public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot
@ 2020-03-04  7:25 Ard Biesheuvel
  2020-04-06 13:58 ` Leif Lindholm
  0 siblings, 1 reply; 3+ messages in thread
From: Ard Biesheuvel @ 2020-03-04  7:25 UTC (permalink / raw)
  To: devel; +Cc: leif, masahisa.kojima, Ard Biesheuvel

Enable the various components, library class resolutions and PCD defaults
to enable measured boot based on a version 2 TPM. The TPM is exposed as
having a memory mapped TIS frame, which is accomplished using the SPI
command sequencer that is available on this platform. Note that this
requires SCP firmware support.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 Platform/Socionext/DeveloperBox/DeveloperBox.dsc                                          | 91 ++++++++++++++++++++
 Platform/Socionext/DeveloperBox/DeveloperBox.fdf                                          | 11 +++
 Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts                                   |  4 +
 Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi                                     |  7 ++
 Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h                                  |  4 +
 Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c |  3 +
 6 files changed, 120 insertions(+)

diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
index 9f8cb68cdd26..cddd34e65389 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
@@ -24,6 +24,7 @@ [Defines]
 
   DEFINE DEBUG_ON_UART1          = FALSE
   DEFINE SECURE_BOOT_ENABLE      = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
   DEFINE X64EMU_ENABLE           = FALSE
 
 !include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc
@@ -38,6 +39,16 @@ [LibraryClasses]
   PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf
 !endif
 
+!if $(TPM2_ENABLE) == TRUE
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+
 [LibraryClasses.common.SEC]
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
   BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
@@ -60,6 +71,19 @@ [LibraryClasses.common.PEIM]
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
   MemoryInitPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.inf
   PlatformPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPlatformPeiLib/SynQuacerPlatformPeiLib.inf
+  ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
+
+!if $(TPM2_ENABLE) == TRUE
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+!endif
 
 [LibraryClasses.common.DXE_CORE]
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -92,6 +116,10 @@ [LibraryClasses.common.DXE_DRIVER]
   PciHostBridgeLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPciHostBridgeLib/SynQuacerPciHostBridgeLib.inf
   NonDiscoverableDeviceRegistrationLib|MdeModulePkg/Library/NonDiscoverableDeviceRegistrationLib/NonDiscoverableDeviceRegistrationLib.inf
 
+!if $(TPM2_ENABLE) == TRUE
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
+
 [LibraryClasses.common.UEFI_APPLICATION]
   PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
@@ -183,13 +211,33 @@ [PcdsFixedAtBuild]
   gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
   gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
 
+!if $(TPM2_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x10000000
+!endif
+
 [PcdsDynamicExDefault.common.DEFAULT]
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5}
 
+!if $(TPM2_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
+!endif
+
 [PcdsDynamicHii]
   gSynQuacerTokenSpaceGuid.PcdPlatformSettings|L"SynQuacerPlatformSettings"|gSynQuacerPlatformFormSetGuid|0x0|0x0|NV,BS
 
+!if $(TPM2_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+!endif
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform
@@ -217,6 +265,30 @@ [Components.common]
       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
   }
 
+!if $(TPM2_ENABLE) == TRUE
+  MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
+    <LibraryClasses>
+      ResetSystemLib|ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
+  }
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+    <LibraryClasses>
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+    <PcdsFixedAtBuild>
+      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
+  }
+
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+    <PcdsFixedAtBuild>
+      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
+  }
+!endif
+
   #
   # DXE
   #
@@ -245,6 +317,9 @@ [Components.common]
     <LibraryClasses>
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+!if $(TPM2_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
 !endif
   }
   ArmPkg/Drivers/TimerDxe/TimerDxe.inf
@@ -302,6 +377,22 @@ [Components.common]
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
 
+!if $(TPM2_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+    <PcdsFixedAtBuild>
+      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
+  }
+!endif
+
   #
   # UEFI application (Shell Embedded Boot Loader)
   #
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
index da9290fd92a2..5dd5e4b5c0c1 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
@@ -130,6 +130,11 @@ [FV.FvMain]
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
 
