OvmfPkg: Add WSMT ACPI table for SMM builds

Windows uses the Windows SMM Security Mitigation Table to decide whether SMM firmware advertises the communication-buffer protections needed by VBS [1]. WSMT ProtectionFlags represent a pinky promise that the underlying firmware will implement various security practices [2].

Add a small DXE driver that installs a revision 1 WSMT table for the OvmfPkgIa32X64 and OvmfPkgX64 builds. WSMT ProtectionFlags are set to 0x3, asserting:

  EFI_WSMT_PROTECTION_FLAGS_FIXED_COMM_BUFFERS
  EFI_WSMT_PROTECTION_FLAGS_COMM_BUFFER_NESTED_PTR_PROTECTION

Note, we are intentionally not asserting EFI_WSMT_PROTECTION_FLAGS_SYSTEM_RESOURCE_PROTECTION, as the QEMU side is not yet tuned up to enforce this protection.

Note: when Windows Hypervisor Enforced Code Integrity is enabled, Windows msinfo -> Virtualization-based security Available Security Properties will NOT include "SMM Security Mitigations 1.0", due to the missing SYSTEM_RESOURCE_PROTECTION flag.

Note, WSMT is required for default enablement of HVCI [3], so we're taking a step in the right direction here, but not yet 100% complete as of this patch.

References:
[1] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
[2] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi-wsmt
[3] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>