author | Laszlo Ersek <lersek@redhat.com> | 2019-02-06 10:08:53 +0100 |
---|---|---|
committer | Laszlo Ersek <lersek@redhat.com> | 2019-02-13 07:10:26 +0100 |
commit | da06a2a2fa1e100392d9782d99ad0a71f4605b1f (patch) | |
tree | 916959465a068e91b3b376e3f706e06dd48539ae /ArmVirtPkg/ArmVirtQemuKernel.dsc | |
parent | c0b612b3a4b879184b9439c1a04e747b73b6b4b5 (diff) | |
download | edk2-da06a2a2fa1e100392d9782d99ad0a71f4605b1f.tar.gz |
ArmVirtPkg/ArmVirtXen: don't set Pcd*ImageVerificationPolicy

According to the

  PCDs not used by modules or in conditional directives

sections of all the build reports for

  {AARCH64,ARM} x {Xen} x {DEBUG,NOOPT,RELEASE} x {feat-1}

(6 builds in total), PcdOptionRomImageVerificationPolicy,
PcdFixedMediaImageVerificationPolicy, and
PcdRemovableMediaImageVerificationPolicy are not used in any of those
builds.

Restrict the settings to the ArmVirtQemu and ArmVirtQemuKernel platforms
(preserving the -D SECURE_BOOT_ENABLE restriction in the process).

("feat-1" stands for "-D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE -D
SECURE_BOOT_ENABLE -D TTY_TERMINAL", while "feat-0" stands for "".)

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Julien Grall <julien.grall@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Diffstat (limited to 'ArmVirtPkg/ArmVirtQemuKernel.dsc')
-rw-r--r-- | ArmVirtPkg/ArmVirtQemuKernel.dsc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc index 46d8bac3ef..c3e0c9bf25 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -142,6 +142,13 @@ #
gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
[PcdsPatchableInModule.common]
#
# This will be overridden in the code
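
Review bot: the three overrides added inside the "!if $(SECURE_BOOT_ENABLE) == TRUE" block use the bare value 0x04, and the comment above them only says images "are verified", so a reader of this DSC has to open SecurityPkg to learn which policy is selected. Consider naming it in the comment, for example "0x04 = DENY_EXECUTE_ON_SECURITY_VIOLATION", which makes it clear that an image failing verification is refused rather than deferred or left to a user prompt. The comment line also runs well past 80 columns and could be wrapped onto two lines. Because the block lands at the end of whatever section precedes "[PcdsPatchableInModule.common]", and that section's header is outside the hunk context, it is worth confirming that its PCD type matches how SecurityPkg declares these three PCDs.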