+!if $(TPM2_ENABLE) == TRUE
+  INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+  INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+
   #
   # UEFI applications
   #
@@ -293,6 +298,12 @@ [FV.FVMAIN_COMPACT]
   INF RuleOverride = FMP_IMAGE_DESC Platform/Socionext/DeveloperBox/SystemFirmwareDescriptor/SystemFirmwareDescriptor.inf
   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
+!if $(TPM2_ENABLE) == TRUE
+  INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
+  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+!endif
+
   FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
     SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
       SECTION FV_IMAGE = FVMAIN
diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
index c4bdae258c3c..e77a372393fb 100644
--- a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
+++ b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
@@ -27,6 +27,10 @@
     };
 };
 
+&tpm {
+    status = "okay";
+};
+
 &gpio {
     gpio-line-names = "DSW3-PIN1",  "DSW3-PIN2",  "DSW3-PIN3",    "DSW3-PIN4",
                       "DSW3-PIN5",  "DSW3-PIN6",  "DSW3-PIN7",    "DSW3-PIN8",
diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
index b11e4303edd8..2ee3821fca0b 100644
--- a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
+++ b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
@@ -553,6 +553,7 @@
         socionext,set-aces;
         #address-cells = <1>;
         #size-cells = <0>;
+        status = "disabled";
     };
 
     clk_i2c: i2c_pclk {
@@ -573,6 +574,12 @@
         #size-cells = <0>;
     };
 
+    tpm: tpm_tis@10000000 {
+        compatible = "socionext,synquacer-tpm-mmio";
+        reg = <0x0 0x10000000 0x0 0x5000>;
+        status = "disabled";
+    };
+
     firmware {
         optee {
             compatible = "linaro,optee-tz";
diff --git a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
index 29c5f73f2057..a7a4232eb864 100644
--- a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
+++ b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
@@ -82,4 +82,8 @@
 #define SYNQUACER_SPI1_BASE             0x54810000
 #define SYNQUACER_SPI1_SIZE             SIZE_4KB
 
+// SPI controller #1 MMIO Region
+#define SYNQUACER_SPI1_MMIO_BASE        0x10000000
+#define SYNQUACER_SPI1_MMIO_SIZE        SIZE_1MB
+
 #endif
diff --git a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
index 3da32ea6816a..2db88ec53926 100644
--- a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
+++ b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
@@ -115,6 +115,9 @@ STATIC CONST ARM_MEMORY_REGION_DESCRIPTOR mVirtualMemoryTable[] = {
 
   // DesignWare FUART
   ARM_DEVICE_REGION (SYNQUACER_UART1_BASE, SYNQUACER_UART1_SIZE),
+
+  // SPI#1 MMIO
+  ARM_DEVICE_REGION (SYNQUACER_SPI1_MMIO_BASE, SYNQUACER_SPI1_MMIO_SIZE),
 };
 
 STATIC
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot
  2020-03-04  7:25 [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot Ard Biesheuvel
@ 2020-04-06 13:58 ` Leif Lindholm
  2020-04-06 14:33   ` Ard Biesheuvel
  0 siblings, 1 reply; 3+ messages in thread
From: Leif Lindholm @ 2020-04-06 13:58 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: devel, masahisa.kojima

On Wed, Mar 04, 2020 at 08:25:43 +0100, Ard Biesheuvel wrote:
> Enable the various components, library class resolutions and PCD defaults
> to enable measured boot based on a version 2 TPM. The TPM is exposed as
> having a memory mapped TIS frame, which is accomplished using the SPI
> command sequencer that is available on this platform. Note that this
> requires SCP firmware support.

Ideally, I'd like to see the corresponding SCP firmware added to
edk2-non-osi, but...:
Reviewed-by: Leif Lindholm <leif@nuviainc.com>

Apologies for tardiness.

> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  Platform/Socionext/DeveloperBox/DeveloperBox.dsc                                          | 91 ++++++++++++++++++++
>  Platform/Socionext/DeveloperBox/DeveloperBox.fdf                                          | 11 +++
>  Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts                                   |  4 +
>  Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi                                     |  7 ++
>  Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h                                  |  4 +
>  Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c |  3 +
>  6 files changed, 120 insertions(+)
> 
> diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> index 9f8cb68cdd26..cddd34e65389 100644
> --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> @@ -24,6 +24,7 @@ [Defines]
>  
>    DEFINE DEBUG_ON_UART1          = FALSE
>    DEFINE SECURE_BOOT_ENABLE      = FALSE
> +  DEFINE TPM2_ENABLE             = FALSE
>    DEFINE X64EMU_ENABLE           = FALSE
>  
>  !include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc
> @@ -38,6 +39,16 @@ [LibraryClasses]
>    PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf
>  !endif
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> +  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
> +  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> +  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> +!else
> +  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> +  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> +!endif
> +
>  [LibraryClasses.common.SEC]
>    PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
>    BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
> @@ -60,6 +71,19 @@ [LibraryClasses.common.PEIM]
>    PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
>    MemoryInitPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.inf
>    PlatformPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPlatformPeiLib/SynQuacerPlatformPeiLib.inf
> +  ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
> +
> +!if $(TPM2_ENABLE) == TRUE
> +  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> +  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> +
> +  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> +  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> +  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
> +  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> +
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +!endif
>  
>  [LibraryClasses.common.DXE_CORE]
>    PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
> @@ -92,6 +116,10 @@ [LibraryClasses.common.DXE_DRIVER]
>    PciHostBridgeLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPciHostBridgeLib/SynQuacerPciHostBridgeLib.inf
>    NonDiscoverableDeviceRegistrationLib|MdeModulePkg/Library/NonDiscoverableDeviceRegistrationLib/NonDiscoverableDeviceRegistrationLib.inf
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> +!endif
> +
>  [LibraryClasses.common.UEFI_APPLICATION]
>    PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
>    HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
> @@ -183,13 +211,33 @@ [PcdsFixedAtBuild]
>    gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
>    gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x10000000
> +!endif
> +
>  [PcdsDynamicExDefault.common.DEFAULT]
>    gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100
>    gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5}
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
> +!endif
> +
>  [PcdsDynamicHii]
>    gSynQuacerTokenSpaceGuid.PcdPlatformSettings|L"SynQuacerPlatformSettings"|gSynQuacerPlatformFormSetGuid|0x0|0x0|NV,BS
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> +!endif
> +
>  ################################################################################
>  #
>  # Components Section - list of all EDK II Modules needed by this Platform
> @@ -217,6 +265,30 @@ [Components.common]
>        NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
>    }
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
> +    <LibraryClasses>
> +      ResetSystemLib|ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
> +  }
> +  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> +    <LibraryClasses>
> +      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> +    <PcdsFixedAtBuild>
> +      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> +  }
> +
> +  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
> +    <PcdsFixedAtBuild>
> +      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> +  }
> +!endif
> +
>    #
>    # DXE
>    #
> @@ -245,6 +317,9 @@ [Components.common]
>      <LibraryClasses>
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>        NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +!endif
> +!if $(TPM2_ENABLE) == TRUE
> +      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
>  !endif
>    }
>    ArmPkg/Drivers/TimerDxe/TimerDxe.inf
