* [PATCH edk2-platforms v2 0/3] Platform/ARM/SgiPkg: Implement StandaloneMm based secure boot
From: Jagadeesh Ujja @ 2019-03-12 16:06 UTC (permalink / raw)
To: edk2-devel, leif.lindholm, ard.biesheuvel
Changes since v1:
- Addressed all the comments from Ard Biesheuvel.
Integrating various pieces together so that the authenticated variable store
runs entirely in standalone MM context residing in a secure partition.
This primarily involves adding all required libraries and drivers to the platform
specific .DSC and .FDF files. This creates a separate NOR flash region which
is visible only to StandaloneMm drivers; this NOR flash will co-exist with
the general NOR flash region.
Jagadeesh Ujja (3):
Platform/ARM/Sgi: define nor2 flash controller memory map
Platform/ARM/Sgi: allow MM_STANDALONE modules to use NorFlashPlatformLib
Platform/ARM/SgiPkg: add MM based UEFI secure boot support
Platform/ARM/SgiPkg/Include/SgiPlatform.h | 4 ++
Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c | 63 ++++++++++++++++++++
Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++++
Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 ++++++++++-
Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 ++
Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 +++++-
Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 ++-
7 files changed, 161 insertions(+), 3 deletions(-)
create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
--
2.7.4
* [PATCH edk2-platforms v2 1/3] Platform/ARM/Sgi: define nor2 flash controller memory map
From: Jagadeesh Ujja @ 2019-03-12 16:06 UTC (permalink / raw)
To: edk2-devel, leif.lindholm, ard.biesheuvel
Add the definitions of the NOR2 flash controller memory map. The NOR2 flash
can be used as additional non-volatile storage by non-secure code or
as non-volatile storage for secure variables by StandaloneMM.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
Platform/ARM/SgiPkg/Include/SgiPlatform.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Platform/ARM/SgiPkg/Include/SgiPlatform.h b/Platform/ARM/SgiPkg/Include/SgiPlatform.h
index b9a662a..2a7b79d 100644
--- a/Platform/ARM/SgiPkg/Include/SgiPlatform.h
+++ b/Platform/ARM/SgiPkg/Include/SgiPlatform.h
@@ -27,6 +27,10 @@
#define SGI_EXP_SMC_CS1_BASE 0x0C000000
#define SGI_EXP_SMC_CS1_SZ SIZE_64MB
+// Expansion AXI - SMC Chip Select 2
+#define SGI_EXP_SMC_CS2_BASE 0x10000000
+#define SGI_EXP_SMC_CS2_SZ SIZE_64MB
+
// Expansion AXI - SMSC 91C111 (Ethernet)
#define SGI_EXP_SMSC91X_BASE 0x18000000
#define SGI_EXP_SMSC91X_SZ SIZE_64MB
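Review bot: the new SGI_EXP_SMC_CS2_BASE/SGI_EXP_SMC_CS2_SZ pair only describes an address window; nothing in the comment says which world owns chip select 2, yet the cover letter relies on this region being "visible only to StandaloneMm drivers". That isolation has to come from the platform's secure/non-secure memory partitioning, not from this header, so the comment should say so and name the intended owner, e.g. `// Expansion AXI - SMC Chip Select 2 (NOR2: secure variable store when MM is enabled)`, to stop a later change from listing CS2 in the non-secure NorFlashPlatformLib table as well. The commit message also says the region may be used by non-secure code "or" by StandaloneMM; if both are possible, state here how the choice is made.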
--
2.7.4
* [PATCH edk2-platforms v2 2/3] Platform/ARM/Sgi: allow MM_STANDALONE modules to use NorFlashPlatformLib
From: Jagadeesh Ujja @ 2019-03-12 16:06 UTC (permalink / raw)
To: edk2-devel, leif.lindholm, ard.biesheuvel
The "NorFlashPlatformLib" library can be used by MM_STANDALONE drivers as
well. When used in MM mode, the third instance of the NOR flash is used as
the non-volatile storage. This NOR flash instance is partitioned into
two regions: the first 4MB is used for secure boot and the next 3MB for
secure variable storage.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
---
Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c | 63 ++++++++++++++++++++
Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++++
2 files changed, 96 insertions(+)
diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
new file mode 100644
index 0000000..06e3f97
--- /dev/null
+++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
@@ -0,0 +1,63 @@
+/** @file
+
+ Copyright (c) 2019, ARM Ltd. All rights reserved.
+
+ This program and the accompanying materials are licensed and made available
+ under the terms and conditions of the BSD License which accompanies this
+ distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+ **/
+
+#include <PiMm.h>
+#include <Library/DebugLib.h>
+#include <Library/IoLib.h>
+#include <Library/NorFlashPlatformLib.h>
+#include <SgiPlatform.h>
+
+STATIC NOR_FLASH_DESCRIPTION mNorFlashDevices[] = {
+ {
+ // Secure Boot storage space of 4MB
+ SGI_EXP_SMC_CS2_BASE,
+ SGI_EXP_SMC_CS2_BASE,
+ SIZE_256KB * 16,
+ SIZE_256KB,
+ },
+ {
+ //Secure variable storage space of 1MB*3
+ SGI_EXP_SMC_CS2_BASE,
+ SGI_EXP_SMC_CS2_BASE + SIZE_256KB * 16,
+ SIZE_256KB * 12,
+ SIZE_256KB,
+ },
+};
+
+EFI_STATUS
+NorFlashPlatformInitialization (
+ VOID
+ )
+{
+ UINT64 SysRegFlash;
+
+ SysRegFlash = SGI_EXP_SYSPH_SYSTEM_REGISTERS + SGI_SYSPH_SYS_REG_FLASH;
+ MmioOr32 (SysRegFlash, SGI_SYSPH_SYS_REG_FLASH_RWEN);
+ return EFI_SUCCESS;
+}
+
+EFI_STATUS
+NorFlashPlatformGetDevices (
+ OUT NOR_FLASH_DESCRIPTION **NorFlashDevices,
+ OUT UINT32 *Count
+ )
+{
+ if ((NorFlashDevices == NULL) || (Count == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ *NorFlashDevices = mNorFlashDevices;
+ *Count = ARRAY_SIZE (mNorFlashDevices);
+ return EFI_SUCCESS;
+}
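Review bot: the first descriptor ("Secure Boot storage space of 4MB", SGI_EXP_SMC_CS2_BASE to +4 MB) is not used by anything in this series; the PcdFlashNvStorage* values in patch 3/3 start at 0x10400000, which is the second descriptor. Either say in the comment what those first 4 MB hold, or drop the entry so the MM NOR driver does not expose an unused writable region. Two smaller points on the same table: `SIZE_256KB * 16` and `SIZE_256KB * 12` hide the 4 MB / 3 MB split the commit message describes (SIZE_4MB and SIZE_1MB * 3 would read directly), and the second comment's "1MB*3" should use the same wording as the commit message. In NorFlashPlatformInitialization, SGI_SYSPH_SYS_REG_FLASH_RWEN is set and never cleared, so the flash stays write-enabled for the life of the partition; a comment on whether that bit gates all chip selects or only CS2 would make the trust assumption explicit. DebugLib is included but not used.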
diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
new file mode 100644
index 0000000..d24eb21
--- /dev/null
+++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
@@ -0,0 +1,33 @@
+#/** @file
+#
+# Copyright (c) 2019, ARM Ltd. All rights reserved.
+
+# This program and the accompanying materials are licensed and made available
+# under the terms and conditions of the BSD License which accompanies this
+# distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+#**/
+
+[Defines]
+ INF_VERSION = 0x0001001A
+ BASE_NAME = NorFlashSgiLib
+ FILE_GUID = 2ce22190-b933-4d1e-99ba-8bf1f0768255
+ MODULE_TYPE = BASE
+ LIBRARY_CLASS = NorFlashPlatformLib
+
+[Sources.common]
+ StandaloneMmNorFlashLib.c
+
+[Packages]
+ ArmPlatformPkg/ArmPlatformPkg.dec
+ MdePkg/MdePkg.dec
+ Platform/ARM/SgiPkg/SgiPlatform.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ IoLib
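Review bot: `LIBRARY_CLASS = NorFlashPlatformLib` carries no module-type restriction, so this secure-world instance can also be resolved for DXE modules; `LIBRARY_CLASS = NorFlashPlatformLib|MM_STANDALONE` would make the build tools reject it anywhere outside the secure partition, which is what the subject line intends. BASE_NAME = NorFlashSgiLib does not distinguish this from a non-MM instance (the file is StandaloneMmNorFlashLib, so StandaloneMmNorFlashSgiLib would match). [LibraryClasses] lists BaseLib and DebugLib that the source does not call, and the blank line after the copyright in the license header is missing its leading `#`.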
--
2.7.4
* [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
From: Jagadeesh Ujja @ 2019-03-12 16:06 UTC (permalink / raw)
To: edk2-devel, leif.lindholm, ard.biesheuvel
This implements support for UEFI secure boot on SGI platforms using
the standalone MM framework. This moves all of the software handling
of the UEFI authenticated variable store into the standalone MM
context residing in a secure partition.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
---
Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
4 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
index 49fc919..b6aa90b 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -26,6 +26,7 @@
SKUID_IDENTIFIER = DEFAULT
FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
DEFINE DEBUG_MESSAGE = TRUE
+ DEFINE SECURE_BOOT_ENABLE = FALSE
# LzmaF86
DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
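Review bot: the default `SECURE_BOOT_ENABLE = FALSE` here is independent of the one added to SgiPlatform.dsc, so passing `-D SECURE_BOOT_ENABLE=TRUE` to only one of the two builds gives a non-secure image that expects an MM variable service (VariableSmmRuntimeDxe) with a secure partition that does not provide one, or the reverse. If the define stays on the MM side (see the thread on whether it is needed here at all), the commit message or a comment next to the define should say that both images must be built with the same value.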
@@ -83,7 +84,17 @@
HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
-
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+ NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+ VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+!endif
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform
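Review bot: `PlatformSecureLib|PlatformSecureLibNull` is the no-op physical-presence implementation, and with `PcdUserPhysicalPresence|TRUE` in the PCD section below, UserPhysicalPresent() inside the secure partition answers TRUE for every request that arrives over MmCommunication. AuthVariableLib uses that result to relax the signature checks on PK/KEK/db updates in custom mode, so the relaxation applies to any non-secure caller. That is acceptable for a development platform but deserves a comment, and a platform that wants the secure partition to add real protection needs a PlatformSecureLib tied to an actual presence signal. Minor: `TimerLib|BaseTimerLibNullTemplate` makes every delay in the linked libraries return immediately, and `BaseCryptLib|SmmCryptLib` reuses the SMM instance for standalone MM; both are fine but worth a word in the commit message.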
@@ -100,6 +111,21 @@
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ #Secure Storage
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
+ gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+
+ ## NV Storage - 1MB*3 in NOR2 Flash
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10400000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10500000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10600000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
+
###################################################################################################
#
# Components Section - list of the modules and components that will be processed by compilation
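Review bot: the NV store addresses are repeated as literals (0x10400000, 0x10500000, 0x10600000) while the MM NOR descriptor in StandaloneMmNorFlashLib.c derives the same region from `SGI_EXP_SMC_CS2_BASE + SIZE_256KB * 16`; the two can drift apart silently, and the NOR driver would then find no region for the variable store. Either derive the PCD values from the same constants or add a comment pointing at the descriptor table. The layout itself checks out: 1 MB variable store + 1 MB FTW working + 1 MB FTW spare fills exactly the 3 MB second region, the spare area equals the variable store size as FaultTolerantWrite requires, and all three are multiples of the 256 KB block size. The `#Secure Storage` comment is terse; "PCDs for the authenticated variable store in the secure partition" says what the block is for.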
@@ -125,6 +151,12 @@
StandaloneMmPkg/Core/StandaloneMmCore.inf
[Components.AARCH64]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+ MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+!endif
+
StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
###################################################################################################
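Review bot: VariableStandaloneMm.inf is added without the `NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf` override that the non-secure VariableRuntimeDxe keeps in the `!else` branch of SgiPlatform.dsc, so in the MM build the UEFI-defined variable property checks (attribute and read-only rules for the gEfiGlobalVariableGuid variables) are enforced nowhere; the VarCheckLib instance listed above only provides the framework those rules plug into. Give VariableStandaloneMm.inf the same `<LibraryClasses>` block here.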
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
index 810460c..8c05a03 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
@@ -55,6 +55,11 @@ READ_LOCK_CAP = TRUE
READ_LOCK_STATUS = TRUE
INF StandaloneMmPkg/Core/StandaloneMmCore.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+!endif
INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
################################################################################
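Review bot: this FV now pulls in ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf, which is not yet in the ArmPlatformPkg this series can build against (Ard's reply in this thread says the updated NorFlashDxe has to land first); the cover letter should name that edk2 dependency so the series is not applied ahead of it. With the flag set the MM image also grows by OpensslLib and BaseCryptLib, so the size of the secure partition's load region should be rechecked.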
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc b/Platform/ARM/SgiPkg/SgiPlatform.dsc
index bdb4ecb..4ddeb65 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dsc
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc
@@ -26,6 +26,7 @@
SKUID_IDENTIFIER = DEFAULT
FLASH_DEFINITION = Platform/ARM/SgiPkg/SgiPlatform.fdf
BUILD_NUMBER = 1
+ DEFINE SECURE_BOOT_ENABLE = FALSE
!include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
@@ -260,7 +261,15 @@
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+ }
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!endif
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
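Review bot: `MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf` is listed in both branches and only the `<LibraryClasses>` override differs; listing the driver once and putting the `!if` around the `NULL|...DxeImageVerificationLib.inf` line inside the braces avoids the duplication. More importantly, what DxeImageVerificationLib does on a signature failure is driven by PcdOptionRomImageVerificationPolicy, PcdRemovableMediaImageVerificationPolicy and PcdFixedMediaImageVerificationPolicy, none of which this patch sets; SecurityPkg defaults all three to 0x04 (deny execution on security violation), which is what a secure boot platform wants, but setting them explicitly in the DSC documents the policy and protects against a later default change.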
@@ -268,6 +277,9 @@
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
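Review bot: with the flag set, VariableSmmRuntimeDxe is only the non-secure proxy; every Get/SetVariable is forwarded over MmCommunication, and the proxy sizes its communication buffer from this DSC's own PcdMaxVariableSize / PcdMaxAuthVariableSize, not from the 0x2000 / 0x2800 set in PlatformStandaloneMm.dsc. Neither value appears in this patch on the non-secure side, so either mirror them in this hunk or note where they come from; otherwise a request larger than the MM side's limit is only rejected inside the partition.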
@@ -275,6 +287,7 @@
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
}
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
#
# ACPI Support
@@ -344,4 +357,7 @@
#
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
- ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+ ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+ <LibraryClasses>
+ NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
+ }
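Review bot: the `NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf` override is applied unconditionally, unlike every other change in this patch. That library exists to signal to VariableSmmRuntimeDxe that the MM variable service is reachable once MmCommunication is up; in a `SECURE_BOOT_ENABLE = FALSE` build there is no MM variable service behind it and VariableRuntimeDxe does not need it, so wrap the override in the same `!if` to avoid advertising a variable service that is not there.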
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
index 7916a52..aff0be5 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
+++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
@@ -96,10 +96,15 @@ READ_LOCK_STATUS = TRUE
INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
- INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
+ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
#
# ACPI Support
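Review bot: DSC and FDF agree (SecureBootConfigDxe + VariableSmmRuntimeDxe against FaultTolerantWriteDxe + VariableRuntimeDxe), and keeping SecurityStubDxe.inf unconditional is right since only its linked libraries change. One thing worth a line in the commit message: the SECURE_BOOT_ENABLE build ships no FaultTolerantWrite driver in the non-secure image at all, because the FTW protocol is now provided inside the secure partition.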
--
2.7.4
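As an added example (not part of this series or of edk2-platforms), the following stand-alone C program checks that the two places where the series fixes the NOR2 layout agree with each other: the descriptor table in StandaloneMmNorFlashLib.c (patch 2/3) and the PcdFlashNvStorage* values in PlatformStandaloneMm.dsc (patch 3/3). The SGI_* macros and the descriptor field order mirror the patches; the NorRegion/NvStore/NvLayout types and the check functions are local to this example and are assumptions, not edk2 code.

```c
/* Added example (not edk2 code): checks that the NOR2 layout hard-coded in
 * StandaloneMmNorFlashLib.c (patch 2/3) and the PcdFlashNvStorage* values in
 * PlatformStandaloneMm.dsc (patch 3/3) agree. SGI_* macros and the descriptor
 * field order mirror the patches; the types and checks are local to this file. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_256KB            0x00040000ull
#define SIZE_64MB             0x04000000ull
#define SGI_EXP_SMC_CS2_BASE  0x10000000ull   /* patch 1/3 */
#define SGI_EXP_SMC_CS2_SZ    SIZE_64MB       /* patch 1/3 */

/* Field order of the NOR_FLASH_DESCRIPTION initialisers in patch 2/3. */
typedef struct { uint64_t DeviceBaseAddress, RegionBaseAddress, Size, BlockSize; } NorRegion;

/* The two regions StandaloneMmNorFlashLib.c hands to the MM NOR driver. */
static const NorRegion MmNorRegions[] = {
  { SGI_EXP_SMC_CS2_BASE, SGI_EXP_SMC_CS2_BASE,                   SIZE_256KB * 16, SIZE_256KB },
  { SGI_EXP_SMC_CS2_BASE, SGI_EXP_SMC_CS2_BASE + SIZE_256KB * 16, SIZE_256KB * 12, SIZE_256KB },
};
#define NUM_MM_REGIONS (sizeof MmNorRegions / sizeof MmNorRegions[0])

/* One (base, size) pair per PcdFlashNvStorage{Variable,FtwWorking,FtwSpare}. */
typedef struct { uint64_t Base, Size; } NvStore;
typedef struct { NvStore Variable, FtwWorking, FtwSpare; } NvLayout;

/* Values from PlatformStandaloneMm.dsc in patch 3/3. */
static const NvLayout DscNvLayout = {
  { 0x10400000ull, 0x00100000ull },
  { 0x10500000ull, 0x00100000ull },
  { 0x10600000ull, 0x00100000ull },
};

/* [ib, ib+is) lies inside [ob, ob+os); written so base+size cannot overflow. */
static bool RangeContains(uint64_t ob, uint64_t os, uint64_t ib, uint64_t is)
{
  return ib >= ob && is <= os && ib - ob <= os - is;
}

static bool RangesOverlap(uint64_t ab, uint64_t as, uint64_t bb, uint64_t bs)
{
  return ab < bb + bs && bb < ab + as;
}

/* Index of the MM region that wholly contains [base, base+size), or -1. */
int FindMmRegion(uint64_t base, uint64_t size)
{
  for (size_t i = 0; i < NUM_MM_REGIONS; i++) {
    if (RangeContains(MmNorRegions[i].RegionBaseAddress, MmNorRegions[i].Size, base, size)) {
      return (int)i;
    }
  }
  return -1;
}

/* Descriptor table sanity: on CS2, inside the 64 MB window, block aligned,
 * and disjoint from every earlier region. */
bool CheckMmRegions(void)
{
  for (size_t i = 0; i < NUM_MM_REGIONS; i++) {
    const NorRegion *r = &MmNorRegions[i];
    if (r->DeviceBaseAddress != SGI_EXP_SMC_CS2_BASE) return false;
    if (!RangeContains(SGI_EXP_SMC_CS2_BASE, SGI_EXP_SMC_CS2_SZ, r->RegionBaseAddress, r->Size)) return false;
    if (r->RegionBaseAddress % r->BlockSize != 0 || r->Size % r->BlockSize != 0) return false;
    for (size_t j = 0; j < i; j++) {
      if (RangesOverlap(r->RegionBaseAddress, r->Size,
                        MmNorRegions[j].RegionBaseAddress, MmNorRegions[j].Size)) return false;
    }
  }
  return true;
}

/* NV layout checks: each store inside one MM region and block aligned for it,
 * no two stores overlapping, and the FTW spare at least as large as the
 * variable store (the variable driver asserts the store fits one FTW block).
 * Returns 0 on success, else 1 = Variable, 2 = FtwWorking, 3 = FtwSpare for
 * the first failing store, or 4 when the spare is smaller than the store. */
int CheckNvLayout(const NvLayout *l)
{
  const NvStore *s[3] = { &l->Variable, &l->FtwWorking, &l->FtwSpare };
  for (size_t i = 0; i < 3; i++) {
    int r = FindMmRegion(s[i]->Base, s[i]->Size);
    if (r < 0) return (int)i + 1;
    uint64_t bs = MmNorRegions[r].BlockSize;
    if (s[i]->Base % bs != 0 || s[i]->Size % bs != 0) return (int)i + 1;
    for (size_t j = 0; j < i; j++) {
      if (RangesOverlap(s[i]->Base, s[i]->Size, s[j]->Base, s[j]->Size)) return (int)i + 1;
    }
  }
  return l->FtwSpare.Size >= l->Variable.Size ? 0 : 4;
}

int main(void)
{
  int rc = CheckMmRegions() ? CheckNvLayout(&DscNvLayout) : -1;
  printf("NOR2 layout from the series: %s (code %d)\n", rc == 0 ? "consistent" : "INCONSISTENT", rc);
  return rc == 0 ? 0 : 1;
}
```

For the values in the series the program reports a consistent layout: all three stores land in the second descriptor (index 1), and the 3 MB region is filled exactly. Changing either side (for instance enlarging PcdFlashNvStorageVariableSize without moving the FTW areas) makes CheckNvLayout name the first store that breaks the rules, which is the kind of check worth running whenever the DSC literals and the descriptor table are edited independently.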
* Re: [PATCH edk2-platforms v2 0/3] Platform/ARM/SgiPkg: Implement StandaloneMm based secure boot
From: Jagadeesh Ujja @ 2019-03-15 8:19 UTC (permalink / raw)
To: edk2-devel, Leif Lindholm, Ard Biesheuvel
Hi Ard/Leif,
Please let me know if you have any comments on this patch set.
Thanks,
Jagadeesh
On Tue, Mar 12, 2019 at 9:45 PM Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
>
> Changes since v1:
> - Addressed all the comments from Ard Biesheuvel.
>
> Integrating various pieces together so that the authenticated variable store
> runs entirely in standalone MM context residing in a secure partition.
> This primarily involves adding all required libraries and drivers to the platform
> specific .DSC and .FDF files. This creates a separate NOR flash region which
> is visible only to StandaloneMm drivers; this NOR flash will co-exist with
> the general NOR flash region.
>
> Jagadeesh Ujja (3):
> Platform/ARM/Sgi: define nor2 flash controller memory map
> Platform/ARM/Sgi: allow MM_STANDALONE modules to use NorFlashPlatformLib
> Platform/ARM/SgiPkg: add MM based UEFI secure boot support
>
> Platform/ARM/SgiPkg/Include/SgiPlatform.h | 4 ++
> Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c | 63 ++++++++++++++++++++
> Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++++
> Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 ++++++++++-
> Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 ++
> Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 +++++-
> Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 ++-
> 7 files changed, 161 insertions(+), 3 deletions(-)
> create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
> create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
>
> --
> 2.7.4
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
* Re: [PATCH edk2-platforms v2 0/3] Platform/ARM/SgiPkg: Implement StandaloneMm based secure boot
From: Ard Biesheuvel @ 2019-03-15 11:36 UTC (permalink / raw)
To: Jagadeesh Ujja; +Cc: edk2-devel@lists.01.org, Leif Lindholm
On Fri, 15 Mar 2019 at 09:19, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
>
> hi Ard/Leif
>
> Please let me know if you have any comments on this patch set
>
I'll have a look, but we need the updated NorFlashDxe in
ArmPlatformPkg before we can merge this anyway.
>
> On Tue, Mar 12, 2019 at 9:45 PM Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
> >
> > Changes since v1:
> > - Addressed all the comments from Ard Biesheuvel.
> >
> > Integrating various pieces together so that the authenticated variable store
> > runs entirely in standalone MM context residing in a secure partition.
> > This primarily involves adding all required libraries and drivers to the platform
> > specific .DSC and .FDF files. This creates a separate NOR flash region which
> > is visible only to StandaloneMm drivers; this NOR flash will co-exist with
> > the general NOR flash region.
> >
> > Jagadeesh Ujja (3):
> > Platform/ARM/Sgi: define nor2 flash controller memory map
> > Platform/ARM/Sgi: allow MM_STANDALONE modules to use NorFlashPlatformLib
> > Platform/ARM/SgiPkg: add MM based UEFI secure boot support
> >
> > Platform/ARM/SgiPkg/Include/SgiPlatform.h | 4 ++
> > Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c | 63 ++++++++++++++++++++
> > Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++++
> > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 ++++++++++-
> > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 ++
> > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 +++++-
> > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 ++-
> > 7 files changed, 161 insertions(+), 3 deletions(-)
> > create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
> > create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> >
> > --
> > 2.7.4
> >
* Re: [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
From: Ard Biesheuvel @ 2019-03-15 12:21 UTC (permalink / raw)
To: Jagadeesh Ujja; +Cc: edk2-devel@lists.01.org, Leif Lindholm
On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
>
> This implements support for UEFI secure boot on SGI platforms using
> the standalone MM framework. This moves all of the software handling
> of the UEFI authenticated variable store into the standalone MM
> context residing in a secure partition.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
> ---
> Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
> Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
> Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
> 4 files changed, 61 insertions(+), 3 deletions(-)
>
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> index 49fc919..b6aa90b 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> @@ -26,6 +26,7 @@
> SKUID_IDENTIFIER = DEFAULT
> FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> DEFINE DEBUG_MESSAGE = TRUE
> + DEFINE SECURE_BOOT_ENABLE = FALSE
>
Maybe I wasn't clear before, but I don't see the point of building the
MM component without secure boot enabled. So can we drop this from
this side?
For the non-secure side, it is a different matter, obviously.
> # LzmaF86
> DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
> @@ -83,7 +84,17 @@
> HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
> MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
> MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
> -
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> + NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
> + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
> + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
> + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> +!endif
> ################################################################################
> #
> # Pcd Section - list of all EDK II PCD Entries defined by this Platform
> @@ -100,6 +111,21 @@
>
> gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + #Secure Storage
> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
> + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
> +
> + ## NV Storage - 1MB*3 in NOR2 Flash
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10400000
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10500000
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10600000
> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
> +!endif
> +
> ###################################################################################################
> #
> # Components Section - list of the modules and components that will be processed by compilation
> @@ -125,6 +151,12 @@
> StandaloneMmPkg/Core/StandaloneMmCore.inf
>
> [Components.AARCH64]
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> +!endif
> +
> StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
>
> ###################################################################################################
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> index 810460c..8c05a03 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> @@ -55,6 +55,11 @@ READ_LOCK_CAP = TRUE
> READ_LOCK_STATUS = TRUE
>
> INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> +!endif
> INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
>
> ################################################################################
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc b/Platform/ARM/SgiPkg/SgiPlatform.dsc
> index bdb4ecb..4ddeb65 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc
> @@ -26,6 +26,7 @@
> SKUID_IDENTIFIER = DEFAULT
> FLASH_DEFINITION = Platform/ARM/SgiPkg/SgiPlatform.fdf
> BUILD_NUMBER = 1
> + DEFINE SECURE_BOOT_ENABLE = FALSE
>
> !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
>
> @@ -260,7 +261,15 @@
> MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> + <LibraryClasses>
> + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> + }
> + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +!else
> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> +!endif
> OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
>
> MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
> @@ -268,6 +277,9 @@
> MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
> MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
> MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> +!else
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
> <LibraryClasses>
> NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> @@ -275,6 +287,7 @@
> BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
> }
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> +!endif
>
> #
> # ACPI Support
> @@ -344,4 +357,7 @@
> #
> MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
>
> - ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
> + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
> + <LibraryClasses>
> + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
> + }
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> index 7916a52..aff0be5 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> @@ -96,10 +96,15 @@ READ_LOCK_STATUS = TRUE
> INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> +!else
> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> +!endif
>
> #
> # ACPI Support
> --
> 2.7.4
>
* Re: [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
From: Thomas Abraham @ 2019-03-15 12:30 UTC (permalink / raw)
To: Ard Biesheuvel; +Cc: Jagadeesh Ujja, edk2-devel@lists.01.org
On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
>
> On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
> >
> > This implements support for UEFI secure boot on SGI platforms using
> > the standalone MM framework. This moves all of the software handling
> > of the UEFI authenticated variable store into the standalone MM
> > context residing in a secure partition.
> >
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
> > ---
> > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
> > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
> > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
> > 4 files changed, 61 insertions(+), 3 deletions(-)
> >
> > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > index 49fc919..b6aa90b 100644
> > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > @@ -26,6 +26,7 @@
> > SKUID_IDENTIFIER = DEFAULT
> > FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > DEFINE DEBUG_MESSAGE = TRUE
> > + DEFINE SECURE_BOOT_ENABLE = FALSE
> >
>
> Maybe I wasn't clear before, but I don't see the point of building the
> MM component without secure boot enabled. So can we drop this from
> this side?
Hi Ard,
On the SGI platforms, the MM component is used for platform RAS error
handling as well and secure boot is not mandatory in such a build. So
the build of the MM component is being kept independent of secure boot.
Thanks,
Thomas.
>
> For the non-secure side, it is a different matter, obviously.
>
> > # LzmaF86
> > DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
> > @@ -83,7 +84,17 @@
> > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
> > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
> > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
> > -
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> > + NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
> > + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
> > + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
> > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> > +!endif
> > ################################################################################
> > #
> > # Pcd Section - list of all EDK II PCD Entries defined by this Platform
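Review bot: PlatformSecureLib is resolved to PlatformSecureLibNull here, and the PCD hunk that follows sets PcdUserPhysicalPresence to TRUE, so UserPhysicalPresent() in the MM variable service always reports a physically present user and the physical-presence gate that AuthVariableLib applies to PK/KEK/db/dbx changes in custom mode is permanently open. That is a reasonable default for a reference platform, but it should be stated in the commit message, since a production derivative of this platform needs a real PlatformSecureLib. Minor: the removed blank line leaves `!endif` directly against the `####` banner; keep one blank line between them as the rest of the file does.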
> > @@ -100,6 +111,21 @@
> >
> > gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
> >
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + #Secure Storage
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
> > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
> > +
> > + ## NV Storage - 1MB*3 in NOR2 Flash
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10400000
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10500000
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10600000
> > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
> > +!endif
> > +
> > ###################################################################################################
> > #
> > # Components Section - list of the modules and components that will be processed by compilation
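Review bot: the NV storage bases are literal constants (0x10400000, 0x10500000, 0x10600000) that must agree with the nor2 window patch 1/3 of this series defines in SgiPlatform.h and that StandaloneMmNorFlashLib.c describes to the flash driver; add a comment stating that relationship so a change to the memory map does not silently leave the variable store outside the region only the secure partition can see, since that isolation is the whole point of moving the store into MM. The layout itself is consistent: the FTW spare region (0x00100000) is at least as large as the variable store, which FaultTolerantWrite needs for reclaim. Style nit: `#Secure Storage` is missing the space after `#` that the other comments use.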
> > @@ -125,6 +151,12 @@
> > StandaloneMmPkg/Core/StandaloneMmCore.inf
> >
> > [Components.AARCH64]
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> > + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> > +!endif
> > +
> > StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
> >
> > ###################################################################################################
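Review bot: the three modules added here (NorFlashStandaloneMm.inf, FaultTolerantWriteStandaloneMm.inf, VariableStandaloneMm.inf) live in edk2 rather than edk2-platforms, and per the discussion in this thread the NorFlashDxe side is still under review, so the commit message should name the edk2 revision or series this depends on; a SECURE_BOOT_ENABLE=TRUE build against an older edk2 otherwise fails on a missing INF with no hint of why.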
> > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > index 810460c..8c05a03 100644
> > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > @@ -55,6 +55,11 @@ READ_LOCK_CAP = TRUE
> > READ_LOCK_STATUS = TRUE
> >
> > INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> > +!endif
> > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
> >
> > ################################################################################
> > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc b/Platform/ARM/SgiPkg/SgiPlatform.dsc
> > index bdb4ecb..4ddeb65 100644
> > --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc
> > +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc
> > @@ -26,6 +26,7 @@
> > SKUID_IDENTIFIER = DEFAULT
> > FLASH_DEFINITION = Platform/ARM/SgiPkg/SgiPlatform.fdf
> > BUILD_NUMBER = 1
> > + DEFINE SECURE_BOOT_ENABLE = FALSE
> >
> > !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
> >
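Review bot: SECURE_BOOT_ENABLE now exists with independent defaults in this file and in PlatformStandaloneMm.dsc, and the two must agree: with TRUE here the non-secure side selects VariableSmmRuntimeDxe and drops its own FaultTolerantWriteDxe and VariableRuntimeDxe, so it has no variable store at all unless the MM image was also built with TRUE and carries VariableStandaloneMm. Nothing enforces that pairing; document that both builds take the same -D SECURE_BOOT_ENABLE value, or adopt the suggestion above of not making the MM side conditional in the first place.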
> > @@ -260,7 +261,15 @@
> > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> > MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> > + <LibraryClasses>
> > + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> > + }
> > + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> > +!else
> > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> > +!endif
> > OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
> >
> > MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
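Review bot: linking DxeImageVerificationLib into SecurityStubDxe turns enforcement on, but the three policy PCDs it reads (PcdOptionRomImageVerificationPolicy, PcdRemovableMediaImageVerificationPolicy, PcdFixedMediaImageVerificationPolicy) are not set anywhere in this patch, so the platform silently inherits the SecurityPkg.dec defaults. Set them explicitly inside the SECURE_BOOT_ENABLE block so the verification policy is visible and reviewable in the platform description rather than implied.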
> > @@ -268,6 +277,9 @@
> > MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
> > MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
> > MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> > +!else
> > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
> > <LibraryClasses>
> > NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
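Review bot: the non-secure-boot branch links VarCheckUefiLib into VariableRuntimeDxe, but the secure-boot branch has no equivalent: VariableSmmRuntimeDxe is only the non-secure proxy, and the VariableStandaloneMm.inf entry in PlatformStandaloneMm.dsc is listed without a `NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf` library, so the UEFI-defined variable property checks are enforced only when secure boot is off, which is backwards. Add the NULL library to the VariableStandaloneMm.inf entry on the MM side (VarCheckLib is already resolved there), provided the library builds for MM_STANDALONE at this point.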
> > @@ -275,6 +287,7 @@
> > BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
> > }
> > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> > +!endif
> >
> > #
> > # ACPI Support
> > @@ -344,4 +357,7 @@
> > #
> > MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
> >
> > - ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
> > + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
> > + <LibraryClasses>
> > + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
> > + }
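Review bot: the VariableMmDependency NULL library is added to MmCommunication.inf unconditionally, while the MM-side variable service it relates to exists only when SECURE_BOOT_ENABLE is TRUE. Either move this into the same !if, or explain in the commit message why the dependency is needed in the non-secure-boot build, where the MM image contains only StandaloneMmCore and StandaloneMmCpu.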
> > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> > index 7916a52..aff0be5 100644
> > --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
> > +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> > @@ -96,10 +96,15 @@ READ_LOCK_STATUS = TRUE
> > INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> > INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> > INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> > - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> > INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> > +!else
> > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> > INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> > +!endif
> >
> > #
> > # ACPI Support
> > --
> > 2.7.4
> >
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
* Re: [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
2019-03-15 12:30 ` Thomas Abraham
@ 2019-03-15 12:34 ` Ard Biesheuvel
2019-03-15 12:47 ` Thomas Abraham
0 siblings, 1 reply; 11+ messages in thread
From: Ard Biesheuvel @ 2019-03-15 12:34 UTC (permalink / raw)
To: Thomas Abraham; +Cc: Jagadeesh Ujja, edk2-devel@lists.01.org
On Fri, 15 Mar 2019 at 13:30, Thomas Abraham <thomas.abraham@arm.com> wrote:
>
> On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel
> <ard.biesheuvel@linaro.org> wrote:
> >
> > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
> > >
> > > This implements support for UEFI secure boot on SGI platforms using
> > > the standalone MM framework. This moves all of the software handling
> > > of the UEFI authenticated variable store into the standalone MM
> > > context residing in a secure partition.
> > >
> > > Contributed-under: TianoCore Contribution Agreement 1.1
> > > Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
> > > ---
> > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
> > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
> > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
> > > 4 files changed, 61 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > index 49fc919..b6aa90b 100644
> > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > @@ -26,6 +26,7 @@
> > > SKUID_IDENTIFIER = DEFAULT
> > > FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > > DEFINE DEBUG_MESSAGE = TRUE
> > > + DEFINE SECURE_BOOT_ENABLE = FALSE
> > >
> >
> > Maybe I wasn't clear before, but I don't see the point of building the
> > MM component without secure boot enabled. So can we drop this from
> > this side?
>
> Hi Ard,
>
> On the SGI platforms, the MM component is used for platform RAS error
> handling as well and secure boot is not mandatory in such a build. So
> the build of MM component is being kept independent of secure boot.
>
Hi Thomas,
When building the MM side of the platform without secure boot, the
only MM modules that are included are
> > > INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> > > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
neither of which implement RAS handling. So are you saying this is
functionality that runs in MM context, but it has not been upstreamed
yet?
* Re: [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
2019-03-15 12:34 ` Ard Biesheuvel
@ 2019-03-15 12:47 ` Thomas Abraham
2019-03-15 12:51 ` Ard Biesheuvel
0 siblings, 1 reply; 11+ messages in thread
From: Thomas Abraham @ 2019-03-15 12:47 UTC (permalink / raw)
To: Ard Biesheuvel; +Cc: edk2-devel@lists.01.org
On Fri, Mar 15, 2019 at 6:12 PM Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
>
> On Fri, 15 Mar 2019 at 13:30, Thomas Abraham <thomas.abraham@arm.com> wrote:
> >
> > On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel
> > <ard.biesheuvel@linaro.org> wrote:
> > >
> > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
> > > >
> > > > This implements support for UEFI secure boot on SGI platforms using
> > > > the standalone MM framework. This moves all of the software handling
> > > > of the UEFI authenticated variable store into the standalone MM
> > > > context residing in a secure partition.
> > > >
> > > > Contributed-under: TianoCore Contribution Agreement 1.1
> > > > Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
> > > > ---
> > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
> > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> > > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
> > > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
> > > > 4 files changed, 61 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > index 49fc919..b6aa90b 100644
> > > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > @@ -26,6 +26,7 @@
> > > > SKUID_IDENTIFIER = DEFAULT
> > > > FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > > > DEFINE DEBUG_MESSAGE = TRUE
> > > > + DEFINE SECURE_BOOT_ENABLE = FALSE
> > > >
> > >
> > > Maybe I wasn't clear before, but I don't see the point of building the
> > > MM component without secure boot enabled. So can we drop this from
> > > this side?
> >
> > Hi Ard,
> >
> > On the SGI platforms, the MM component is used for platform RAS error
> > handling as well and secure boot is not mandatory in such a build. So
> > the build of MM component is being kept independent of secure boot.
> >
>
> Hi Thomas,
>
> When building the MM side of the platform without secure boot, the
> only MM modules that are included are
>
> > > > INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> > > > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
>
> neither of which implement RAS handling. So are you saying this is
> functionality that runs in MM context, but it has not been upstreamed
> yet?
Hi Ard,
Yes, this functionality is yet to be upstreamed and there is work
happening in that direction. So the MM build is being kept independent
of the secure boot feature.
Thanks,
Thomas.
* Re: [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
2019-03-15 12:47 ` Thomas Abraham
@ 2019-03-15 12:51 ` Ard Biesheuvel
0 siblings, 0 replies; 11+ messages in thread
From: Ard Biesheuvel @ 2019-03-15 12:51 UTC (permalink / raw)
To: Thomas Abraham; +Cc: edk2-devel@lists.01.org
On Fri, 15 Mar 2019 at 13:47, Thomas Abraham <thomas.abraham@arm.com> wrote:
>
> On Fri, Mar 15, 2019 at 6:12 PM Ard Biesheuvel
> <ard.biesheuvel@linaro.org> wrote:
> >
> > On Fri, 15 Mar 2019 at 13:30, Thomas Abraham <thomas.abraham@arm.com> wrote:
> > >
> > > On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel
> > > <ard.biesheuvel@linaro.org> wrote:
> > > >
> > > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja <jagadeesh.ujja@arm.com> wrote:
> > > > >
> > > > > This implements support for UEFI secure boot on SGI platforms using
> > > > > the standalone MM framework. This moves all of the software handling
> > > > > of the UEFI authenticated variable store into the standalone MM
> > > > > context residing in a secure partition.
> > > > >
> > > > > Contributed-under: TianoCore Contribution Agreement 1.1
> > > > > Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
> > > > > ---
> > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++++++++++++++++++-
> > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> > > > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++++++++++-
> > > > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++-
> > > > > 4 files changed, 61 insertions(+), 3 deletions(-)
> > > > >
> > > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > > index 49fc919..b6aa90b 100644
> > > > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> > > > > @@ -26,6 +26,7 @@
> > > > > SKUID_IDENTIFIER = DEFAULT
> > > > > FLASH_DEFINITION = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> > > > > DEFINE DEBUG_MESSAGE = TRUE
> > > > > + DEFINE SECURE_BOOT_ENABLE = FALSE
> > > > >
> > > >
> > > > Maybe I wasn't clear before, but I don't see the point of building the
> > > > MM component without secure boot enabled. So can we drop this from
> > > > this side?
> > >
> > > Hi Ard,
> > >
> > > On the SGI platforms, the MM component is used for platform RAS error
> > > handling as well and secure boot is not mandatory in such a build. So
> > > the build of MM component is being kept independent of secure boot.
> > >
> >
> > Hi Thomas,
> >
> > When building the MM side of the platform without secure boot, the
> > only MM modules that are included are
> >
> > > > > INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> > > > > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
> >
> > neither of which implement RAS handling. So are you saying this is
> > functionality that runs in MM context, but it has not been upstreamed
> > yet?
>
> Hi Ard,
>
> Yes, this functionality is yet to be upstreamed and there is work
> happening in that direction. So the MM build is being kept independent
> of secure boot feature.
>
OK, fair enough.
I will look in more detail once the NorFlashDxe changes are reviewed and merged.
end of thread, other threads:[~2019-03-15 12:51 UTC | newest]
Thread overview: 11+ messages
2019-03-12 16:06 [PATCH edk2-platforms v2 0/3] Platform/ARM/SgiPkg: Implement StandaloneMm based secure boot Jagadeesh Ujja
2019-03-12 16:06 ` [PATCH edk2-platforms v2 1/3] Platform/ARM/Sgi: define nor2 flash controller memory map Jagadeesh Ujja
2019-03-12 16:06 ` [PATCH edk2-platforms v2 2/3] Platform/ARM/Sgi: allow MM_STANDALONE modules to use NorFlashPlatformLib Jagadeesh Ujja
2019-03-12 16:06 ` [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support Jagadeesh Ujja
2019-03-15 12:21 ` Ard Biesheuvel
2019-03-15 12:30 ` Thomas Abraham
2019-03-15 12:34 ` Ard Biesheuvel
2019-03-15 12:47 ` Thomas Abraham
2019-03-15 12:51 ` Ard Biesheuvel
2019-03-15 8:19 ` [PATCH edk2-platforms v2 0/3] Platform/ARM/SgiPkg: Implement StandaloneMm based secure boot Jagadeesh Ujja
2019-03-15 11:36 ` Ard Biesheuvel