From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: edk2-devel@lists.01.org
Subject: [PATCH edk2-platforms 7/7] Platform/DeveloperBox: add MM based UEFI secure boot support
Date: Fri, 4 Jan 2019 15:43:36 +0100 [thread overview]
Message-ID: <20190104144336.8941-8-ard.biesheuvel@linaro.org> (raw)
In-Reply-To: <20190104144336.8941-1-ard.biesheuvel@linaro.org>
This implements support for UEFI secure boot on DeveloperBox using
the standalone MM framework. This moves all of the software handling
of the UEFI authenticated variable store into the standalone MM
context residing in a secure partition.

Note that SynQuacer as configured today is not a truly secure
platform, since the NOR flash registers are accessible to the
non-secure world. However, from a software point of view, all
of the required pieces are in place. (In particular, it is no
longer possible for the OS to stub out authentication checks
in the validation code residing in RuntimeServicesCode regions)

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 23 +++++++++++++++++++-
Platform/Socionext/DeveloperBox/DeveloperBox.fdf | 13 +++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
index 666bd2716336..d244048c5a6b 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
@@ -28,6 +28,8 @@ [Defines]
FLASH_DEFINITION = Platform/Socionext/DeveloperBox/DeveloperBox.fdf
BUILD_NUMBER = 1
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+
!include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc
[BuildOptions.common.EDKII.DXE_CORE,BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
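Review bot: The commit message never says how the new path is selected; with `DEFINE SECURE_BOOT_ENABLE = FALSE` as the default, add a sentence stating how a secure boot build is produced (the usual `-D SECURE_BOOT_ENABLE=TRUE` build switch, if that is the intended way), and that the define deliberately sits before the `!include` of DeveloperBox.dsc.inc so the shared include file sees the same value.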
@@ -165,6 +167,13 @@ [PcdsFixedAtBuild]
g96BoardsTokenSpaceGuid.PcdGpioPinK|24
g96BoardsTokenSpaceGuid.PcdGpioPinL|25
+ gArmTokenSpaceGuid.PcdMmBufferBase|0xFFC00000
+ gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000
+
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+
[PcdsDynamicExDefault.common.DEFAULT]
gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100
gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5}
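Review bot: PcdMmBufferBase/PcdMmBufferSize and the three image verification policy PCDs are set unconditionally, so the non-secure-boot build carries them as well; either move them under `!if $(SECURE_BOOT_ENABLE) == TRUE` or say in the commit message that this is intentional. The 2 MiB window at 0xFFC00000 is the buffer shared between the normal world and the secure partition, so it has to match the MM firmware's view of that region and must stay out of the memory handed to the OS; please state where that reservation is made, since it is not in this patch.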
@@ -223,7 +232,13 @@ [Components.common]
}
MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ <LibraryClasses>
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
+
ArmPkg/Drivers/TimerDxe/TimerDxe.inf
ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
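Review bot: Linking DxeImageVerificationLib as a NULL library class into SecurityStubDxe is what makes the 0x04 verification policies from the earlier hunk take effect, and with SECURE_BOOT_ENABLE set to FALSE the `{ }` override block is simply empty; both are fine, but a one-line comment above the component saying that image verification is only active in the MM-backed build would spare the next reader from working that out from the `!if`.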
@@ -251,6 +266,7 @@ [Components.common]
# Variable services
#
Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
+!if $(SECURE_BOOT_ENABLE) == FALSE
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
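Review bot: This `!if $(SECURE_BOOT_ENABLE) == FALSE` opens a conditional whose `!else`/`!endif` land in the next hunk; when applying, confirm that the whole FaultTolerantWriteDxe and VariableRuntimeDxe block, including the `<LibraryClasses>` overrides that follow, is inside the FALSE branch, since a build that ended up with both VariableRuntimeDxe and VariableSmmRuntimeDxe would have two variable drivers competing for the same protocols.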
@@ -260,6 +276,11 @@ [Components.common]
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
}
+!else
+ ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
#
# UEFI application (Shell Embedded Boot Loader)
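Review bot: The TRUE branch lists no FaultTolerantWriteDxe and no authenticated-variable library on the DXE side, which matches the commit message's claim that variable handling moves into the MM partition, but that only holds if the MM components (from the .DSC include added in 6/7) supply both the FTW and the authentication logic; say so explicitly in the commit message, and consider a comment on the `!else` branch noting that VariableSmmRuntimeDxe is only the normal-world proxy that forwards variable requests through MmCommunication.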
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
index 4a234a36525e..7be40380efb4 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
@@ -51,7 +51,11 @@ [FD.SPI_NOR_IMAGE]
################################################################################
0x00000000|0x00078000
+!if $(SECURE_BOOT_ENABLE) == FALSE
FILE = Platform/Socionext/DeveloperBox/fip_all_arm_tf.bin
+!else
+FILE = Platform/Socionext/DeveloperBox/fip_all_arm_tf_mm.bin
+!endif
0x00078000|0x00008000
FILE = $(OUTPUT_DIRECTORY)/$(TARGET)_$(TOOL_CHAIN_TAG)/$(ARCH)/Silicon/Socionext/SynQuacer/Stage2Tables/Stage2Tables/OUTPUT/Stage2Tables.bin
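Review bot: The FD region `0x00000000|0x00078000` is left unchanged while the file placed in it switches to fip_all_arm_tf_mm.bin; since the MM variant also carries the secure partition image, confirm the binary still fits in 0x78000 bytes, and document where fip_all_arm_tf_mm.bin comes from and how it was built, since it is not an output of this tree.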
@@ -122,9 +126,15 @@ [FV.FvMain]
#
# Variable services
#
+!if $(SECURE_BOOT_ENABLE) == FALSE
INF Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!else
+ INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
#
# UEFI applications
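Review bot: Indentation differs between the two branches: the FALSE branch `INF` lines are flush left while the `!else` branch lines are indented by one space; make them consistent with the rest of [FV.FvMain]. Also, in the TRUE branch Fip006Dxe is dropped from FvMain entirely, so on a normal boot there is no DXE flash driver and every NOR access goes through MM; that is the point of the series, but a comment here would stop the next reader from assuming it was left out by mistake.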
@@ -328,6 +338,9 @@ [FV.CapsuleDispatchFv]
READ_LOCK_CAP = TRUE
READ_LOCK_STATUS = TRUE
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
+!endif
INF SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.inf
[FV.SystemFirmwareUpdateCargo]
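Review bot: Placing Fip006Dxe in CapsuleDispatchFv for the secure boot build means the DXE flash driver is dispatched only on the capsule update path, next to SystemFirmwareUpdateDxe, while the MM partition's own flash driver is live at the same time; please state in the commit message how concurrent access to the NOR controller is avoided during an update (for example whether variable writes are quiesced while the capsule is applied), particularly since the commit message already notes the NOR registers are reachable from the non-secure world.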
--
2.17.1
2019-01-04 14:43 [PATCH edk2-platforms 0/7] Silicon/SynQuacer: implement SMM based secure boot Ard Biesheuvel
2019-01-04 14:43 ` [PATCH edk2-platforms 1/7] Silicon/SynQuacer/Fip006Dxe: drop block I/O and disk I/O routines Ard Biesheuvel
2019-01-17 9:50 ` Leif Lindholm
2019-01-17 10:59 ` Ard Biesheuvel
2019-01-04 14:43 ` [PATCH edk2-platforms 2/7] Silicon/SynQuacer/Fip006Dxe: factor out DXE specific pieces Ard Biesheuvel
2019-01-17 10:10 ` Leif Lindholm
2019-01-17 11:27 ` Ard Biesheuvel
2019-01-21 16:16 ` Ard Biesheuvel
2019-01-21 16:46 ` Leif Lindholm
2019-01-21 16:47 ` Ard Biesheuvel
2019-01-21 16:53 ` Leif Lindholm
2019-01-04 14:43 ` [PATCH edk2-platforms 3/7] Silicon/SynQuacer/Fip006Dxe: implement standalone MM variant Ard Biesheuvel
2019-01-04 14:43 ` [PATCH edk2-platforms 4/7] Silicon/SynQuacer/Fip006Dxe: use proper accessor for unaligned access Ard Biesheuvel
2019-01-04 14:43 ` [PATCH edk2-platforms 5/7] Platform/DeveloperBox: create shared .DSC include file Ard Biesheuvel
2019-01-04 14:43 ` [PATCH edk2-platforms 6/7] Platform/DeveloperBox: add .DSC/.FDF description of MM components Ard Biesheuvel
2019-01-17 11:04 ` Leif Lindholm
2019-01-17 11:10 ` Ard Biesheuvel
2019-01-17 12:08 ` Leif Lindholm
2019-01-17 12:18 ` Ard Biesheuvel
2019-01-21 16:57 ` Ard Biesheuvel
2019-01-21 17:03 ` Leif Lindholm
2019-01-04 14:43 ` Ard Biesheuvel [this message]
2019-01-17 11:14 ` [PATCH edk2-platforms 0/7] Silicon/SynQuacer: implement SMM based secure boot Leif Lindholm
2019-01-21 17:40 ` Ard Biesheuvel