From: "Leif Lindholm" <leif@nuviainc.com>
To: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: devel@edk2.groups.io, masahisa.kojima@linaro.org
Subject: Re: [PATCH edk2-platforms 1/1] DeveloperBox: implement measured boot
Date: Mon, 6 Apr 2020 14:58:54 +0100
Message-ID: <20200406135854.GH14075@vanye>
In-Reply-To: <20200304072543.6718-1-ard.biesheuvel@linaro.org>
On Wed, Mar 04, 2020 at 08:25:43 +0100, Ard Biesheuvel wrote:
> Enable the various components, library class resolutions and PCD defaults
> to enable measured boot based on a version 2 TPM. The TPM is exposed as
> having a memory mapped TIS frame, which is accomplished using the SPI
> command sequencer that is available on this platform. Note that this
> requires SCP firmware support.
Ideally, I'd like to see the corresponding SCP firmware added to
edk2-non-osi, but...:
Reviewed-by: Leif Lindholm <leif@nuviainc.com>
Apologies for tardiness.
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 91 ++++++++++++++++++++
> Platform/Socionext/DeveloperBox/DeveloperBox.fdf | 11 +++
> Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts | 4 +
> Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi | 7 ++
> Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h | 4 +
> Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c | 3 +
> 6 files changed, 120 insertions(+)
>
> diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> index 9f8cb68cdd26..cddd34e65389 100644
> --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> @@ -24,6 +24,7 @@ [Defines]
>
> DEFINE DEBUG_ON_UART1 = FALSE
> DEFINE SECURE_BOOT_ENABLE = FALSE
> + DEFINE TPM2_ENABLE = FALSE
> DEFINE X64EMU_ENABLE = FALSE
>
> !include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc
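Review bot: the new TPM2_ENABLE define defaults to FALSE, so measured boot is opt-in at build time (-D TPM2_ENABLE=TRUE) even though the commit message reads as if the feature is switched on; the commit message or the platform build notes should say this, and should also say that the matching SCP firmware is a prerequisite for a TRUE build, since without it the memory mapped TIS frame the commit message describes is not backed by anything.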
> @@ -38,6 +39,16 @@ [LibraryClasses]
> PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf
> !endif
>
> +!if $(TPM2_ENABLE) == TRUE
> + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
> + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> +!else
> + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> +!endif
> +
> [LibraryClasses.common.SEC]
> PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
> BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
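Review bot: the !else branch resolves Tcg2PhysicalPresenceLib to OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf, which gives a Socionext platform a dependency on an OvmfPkg library instance; if SecurityPkg has no generic Null instance, a one-line comment saying the OvmfPkg one is used for lack of a better home would save the next reader from wondering. Note also that Tcg2PpVendorLib is only resolved in the TRUE branch, so any module that references it in a TPM2_ENABLE=FALSE build will fail to link; worth checking that nothing outside the !if does.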
> @@ -60,6 +71,19 @@ [LibraryClasses.common.PEIM]
> PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
> MemoryInitPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.inf
> PlatformPeiLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPlatformPeiLib/SynQuacerPlatformPeiLib.inf
> + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
> +
> +!if $(TPM2_ENABLE) == TRUE
> + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> +
> + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
> + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> +
> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +!endif
>
> [LibraryClasses.common.DXE_CORE]
> PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
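Review bot: the PEIM block resolves Tpm12DeviceLib and Tpm12CommandLib although the commit message describes a TPM 2.0 part; if these are only pulled in by Tcg2ConfigPei's device detection, a comment saying so would stop them being removed later as dead resolutions. In the same block Tcg2PhysicalPresenceLib is resolved for PEIMs to the DXE instance (DxeTcg2PhysicalPresenceLib); please confirm a PEIM actually links this class and that the DXE instance can be satisfied in PEI, otherwise drop the line.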
> @@ -92,6 +116,10 @@ [LibraryClasses.common.DXE_DRIVER]
> PciHostBridgeLib|Silicon/Socionext/SynQuacer/Library/SynQuacerPciHostBridgeLib/SynQuacerPciHostBridgeLib.inf
> NonDiscoverableDeviceRegistrationLib|MdeModulePkg/Library/NonDiscoverableDeviceRegistrationLib/NonDiscoverableDeviceRegistrationLib.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> +!endif
> +
> [LibraryClasses.common.UEFI_APPLICATION]
> PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
> HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
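Review bot: for DXE_DRIVER the default Tpm2DeviceLib becomes Tpm2DeviceLibTcg2, which routes commands through the Tcg2 protocol, so any DXE driver that issues TPM commands before Tcg2Dxe has installed that protocol will fail; a short comment above the !if saying that drivers needing direct device access must override the class the way the Tcg2Dxe component entry does further down would help whoever adds the next TPM consumer.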
> @@ -183,13 +211,33 @@ [PcdsFixedAtBuild]
> gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
> gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
>
> +!if $(TPM2_ENABLE) == TRUE
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x10000000
> +!endif
> +
> [PcdsDynamicExDefault.common.DEFAULT]
> gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100
> gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5}
>
> +!if $(TPM2_ENABLE) == TRUE
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
> + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
> +!endif
> +
> [PcdsDynamicHii]
> gSynQuacerTokenSpaceGuid.PcdPlatformSettings|L"SynQuacerPlatformSettings"|gSynQuacerPlatformFormSetGuid|0x0|0x0|NV,BS
>
> +!if $(TPM2_ENABLE) == TRUE
> + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> +!endif
> +
> ################################################################################
> #
> # Components Section - list of all EDK II Modules needed by this Platform
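Review bot: PcdTpmBaseAddress|0x10000000 repeats a literal that also appears as SYNQUACER_SPI1_MMIO_BASE in MemoryMap.h and in the tpm node's reg property in SynQuacer.dtsi; a comment naming the other two sites would keep them from drifting apart. Also, PcdTpm2HashMask|3 and PcdTcg2HashAlgorithmBitmap|3 cover only the two lowest algorithm bits while five HashInstanceLib instances (SHA1, SHA256, SHA384, SHA512, SM3) are linked into Tcg2Pei and Tcg2Dxe below; please confirm that limiting the active set to two algorithms is intended, and if so consider linking only the instances the mask can actually select, with a comment explaining the choice.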
> @@ -217,6 +265,30 @@ [Components.common]
> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
> }
>
> +!if $(TPM2_ENABLE) == TRUE
> + MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
> + <LibraryClasses>
> + ResetSystemLib|ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
> + }
> + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> + <LibraryClasses>
> + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> + <PcdsFixedAtBuild>
> + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> + }
> +
> + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
> + <PcdsFixedAtBuild>
> + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> + }
> +!endif
> +
> #
> # DXE
> #
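Review bot: the PcdDebugPrintErrorLevel|0x8048004F overrides on Tcg2Pei and Tcg2ConfigDxe here (and on Tcg2Dxe further down) look like bring-up debugging left in; if they are intentional, add a comment saying why these modules need a different print level than the rest of the platform, otherwise drop them before merging. The ResetSystemPei entry sits under TPM2_ENABLE while its ResetSystemLib class resolution above is unconditional; that is consistent as long as nothing else in PEI needs the reset PPI, but the commit message should say the PEI reset path is there for the TPM modules.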
> @@ -245,6 +317,9 @@ [Components.common]
> <LibraryClasses>
> !if $(SECURE_BOOT_ENABLE) == TRUE
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +!endif
> +!if $(TPM2_ENABLE) == TRUE
> + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> !endif
> }
> ArmPkg/Drivers/TimerDxe/TimerDxe.inf
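Review bot: splitting the existing !endif and adding a separate !if block for DxeTpm2MeasureBootLib is the right shape, since it makes image measurement independent of image verification; the commit message should spell out the resulting combinations, in particular that TPM2_ENABLE=TRUE with SECURE_BOOT_ENABLE=FALSE records loaded images in the event log without enforcing anything.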
> @@ -302,6 +377,22 @@ [Components.common]
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> !endif
>
> +!if $(TPM2_ENABLE) == TRUE
> + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> + <LibraryClasses>
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> + <PcdsFixedAtBuild>
> + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8048004F
> + }
> +!endif
> +
> #
> # UEFI application (Shell Embedded Boot Loader)
> #
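Review bot: the HashInstanceLib list for Tcg2Dxe duplicates the one given for Tcg2Pei above; the two must stay identical so the event log started in PEI and continued in DXE uses the same set of algorithms, so either factor the list into a shared include or add a comment at both sites pointing at the other. The Tpm2DeviceLib override to Tpm2DeviceLibRouterDxe plus the DTpm instance is correct for Tcg2Dxe, as it is the producer of the protocol that the DXE_DRIVER default (Tpm2DeviceLibTcg2) relies on.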
> diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> index da9290fd92a2..5dd5e4b5c0c1 100644
> --- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
> @@ -130,6 +130,11 @@ [FV.FvMain]
> INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> !endif
>
> +!if $(TPM2_ENABLE) == TRUE
> + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> +
> #
> # UEFI applications
> #
> @@ -293,6 +298,12 @@ [FV.FVMAIN_COMPACT]
> INF RuleOverride = FMP_IMAGE_DESC Platform/Socionext/DeveloperBox/SystemFirmwareDescriptor/SystemFirmwareDescriptor.inf
> INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
> + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> +!endif
> +
> FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
> SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
> SECTION FV_IMAGE = FVMAIN
> diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> index c4bdae258c3c..e77a372393fb 100644
> --- a/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> +++ b/Silicon/Socionext/SynQuacer/DeviceTree/DeveloperBox.dts
> @@ -27,6 +27,10 @@
> };
> };
>
> +&tpm {
> + status = "okay";
> +};
> +
> &gpio {
> gpio-line-names = "DSW3-PIN1", "DSW3-PIN2", "DSW3-PIN3", "DSW3-PIN4",
> "DSW3-PIN5", "DSW3-PIN6", "DSW3-PIN7", "DSW3-PIN8",
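Review bot: &tpm is set to "okay" unconditionally in DeveloperBox.dts while the firmware side is gated on TPM2_ENABLE, so a TPM2_ENABLE=FALSE build, or one running on SCP firmware without the command sequencer support the commit message says is required, still describes an enabled TPM node to the OS at an address nothing backs. If the device tree is built with the same defines, gate the node on TPM2_ENABLE; if not, document that the DT assumes TPM-enabled SCP firmware.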
> diff --git a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> index b11e4303edd8..2ee3821fca0b 100644
> --- a/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> +++ b/Silicon/Socionext/SynQuacer/DeviceTree/SynQuacer.dtsi
> @@ -553,6 +553,7 @@
> socionext,set-aces;
> #address-cells = <1>;
> #size-cells = <0>;
> + status = "disabled";
> };
>
> clk_i2c: i2c_pclk {
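Review bot: this hunk disables a node whose name is outside the context shown (the one carrying socionext,set-aces), and neither the hunk nor the commit message says why; if this is the SPI controller that the firmware's command sequencer now owns in order to expose the TIS frame, please add a comment next to the status line saying the OS must not drive the controller while the sequencer is active, since a later cleanup could otherwise re-enable it.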
> @@ -573,6 +574,12 @@
> #size-cells = <0>;
> };
>
> + tpm: tpm_tis@10000000 {
> + compatible = "socionext,synquacer-tpm-mmio";
> + reg = <0x0 0x10000000 0x0 0x5000>;
> + status = "disabled";
> + };
> +
> firmware {
> optee {
> compatible = "linaro,optee-tz";
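Review bot: the new tpm node uses compatible = "socionext,synquacer-tpm-mmio", and nothing in the hunk or commit message points at a DT binding or OS driver for it; the commit message should say whether one exists or is queued, since without it the node is inert for the OS. Separately, the reg size 0x5000 here differs from the SIZE_1MB used for SYNQUACER_SPI1_MMIO_SIZE in MemoryMap.h; both may be right (TIS window versus full MMIO aperture), but a comment tying the two together would avoid the question next time.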
> diff --git a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> index 29c5f73f2057..a7a4232eb864 100644
> --- a/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> +++ b/Silicon/Socionext/SynQuacer/Include/Platform/MemoryMap.h
> @@ -82,4 +82,8 @@
> #define SYNQUACER_SPI1_BASE 0x54810000
> #define SYNQUACER_SPI1_SIZE SIZE_4KB
>
> +// SPI controller #1 MMIO Region
> +#define SYNQUACER_SPI1_MMIO_BASE 0x10000000
> +#define SYNQUACER_SPI1_MMIO_SIZE SIZE_1MB
> +
> #endif
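Review bot: SYNQUACER_SPI1_MMIO_BASE is the same 0x10000000 literal as PcdTpmBaseAddress in the dsc and the tpm node's reg in the dtsi, and SYNQUACER_SPI1_MMIO_SIZE (SIZE_1MB) is far larger than the 0x5000 the dtsi reports for the TPM; please confirm 1MB is the controller's real MMIO aperture rather than a round-up, and consider extending the comment to say the TPM TIS frame sits at the start of this window so the three definitions are visibly related.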
> diff --git a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> index 3da32ea6816a..2db88ec53926 100644
> --- a/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> +++ b/Silicon/Socionext/SynQuacer/Library/SynQuacerMemoryInitPeiLib/SynQuacerMemoryInitPeiLib.c
> @@ -115,6 +115,9 @@ STATIC CONST ARM_MEMORY_REGION_DESCRIPTOR mVirtualMemoryTable[] = {
>
> // DesignWare FUART
> ARM_DEVICE_REGION (SYNQUACER_UART1_BASE, SYNQUACER_UART1_SIZE),
> +
> + // SPI#1 MMIO
> + ARM_DEVICE_REGION (SYNQUACER_SPI1_MMIO_BASE, SYNQUACER_SPI1_MMIO_SIZE),
> };
>
> STATIC
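Review bot: the ARM_DEVICE_REGION entry for the SPI#1 MMIO window is added unconditionally, so the region is mapped as device memory in every build, TPM or not; that is fine if the aperture always decodes, but if it only decodes once SCP firmware has enabled the command sequencer, a stray access in a non-TPM build faults instead of reading back harmlessly, so either state in the comment that the window always exists or gate the entry on the TPM configuration (through a PCD, since this is a C table and cannot see the dsc define).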
> --
> 2.17.1
>