eac7daf 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -61,6 +61,7 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+  gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate         ## CONSUMES
@@ -84,3 +85,4 @@ [Guids]
   gEfiGlobalVariableGuid
   gRootBridgesConnectedEventGroupGuid
   gUefiShellFileGuid
+  gGrubFileGuid
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c 
b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index a90076c9e672..903602d5312d 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -290,6 +290,46 @@ RemoveStaleFvFileOptions (
   EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
 }
 
+VOID
+RestrictBootOptionsToFirmware (
+  VOID
+  )
+{
+  EFI_BOOT_MANAGER_LOAD_OPTION  *BootOptions;
+  UINTN                         BootOptionCount;
+  UINTN                         Index;
+
+  BootOptions = EfiBootManagerGetLoadOptions (
+                  &BootOptionCount,
+                  LoadOptionTypeBoot
+                  );
+
+  for (Index = 0; Index < BootOptionCount; ++Index) {
+    EFI_DEVICE_PATH_PROTOCOL  *Node1;
+
+    //
+    // If the device path starts with Fv(...),
+    // then keep the boot option.
+    //
+    Node1 = BootOptions[Index].FilePath;
+    if (((DevicePathType (Node1) == MEDIA_DEVICE_PATH) &&
+         (DevicePathSubType (Node1) == MEDIA_PIWG_FW_VOL_DP)))
+    {
+      continue;
+    }
+
+    //
+    // Delete the boot option.
+    //
+    EfiBootManagerDeleteLoadOptionVariable (
+      BootOptions[Index].OptionNumber,
+      LoadOptionTypeBoot
+      );
+  }
+
+  EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount);
+}
+
 VOID
 PlatformRegisterOptionsAndKeys (
   VOID
@@ -485,7 +525,9 @@ PlatformBootManagerBeforeConsole (
     Status
     ));
 
-  PlatformRegisterOptionsAndKeys ();
+  if (!FeaturePcdGet (PcdBootRestrictToFirmware)) {
+    PlatformRegisterOptionsAndKeys ();
+  }
 
   //
   // Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL
@@ -1707,9 +1749,12 @@ PlatformBootManagerAfterConsole (
   //
   // Perform some platform specific connect sequence
   //
-  PlatformBdsConnectSequence ();
-
-  EfiBootManagerRefreshAllBootOption ();
+  if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
+    RestrictBootOptionsToFirmware ();
+  } else {
+    PlatformBdsConnectSequence ();
+    EfiBootManagerRefreshAllBootOption ();
+  }
 
   //
   // Register UEFI Shell
@@ -1720,6 +1765,15 @@ PlatformBootManagerAfterConsole (
     LOAD_OPTION_ACTIVE
     );
 
+  //
+  // Register Grub
+  //
+  PlatformRegisterFvBootOption (
+    &gGrubFileGuid,
+    L"Grub Bootloader",
+    LOAD_OPTION_ACTIVE
+    );
+
   RemoveStaleFvFileOptions ();
   SetBootOrderFromQemu ();
 
@@ -1888,6 +1942,14 @@ PlatformBootManagerUnableToBoot (
   EFI_BOOT_MANAGER_LOAD_OPTION  BootManagerMenu;
   UINTN                         Index;
 
+  if (FeaturePcdGet (PcdBootRestrictToFirmware)) {
+    AsciiPrint (
+      "%a: No bootable option was found.\n",
+      gEfiCallerBaseName
+      );
+    CpuDeadLoop ();
+  }
+
   //
   // BootManagerMenu doesn't contain the correct information when return status
   // is EFI_NOT_FOUND.
-- 
2.40.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#103997): https://edk2.groups.io/g/devel/message/103997
Mute This Topic: https://groups.io/mt/98683758/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to