OvmfPkg/VirtHstiDxe: add varstore flash check

Detects qemu config issue: vars pflash is not in secure mode (write access restricted to smm). Applies to Q35 with SMM only. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Konstantin Kostiuk <kkostiuk@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
2024-04-22 12:47:27 +02:00
parent 538b8944c1
commit ddc43e7a41
4 changed files with 122 additions and 1 deletions
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
@@ -6,7 +6,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #define VIRT_HSTI_SECURITY_FEATURE_SIZE  2

-#define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK  BIT0
+#define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK         BIT0
+#define VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH  BIT1

 typedef struct {
  // ADAPTER_INFO_PLATFORM_SECURITY
@@ -65,3 +66,16 @@ VOID
 VirtHstiQemuPCVerify (
  VOID
  );
+
+/* Flash.c */
+
+#define QEMU_FIRMWARE_FLASH_UNKNOWN    0
+#define QEMU_FIRMWARE_FLASH_IS_ROM     1
+#define QEMU_FIRMWARE_FLASH_IS_RAM     2
+#define QEMU_FIRMWARE_FLASH_READ_ONLY  3
+#define QEMU_FIRMWARE_FLASH_WRITABLE   4
+
+UINT32
+VirtHstiQemuFirmwareFlashCheck (
+  UINT32  Address
+  );