From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=chao.b.zhang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 1635E21E25686 for ; Wed, 24 Jan 2018 20:48:24 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jan 2018 20:53:53 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,409,1511856000"; d="scan'208";a="196103067" Received: from czhan46-mobl1.ccr.corp.intel.com ([10.239.192.90]) by orsmga005.jf.intel.com with ESMTP; 24 Jan 2018 20:53:52 -0800 From: "Zhang, Chao B" To: edk2-devel@lists.01.org Date: Thu, 25 Jan 2018 12:53:47 +0800 Message-Id: <20180125045350.22372-1-chao.b.zhang@intel.com> X-Mailer: git-send-email 2.11.0.windows.1 Subject: [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Jan 2018 04:48:25 -0000 --- KabylakePlatSamplePkg/PlatformPkg.dsc | 13 +++++++++-- KabylakePlatSamplePkg/PlatformPkg.fdf | 36 +++++++++++++++-------------- KabylakePlatSamplePkg/PlatformPkgConfig.dsc | 2 +- 3 files changed, 31 insertions(+), 20 deletions(-) diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc index fb085b9..125e018 100644 --- a/KabylakePlatSamplePkg/PlatformPkg.dsc +++ b/KabylakePlatSamplePkg/PlatformPkg.dsc @@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07 gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000 +gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d} + [PcdsFixedAtBuild.IA32] !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 @@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07 NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf } + + MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf { + + NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRsa2048Sha256GuidedSectionExtractLib.inf + } !endif !if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE @@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf { gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE - NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf + # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf + NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf !endif !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf @@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf { gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE - NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf + #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf + NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf !endif !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf index d2e8ee3..9d3fa5d 100644 --- a/KabylakePlatSamplePkg/PlatformPkg.fdf +++ b/KabylakePlatSamplePkg/PlatformPkg.fdf @@ -406,7 +406,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf +#INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf !endif !if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE @@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf -!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { - $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin - } -!endif # PcdPubKeyHashBinEnable +INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf +#INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf +#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE +#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { +# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin +# } +#!endif # PcdPubKeyHashBinEnable !endif # PcdSecureBootEnable !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE @@ -604,7 +605,7 @@ APRIORI PEI { !endif !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE - INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent + #INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent !endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf !endif @@ -619,7 +620,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf +#INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf !endif !if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE @@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE # ROYAL_PARK_PORTING - Porting Required -INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf -!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { - $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin - } -!endif +INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf +#INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf +#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE +#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { +# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin +# } +#!endif !endif !if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE @@ -1174,7 +1176,7 @@ READ_LOCK_STATUS = TRUE FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE - SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE { + SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE { SECTION FV_IMAGE = FVMAIN2 } @@ -2497,7 +2499,7 @@ READ_LOCK_STATUS = TRUE FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE - SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE { + SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE { SECTION FV_IMAGE = FVMAIN } diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc index fd2d368..755e66c 100644 --- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc +++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc @@ -117,7 +117,7 @@ gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE - gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE + gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE # SI:RestrictedContent -- 1.9.5.msysgit.1