From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com [209.85.221.67]) by mx.groups.io with SMTP id smtpd.web12.8146.1583306751153492417 for ; Tue, 03 Mar 2020 23:25:51 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=koRfiE7X; spf=pass (domain: linaro.org, ip: 209.85.221.67, mailfrom: ard.biesheuvel@linaro.org) Received: by mail-wr1-f67.google.com with SMTP id z11so1011136wro.9 for ; Tue, 03 Mar 2020 23:25:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=yJ8A3ZspDDDLlH6Xt+JyG3BeyeaUl1XKzpFO1vlhO6Y=; b=koRfiE7XpGQe4L1T3kJQl7ZLVECj3+4UBMvxO4m5LI63Hi0E+jqvgg/B2JUoYp1Uwr 7sKyXTBrjicyJpC0zRdIFboOarawAnVqx+rTS3M7/gjor4apNLReTe40jBZfHjim4Nep ARwzv3Cir+1XYD9R848pE8Gs8udYvx+Nbob0Jbei1X25MhAg7JFJQ4Mkn14JtbewxLqr uqaR9p92vNM0xKDIE6FKrrTI194JKMf4LYW4m8lbnihMNx9HE3FDShsKsNgONjo1Nf6B J2PxVAE2IG/LxfBUlMn6pP4UKiaUFuwPxOU1cCYgP4Yu+wthUox3BM30sLDJ2ElUX9vg q34w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=yJ8A3ZspDDDLlH6Xt+JyG3BeyeaUl1XKzpFO1vlhO6Y=; b=MY2RmBNjT25muV3Cjr7lUkJGNa6rKYVbOBl4ktFxDKoPJnrljPjAE5c5bom5F2o3hr d9wKx7law8lMTCdNsc6N6hPCzch9m4xNoeu4j43lri0h+5T/nf60JX3Svj8XIFmHvY0E jCtqKbKSXJ6wIbh2UwqzZm61FoInSc3fqWwT45RdVORNVVcqRHxw1ZZGM4vjPTHSqwvH FkxPV53mQdW1Ur+k79yih4YlZr/EzP4PG4gmwXKZ50qYy3Q8l4YvLj+DcImSdx5nuwqG KLWqk0/OZPcTh3gEkq85KB26Zto1LlWWiU/p4dQ2n9RStESbnteagowyN36YkLggyz+W jqPw== X-Gm-Message-State: ANhLgQ1iUNb3k8zhegO+SHTVm3ld8K8tQd9ZVNRThnEC3zhhY5Zok1XR XCMuiHWgghcZBF+KyseWfFtaOqcOez/fXg== X-Google-Smtp-Source: ADFU+vsYi5VTggPxYwg8wD1BviOV0vgQvBnaAlPQDmiZjlL0kjcWcYXmK7t+hW9rS7xUAJvUR3BaLA== X-Received: by 2002:adf:f0cd:: with SMTP id x13mr2481400wro.69.1583306749245; Tue, 03 Mar 2020 23:25:49 -0800 (PST) Return-Path: Received: from e123331-lin.home ([2a01:cb1d:112:6f00:816e:ff0d:fb69:f613]) by smtp.gmail.com with ESMTPSA id b197sm2876976wmd.10.2020.03.03.23.25.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Mar 2020 23:25:48 -0800 (PST) From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: leif@nuviainc.com, masahisa.kojima@linaro.org, Ard Biesheuvel Subject: [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot Date: Wed, 4 Mar 2020 08:25:43 +0100 Message-Id: <20200304072543.6718-1-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 Enable the various components, library class resolutions and PCD defaults to enable measured boot based on a version 2 TPM. The TPM is exposed as having a memory mapped TIS frame, which is accomplished using the SPI command sequencer that is available on this platform. Note that this requires SCP firmware support. Signed-off-by: Ard Biesheuvel --- Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 91 ++++++++++++++++++++ Platform/Socionext/DeveloperBox/DeveloperBox.fdf | 11 +++ Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts | 4 + Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi | 7 ++ Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h | 4 + Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c | 3 + 6 files changed, 120 insertions(+) diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc index 9f8cb68cdd26..cddd34e65389 100644 --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc @@ -24,6 +24,7 @@ [Defines] DEFINE DEBUG_ON_UART1 = FALSE DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE TPM2_ENABLE = FALSE DEFINE X64EMU_ENABLE = FALSE !include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc @@ -38,6 +39,16 @@ [LibraryClasses] PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf !endif +!if $(TPM2_ENABLE) == TRUE + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +!else + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf @@ -60,6 +71,19 @@ [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf MemoryInitPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.inf PlatformPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPlatformPeiLib/SynQuacerPlatformPeiLib.inf + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf + +!if $(TPM2_ENABLE) == TRUE + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf + + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +!endif [LibraryClasses.common.DXE_CORE] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -92,6 +116,10 @@ [LibraryClasses.common.DXE_DRIVER] PciHostBridgeLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPciHostBridgeLib/SynQuacerPciHostBridgeLib.inf NonDiscoverableDeviceRegistrationLib|MdeModulePkg/Library/NonDiscoverableDeviceRegistrationLib/NonDiscoverableDeviceRegistrationLib.inf +!if $(TPM2_ENABLE) == TRUE + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +!endif + [LibraryClasses.common.UEFI_APPLICATION] PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf @@ -183,13 +211,33 @@ [PcdsFixedAtBuild] gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x10000000 +!endif + [PcdsDynamicExDefault.common.DEFAULT] gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100 gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5} +!