From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.web11.2257.1582627511279247632 for ; Tue, 25 Feb 2020 02:45:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=jl1ly9+i; spf=pass (domain: linaro.org, ip: 209.85.221.49, mailfrom: ard.biesheuvel@linaro.org) Received: by mail-wr1-f49.google.com with SMTP id w12so14134409wrt.2 for ; Tue, 25 Feb 2020 02:45:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=SlB0py2HrG7xNpEauwvt0x8xSp0VMcgY9iLpIhIrRG8=; b=jl1ly9+ixjJ3nEJhvaJ3wH89AWRwMF3cqAl+bPDYndRmsDFXJLWDnX/a/NbBTpi4GL 7zKZLOd8+NeFjprjK+76jOUEC0XqG4NdY8ArZg+5svGeDFUGenL5RBedDsp88chIdcTD X+VCRP/PBL5rUQpxs0r0rq8jYMS7nokrld/bFm2abb/o6EGLRndOvu5EBJUpuYWoUR00 J2mn9M3Tr0qYJ5PQdHj8Ibud0HPWCqdAW3Y7tozyi+zb5t/OVXAj5GxhqLWlk5MrvzBi 2vsysSzipkT+i0sPMSkCdAmE7T/0Gyl9meeLd80rt337xSb7qydzUwB6Bb/ZNwo8J3UK inPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=SlB0py2HrG7xNpEauwvt0x8xSp0VMcgY9iLpIhIrRG8=; b=GcXoEcc8GaQ/eO21E1HPr27K5rmQs1JBIwuzRy2LYdPMpFIWjemQqY1+fWTNiHkbpG Pi7OvsCGolWfc7AthwGH58v9rxUdR4oC/0+z0BVz+nXRmrc7dIT92WiGKjO0p5IhTtCG oc1riz+Or9IU1j1L5AQd+lUu+Z7eBYM80e+cheUSuBAICYQybm8D8OBM3S+PsneSK+62 rPJhIil+POi0huN3p5jXUxMfPx5QAMOij7pVX9H6jegFdwzH6stkq1I/xDs4dwgOawpc /0VCJP5A6Vvpvyn6TkYo2EZM95qJTRs4Nzez2UmJXU/fy22D2YfoHRDsfP2+f8qFUVMH 1nIA== X-Gm-Message-State: APjAAAVhAcLpSCb28BDTpi+P4NbFPBheDJ3gKX6MR8OAYOWu8QY50gw5 QK8cRe9G5gYcpmL1+sQX41Gk5LNrdJfBwA== X-Google-Smtp-Source: APXvYqx10oazA5MIF6gMFkhcgHYMRPA1yr9h2zxgdGg45+gz75ySkUJIKBzdj0iBs9R8dBSO9I/tyw== X-Received: by 2002:a05:6000:ca:: with SMTP id q10mr10777830wrx.78.1582627509538; Tue, 25 Feb 2020 02:45:09 -0800 (PST) Return-Path: Received: from e123331-lin.home ([2a01:cb1d:112:6f00:816e:ff0d:fb69:f613]) by smtp.gmail.com with ESMTPSA id g14sm13218913wrv.58.2020.02.25.02.45.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Feb 2020 02:45:08 -0800 (PST) From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: Ard Biesheuvel , lersek@redhat.com, eric.auger@redhat.com, philmd@redhat.com, marcandre.lureau@redhat.com, stefanb@linux.ibm.com, leif@nuviainc.com Subject: [PATCH v2 5/5] ArmVirtPkg/ArmVirtQemu: add optional support for TPM2 measured boot Date: Tue, 25 Feb 2020 11:44:49 +0100 Message-Id: <20200225104449.22453-6-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200225104449.22453-1-ard.biesheuvel@linaro.org> References: <20200225104449.22453-1-ard.biesheuvel@linaro.org> Duplicate the TPM2_ENABLE and TPM2_CONFIG_ENABLE build time flags that already exist in OvmfPkg, and wire them up in the .DSC and .FDF so that setting those flags produces a ArmVirtQemu build that implements measured boot using a TPM provided by QEMU and described in the device tree. Note that the TPM2 driver stack relies on a PEI phase being implemented, so there is no point in enabling this for ArmVirtQemuKernel or ArmVirtXen. Also note that, despite ArmVirtQemuKernel being unaffected by this patch, ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc is being modified, for keeping the contexts of the referring !include directives simple. Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirtQemu.dsc | 75 ++++++++++++++++++++ ArmVirtPkg/ArmVirtQemu.fdf | 6 ++ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 10 +++ 3 files changed, 91 insertions(+) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 7ae6702ac1f0..e8ea711e1a17 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -29,6 +29,8 @@ [Defines] # DEFINE TTY_TERMINAL = FALSE DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE TPM2_ENABLE = FALSE + DEFINE TPM2_CONFIG_ENABLE = FALSE # # Network definition @@ -74,12 +76,32 @@ [LibraryClasses.common] PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf +!if $(TPM2_ENABLE) == TRUE + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +!else + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +!endif + [LibraryClasses.common.PEIM] ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf + +!if $(TPM2_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +!endif [LibraryClasses.common.DXE_DRIVER] ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf +!if $(TPM2_ENABLE) == TRUE + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +!endif + [LibraryClasses.common.UEFI_DRIVER] UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf @@ -100,6 +122,8 @@ [PcdsFeatureFlag.common] gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE + gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) + [PcdsFixedAtBuild.common] !if $(ARCH) == AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled|1 @@ -237,9 +261,20 @@ [PcdsDynamicDefault.common] gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE +!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0 +!endif + [PcdsDynamicHii] gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS +!if $(TPM2_CONFIG_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +!endif + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform @@ -261,6 +296,23 @@ [Components.common] MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!if $(TPM2_ENABLE) == TRUE + MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf { + + ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf + } + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { + + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } +!endif + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf @@ -295,6 +347,9 @@ [Components.common] MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!if $(TPM2_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +!endif } SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -430,6 +485,26 @@ [Components.common] MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + # + # TPM2 support + # +!if $(TPM2_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } +!if $(TPM2_CONFIG_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!endif +!endif + # # ACPI Support # diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf index 2c8936a1ae15..b5e2253295fe 100644 --- a/ArmVirtPkg/ArmVirtQemu.fdf +++ b/ArmVirtPkg/ArmVirtQemu.fdf @@ -113,6 +113,12 @@ [FV.FVMAIN_COMPACT] INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +!if $(TPM2_ENABLE) == TRUE + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf + INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +!endif + FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE { SECTION FV_IMAGE = FVMAIN diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc index 31f615a9d0f9..d481e4b2b8fb 100644 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc @@ -182,3 +182,13 @@ [FV.FvMain] # Ramdisk support # INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + + # + # TPM2 support + # +!if $(TPM2_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +!if $(TPM2_CONFIG_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!endif +!endif -- 2.17.1