OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot

mxu9 · mergify[bot] · commit 70165fa6e282 · 2022-09-06T07:21:42.000Z
OvmfPkg/Library/NvVarsFileLib allows loading variables into emulated
varstore from a on-disk NvVars file.  We can't allow that when secure
boot is active.  So check secure-boot feature and shortcut the
ConnectNvVarsToFileSystem() function when sb is enabled.

Cc: Erdem Aktas &lt;erdemaktas@google.com&gt;
Cc: James Bottomley &lt;jejb@linux.ibm.com&gt;
Cc: Jiewen Yao &lt;jiewen.yao@intel.com&gt;
Cc: Tom Lendacky &lt;thomas.lendacky@amd.com&gt;
Cc: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Suggested-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Acked-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Min Xu &lt;min.m.xu@intel.com&gt;
Reviewed-by: Jiewen Yao &lt;jiewen.yao@intel.com&gt;
diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
@@ -28,6 +28,12 @@ ConnectNvVarsToFileSystem (
   IN EFI_HANDLE  FsHandle
   )
 {
+ #ifdef SECURE_BOOT_FEATURE_ENABLED
+
+  return EFI_UNSUPPORTED;
+
+ #else
+
   EFI_STATUS  Status;
 
   //
@@ -46,6 +52,7 @@ ConnectNvVarsToFileSystem (
   }
 
   return Status;
+ #endif
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,12 @@ ConnectNvVarsToFileSystem (`
`28`	`28`	`IN EFI_HANDLE FsHandle`
`29`	`29`	`)`
`30`	`30`	`{`
	`31`	`+ #ifdef SECURE_BOOT_FEATURE_ENABLED`
	`32`	`+`
	`33`	`+ return EFI_UNSUPPORTED;`
	`34`	`+`
	`35`	`+ #else`
	`36`	`+`
`31`	`37`	`EFI_STATUS Status;`
`32`	`38`
`33`	`39`	`//`
`@@ -46,6 +52,7 @@ ConnectNvVarsToFileSystem (`
`46`	`52`	`}`
`47`	`53`
`48`	`54`	`return Status;`
	`55`	`+ #endif`
`49`	`56`	`}`
`50`	`57`
`51`	`58`	`/**`