From: "gaoliming"
Cc: "'Ni, Ray'", "'Andrew Fish'", "'Justen, Jordan L'", "'Kinney, Michael D'"
Subject: Re: [edk2-devel] [PATCH] EmulatorPkg: Enable support for Secure Boot
Date: Wed, 16 Sep 2020 09:49:22 +0800
Message-ID: <009201d68bcb$99a026c0$cce07440$@byosoft.com.cn>

I think SECURE_BOOT_ENABLE flag is fine. It controls more security related features. And, this flag is also used in OVMF DSC.
So, this change is good to me. Reviewed-by: Liming Gao

Ray, Andrew: have you any other comment?

Thanks
Liming

> -----Original Message-----
> From: bounce+27952+65013+4905953+8761045@groups.io On Behalf Of Wadhawan, Divneil R
> Sent: September 4, 2020 2:17
> To: devel@edk2.groups.io
> Cc: Ni, Ray; Andrew Fish (afish@apple.com); Justen, Jordan L; Kinney, Michael D; Wadhawan, Divneil R
> Subject: [edk2-devel] [PATCH] EmulatorPkg: Enable support for Secure Boot
>
> SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
> The following gets enabled with this patch:
> o Secure Boot Menu in "Device Manager" for enrolling keys
> o Storage space for Authenticated Variables
> o Authenticated execution of 3rd party images
>
> Signed-off-by: Divneil Rai Wadhawan
> --- > EmulatorPkg/EmulatorPkg.dsc | 40 > +++++++++++++++++++++++++++++++++++-- > EmulatorPkg/EmulatorPkg.fdf | 21 +++++++++++++++---- > 2 files changed, 55 insertions(+), 6 deletions(-) >=20 > diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc > index 86a6271735..6591c3e824 100644 > --- a/EmulatorPkg/EmulatorPkg.dsc > +++ b/EmulatorPkg/EmulatorPkg.dsc
> @@ -32,6 +32,7 @@ > DEFINE NETWORK_TLS_ENABLE =3D FALSE > DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FALSE > DEFINE NETWORK_ISCSI_ENABLE =3D FALSE > + DEFINE SECURE_BOOT_ENABLE =3D FALSE >=20 > [SkuIds] > 0|DEFAULT > @@ -106,12 +107,20 @@ > LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf >=20 > CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNu > ll/CpuExceptionHandlerLibNull.inf >=20 > TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm > MeasurementLibNull.inf > - > AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLi > bNull.inf > VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf > ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf > FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf >=20 > + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > + > PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= r > eLibNull.inf > + > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > + !else > + > AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLi > bNull.inf > + !endif > + > [LibraryClasses.common.SEC] >=20 > PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.i= nf > PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
> @@ -162,7 +171,20 @@ > TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf > EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf >=20 > -[LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, > LibraryClasses.common.UEFI_APPLICATION] > +[LibraryClasses.common.DXE_DRIVER] > + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf > + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > + > MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemor > yAllocationLib.inf > + > ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeR > eportStatusCodeLib.inf > + EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf > + > PeCoffExtraActionLib|EmulatorPkg/Library/DxeEmuPeCoffExtraActionLib/Dxe > EmuPeCoffExtraActionLib.inf > + > ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeR > eportStatusCodeLib.inf > + TimerLib|EmulatorPkg/Library/DxeTimerLib/DxeTimerLib.inf > + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + !endif > + > +[LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.UEFI_DRIVER, > LibraryClasses.common.UEFI_APPLICATION] > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf > PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf >=20 > MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemor > yAllocationLib.inf > @@ -171,6 +193,9 @@ >=20 > PeCoffExtraActionLib|EmulatorPkg/Library/DxeEmuPeCoffExtraActionLib/Dxe > EmuPeCoffExtraActionLib.inf >=20 > ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeR > eportStatusCodeLib.inf > TimerLib|EmulatorPkg/Library/DxeTimerLib/DxeTimerLib.inf > + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > + !endif >=20 > [PcdsFeatureFlag] > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode|FALSE 
> @@ -190,6 +215,10 @@ > gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 > gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 >=20 > gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVE > RY.fd" > + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > + !endif >=20 > gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" >=20 > @@ -315,6 +344,13 @@ > EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf > EmulatorPkg/TimerDxe/Timer.inf >=20 > + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD > xe.inf > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > + > + > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .i > nf > + } > + !endif >=20 > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > { > > diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf > index 295f6f1db8..4bf592e778 100644 > --- a/EmulatorPkg/EmulatorPkg.fdf > +++ b/EmulatorPkg/EmulatorPkg.fdf 
> @@ -46,10 +46,16 @@ DATA =3D { > # Blockmap[1]: End > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > ## This is the VARIABLE_STORE_HEADER > - #Signature: gEfiVariableGuid =3D > - # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f= , > 0xfe, 0x7d }} > - 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, > - 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, > + !if $(SECURE_BOOT_ENABLE) =3D=3D FALSE > + #Signature: gEfiVariableGuid =3D > + # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, > 0xfe, 0x7d }} > + 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, > + 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, > + !else > + # Signature: gEfiAuthenticatedVariableGuid =3D { 0xaaf32c78, 0x947b= , > 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } > + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, > + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, > + !endif > #Size: 0xc000 > (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 > (size of EFI_FIRMWARE_VOLUME_HEADER) =3D 0xBFB8 > # This can speed up the Variable Dispatch a bit. > 0xB8, 0xBF, 0x00, 0x00, > @@ -186,6 +192,13 @@ INF RuleOverride =3D UI > MdeModulePkg/Application/UiApp/UiApp.inf > INF > MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.i > nf > INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf >=20 > +# > +# Secure Boot Key Enroll > +# > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > +INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD > xe.inf > +!endif > + > # > # Network stack drivers > # > -- > 2.24.1.windows.2 >=20 >=20
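Review bot: In the EmulatorPkg.dsc hunk at @@ -162,7 +171,20 @@, the new [LibraryClasses.common.DXE_DRIVER] section maps ReportStatusCodeLib to MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf twice, once after MemoryAllocationLib and again after PeCoffExtraActionLib; one of the two entries should be dropped. The section otherwise appears to duplicate the combined DXE_RUNTIME_DRIVER/UEFI_DRIVER/UEFI_APPLICATION list only so that DXE_DRIVER can resolve BaseCryptLib to BaseCryptLib.inf, so a comment above each section header stating that reason would help keep the two lists in sync.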
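Review bot: In the EmulatorPkg.dsc hunk at @@ -171,6 +193,9 @@, BaseCryptLib is resolved to CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf for UEFI_DRIVER and UEFI_APPLICATION as well as DXE_RUNTIME_DRIVER, because all three module types share the section header. It is worth confirming that this is intended; if only runtime drivers need the runtime instance, give DXE_RUNTIME_DRIVER its own section and let UEFI_DRIVER and UEFI_APPLICATION use BaseCryptLib.inf like DXE_DRIVER does.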
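Review bot: PcdUserPhysicalPresence|TRUE in the EmulatorPkg.dsc hunk at @@ -190,6 +215,10 @@ is set with no comment, and the commit message does not mention it. Together with PlatformSecureLibNull selected in the @@ -106,12 +107,20 @@ hunk, the platform reports a physically present user unconditionally whenever SECURE_BOOT_ENABLE is TRUE. A short comment stating that this is an emulator-only setting, and should not be carried into a production platform DSC, would make the intent clear; the choice of 0x2800 for PcdMaxAuthVariableSize deserves a one-line rationale as well.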
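Review bot: The conditional around the VARIABLE_STORE_HEADER signature in the EmulatorPkg.fdf hunk at @@ -46,10 +46,16 @@ tests SECURE_BOOT_ENABLE == FALSE, while every other conditional in this patch tests == TRUE; consider writing it as !if $(SECURE_BOOT_ENABLE) == TRUE with the gEfiAuthenticatedVariableGuid bytes first, for consistency. The two comment lines also differ in style ("#Signature:" in one branch, "# Signature:" in the other). Since the variable store signature now depends on the flag, the commit message should say that the store format changes with it, not only that storage space for authenticated variables is added.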