> @@ -302,6 +377,22 @@ [Components.common]
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
>  !endif
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> +    <LibraryClasses>
> +      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> +      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> +      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> +    <PcdsFixedAtBuild>
> +      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> +  }
> +!endif
> +
>    #
>    # UEFI application (Shell Embedded Boot Loader)
>    #
> diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> index da9290fd92a2..5dd5e4b5c0c1 100644
> --- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> @@ -130,6 +130,11 @@ [FV.FvMain]
>    INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
>  !endif
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> +  INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> +
>    #
>    # UEFI applications
>    #
> @@ -293,6 +298,12 @@ [FV.FVMAIN_COMPACT]
>    INF RuleOverride = FMP_IMAGE_DESC Platform/Socionext/DeveloperBox/SystemFirmwareDescriptor/SystemFirmwareDescriptor.inf
>    INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>  
> +!if $(TPM2_ENABLE) == TRUE
> +  INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
> +  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> +!endif
> +
>    FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
>      SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
>        SECTION FV_IMAGE = FVMAIN
> diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> index c4bdae258c3c..e77a372393fb 100644
> --- a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> +++ b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> @@ -27,6 +27,10 @@
>      };
>  };
>  
> +&tpm {
> +    status = "okay";
> +};
> +
>  &gpio {
>      gpio-line-names = "DSW3-PIN1",  "DSW3-PIN2",  "DSW3-PIN3",    "DSW3-PIN4",
>                        "DSW3-PIN5",  "DSW3-PIN6",  "DSW3-PIN7",    "DSW3-PIN8",
> diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> index b11e4303edd8..2ee3821fca0b 100644
> --- a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> +++ b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> @@ -553,6 +553,7 @@
>          socionext,set-aces;
>          #address-cells = <1>;
>          #size-cells = <0>;
> +        status = "disabled";
>      };
>  
>      clk_i2c: i2c_pclk {
> @@ -573,6 +574,12 @@
>          #size-cells = <0>;
>      };
>  
> +    tpm: tpm_tis@10000000 {
> +        compatible = "socionext,synquacer-tpm-mmio";
> +        reg = <0x0 0x10000000 0x0 0x5000>;
> +        status = "disabled";
> +    };
> +
>      firmware {
>          optee {
>              compatible = "linaro,optee-tz";
> diff --git a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> index 29c5f73f2057..a7a4232eb864 100644
> --- a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> +++ b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> @@ -82,4 +82,8 @@
>  #define SYNQUACER_SPI1_BASE             0x54810000
>  #define SYNQUACER_SPI1_SIZE             SIZE_4KB
>  
> +// SPI controller #1 MMIO Region
> +#define SYNQUACER_SPI1_MMIO_BASE        0x10000000
> +#define SYNQUACER_SPI1_MMIO_SIZE        SIZE_1MB
> +
>  #endif
> diff --git a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> index 3da32ea6816a..2db88ec53926 100644
> --- a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> +++ b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> @@ -115,6 +115,9 @@ STATIC CONST ARM_MEMORY_REGION_DESCRIPTOR mVirtualMemoryTable[] = {
>  
>    // DesignWare FUART
>    ARM_DEVICE_REGION (SYNQUACER_UART1_BASE, SYNQUACER_UART1_SIZE),
> +
> +  // SPI#1 MMIO
> +  ARM_DEVICE_REGION (SYNQUACER_SPI1_MMIO_BASE, SYNQUACER_SPI1_MMIO_SIZE),
>  };
>  
>  STATIC
> -- 
> 2.17.1
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot
  2020-04-06 13:58 ` Leif Lindholm
@ 2020-04-06 14:33   ` Ard Biesheuvel
  0 siblings, 0 replies; 3+ messages in thread
From: Ard Biesheuvel @ 2020-04-06 14:33 UTC (permalink / raw)
  To: Leif Lindholm; +Cc: devel, masahisa.kojima

On 4/6/20 3:58 PM, Leif Lindholm wrote:
> On Wed, Mar 04, 2020 at 08:25:43 +0100, Ard Biesheuvel wrote:
>> Enable the various components, library class resolutions and PCD defaults
>> to enable measured boot based on a version 2 TPM. The TPM is exposed as
>> having a memory mapped TIS frame, which is accomplished using the SPI
>> command sequencer that is available on this platform. Note that this
>> requires SCP firmware support.
> 
> Ideally, I'd like to see the corresponding SCP firmware added to
> edk2-non-osi, but...:
> Reviewed-by: Leif Lindholm <leif@nuviainc.com>
> 
> Apologies for tardiness.
> 

Thanks

Pushed as 1d59c5b912d9..b93aa851aab6

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-04-06 14:33 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-04  7:25 [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot Ard Biesheuvel
2020-04-06 13:58 ` Leif Lindholm
2020-04-06 14:33   ` Ard Biesheuvel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox