OvmfPkg: replace SECURE_BOOT_FEATURE_ENABLED with PcdSecureBootSupported

Drop the '-D SECURE_BOOT_FEATURE_ENABLED' compile time option,
use a new FeaturePcd instead.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index cc2dd925bc940ea8eb21f8df5afd6bd4254aed6c..2a1139daaa19bc8b052b5091ba4c692ee9758bf6 100644 (file)
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -93,15 +93,6 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES\r
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 !include NetworkPkg/NetworkBuildOptions.dsc.inc\r
 \r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
@@ -477,6 +468,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE\r
 !endif\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index f73440905540085902fd6c18dcb81f16cb31edf1..d4403f11a7c6f41ed7e416445c59fb6787f0addd 100644 (file)
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -90,15 +90,6 @@
   INTEL:*_*_*_CC_FLAGS = /D TDX_PEI_LESS_BOOT\r
   GCC:*_*_*_CC_FLAGS = -D TDX_PEI_LESS_BOOT\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
   GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000\r
   XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000\r
@@ -387,6 +378,7 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE\r
 !endif\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
index 72289da35819acdf138bdd4bcaef138e55a7956b..d4139b911528a52dc457fd9b047a52e1e96df988 100644 (file)
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
@@ -28,14 +28,12 @@ ConnectNvVarsToFileSystem (
   IN EFI_HANDLE  FsHandle\r
   )\r
 {\r
- #ifdef SECURE_BOOT_FEATURE_ENABLED\r
-\r
-  return EFI_UNSUPPORTED;\r
-\r
- #else\r
-\r
   EFI_STATUS  Status;\r
 \r
+  if (FeaturePcdGet (PcdSecureBootSupported)) {\r
+    return EFI_UNSUPPORTED;\r
+  }\r
+\r
   //\r
   // We might fail to load the variable, since the file system initially\r
   // will not have the NvVars file.\r
@@ -52,7 +50,6 @@ ConnectNvVarsToFileSystem (
   }\r
 \r
   return Status;\r
- #endif\r
 }\r
 \r
 /**\r

diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
index 8cda78d0d0b4e0c31c30b2c493106aec5bff6af4..f152c5504661f96a7f54f8b6a2c17fa0f1224668 100644 (file)
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
@@ -47,6 +47,8 @@
 [Protocols]\r
   gEfiSimpleFileSystemProtocolGuid              ## CONSUMES\r
 \r
+[Pcd]\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported\r
 \r
 [Guids]\r
   gEfiFileInfoGuid\r

diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index e9aab515592ffcec5e25ce2f81c40c2c512483bf..6fc11cc4d192b71d14e47bbfdaada1ede3cd2e58 100644 (file)
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -91,15 +91,6 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES\r
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 !include NetworkPkg/NetworkBuildOptions.dsc.inc\r
 \r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
@@ -473,6 +464,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 749fbd3b6bf437de7cd66d0bf2661196631b04f0..03ae29e7b034fb7e44c7474c0008a38886e27544 100644 (file)
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -488,6 +488,9 @@
   #  used by OVMF, the varstore pflash chip, LockBox etc).\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire|FALSE|BOOLEAN|0x1e\r
 \r
+  ## This feature flag indicates the firmware build supports secure boot.\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|FALSE|BOOLEAN|0x6d\r
+\r
   ## Informs modules (including pre-DXE-phase modules) whether the platform\r
   #  firmware contains a CSM (Compatibility Support Module).\r
   #\r

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 0ee97c35b05cdb377184df4692a99e8481dc8791..e33805ddc22c1d6ecb7a29e45405415d98700e34 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -96,15 +96,6 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES\r
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 !include NetworkPkg/NetworkBuildOptions.dsc.inc\r
 \r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
@@ -486,6 +477,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE\r
 !endif\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 19c197a4075cf424fcf6fbf20992ae872411e1b7..6c2c33ec0f4b4ecf2b855954dbadf0f6e6931f2d 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -100,15 +100,6 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES\r
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 !include NetworkPkg/NetworkBuildOptions.dsc.inc\r
 \r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
@@ -492,6 +483,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE\r
 !endif\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c5ab0df7848700709d80e139f47affce27a57fb7..ac4d4593456331f9c3c272696a0ea9715e96f638 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -114,15 +114,6 @@
   INTEL:*_*_*_CC_FLAGS = /D TDX_GUEST_SUPPORTED\r
   GCC:*_*_*_CC_FLAGS = -D TDX_GUEST_SUPPORTED\r
 \r
-  #\r
-  # SECURE_BOOT_FEATURE_ENABLED\r
-  #\r
-!if $(SECURE_BOOT_ENABLE) == TRUE\r
-  MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED\r
-  GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED\r
-!endif\r
-\r
 !include NetworkPkg/NetworkBuildOptions.dsc.inc\r
 \r
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]\r
@@ -513,6 +504,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE\r
 !endif\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE\r
 !endif\r
 \r

diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index cc9384ba5c4e2c6c36fdd8d966bc43800838c94b..c56247e294f243d67cb5d4fc73220069b5b33782 100644 (file)
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -222,9 +222,10 @@ ReserveEmuVariableNvStore (
   VariableStore = (EFI_PHYSICAL_ADDRESS)(UINTN)PlatformReserveEmuVariableNvStore ();\r
   PcdStatus     = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);\r
 \r
- #ifdef SECURE_BOOT_FEATURE_ENABLED\r
-  PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);\r
- #endif\r
+  if (FeaturePcdGet (PcdSecureBootSupported)) {\r
+    // restore emulated VarStore from pristine ROM copy\r
+    PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);\r
+  }\r
 \r
   ASSERT_RETURN_ERROR (PcdStatus);\r
 }\r

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 1fadadeb55657da42e04a3e01e76d079cbd70382..3934aeed95148570918729342ad0fb7a0bfccb22 100644 (file)
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -94,6 +94,7 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35SmramAtDefaultSmbase\r
   gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtr\r
   gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtrSize\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported\r
   gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress\r
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize\r