OvmfPkg/NvVarsFileLib: disable in case PcdBootRestrictToFirmware is set

In case PcdBootRestrictToFirmware is set, disable loading EFI variables from NvVars file. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2023-05-05 07:17:25 +02:00 · 2023-05-05 07:17:25 +02:00 · 63887e272d
parent 41d7832db0
commit 63887e272d
2 changed files with 4 additions and 1 deletions
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
@ -30,7 +30,9 @@ ConnectNvVarsToFileSystem (
 {
  EFI_STATUS  Status;

-  if (FeaturePcdGet (PcdSecureBootSupported)) {
+  if (FeaturePcdGet (PcdSecureBootSupported) ||
+      FeaturePcdGet (PcdBootRestrictToFirmware))
+  {
    return EFI_UNSUPPORTED;
  }

--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.inf
@ -49,6 +49,7 @@

 [Pcd]
  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
+  gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware

 [Guids]
  gEfiFileInfoGuid