From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <leif.lindholm@linaro.org>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=2a00:1450:4864:20::441; helo=mail-wr1-x441.google.com;
 envelope-from=leif.lindholm@linaro.org; receiver=edk2-devel@lists.01.org 
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com
 [IPv6:2a00:1450:4864:20::441])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 31FF421188C38
 for <edk2-devel@lists.01.org>; Tue, 13 Nov 2018 16:18:09 -0800 (PST)
Received: by mail-wr1-x441.google.com with SMTP id e3-v6so15335721wrs.5
 for <edk2-devel@lists.01.org>; Tue, 13 Nov 2018 16:18:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-disposition:content-transfer-encoding:in-reply-to
 :user-agent; bh=mMb8ZytxXZShsocxtf3FvXR2OIDQatjcmdyjljBPdHg=;
 b=d2TfjkPvfZlW1ZmQFpYmOIDPtRWYphhie5IPFbgecYOHZB+rh8ST9cxlcBLh7e12+D
 nhj2pHGYG70Ptgfmf6GZOYx7iR2dyDJ8J9ryzI5h8FnStlg/zzSRxknKJr74BM85ARfy
 SePprkMvKU156+r/zcsDXraWlm1dSvQYwPokk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:content-transfer-encoding
 :in-reply-to:user-agent;
 bh=mMb8ZytxXZShsocxtf3FvXR2OIDQatjcmdyjljBPdHg=;
 b=iSDSd8l6nQHUw7UW0xbquW7wPbPOs8M/jjkLzfJO0X5V847iLTEVRvfvQK6IzcYFlr
 CMzISkqsHG0OBnZjYGNQpEQyiKWPdwM1BGkCVOLsOE3HuEunxUYv5dv+gBX/k0fKf1xU
 XZmJj/O9XZhq5d3UjiCthNYE7SuqlBwVxDYrUPvOGl8SRGkIW0TF/FAU+9gnmiX910No
 Ffu6GmOnPQGbDYYto4SMG0LbgktIJrzru1npWQis/+b+xYX9Gm+urAgBBb7wTlTDlh0O
 wp+9C1HgBENc0Re/Q8tHPALoC07G8NGcvOtLsokR5sWrrCzmX7OpAI1zQug4H257rLKd
 18LA==
X-Gm-Message-State: AGRZ1gIaQydlWueFfIdfzYqQRJo2IytUnnJ6QH1rWhKhtF6o7zLY4fKP
 Wz0Xu8jnARFxV/90NGXr9OAkMw==
X-Google-Smtp-Source: AJdET5fF38voMVjVF+mXmD5dJn89eKl1rrM1m9UjAHNutSBRtF8csHTFTijn6kBc7WBiDeUgAB8RTg==
X-Received: by 2002:adf:ae1a:: with SMTP id
 x26-v6mr7368121wrc.189.1542154688483; 
 Tue, 13 Nov 2018 16:18:08 -0800 (PST)
Received: from bivouac.eciton.net (bivouac.eciton.net.
 [2a00:1098:0:86:1000:23:0:2])
 by smtp.gmail.com with ESMTPSA id j195-v6sm466301wmf.13.2018.11.13.16.18.06
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 13 Nov 2018 16:18:07 -0800 (PST)
Date: Wed, 14 Nov 2018 00:18:05 +0000
From: Leif Lindholm <leif.lindholm@linaro.org>
To: Ming Huang <ming.huang@linaro.org>
Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org,
 graeme.gregory@linaro.org, ard.biesheuvel@linaro.org,
 michael.d.kinney@intel.com, lersek@redhat.com,
 wanghuiqiang@huawei.com, huangming23@huawei.com,
 zhangjinsong2@huawei.com, huangdaode@hisilicon.com,
 john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com
Message-ID: <20181114001805.sqyr64iwo55rypgp@bivouac.eciton.net>
References: <20181029033249.45363-1-ming.huang@linaro.org>
 <20181029033249.45363-9-ming.huang@linaro.org>
MIME-Version: 1.0
In-Reply-To: <20181029033249.45363-9-ming.huang@linaro.org>
User-Agent: NeoMutt/20170113 (1.7.2)
Subject: Re: [PATCH edk2-platforms v1 08/12] Hisilicon/D06: Fix SBBR-SCT AuthVar issue
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 00:18:10 -0000
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

On Mon, Oct 29, 2018 at 11:32:45AM +0800, Ming Huang wrote:
> Enable secure boot to fix AuthVar issue:
> RT.SetVariable - Set Invalid Time Base Auth Variable – FAILURE;
> RT.SetVariable - Create one Time Base Auth Variable, the expect return
> status should be EFI_SUCCESS – FAILURE.
> 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ming Huang <ming.huang@linaro.org>
> ---
>  Silicon/Hisilicon/Hisilicon.dsc.inc | 16 ++++++++++++++++
>  Platform/Hisilicon/D06/D06.dsc      |  2 +-
>  2 files changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/Silicon/Hisilicon/Hisilicon.dsc.inc b/Silicon/Hisilicon/Hisilicon.dsc.inc
> index 3ac8e20232..6515c0d703 100644
> --- a/Silicon/Hisilicon/Hisilicon.dsc.inc
> +++ b/Silicon/Hisilicon/Hisilicon.dsc.inc
> @@ -89,8 +89,15 @@
>  
>    SemihostLib|ArmPkg/Library/SemihostLib/SemihostLib.inf
>  
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> +  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

> +  # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
> +  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf

The virtual machines and development boards can get away with this,
but it is not an appropriate action for a real platform.
Please implement a real PlatformSecureLib, doing a real
UserPhysicalPresent check, appropriate to the D06.

I don't expect this to happen in time for a 2018.11 Linaro release, so
you can drop it from the set. We can log the test failure as a known
issue for now.

/
    Leif

> +!else
>    TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>    AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> +!endif
>  
>    # BDS Libraries
>    FdtLib|EmbeddedPkg/Library/FdtLib/FdtLib.inf
> @@ -217,6 +224,9 @@
>  !if $(TARGET) != RELEASE
>    DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
>  !endif
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +!endif
>  
>  [LibraryClasses.AARCH64]
>    ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf
> @@ -326,6 +336,12 @@
>    gEmbeddedTokenSpaceGuid.PcdTimerPeriod|10000
>    gArmTokenSpaceGuid.PcdVFPEnabled|1
>    gEfiMdePkgTokenSpaceGuid.PcdUartDefaultReceiveFifoDepth|32
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
> +  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
> +  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
> +  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
> +!endif
>  
>  [PcdsDynamicHii.common.DEFAULT]
>    gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10 # Variable: L"Timeout"
> diff --git a/Platform/Hisilicon/D06/D06.dsc b/Platform/Hisilicon/D06/D06.dsc
> index b6ef9fedf0..8ee20342b1 100644
> --- a/Platform/Hisilicon/D06/D06.dsc
> +++ b/Platform/Hisilicon/D06/D06.dsc
> @@ -30,7 +30,7 @@
>    FLASH_DEFINITION               = Platform/Hisilicon/$(PLATFORM_NAME)/$(PLATFORM_NAME).fdf
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
> -  DEFINE SECURE_BOOT_ENABLE      = FALSE
> +  DEFINE SECURE_BOOT_ENABLE      = TRUE
>  
>  !include Silicon/Hisilicon/Hisilicon.dsc.inc
>  
> -- 
> 2.18.0
>