| 1 |
|
|---|
| 2 | # virtual machine platform hsti driver
|
|---|
| 3 |
|
|---|
| 4 | This driver supports three tests.
|
|---|
| 5 |
|
|---|
| 6 | ## VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK
|
|---|
| 7 |
|
|---|
| 8 | Verify the SMM memory is properly locked down.
|
|---|
| 9 |
|
|---|
| 10 | Supported platforms:
|
|---|
| 11 | * Qemu Q35 (SMM_REQUIRE=TRUE builds).
|
|---|
| 12 |
|
|---|
| 13 | ## VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH
|
|---|
| 14 |
|
|---|
| 15 | Verify the variable store is not writable for normal (not SMM) code.
|
|---|
| 16 |
|
|---|
| 17 | Supported platforms:
|
|---|
| 18 | * Qemu Q35 (SMM_REQUIRE=TRUE builds).
|
|---|
| 19 |
|
|---|
| 20 | ## VIRT_HSTI_BYTE0_READONLY_CODE_FLASH
|
|---|
| 21 |
|
|---|
| 22 | Verify the firmware code is not writable for the guest.
|
|---|
| 23 |
|
|---|
| 24 | Supported platforms:
|
|---|
| 25 | * Qemu Q35
|
|---|
| 26 | * Qemu PC
|
|---|
| 27 |
|
|---|
| 28 | # qemu flash configuration
|
|---|
| 29 |
|
|---|
| 30 | With qemu being configured properly flash behavior should be this:
|
|---|
| 31 |
|
|---|
| 32 | configuration | OVMF_CODE.fd | OVMF_VARS.fd
|
|---|
| 33 | -------------------------------|----------------|---------------
|
|---|
| 34 | SMM_REQUIRE=TRUE, SMM mode | read-only | writable
|
|---|
| 35 | SMM_REQUIRE=TRUE, normal mode | read-only (1) | read-only (2)
|
|---|
| 36 | SMM_REQUIRE=FALSE | read-only (3) | writable
|
|---|
| 37 |
|
|---|
| 38 | VIRT_HSTI_BYTE0_READONLY_CODE_FLASH will verify (1) + (3).
|
|---|
| 39 | VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH will verify (2).
|
|---|
| 40 |
|
|---|
| 41 | ## qemu command line for SMM_REQUIRE=TRUE builds
|
|---|
| 42 | ```
|
|---|
| 43 | qemu-system-x86-64 -M q35,smm=on,pflash0=code,pflash1=vars \
|
|---|
| 44 | -blockdev node-name=code,driver=file,filename=OVMF_CODE.fd,read-only=on \
|
|---|
| 45 | -blockdev node-name=vars,driver=file,filename=OVMF_VARS.fd \
|
|---|
| 46 | -global driver=cfi.pflash01,property=secure,value=on \
|
|---|
| 47 | [ ... more options here ... ]
|
|---|
| 48 | ```
|
|---|
