)]}'
{
  "commit": "837f6fce3b524f646b14ce4112770b378d779f42",
  "tree": "e72db54cd5b97e77164b265c802d43958db00cc3",
  "parents": [
    "92fea5c9c1a42542f25b4f897ced7ae082e8c0c7"
  ],
  "author": {
    "name": "Jon Kohler",
    "email": "jon@nutanix.com",
    "time": "Wed May 27 13:16:53 2026 -0700"
  },
  "committer": {
    "name": "mergify[bot]",
    "email": "37929162+mergify[bot]@users.noreply.github.com",
    "time": "Sat Jun 13 15:22:58 2026 +0000"
  },
  "message": "OvmfPkg: Add WSMT ACPI table for SMM builds\n\nWindows uses the Windows SMM Security Mitigation Table (WSMT) to decide\nwhether SMM firmware advertises the communication-buffer protections\nneeded by virtualization-based security (VBS) [1].\n\nWSMT ProtectionFlags represent a pinky promise that the underlying\nfirmware will implement various security practices [2].\n\nAdd a small DXE driver that installs a revision 1 WSMT table for the\nOvmfPkgIa32X64 and OvmfPkgX64 builds.\n\nWSMT ProtectionFlags are set to 0x3, asserting:\n  EFI_WSMT_PROTECTION_FLAGS_FIXED_COMM_BUFFERS\n  EFI_WSMT_PROTECTION_FLAGS_COMM_BUFFER_NESTED_PTR_PROTECTION\n\nNote: we are intentionally not asserting\nEFI_WSMT_PROTECTION_FLAGS_SYSTEM_RESOURCE_PROTECTION, as the QEMU side\nis not yet tuned up to enforce this protection.\n\nNote: when Windows Hypervisor Enforced Code Integrity (HVCI) is enabled,\nWindows msinfo -\u003e Virtualization-based security Available Security\nProperties will NOT include \"SMM Security Mitigations 1.0\", due to\nthe missing SYSTEM_RESOURCE_PROTECTION flag. Note: WSMT is required\nfor default enablement of HVCI [3], so we\u0027re taking a step in the right\ndirection here, but not yet 100% complete as of this patch.\n\nReferences:\n[1] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs\n[2] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi-wsmt\n[3] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement\n\nCc: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Jon Kohler \u003cjon@nutanix.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "89d7f7f8bf00ea896eef6dcc0feab2e2e8e7c37f",
      "old_mode": 33188,
      "old_path": "OvmfPkg/OvmfPkgIa32X64.dsc",
      "new_id": "0e11c5fba9b367f33feadaeb9162a58c8db5ed79",
      "new_mode": 33188,
      "new_path": "OvmfPkg/OvmfPkgIa32X64.dsc"
    },
    {
      "type": "modify",
      "old_id": "1292f2ddf4244948f6d73d0cdbcbcbae055437f8",
      "old_mode": 33188,
      "old_path": "OvmfPkg/OvmfPkgIa32X64.fdf",
      "new_id": "adf98373e9a8adfed18e6743513ef4eeaab81d78",
      "new_mode": 33188,
      "new_path": "OvmfPkg/OvmfPkgIa32X64.fdf"
    },
    {
      "type": "modify",
      "old_id": "29027fa63fcdb732f1b47d4a678a5c0ca827b518",
      "old_mode": 33188,
      "old_path": "OvmfPkg/OvmfPkgX64.dsc",
      "new_id": "2780fe4439bb1275368deaa1776e01c49531a179",
      "new_mode": 33188,
      "new_path": "OvmfPkg/OvmfPkgX64.dsc"
    },
    {
      "type": "modify",
      "old_id": "545404fd697aba8ff8182f6b63aa61deefb03153",
      "old_mode": 33188,
      "old_path": "OvmfPkg/OvmfPkgX64.fdf",
      "new_id": "bf056fd1391dc6b8a16466268d64a8f5d0285488",
      "new_mode": 33188,
      "new_path": "OvmfPkg/OvmfPkgX64.fdf"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "a4b5a10133ec422cb5cdc2b2aa73edd37714c384",
      "new_mode": 33188,
      "new_path": "OvmfPkg/WsmtDxe/WsmtDxe.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "9e509f03dba5e7c5575a1d7ea1ebb7d435389247",
      "new_mode": 33188,
      "new_path": "OvmfPkg/WsmtDxe/WsmtDxe.inf"
    }
  ]
}