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3 +!endif + [PcdsDynamicHii] gSynQuacerTokenSpaceGuid.PcdPlatformSettings|L"SynQuacerPlatformSettings"|gSynQuacerPlatformFormSetGuid|0x0|0x0|NV,BS +!if $(TPM2_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +!endif + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform @@ -217,6 +265,30 @@ [Components.common] NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf } +!if $(TPM2_ENABLE) == TRUE + MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf { + + ResetSystemLib|ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf + } + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { + + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F + } + + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf { + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F + } +!endif + # # DXE # @@ -245,6 +317,9 @@ [Components.common] !if $(SECURE_BOOT_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif +!if $(TPM2_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf !endif } ArmPkg/Drivers/TimerDxe/TimerDxe.inf @@ -302,6 +377,22 @@ [Components.common] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(TPM2_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F + } +!endif + # # UEFI application (Shell Embedded Boot Loader) # diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf index da9290fd92a2..5dd5e4b5c0c1 100644 --- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf @@ -130,6 +130,11 @@ [FV.FvMain] INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(TPM2_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!endif + # # UEFI applications # @@ -293,6 +298,12 @@ [FV.FVMAIN_COMPACT] INF RuleOverride = FMP_IMAGE_DESC Platform/Socionext/DeveloperBox/SystemFirmwareDescriptor/SystemFirmwareDescriptor.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +!if $(TPM2_ENABLE) == TRUE + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +!endif + FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE { SECTION FV_IMAGE = FVMAIN diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts index c4bdae258c3c..e77a372393fb 100644 --- a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts +++ b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts @@ -27,6 +27,10 @@ }; }; +&tpm { + status = "okay"; +}; + &gpio { gpio-line-names = "DSW3-PIN1", "DSW3-PIN2", "DSW3-PIN3", "DSW3-PIN4", "DSW3-PIN5", "DSW3-PIN6", "DSW3-PIN7", "DSW3-PIN8", diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi index b11e4303edd8..2ee3821fca0b 100644 --- a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi +++ b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi @@ -553,6 +553,7 @@ socionext,set-aces; #address-cells = <1>; #size-cells = <0>; + status = "disabled"; }; clk_i2c: i2c_pclk { @@ -573,6 +574,12 @@ #size-cells = <0>; }; + tpm: tpm_tis@10000000 { + compatible = "socionext,synquacer-tpm-mmio"; + reg = <0x0 0x10000000 0x0 0x5000>; + status = "disabled"; + }; + firmware { optee { compatible = "linaro,optee-tz"; diff --git a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h index 29c5f73f2057..a7a4232eb864 100644 --- a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h +++ b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h @@ -82,4 +82,8 @@ #define SYNQUACER_SPI1_BASE 0x54810000 #define SYNQUACER_SPI1_SIZE SIZE_4KB +// SPI controller #1 MMIO Region +#define SYNQUACER_SPI1_MMIO_BASE 0x10000000 +#define SYNQUACER_SPI1_MMIO_SIZE SIZE_1MB + #endif diff --git a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c index 3da32ea6816a..2db88ec53926 100644 --- a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c +++ b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c @@ -115,6 +115,9 @@ STATIC CONST ARM_MEMORY_REGION_DESCRIPTOR mVirtualMemoryTable[] = { // DesignWare FUART ARM_DEVICE_REGION (SYNQUACER_UART1_BASE, SYNQUACER_UART1_SIZE), + + // SPI#1 MMIO + ARM_DEVICE_REGION (SYNQUACER_SPI1_MMIO_BASE, SYNQUACER_SPI1_MMIO_SIZE), }; STATIC -- 2.17.1