OvmfPkg/VirtHstiDxe: do not load driver in confidential guests

The VirtHstiDxe does not work in confidential guests. There also isn't anything we can reasonably test, neither flash storage nor SMM mode will be used in that case. So just skip driver load when running in a confidential guest. Cc: Ard Biesheuvel <[email protected]> Cc: Jiewen Yao <[email protected]> Fixes: 5067409 ("OvmfPkg/VirtHstiDxe: add code flash check") Signed-off-by: Gerd Hoffmann <[email protected]> Tested-by: Srikanth Aithal <[email protected]> Reviewed-by: Jiewen Yao <[email protected]>
Wenxing-hou · Apr 25, 2024 · 66c2421 · 66c2421
1 parent 90b6725
commit 66c2421
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/MemoryAllocationLib.h>
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/UefiLib.h>
+#include <Library/PcdLib.h>
 #include <Library/PlatformInitLib.h>
 
 #include <IndustryStandard/Hsti.h>
@@ -140,6 +141,11 @@ VirtHstiDxeEntrypoint (
   EFI_STATUS                           Status;
   EFI_EVENT                            Event;
 
+  if (PcdGet64 (PcdConfidentialComputingGuestAttr)) {
+    DEBUG ((DEBUG_INFO, "%a: confidential guest\n", __func__));
+    return EFI_UNSUPPORTED;
+  }
+
   DevId = VirtHstiGetHostBridgeDevId ();
   switch (DevId) {
     case INTEL_82441_DEVICE_ID:

diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
@@ -49,6 +49,7 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
 
 [Pcd]
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
   gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase