From: Leif Lindholm <leif.lindholm@linaro.org>
To: Ming Huang <ming.huang@linaro.org>
Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org,
graeme.gregory@linaro.org, ard.biesheuvel@linaro.org,
michael.d.kinney@intel.com, lersek@redhat.com,
wanghuiqiang@huawei.com, huangming23@huawei.com,
zhangjinsong2@huawei.com, huangdaode@hisilicon.com,
john.garry@huawei.com, xinliang.liu@linaro.org,
zhangfeng56@huawei.com
Subject: Re: [PATCH edk2-platforms v1 08/12] Hisilicon/D06: Fix SBBR-SCT AuthVar issue
Date: Wed, 14 Nov 2018 00:18:05 +0000 [thread overview]
Message-ID: <20181114001805.sqyr64iwo55rypgp@bivouac.eciton.net> (raw)
In-Reply-To: <20181029033249.45363-9-ming.huang@linaro.org>
On Mon, Oct 29, 2018 at 11:32:45AM +0800, Ming Huang wrote:
> Enable secure boot to fix AuthVar issue:
> RT.SetVariable - Set Invalid Time Base Auth Variable – FAILURE;
> RT.SetVariable - Create one Time Base Auth Variable, the expect return
> status should be EFI_SUCCESS – FAILURE.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ming Huang <ming.huang@linaro.org>
> ---
> Silicon/Hisilicon/Hisilicon.dsc.inc | 16 ++++++++++++++++
> Platform/Hisilicon/D06/D06.dsc | 2 +-
> 2 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/Silicon/Hisilicon/Hisilicon.dsc.inc b/Silicon/Hisilicon/Hisilicon.dsc.inc
> index 3ac8e20232..6515c0d703 100644
> --- a/Silicon/Hisilicon/Hisilicon.dsc.inc
> +++ b/Silicon/Hisilicon/Hisilicon.dsc.inc
> @@ -89,8 +89,15 @@
>
> SemihostLib|ArmPkg/Library/SemihostLib/SemihostLib.inf
>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
> + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
The virtual machines and development boards can get away with this,
but it is not an appropriate action for a real platform.
Please implement a real PlatformSecureLib, doing a real
UserPhysicalPresent check, appropriate to the D06.
I don't expect this to happen in time for a 2018.11 Linaro release, so
you can drop it from the set. We can log the test failure as a known
issue for now.
/
Leif
> +!else
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> +!endif
>
> # BDS Libraries
> FdtLib|EmbeddedPkg/Library/FdtLib/FdtLib.inf
> @@ -217,6 +224,9 @@
> !if $(TARGET) != RELEASE
> DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
> !endif
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +!endif
>
> [LibraryClasses.AARCH64]
> ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf
> @@ -326,6 +336,12 @@
> gEmbeddedTokenSpaceGuid.PcdTimerPeriod|10000
> gArmTokenSpaceGuid.PcdVFPEnabled|1
> gEfiMdePkgTokenSpaceGuid.PcdUartDefaultReceiveFifoDepth|32
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
> + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
> + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
> + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
> +!endif
>
> [PcdsDynamicHii.common.DEFAULT]
> gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10 # Variable: L"Timeout"
> diff --git a/Platform/Hisilicon/D06/D06.dsc b/Platform/Hisilicon/D06/D06.dsc
> index b6ef9fedf0..8ee20342b1 100644
> --- a/Platform/Hisilicon/D06/D06.dsc
> +++ b/Platform/Hisilicon/D06/D06.dsc
> @@ -30,7 +30,7 @@
> FLASH_DEFINITION = Platform/Hisilicon/$(PLATFORM_NAME)/$(PLATFORM_NAME).fdf
> DEFINE NETWORK_IP6_ENABLE = FALSE
> DEFINE HTTP_BOOT_ENABLE = FALSE
> - DEFINE SECURE_BOOT_ENABLE = FALSE
> + DEFINE SECURE_BOOT_ENABLE = TRUE
>
> !include Silicon/Hisilicon/Hisilicon.dsc.inc
>
> --
> 2.18.0
>
next prev parent reply other threads:[~2018-11-14 0:18 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 3:32 [PATCH edk2-platforms v1 00/12] Fix D06 SBSA/SBBR issue and improve Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 01/12] Silicon/Hisilicon/D06: Add watchdog to GTDT Ming Huang
2018-11-14 0:39 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 02/12] Silicon/Hisilicon/D06: Drop _CID for fwts issue Ming Huang
2018-11-14 0:48 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 03/12] Silicon/Hisilicon/D06: Fix fwts issue in Dbg2 Ming Huang
2018-11-14 0:50 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 04/12] Silicon/Hisilicon/D06: Fix fwts issue in FADT Ming Huang
2018-11-14 0:50 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 05/12] Hisilicon/D06: Move some functions to OemMiscLib Ming Huang
2018-11-14 0:04 ` Leif Lindholm
2018-11-14 14:30 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 06/12] Silicon/Hisilicon: Modify for SBBR fwts SetTime_Func test case Ming Huang
[not found] ` <20181113235222.amykmhqlh5gltg7p@bivouac.eciton.net>
2018-11-14 14:31 ` Ming Huang
2018-11-14 17:20 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 07/12] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe Ming Huang
2018-11-13 23:57 ` Leif Lindholm
2018-11-15 7:09 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 08/12] Hisilicon/D06: Fix SBBR-SCT AuthVar issue Ming Huang
2018-11-14 0:18 ` Leif Lindholm [this message]
2018-11-14 14:31 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 09/12] Silicon/Hisilicon/D06: Reserve ECAM resource in DSDT Ming Huang
2018-11-14 0:23 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 10/12] Silicon/Hisilicon/D06: Modify GTDT timer flag Ming Huang
2018-11-14 0:24 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 11/12] Hisilicon/D06: Modify Gic base Ming Huang
2018-11-14 0:29 ` Leif Lindholm
2018-11-14 14:31 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 12/12] Silicon/Hisilicon/D06: Set TA as Node 0 for TA boot Ming Huang
2018-11-14 0:36 ` Leif Lindholm
2018-11-14 14:32 ` Ming Huang
2018-10-29 11:43 ` [PATCH edk2-platforms v1 00/12] Fix D06 SBSA/SBBR issue and improve Leif Lindholm
2018-10-29 15:01 ` Ming Huang
2018-10-29 16:14 ` Leif Lindholm
[not found] ` <5eaaf9d7-e76b-2e98-f4c8-bb0a27007cfc@huawei.com>
2018-10-30 9:37 ` Leif Lindholm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181114001805.sqyr64iwo55rypgp@bivouac.eciton.net \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox