From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2a00:1450:4864:20::342; helo=mail-wm1-x342.google.com; envelope-from=leif.lindholm@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-wm1-x342.google.com (mail-wm1-x342.google.com [IPv6:2a00:1450:4864:20::342]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E74BF21A07A80 for ; Mon, 19 Nov 2018 10:13:21 -0800 (PST) Received: by mail-wm1-x342.google.com with SMTP id y139so6281824wmc.5 for ; Mon, 19 Nov 2018 10:13:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=wsjO2GbOWx7FJPis3fO2zSR+gvvV/pYEmAL2zWDxRrE=; b=SbSmIHm2vaMb/hcruE3P6Iz67x0rLCozGUD9nTBqLLUrRIZt8Ie5VAA04k/5lp7beK YANYoygVN0cORPNedlFn1118JJKQHr/kBNrjPXO7pElNN1j7vTPJ61EYuLbrrjwidOqK oR7QBIdQv3HBtSQIuW+1GghJR0Cth9VM4mnQ4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=wsjO2GbOWx7FJPis3fO2zSR+gvvV/pYEmAL2zWDxRrE=; b=cwXLDoxU2ML7qgQyCgW7E4FPzxGZRog4DmKeJDPFJPHDGTpxqB4Cw0OXngeVZESDvy fOe2k17aaEx8yppjC9FsiysyX2xgtfBCOWSFaSoYNxxKx4Mk4J6y+AjXTpY1qNTUO/Y/ 3NwCotBKQ38XJAj5jlVSRoOYu/eubxTD74C5WC5GMYjAC3WGeY4BxXLRIkuQlFiWake3 g6FRFSx2KeyvAbvUhoP9H8W4dE4ooOH3PB7Br0GoobqE9hzkEnju0q5tZgJh0vVWtBJ6 Mju8dDr2MHLLf3tnHdppgdHOFe4iPb6Zka4imEda6aNN5F4KW0z5bKm6wbppF3kJESUB Eyqw== X-Gm-Message-State: AA+aEWYY+P4+jpAV7VmUIbsKEXNUG5rbZRcq9/h988IgGYywFCG3YxFZ 62WmYEnBxaNYgRvmXyTztaeCVw== X-Google-Smtp-Source: AJdET5eZAy8VOl6Kk9p2FCyDKKiwTWO5D1SuQ0eAv4pFzw2gSMZ8EF/HOclWVkwOrHY5wzW3f7SACQ== X-Received: by 2002:a1c:d14d:: with SMTP id i74mr7747389wmg.100.1542651200350; Mon, 19 Nov 2018 10:13:20 -0800 (PST) Received: from bivouac.eciton.net (bivouac.eciton.net. [2a00:1098:0:86:1000:23:0:2]) by smtp.gmail.com with ESMTPSA id n15sm7168731wrt.21.2018.11.19.10.13.18 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 19 Nov 2018 10:13:19 -0800 (PST) Date: Mon, 19 Nov 2018 18:13:16 +0000 From: Leif Lindholm To: Ming Huang Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org, graeme.gregory@linaro.org, ard.biesheuvel@linaro.org, michael.d.kinney@intel.com, lersek@redhat.com, wanghuiqiang@huawei.com, huangming23@huawei.com, zhangjinsong2@huawei.com, huangdaode@hisilicon.com, john.garry@huawei.com, xinliang.liu@linaro.org, zhangfeng56@huawei.com Message-ID: <20181119181316.4bj5f6ynl7hq4s24@bivouac.eciton.net> References: <20181116065702.30559-1-ming.huang@linaro.org> <20181116065702.30559-8-ming.huang@linaro.org> MIME-Version: 1.0 In-Reply-To: <20181116065702.30559-8-ming.huang@linaro.org> User-Agent: NeoMutt/20170113 (1.7.2) Subject: Re: [PATCH edk2-platforms v2 07/15] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Nov 2018 18:13:22 -0000 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Nov 16, 2018 at 02:56:54PM +0800, Ming Huang wrote: > When SECURE_BOOT_ENABLE is TRUE, FlashFvbDxe should use > gEfiAuthenticatedVariableGuid, When SECURE_BOOT_ENABLE > is FALSE, gEfiVariableGuid should be used. > Other platforms seem to resolve this by doing something like: !if $(SECURE_BOOT_ENABLE) ... AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif Can the same mechanism be used here instead? I _really_ don't like the idea of adding vendor-specific Pcds to determine whether Secure Boot is enabled. / Leif > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Ming Huang > --- > Silicon/Hisilicon/HisiPkg.dec | 1 + > Platform/Hisilicon/D03/D03.dsc | 5 +++++ > Platform/Hisilicon/D05/D05.dsc | 5 +++++ > Platform/Hisilicon/D06/D06.dsc | 5 +++++ > Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf | 2 ++ > Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c | 14 ++++++++++++-- > 6 files changed, 30 insertions(+), 2 deletions(-) > > diff --git a/Silicon/Hisilicon/HisiPkg.dec b/Silicon/Hisilicon/HisiPkg.dec > index 404a3ae4af9d..af9359e4d0e0 100644 > --- a/Silicon/Hisilicon/HisiPkg.dec > +++ b/Silicon/Hisilicon/HisiPkg.dec > @@ -278,6 +278,7 @@ [PcdsFixedAtBuild] > > gHisiTokenSpaceGuid.Pcdsoctype|0|UINT32|0x00000061 > gHisiTokenSpaceGuid.PcdSerDesFlowCtrlFlag|0|UINT32|0x40000056 > + gHisiTokenSpaceGuid.PcdIsSecureBoot|FALSE|BOOLEAN|0x40000058 > > [PcdsFeatureFlag] > gHisiTokenSpaceGuid.PcdIsItsSupported|FALSE|BOOLEAN|0x00000065 > diff --git a/Platform/Hisilicon/D03/D03.dsc b/Platform/Hisilicon/D03/D03.dsc > index aa1da5d61f83..ba3096672db0 100644 > --- a/Platform/Hisilicon/D03/D03.dsc > +++ b/Platform/Hisilicon/D03/D03.dsc > @@ -281,6 +281,11 @@ [PcdsFixedAtBuild.common] > gHisiTokenSpaceGuid.PcdHb0Rb2IoSize|0xffff #64K > > gHisiTokenSpaceGuid.Pcdsoctype|0x1610 > + !if $(SECURE_BOOT_ENABLE) == TRUE > + gHisiTokenSpaceGuid.PcdIsSecureBoot|TRUE > + !else > + gHisiTokenSpaceGuid.PcdIsSecureBoot|FALSE > + !endif > > ################################################################################ > # > diff --git a/Platform/Hisilicon/D05/D05.dsc b/Platform/Hisilicon/D05/D05.dsc > index 1040466633ef..b8500cef8742 100644 > --- a/Platform/Hisilicon/D05/D05.dsc > +++ b/Platform/Hisilicon/D05/D05.dsc > @@ -422,6 +422,11 @@ [PcdsFixedAtBuild.common] > gHisiTokenSpaceGuid.PcdHb1Rb7IoSize|0x10000 #64K > > gHisiTokenSpaceGuid.Pcdsoctype|0x1610 > + !if $(SECURE_BOOT_ENABLE) == TRUE > + gHisiTokenSpaceGuid.PcdIsSecureBoot|TRUE > + !else > + gHisiTokenSpaceGuid.PcdIsSecureBoot|FALSE > + !endif > > ################################################################################ > # > diff --git a/Platform/Hisilicon/D06/D06.dsc b/Platform/Hisilicon/D06/D06.dsc > index 1a479c160e80..b6ef9fedf0a7 100644 > --- a/Platform/Hisilicon/D06/D06.dsc > +++ b/Platform/Hisilicon/D06/D06.dsc > @@ -243,6 +243,11 @@ [PcdsFixedAtBuild.common] > > gEfiMdeModulePkgTokenSpaceGuid.PcdSrIovSupport|FALSE > gArmTokenSpaceGuid.PcdPciIoTranslation|0x0 > + !if $(SECURE_BOOT_ENABLE) == TRUE > + gHisiTokenSpaceGuid.PcdIsSecureBoot|TRUE > + !else > + gHisiTokenSpaceGuid.PcdIsSecureBoot|FALSE > + !endif > > ################################################################################ > # > diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > index f8be4741ef7c..47965a707032 100644 > --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.inf > @@ -44,6 +44,7 @@ [LibraryClasses] > UefiRuntimeLib > > [Guids] > + gEfiAuthenticatedVariableGuid > gEfiSystemNvDataFvGuid > gEfiVariableGuid > > @@ -62,6 +63,7 @@ [Pcd.common] > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize > > gArmPlatformTokenSpaceGuid.PcdNorFlashCheckBlockLocked > + gHisiTokenSpaceGuid.PcdIsSecureBoot > gHisiTokenSpaceGuid.PcdSFCMEM0BaseAddress > > [Depex] > diff --git a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > index e18cc9e06ec2..309941d6fe4d 100644 > --- a/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > +++ b/Silicon/Hisilicon/Drivers/FlashFvbDxe/FlashFvbDxe.c > @@ -189,7 +189,11 @@ InitializeFvAndVariableStoreHeaders ( > // VARIABLE_STORE_HEADER > // > VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)Headers + (UINTN)FirmwareVolumeHeader->HeaderLength); > - CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid); > + if (PcdGetBool (PcdIsSecureBoot)) { > + CopyGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid); > + } else { > + CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid); > + } > VariableStoreHeader->Size = PcdGet32(PcdFlashNvStorageVariableSize) - FirmwareVolumeHeader->HeaderLength; > VariableStoreHeader->Format = VARIABLE_STORE_FORMATTED; > VariableStoreHeader->State = VARIABLE_STORE_HEALTHY; > @@ -220,6 +224,7 @@ ValidateFvHeader ( > VARIABLE_STORE_HEADER* VariableStoreHeader; > UINTN VariableStoreLength; > UINTN FvLength; > + EFI_GUID *Guid; > > FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER*)Instance->RegionBaseAddress; > > @@ -258,7 +263,12 @@ ValidateFvHeader ( > VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + (UINTN)FwVolHeader->HeaderLength); > > // Check the Variable Store Guid > - if ( CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) == FALSE ) > + if (PcdGetBool (PcdIsSecureBoot)) { > + Guid = &gEfiAuthenticatedVariableGuid; > + } else { > + Guid = &gEfiVariableGuid; > + } > + if (CompareGuid (&VariableStoreHeader->Signature, Guid) == FALSE) > { > DEBUG ((EFI_D_ERROR, "ValidateFvHeader: Variable Store Guid non-compatible\n")); > return EFI_NOT_FOUND; > -- > 2.9.5 >