* [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu
From: Masahisa Kojima @ 2020-12-21 12:53 UTC
To: devel
Cc: Masahisa Kojima, Ard Biesheuvel, Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela

This patch series implements the UEFI secure boot on SbsaQemu.

This patch requires the following edk2 patches currently under review.
- standalone MM version of VarCheckPolicyLib
  https://edk2.groups.io/g/devel/topic/patch_v2_1_1/79120932?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,79120932
- standalone MM version of NorFlash driver
  https://edk2.groups.io/g/devel/topic/patch_0_2/79058286?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,79058286

This patch series also requires the following Trusted Firmware-A modification.
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/5797

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Graeme Gregory <graeme@nuviainc.com>
Cc: Radoslaw Biernacki <rad@semihalf.com>
Cc: Tanmay Jagdale <tanmay.jagdale@linaro.org>
Cc: Shashi Mallela <shashi.mallela@linaro.org>

Masahisa Kojima (4):
  SbsaQemu: Build infrastructure for StandaloneMm image
  SbsaQemu: add MM based UEFI secure boot support
  SbsaQemu: add standalone MM build instruction
  SbsaQemu: fix typo

 Platform/Qemu/SbsaQemu/SbsaQemu.dsc              |  44 +++--
 .../Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc       | 172 ++++++++++++++++++
 Platform/Qemu/SbsaQemu/SbsaQemu.fdf              |  84 ++++++++-
 .../Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf       |  96 ++++++++++
 .../Library/SbsaQemuLib/SbsaQemuLib.inf          |   2 +
 .../Library/SbsaQemuLib/SbsaQemuMem.c            |  37 +++-
 Platform/Qemu/SbsaQemu/Readme.md                 |  37 +++-
 7 files changed, 452 insertions(+), 20 deletions(-)
 create mode 100644 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc
 create mode 100644 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf

-- 
2.17.1
* [PATCH edk2-platforms 1/4] SbsaQemu: Build infrastructure for StandaloneMm image
From: Masahisa Kojima @ 2020-12-21 12:53 UTC
To: devel
Cc: Masahisa Kojima, Ard Biesheuvel, Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela

Add the build infrastructure for compilation of StandaloneMm image.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc | 132 ++++++++++++++++++++
 Platform/Qemu/SbsaQemu/SbsaQemu.fdf             |   6 +-
 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf |  93 ++++++++++++++
 3 files changed, 228 insertions(+), 3 deletions(-)

diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc new file mode 100644 index 000000000000..87f5ee351eaa --- /dev/null +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc 
@@ -0,0 +1,132 @@ +# +# Copyright (c) 2020, Linaro Limited. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# + +################################################################################ +# +# Defines Section - statements that will be processed to create a Makefile. +# +################################################################################ +[Defines] + PLATFORM_NAME = SbsaQemuStandaloneMm + PLATFORM_GUID = A64CC0F5-7ACD-4975-BBE7-7EF6739C8668 + PLATFORM_VERSION = 1.0 + DSC_SPECIFICATION = 0x00010011 + OUTPUT_DIRECTORY = Build/$(PLATFORM_NAME) + SUPPORTED_ARCHITECTURES = AARCH64 + BUILD_TARGETS = DEBUG|RELEASE|NOOPT + SKUID_IDENTIFIER = DEFAULT + FLASH_DEFINITION = Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf + DEFINE DEBUG_MESSAGE = TRUE + + # LzmaF86 + DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889 + +################################################################################ +# +# Library Class section - list of all Library Classes needed by this Platform. 
+# +################################################################################ +[LibraryClasses] + # + # Basic + # + BaseLib|MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + ExtractGuidedSectionLib|EmbeddedPkg/Library/PrePiExtractGuidedSectionLib/PrePiExtractGuidedSectionLib.inf + FvLib|StandaloneMmPkg/Library/FvLib/FvLib.inf + HobLib|StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.inf + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMemLib.inf + MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmCoreMemoryAllocationLib/StandaloneMmCoreMemoryAllocationLib.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf + + # + # Entry point + # + StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + + ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf + StandaloneMmMmuLib|ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.inf + ArmSvcLib|ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf + CacheMaintenanceLib|ArmPkg/Library/ArmCacheMaintenanceLib/ArmCacheMaintenanceLib.inf + PeCoffExtraActionLib|StandaloneMmPkg/Library/StandaloneMmPeCoffExtraActionLib/StandaloneMmPeCoffExtraActionLib.inf + + # ARM PL011 UART Driver + PL011UartClockLib|ArmPlatformPkg/Library/PL011UartClockLib/PL011UartClockLib.inf + PL011UartLib|ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf + SerialPortLib|ArmPlatformPkg/Library/PL011SerialPortLib/PL011SerialPortLib.inf + + 
StandaloneMmCoreEntryPoint|StandaloneMmPkg/Library/StandaloneMmCoreEntryPoint/StandaloneMmCoreEntryPoint.inf + + # + # It is not possible to prevent the ARM compiler for generic intrinsic functions. + # This library provides the instrinsic functions generate by a given compiler. + # And NULL mean link this library into all ARM images. + # + NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf + +[LibraryClasses.common.MM_STANDALONE] + HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + +################################################################################ +# +# Pcd Section - list of all EDK II PCD Entries defined by this Platform +# +################################################################################ +[PcdsFixedAtBuild] + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800000CF + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xff + gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f + + ## PL011 - Serial Terminal + gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x60040000 + gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200 + + gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 + +################################################################################################### +# +# Components Section - list of the modules and components that will be processed by compilation +# tools and the EDK II tools to generate PE32/PE32+/Coff image files. +# +# Note: The EDK II DSC file is not used to specify how compiled binary images get placed +# into firmware volume images. This section is just a list of modules to compile from +# source into UEFI-compliant binaries. 
+# It is the FDF file that contains information on combining binary files into firmware +# volume images, whose concept is beyond UEFI and is described in PI specification. +# Binary modules do not need to be listed in this section, as they should be +# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi), +# Logo (Logo.bmp), and etc. +# There may also be modules listed in this section that are not required in the FDF file, +# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be +# generated for it, but the binary will not be put into any firmware volume. +# +################################################################################################### +[Components.common] + # + # MM Core + # + StandaloneMmPkg/Core/StandaloneMmCore.inf + StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf + +################################################################################################### +# +# BuildOptions Section - Define the module specific tool chain flags that should be used as +# the default flags for a module. These flags are appended to any +# standard flags that are defined by the build process. They can be +# applied for any modules or only those modules with the specific +# module style (EDK or EDKII) specified in [Components] section. +# +################################################################################################### +[BuildOptions.AARCH64] + GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 -march=armv8-a+nofp diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf index 3bcf0bf0040a..47ada7df9f2c 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf 
@@ -21,10 +21,10 @@ [FD.SBSA_FLASH0] BaseAddress = 0x00000000 -Size = 0x00200000 +Size = 0x00400000 ErasePolarity = 1 BlockSize = 0x00001000 -NumBlocks = 0x200 +NumBlocks = 0x400 ################################################################################ # @@ -47,7 +47,7 @@ [FD.SBSA_FLASH0] FILE = Platform/Qemu/Sbsa/bl1.bin # and FIP (BL2 + BL31) -0x00008000|0x00020000 +0x00008000|0x00300000 FILE = Platform/Qemu/Sbsa/fip.bin ################################################################################ diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf new file mode 100644 index 000000000000..a1acefcfb0a7 --- /dev/null +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf 
@@ -0,0 +1,93 @@ +# +# Copyright (c) 2020, Linaro Limited. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# + +################################################################################ +# +# FD Section +# The [FD] Section is made up of the definition statements and a +# description of what goes into the Flash Device Image. Each FD section +# defines one flash "device" image. A flash device image may be one of +# the following: Removable media bootable image (like a boot floppy +# image,) an Option ROM image (that would be "flashed" into an add-in +# card,) a System "Flash" image (that would be burned into a system's +# flash) or an Update ("Capsule") image that will be used to update and +# existing system flash. +# +################################################################################ + +[FD.STANDALONE_MM] +BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress +Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize # The size in bytes of the device (14MiB). +ErasePolarity = 1 + +BlockSize = 0x00001000 +NumBlocks = 0x0e00 + +0x00000000|0x00280000 +gArmTokenSpaceGuid.PcdFvBaseAddress|gArmTokenSpaceGuid.PcdFvSize +FV = FVMAIN_COMPACT + +[FV.FVMAIN_COMPACT] +FvAlignment = 16 +ERASE_POLARITY = 1 +MEMORY_MAPPED = TRUE +STICKY_WRITE = TRUE +LOCK_CAP = TRUE +LOCK_STATUS = TRUE +WRITE_DISABLED_CAP = TRUE +WRITE_ENABLED_CAP = TRUE +WRITE_STATUS = TRUE +WRITE_LOCK_CAP = TRUE +WRITE_LOCK_STATUS = TRUE +READ_DISABLED_CAP = TRUE +READ_ENABLED_CAP = TRUE +READ_STATUS = TRUE +READ_LOCK_CAP = TRUE +READ_LOCK_STATUS = TRUE + + INF StandaloneMmPkg/Core/StandaloneMmCore.inf + INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf + +################################################################################ +# +# Rules are use with the [FV] section's module INF type to define +# how an FFS file is created for a given INF file. The following Rule are the default +# rules for the different module type. 
User can add the customized rules to define the +# content of the FFS file. +# +################################################################################ + + +############################################################################ +# Example of a DXE_DRIVER FFS file with a Checksum encapsulation section # +############################################################################ +# +#[Rule.Common.DXE_DRIVER] +# FILE DRIVER = $(NAMED_GUID) { +# DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex +# COMPRESS PI_STD { +# GUIDED { +# PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi +# UI STRING="$(MODULE_NAME)" Optional +# VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) +# } +# } +# } +# +############################################################################ + +[Rule.Common.MM_CORE_STANDALONE] + FILE SEC = $(NAMED_GUID) RELOCS_STRIPPED FIXED { + PE32 PE32 Align = Auto $(INF_OUTPUT)/$(MODULE_NAME).efi + } + +[Rule.Common.MM_STANDALONE] + FILE MM_STANDALONE = $(NAMED_GUID) { + SMM_DEPEX SMM_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi + UI STRING="$(MODULE_NAME)" Optional + VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) + } -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
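Review bot: the CompilerIntrinsicsLib comment in the new SbsaQemuStandaloneMm.dsc has typos ("instrinsic", "generate by"), the [Components] banner still talks about Shell_Full.efi, Fat.efi and Logo.bmp, none of which apply to a standalone MM image, and `DEFINE DEBUG_MESSAGE = TRUE` is never referenced anywhere in the file. Suggest fixing the comment, trimming the copied template text and dropping the unused define.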
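Review bot: the commit message only mentions build infrastructure, but the first SbsaQemu.fdf hunk doubles SBSA_FLASH0 (`-Size = 0x00200000` / `+Size = 0x00400000`, NumBlocks 0x200 to 0x400). State the reason in the commit message; presumably the FIP now has to carry the standalone MM payload, but a reader of the log should not have to guess.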
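Review bot: the FIP window grows from 0x20000 to 0x300000 bytes at offset 0x8000 (`+0x00008000|0x00300000`), so it now ends at 0x308000; please confirm nothing else in SBSA_FLASH0 is placed below that offset, and mention the new window size in the commit message together with the FD growth.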
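Review bot: in SbsaQemuStandaloneMm.fdf, `BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress` and `Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize` bind ArmPkg PCDs that nothing in SbsaQemuStandaloneMm.dsc declares or consumes, and the trailing "(14MiB)" remark is the only documentation of the load address; either use the PCDs in the DSC or drop the bindings and add a one-line comment on where 0x20001000 comes from. The commented-out `[Rule.Common.DXE_DRIVER]` example is template residue and can go.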
* [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support
From: Masahisa Kojima @ 2020-12-21 12:53 UTC
To: devel
Cc: Masahisa Kojima, Ard Biesheuvel, Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela

This implements support for UEFI secure boot on SbsaQemu using the standalone MM framework. This moves all of the software handling of the UEFI authenticated variable store into the standalone MM context residing in a secure partition.

Secure variable storage is located at 0x01000000 in secure NOR Flash.

Non-secure shared memory between UEFI and standalone MM is allocated at the top of DRAM. Since the DRAM size of SbsaQemu varies depending on the QEMU parameters, the non-secure shared memory base address is passed from trusted-firmware through the device tree "/reserved-memory" node.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
 Platform/Qemu/SbsaQemu/SbsaQemu.dsc                       | 44 ++++++++---
 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc           | 40 ++++++++++
 Platform/Qemu/SbsaQemu/SbsaQemu.fdf                       | 82 ++++++++++++++++++--
 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf           |  7 +-
 Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf |  2 +
 Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c   | 37 ++++++++-
 6 files changed, 192 insertions(+), 20 deletions(-)

diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc index f6af3f9111ee..83e7cd21e0c6 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc 
+++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc @@ -27,6 +27,8 @@ [Defines] DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F + DEFINE SECURE_BOOT_ENABLE = FALSE + # # Network definition # @@ -148,12 +150,10 @@ [LibraryClasses.common] # Secure Boot dependencies # TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf - AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf - VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf @@ -167,6 +167,7 @@ [LibraryClasses.common] ArmPlatformLib|ArmPlatformPkg/Library/ArmPlatformLibNull/ArmPlatformLibNull.inf TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf + NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf @@ -296,6 +297,8 @@ [PcdsFeatureFlag.common] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE + [PcdsFixedAtBuild.common] gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength|1000000 gEfiMdePkgTokenSpaceGuid.PcdMaximumAsciiStringLength|1000000 @@ -511,6 +514,10 @@ [PcdsDynamicDefault.common] gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosVersion|0x0300 gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 + gArmTokenSpaceGuid.PcdMmBufferBase|0x10000000000 + gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000 + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform 
@@ -564,7 +571,6 @@ [Components.common] ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf - MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { <LibraryClasses> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf 
@@ -588,24 +594,40 @@ [Components.common] # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf - MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { - <LibraryClasses> - NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf - # don't use unaligned CopyMem () on the UEFI varstore NOR flash region - BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - } MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif } - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf - MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf + # + # Variable services + # +!if $(SECURE_BOOT_ENABLE) == FALSE + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { + <LibraryClasses> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + } +!else + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { + <LibraryClasses> + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf + } + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + 
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc index 87f5ee351eaa..9e438bc5b6b6 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc @@ -77,6 +77,19 @@ [LibraryClasses.common.MM_STANDALONE] HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf + TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf ################################################################################ # 
@@ -94,6 +107,20 @@ [PcdsFixedAtBuild] gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 + gArmTokenSpaceGuid.PcdFdBaseAddress|0x01000000 + gArmTokenSpaceGuid.PcdFdSize|0x000C0000 + + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x01000000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00040000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x01040000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00040000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x01080000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00040000 + ################################################################################################### # # Components Section - list of the modules and components that will be processed by compilation 
@@ -118,6 +145,19 @@ [Components.common] # StandaloneMmPkg/Core/StandaloneMmCore.inf StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf + + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { + <LibraryClasses> + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf + } ################################################################################################### # diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf index 47ada7df9f2c..2373594f1fbc 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf @@ -21,10 +21,10 @@ [FD.SBSA_FLASH0] BaseAddress = 0x00000000 -Size = 0x00400000 +Size = 0x01100000 ErasePolarity = 1 BlockSize = 0x00001000 -NumBlocks = 0x400 +NumBlocks = 0x1100 ################################################################################ # 
@@ -50,6 +50,66 @@ [FD.SBSA_FLASH0] 0x00008000|0x00300000 FILE = Platform/Qemu/Sbsa/fip.bin +!if $(SECURE_BOOT_ENABLE) +## Place for Secure Variables. +# Must be aligned to Flash Block size 0x40000 +0x01000000|0x00040000 +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize +#NV_VARIABLE_STORE +DATA = { + ## This is the EFI_FIRMWARE_VOLUME_HEADER + # ZeroVector [] + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + # FileSystemGuid: gEfiSystemNvDataFvGuid = + # { 0xFFF12B8D, 0x7696, 0x4C8B, + # { 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50 }} + 0x8D, 0x2B, 0xF1, 0xFF, 0x96, 0x76, 0x8B, 0x4C, + 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50, + # FvLength: 0xC0000 + 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, + # Signature "_FVH" # Attributes + 0x5f, 0x46, 0x56, 0x48, 0xff, 0xfe, 0x04, 0x00, + # HeaderLength # CheckSum # ExtHeaderOffset #Reserved #Revision + 0x48, 0x00, 0x28, 0x09, 0x00, 0x00, 0x00, 0x02, + # Blockmap[0]: 0x3 Blocks * 0x40000 Bytes / Block + 0x3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + # Blockmap[1]: End + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + ## This is the VARIABLE_STORE_HEADER + # It is compatible with SECURE_BOOT_ENABLE == FALSE as well. + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, + # { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, + # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - + # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3ffb8 + # This can speed up the Variable Dispatch a bit. 
+ 0xB8, 0xFF, 0x03, 0x00, + # FORMATTED: 0x5A #HEALTHY: 0xFE #Reserved: UINT16 #Reserved1: UINT32 + 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +} + +0x01040000|0x00040000 +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize +#NV_FTW_WORKING +DATA = { + # EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER->Signature = gEdkiiWorkingBlockSignatureGuid = + # { 0x9e58292b, 0x7c68, 0x497d, { 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95 }} + 0x2b, 0x29, 0x58, 0x9e, 0x68, 0x7c, 0x7d, 0x49, + 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95, + # Crc:UINT32 #WorkingBlockValid:1, WorkingBlockInvalid:1, Reserved + 0x5b, 0xe7, 0xc6, 0x86, 0xFE, 0xFF, 0xFF, 0xFF, + # WriteQueueSize: UINT64 + 0xE0, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00 +} + +0x01080000|0x00040000 +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize +#NV_FTW_SPARE +!endif + ################################################################################ # # FD Section for FLASH1 
@@ -169,15 +229,25 @@ [FV.FvMain] INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf - INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf INF EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + # + # Variable services + # +!if $(SECURE_BOOT_ENABLE) == FALSE + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!else + INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Multiple Console IO support # @@ -189,7 +259,6 @@ [FV.FvMain] INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf - INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf # @@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT] INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf INF ArmPkg/Drivers/CpuPei/CpuPei.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf + INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf # IDE/AHCI Support diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf index a1acefcfb0a7..0fd2e9964c7e 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf 
+++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf @@ -19,8 +19,8 @@ ################################################################################ [FD.STANDALONE_MM] -BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress -Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize # The size in bytes of the device (14MiB). +BaseAddress = 0x20001000 +Size = 0x00e00000 ErasePolarity = 1 BlockSize = 0x00001000 @@ -49,6 +49,9 @@ [FV.FVMAIN_COMPACT] READ_LOCK_STATUS = TRUE INF StandaloneMmPkg/Core/StandaloneMmCore.inf + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf ################################################################################ diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf index c067a80cc715..1d7f12202ecc 100644 --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf @@ -40,6 +40,8 @@ [Pcd] gArmTokenSpaceGuid.PcdSystemMemoryBase gArmTokenSpaceGuid.PcdSystemMemorySize gArmVirtSbsaQemuPlatformTokenSpaceGuid.PcdDeviceTreeBaseAddress + gArmTokenSpaceGuid.PcdMmBufferBase + gArmTokenSpaceGuid.PcdMmBufferSize [FixedPcd] gArmTokenSpaceGuid.PcdFdBaseAddress diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c index 8c2eb0b6a028..fa164ff455f5 100644 --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c 
@@ -25,15 +25,20 @@ SbsaQemuLibConstructor ( { VOID *DeviceTreeBase; INT32 Node, Prev; - UINT64 NewBase, CurBase; + UINT64 NewBase, CurBase, NsBufBase; UINT64 NewSize, CurSize; + UINT32 NsBufSize; CONST CHAR8 *Type; INT32 Len; CONST UINT64 *RegProp; RETURN_STATUS PcdStatus; + INT32 ParentOffset; + INT32 Offset; NewBase = 0; NewSize = 0; + NsBufBase = 0; + NsBufSize = 0; DeviceTreeBase = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeBaseAddress); ASSERT (DeviceTreeBase != NULL); 
@@ -73,9 +78,39 @@ SbsaQemuLibConstructor ( } } + // StandaloneMM non-secure shared buffer is allocated at the top of + // the system memory by trusted-firmware using "/reserved-memory" node. + ParentOffset = fdt_path_offset(DeviceTreeBase, "/reserved-memory"); + if (ParentOffset < 0) { + DEBUG ((DEBUG_ERROR, "%a: reserved-memory node not found\n", + __FUNCTION__)); + } + Offset = fdt_subnode_offset(DeviceTreeBase, ParentOffset, "ns-buf-spm-mm"); + if (Offset < 0) { + DEBUG ((DEBUG_ERROR, "%a: ns-buf-spm-mm node not found\n", + __FUNCTION__)); + } + // Get the 'reg' property of this node. 8 byte quantities for base address + // and 4 byte quantities for size. + RegProp = fdt_getprop (DeviceTreeBase, Offset, "reg", &Len); + if (RegProp != 0 && Len == (sizeof (UINT64) + sizeof(UINT32))) { + NsBufBase = fdt64_to_cpu (ReadUnaligned64 (RegProp)); + NsBufSize = fdt32_to_cpu (ReadUnaligned32 ((UINT32 *)(RegProp + 1))); + + DEBUG ((DEBUG_INFO, "%a: ns buf @ 0x%lx - 0x%lx\n", + __FUNCTION__, NsBufBase, NsBufBase + NsBufSize - 1)); + } else { + DEBUG ((DEBUG_ERROR, "%a: Failed to parse FDT reserved-memory node Len %d\n", + __FUNCTION__, Len)); + } + + NewSize -= NsBufSize; + // Make sure the start of DRAM matches our expectation ASSERT (FixedPcdGet64 (PcdSystemMemoryBase) == NewBase); PcdStatus = PcdSet64S (PcdSystemMemorySize, NewSize); + PcdStatus = PcdSet64S (PcdMmBufferBase, NsBufBase); + PcdStatus = PcdSet64S (PcdMmBufferSize, (UINT64)NsBufSize); ASSERT_RETURN_ERROR (PcdStatus); return RETURN_SUCCESS; -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
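Review bot: `gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE` in [PcdsFeatureFlag.common] is set unconditionally and without a comment; add one line saying why the cache has to be off for the MM-backed variable driver, and consider limiting it to the SECURE_BOOT_ENABLE == TRUE path so the plain VariableRuntimeDxe build keeps its default.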
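Review bot: `gArmTokenSpaceGuid.PcdMmBufferBase|0x10000000000` and `PcdMmBufferSize|0x00200000` in [PcdsDynamicDefault.common] read like real addresses but are only placeholders that SbsaQemuLibConstructor () overwrites from the device tree; say so in a comment, since a 1 TiB base is otherwise puzzling. The three blank lines that follow are also one too many for this file's style.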
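Review bot: `+ INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf` in FVMAIN_COMPACT (with the matching blank-line removal in the DSC [Components.common] hunk) is not mentioned in the commit message and is unrelated to MM variable services; if it fixes a missing DxeIpl in the PEI FV it deserves its own patch, otherwise explain why the MM path needs it.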
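Review bot: TimerLib is mapped twice in the new [LibraryClasses.common.MM_STANDALONE] block, first to ArmArchTimerLib and then to BaseTimerLibNullTemplate; in a DSC the later mapping wins, so the MM image gets the null TimerLib, the `ArmGenericTimerCounterLib` line becomes dead, and `RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf` ends up seeded from a stub counter rather than the architected timer. Keep only the ArmArchTimerLib line. Even with the real timer, a timer-derived RngLib is a weak entropy source for the crypto running in the secure partition; acceptable for QEMU, but worth a comment so the mapping is not copied to real hardware unchanged.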
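Review bot: in SbsaQemuStandaloneMm.dsc, `gArmTokenSpaceGuid.PcdFdBaseAddress|0x01000000` / `PcdFdSize|0x000C0000` describe the NV variable FV in secure NOR flash (three 0x40000 regions from 0x01000000), not the STANDALONE_MM.fd load address at 0x20001000 that the FDF bound these PCDs to in patch 1/4; add a comment, because the name invites the wrong reading. The PcdFlashNvStorage* values duplicate those in SbsaQemu.fdf and must stay in sync across the two builds; a comment pointing at the FDF would help.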
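Review bot: the hand-typed FV header carries `CheckSum` 0x0928 and the FTW working block header carries a fixed CRC (`0x5b, 0xe7, 0xc6, 0x86`), both of which silently go wrong if anyone edits FvLength, the block map or the header size; add a comment on how they were derived so they can be regenerated. Two smaller points: the comment "Must be aligned to Flash Block size 0x40000" refers to the NOR erase block, not the FD's `BlockSize = 0x00001000`, so say which; and the bare `!if $(SECURE_BOOT_ENABLE)` here differs from the `== TRUE` / `== FALSE` form used in the DSC.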
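Review bot: with SECURE_BOOT_ENABLE == TRUE, `NorFlashDxe.inf` is dropped from FvMain and the flash is driven only by NorFlashStandaloneMm inside the secure partition; the commit message should state this, and should also say that the protection of the variable store then rests entirely on TF-A mapping the variable region of SBSA_FLASH0 as secure-only (the linked TF-A change), not on anything in this tree. Without that mapping a normal-world driver could still write the store directly and the MM indirection would add no protection.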
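Review bot: the `/reserved-memory` parsing in SbsaQemuLibConstructor () keeps going after failures: when `ParentOffset < 0` it only logs and then passes that negative offset to `fdt_subnode_offset()`, and likewise a negative `Offset` is passed to `fdt_getprop()`; return or skip the NS buffer setup instead. `Len == (sizeof (UINT64) + sizeof(UINT32))` hard-codes #address-cells = 2 and #size-cells = 1; reading the parent's cell properties would be more robust. `NewSize -= NsBufSize;` assumes the reservation sits at the top of DRAM without checking `NsBufBase + NsBufSize == NewBase + NewSize`, so a differently placed reservation would silently shrink DRAM from the wrong end. Finally `PcdStatus` is assigned three times and only the last value is checked; check each `PcdSet64S ()` result.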
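To sanity-check the hand-laid-out NV_VARIABLE_STORE bytes in the SbsaQemu.fdf DATA block of patch 2/4, here is an added example (not part of the series or of edk2) that parses the EFI_FIRMWARE_VOLUME_HEADER and VARIABLE_STORE_HEADER, verifies the 16-bit header checksum and the block map against FvLength, checks the store size against the 0x40000 region, and recomputes the Checksum field value to type in after a layout change. The byte array is copied from the patch; field offsets follow the PI specification structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NV_VARIABLE_STORE as laid out in the SbsaQemu.fdf DATA block: a 0x48-byte
 * EFI_FIRMWARE_VOLUME_HEADER followed by a VARIABLE_STORE_HEADER. The FV spans
 * the three 0x40000 NOR regions (variable store, FTW working, FTW spare). */
static const uint8_t kNvVariableStore[] = {
  /* ZeroVector[16] */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  /* FileSystemGuid = gEfiSystemNvDataFvGuid */
  0x8D, 0x2B, 0xF1, 0xFF, 0x96, 0x76, 0x8B, 0x4C,
  0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50,
  /* FvLength = 0xC0000 */
  0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00,
  /* Signature "_FVH", Attributes */
  0x5F, 0x46, 0x56, 0x48, 0xFF, 0xFE, 0x04, 0x00,
  /* HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision */
  0x48, 0x00, 0x28, 0x09, 0x00, 0x00, 0x00, 0x02,
  /* BlockMap[0]: 3 blocks of 0x40000 bytes; BlockMap[1]: terminator */
  0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  /* VARIABLE_STORE_HEADER.Signature = gEfiAuthenticatedVariableGuid */
  0x78, 0x2C, 0xF3, 0xAA, 0x7B, 0x94, 0x9A, 0x43,
  0xA1, 0x80, 0x2E, 0x14, 0x4E, 0xC3, 0x77, 0x92,
  /* Size = 0x40000 - 0x48 = 0x3FFB8; Format 0x5A, State 0xFE, reserved */
  0xB8, 0xFF, 0x03, 0x00, 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Field offsets of the PI structures (little-endian, as on AArch64). */
enum { FVH_FVLENGTH = 32, FVH_SIGNATURE = 40, FVH_HDRLEN = 48, FVH_CHECKSUM = 50,
       FVH_BLOCKMAP = 56, VSH_SIZE = 16, VSH_FORMAT = 20, VSH_STATE = 21, VSH_LEN = 28 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* 16-bit word sum over the FV header; the PI spec requires it to be 0. */
uint16_t FvHeaderSum16(const uint8_t *hdr, size_t len) {
  uint32_t sum = 0;
  for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
  return (uint16_t)sum;
}

/* The Checksum field value that makes FvHeaderSum16 () zero, i.e. what to
 * type into the DATA block after changing any other header field. */
uint16_t FvHeaderComputeChecksum(const uint8_t *hdr, size_t hdrLen) {
  uint8_t tmp[256];
  if (hdrLen < FVH_BLOCKMAP || hdrLen > sizeof tmp) return 0;
  memcpy(tmp, hdr, hdrLen);
  tmp[FVH_CHECKSUM] = 0;
  tmp[FVH_CHECKSUM + 1] = 0;
  return (uint16_t)(0x10000u - FvHeaderSum16(tmp, hdrLen));
}

/* Returns 0 if the FV header and variable store header are consistent with a
 * variable region of regionSize bytes, else a negative code naming the check. */
int CheckNvVariableStore(const uint8_t *buf, size_t len, uint64_t regionSize) {
  if (len < FVH_BLOCKMAP + 8) return -1;                    /* too short */
  if (memcmp(buf + FVH_SIGNATURE, "_FVH", 4) != 0) return -2;
  uint16_t hdrLen = rd16(buf + FVH_HDRLEN);
  if (hdrLen < FVH_BLOCKMAP + 8 || hdrLen > len) return -3;
  if (FvHeaderSum16(buf, hdrLen) != 0) return -4;          /* bad Checksum */
  /* FvLength must equal the total of the block map entries. */
  uint64_t mapped = 0;
  for (size_t off = FVH_BLOCKMAP;; off += 8) {
    if (off + 8 > hdrLen) return -5;                        /* unterminated map */
    uint32_t numBlocks = rd32(buf + off), blockLen = rd32(buf + off + 4);
    if (numBlocks == 0 && blockLen == 0) break;
    mapped += (uint64_t)numBlocks * blockLen;
  }
  if (mapped != rd64(buf + FVH_FVLENGTH)) return -6;
  /* The variable store header follows and must fill the rest of the region. */
  if ((size_t)hdrLen + VSH_LEN > len) return -7;
  const uint8_t *vsh = buf + hdrLen;
  if (rd32(vsh + VSH_SIZE) != regionSize - hdrLen) return -8;
  if (vsh[VSH_FORMAT] != 0x5A || vsh[VSH_STATE] != 0xFE) return -9;
  return 0;
}

int main(void) {
  int rc = CheckNvVariableStore(kNvVariableStore, sizeof kNvVariableStore, 0x40000);
  printf("NV_VARIABLE_STORE check: %s (rc=%d); Checksum field should be 0x%04X\n",
         rc == 0 ? "OK" : "FAIL", rc, FvHeaderComputeChecksum(kNvVariableStore, 0x48));
  return rc == 0 ? 0 : 1;
}
```

On the bytes from the patch the check passes and the recomputed Checksum is 0x0928; the FTW working block CRC is not covered here and still has to be regenerated separately after a layout change.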
* Re: [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support 2020-12-21 12:53 ` [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support Masahisa Kojima @ 2021-02-16 11:35 ` Masahisa Kojima 2021-02-16 16:14 ` Graeme Gregory 0 siblings, 1 reply; 9+ messages in thread 
From: Masahisa Kojima @ 2021-02-16 11:35 UTC (permalink / raw) To: edk2-devel-groups-io, Ard Biesheuvel Cc: Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela

Hi Ard,

I am encountering strange behavior when I apply this patch "SbsaQemu: add MM based UEFI secure boot support". When I start the Linux kernel, booting the secondary cores fails.
# I don't store any secure boot keys, so UEFI Secure Boot itself is disabled.

--- linux kernel log ---
[ 0.124805] Remapping and enabling EFI services.
[ 0.132850] smp: Bringing up secondary CPUs ...
[ 1.294478] CPU1: failed to come online
[ 1.295647] CPU1: failed in unknown state : 0x0
[ 2.426489] CPU2: failed to come online
[ 2.427112] CPU2: failed in unknown state : 0x0
[ 3.567428] CPU3: failed to come online
[ 3.567912] CPU3: failed in unknown state : 0x0
[ 3.569010] smp: Brought up 1 node, 1 CPU
[ 3.569555] SMP: Total of 1 processors activated.
[ 3.570395] CPU features: detected: GIC system register CPU interface
[ 3.571183] CPU features: detected: 32-bit EL0 Support
[ 3.587378] CPU: All CPU(s) started at EL2
---

In my check, arch/arm64/kernel/smp.c::secondary_start_kernel() is never called, so wait_for_completion_timeout() times out.
https://github.com/torvalds/linux/blob/v5.11/arch/arm64/kernel/smp.c#L138

If I set "SECURE_BOOT_ENABLE=FALSE" in the edk2 build (non-secure side) and load the same STANDALONE_MM.fd (Secure Payload) and tf-a binary, the secondary cores boot successfully. The major difference between the success and failure cases is the existence of UEFI secure variable accesses through the Standalone MM framework. If edk2 accesses UEFI secure variables through Standalone MM, secondary core boot fails. I can't come up with any possible reason.
# As a reference, there is no issue on Developerbox.

Do you have any idea about this error?
Thanks, Masahisa On Mon, 21 Dec 2020 at 21:52, Masahisa Kojima <masahisa.kojima@linaro.org> wrote: > > This implements support for UEFI secure boot on SbsaQemu using > the standalone MM framework. This moves all of the software handling > of the UEFI authenticated variable store into the standalone MM > context residing in a secure partition. > > Secure variable storage is located at 0x01000000 in secure NOR Flash. > > Non-secure shared memory between UEFI and standalone MM > is allocated at the top of DRAM. > DRAM size of SbsaQemu varies depends on the QEMU parameter, > the non-secure shared memory base address is passed from > trusted-firmware through the device tree "/reserved-memory" node. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > --- > Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 44 ++++++++--- > Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc | 40 ++++++++++ > Platform/Qemu/SbsaQemu/SbsaQemu.fdf | 82 ++++++++++++++++++-- > Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf | 7 +- > Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf | 2 + > Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c | 37 ++++++++- > 6 files changed, 192 insertions(+), 20 deletions(-) > > diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > index f6af3f9111ee..83e7cd21e0c6 100644 > --- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > @@ -27,6 +27,8 @@ [Defines] > > DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F > > + DEFINE SECURE_BOOT_ENABLE = FALSE > + > # > # Network definition > # 
> @@ -148,12 +150,10 @@ [LibraryClasses.common] > # Secure Boot dependencies > # > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > - AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > - VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf > > @@ -167,6 +167,7 @@ [LibraryClasses.common] > ArmPlatformLib|ArmPlatformPkg/Library/ArmPlatformLibNull/ArmPlatformLibNull.inf > > TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf > + > NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf > > CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf > @@ -296,6 +297,8 @@ [PcdsFeatureFlag.common] > gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE > gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE > > + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > + > [PcdsFixedAtBuild.common] > gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength|1000000 > gEfiMdePkgTokenSpaceGuid.PcdMaximumAsciiStringLength|1000000 > @@ -511,6 +514,10 @@ [PcdsDynamicDefault.common] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosVersion|0x0300 > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > > + gArmTokenSpaceGuid.PcdMmBufferBase|0x10000000000 > + gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000 > + > + > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform 
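Review bot: with `DEFINE SECURE_BOOT_ENABLE = FALSE` as the default, removing AuthVariableLib (and VarCheckLib) from [LibraryClasses.common] means the default SbsaQemu build loses the AuthVariableLib, SecureBootConfigDxe and DxeImageVerificationLib it shipped with before this patch (the non-MM path further down switches VariableRuntimeDxe to AuthVariableLibNull); the commit message should say that the default build now has no Secure Boot support at all, or the default should be TRUE. The `PcdMmBufferBase|0x10000000000` / `PcdMmBufferSize|0x00200000` defaults in [PcdsDynamicDefault.common] are placeholders that SbsaQemuLibConstructor overwrites from the device tree; a comment saying so would stop a reader from taking 1 TiB as the real address, and the double blank line after them should go. `PcdEnableVariableRuntimeCache|FALSE` likewise deserves a one-line comment on why the cache must be off with the MM-backed variable driver. The blank line added after TimerLib in [LibraryClasses.common] is unrelated whitespace; please drop it.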
> @@ -564,7 +571,6 @@ [Components.common] > ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > ArmPkg/Drivers/CpuPei/CpuPei.inf > > - > MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { > <LibraryClasses> > NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf 
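Review bot: this hunk only removes a blank line between CpuPei.inf and DxeIpl.inf, which has nothing to do with MM-based secure boot; drop it from this patch or move it to the cleanup patch in this series.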
> @@ -588,24 +594,40 @@ [Components.common] > # > ArmPkg/Drivers/CpuDxe/CpuDxe.inf > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > - MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > - <LibraryClasses> > - NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > - # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > - BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > - } > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > <LibraryClasses> > +!if $(SECURE_BOOT_ENABLE) == TRUE > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > +!endif > } > - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > - MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf > EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf > EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf > > + # > + # Variable services > + # > +!if $(SECURE_BOOT_ENABLE) == FALSE > + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > + <LibraryClasses> > + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > + } > +!else > + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { > + <LibraryClasses> > + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf > + } > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > + 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!endif > + > MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf > MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf > MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf > diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > index 87f5ee351eaa..9e438bc5b6b6 100644 > --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > @@ -77,6 +77,19 @@ [LibraryClasses.common.MM_STANDALONE] > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf > + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > + TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf > + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf > + ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf > > ################################################################################ > # 
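Review bot: TimerLib is mapped twice in [LibraryClasses.common.MM_STANDALONE], first to ArmArchTimerLib and then to BaseTimerLibNullTemplate; the last mapping wins, so the first line (and the ArmGenericTimerCounterLib mapping it needs) is dead and it is unclear which one was intended. Pick one and delete the other. This matters because RngLib|BaseRngLibTimerLib takes its entropy from TimerLib and now backs BaseCryptLib inside the secure partition: with the Null template winning there is no real counter behind it, and even with ArmArchTimerLib a timer-seeded RNG is a QEMU convenience rather than a hardware entropy source, which the commit message should state.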
> @@ -94,6 +107,20 @@ [PcdsFixedAtBuild] > > gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > + gArmTokenSpaceGuid.PcdFdBaseAddress|0x01000000 > + gArmTokenSpaceGuid.PcdFdSize|0x000C0000 > + > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > + > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x01000000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00040000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x01040000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00040000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x01080000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00040000 > + > ################################################################################################### > # > # Components Section - list of the modules and components that will be processed by compilation 
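Review bot: `PcdFdBaseAddress|0x01000000` / `PcdFdSize|0x000C0000` no longer describe the STANDALONE_MM firmware device (which the FDF in this patch places at 0x20001000 with size 0x00e00000 after dropping the PCD bindings from BaseAddress/Size) but the NOR flash window that holds the variable store; a comment here, and one above BaseAddress in SbsaQemuStandaloneMm.fdf, explaining that the FD PCDs are being repurposed for NorFlashPlatformLib would keep someone from "restoring" the binding and silently moving the variable store. `PcdUserPhysicalPresence|TRUE` together with PlatformSecureLibNull makes UserPhysicalPresent() answer TRUE for every request that reaches the secure partition, including runtime SetVariable calls from the OS; AuthVariableLib consults that answer before allowing the custom-mode PK/KEK/db updates that skip signature verification, so flag this as a QEMU-only setting. The six PcdFlashNvStorage* values duplicate the layout hard-coded in SbsaQemu.fdf; at least cross-reference the two so they cannot drift.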
> @@ -118,6 +145,19 @@ [Components.common] > # > StandaloneMmPkg/Core/StandaloneMmCore.inf > StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { > + <LibraryClasses> > + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf > + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf > + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf > + } > > ################################################################################################### > # > diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > index 47ada7df9f2c..2373594f1fbc 100644 > --- a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > @@ -21,10 +21,10 @@ > > [FD.SBSA_FLASH0] > BaseAddress = 0x00000000 > -Size = 0x00400000 > +Size = 0x01100000 > ErasePolarity = 1 > BlockSize = 0x00001000 > -NumBlocks = 0x400 > +NumBlocks = 0x1100 > > ################################################################################ > # 
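Review bot: Size and NumBlocks of [FD.SBSA_FLASH0] grow from 0x00400000 to 0x01100000 unconditionally, while everything placed beyond the old 4 MiB (the NV store at 0x01000000) is emitted only under `!if $(SECURE_BOOT_ENABLE)`; either put the Size/NumBlocks change under the same condition or note in the commit message that the non-secure-boot image is now 17 MiB with 12 MiB of padding.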
> @@ -50,6 +50,66 @@ [FD.SBSA_FLASH0] > 0x00008000|0x00300000 > FILE = Platform/Qemu/Sbsa/fip.bin > > +!if $(SECURE_BOOT_ENABLE) > +## Place for Secure Variables. > +# Must be aligned to Flash Block size 0x40000 > +0x01000000|0x00040000 > +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize > +#NV_VARIABLE_STORE > +DATA = { > + ## This is the EFI_FIRMWARE_VOLUME_HEADER > + # ZeroVector [] > + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > + # FileSystemGuid: gEfiSystemNvDataFvGuid = > + # { 0xFFF12B8D, 0x7696, 0x4C8B, > + # { 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50 }} > + 0x8D, 0x2B, 0xF1, 0xFF, 0x96, 0x76, 0x8B, 0x4C, > + 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50, > + # FvLength: 0xC0000 > + 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, > + # Signature "_FVH" # Attributes > + 0x5f, 0x46, 0x56, 0x48, 0xff, 0xfe, 0x04, 0x00, > + # HeaderLength # CheckSum # ExtHeaderOffset #Reserved #Revision > + 0x48, 0x00, 0x28, 0x09, 0x00, 0x00, 0x00, 0x02, > + # Blockmap[0]: 0x3 Blocks * 0x40000 Bytes / Block > + 0x3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, > + # Blockmap[1]: End > + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > + ## This is the VARIABLE_STORE_HEADER > + # It is compatible with SECURE_BOOT_ENABLE == FALSE as well. > + # Signature: gEfiAuthenticatedVariableGuid = > + # { 0xaaf32c78, 0x947b, 0x439a, > + # { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} > + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, > + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, > + # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - > + # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3ffb8 > + # This can speed up the Variable Dispatch a bit. 
> + 0xB8, 0xFF, 0x03, 0x00, > + # FORMATTED: 0x5A #HEALTHY: 0xFE #Reserved: UINT16 #Reserved1: UINT32 > + 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 > +} > + > +0x01040000|0x00040000 > +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize > +#NV_FTW_WORKING > +DATA = { > + # EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER->Signature = gEdkiiWorkingBlockSignatureGuid = > + # { 0x9e58292b, 0x7c68, 0x497d, { 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95 }} > + 0x2b, 0x29, 0x58, 0x9e, 0x68, 0x7c, 0x7d, 0x49, > + 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95, > + # Crc:UINT32 #WorkingBlockValid:1, WorkingBlockInvalid:1, Reserved > + 0x5b, 0xe7, 0xc6, 0x86, 0xFE, 0xFF, 0xFF, 0xFF, > + # WriteQueueSize: UINT64 > + 0xE0, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00 > +} > + > +0x01080000|0x00040000 > +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize > +#NV_FTW_SPARE > +!endif > + > ################################################################################ > # > # FD Section for FLASH1 
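Review bot: two comments in the NV_VARIABLE_STORE block contradict the block they sit in: `# It is compatible with SECURE_BOOT_ENABLE == FALSE as well.` is inside `!if $(SECURE_BOOT_ENABLE)`, so the FALSE build never sees this store, and `# This can speed up the Variable Dispatch a bit.` describes nothing here; both look carried over from another platform's FDF and should be dropped. Please also add a note next to `# HeaderLength # CheckSum` that the `0x28, 0x09` checksum is valid only for exactly these header bytes and must be recomputed if FvLength or the block map changes, and say which block size `# Must be aligned to Flash Block size 0x40000` refers to, since the FD declares BlockSize = 0x00001000.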
> @@ -169,15 +229,25 @@ [FV.FvMain] > INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > - INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf > INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf > INF EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf > INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > > + # > + # Variable services > + # > +!if $(SECURE_BOOT_ENABLE) == FALSE > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > +!else > + INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!endif > + > # > # Multiple Console IO support > # > @@ -189,7 +259,6 @@ [FV.FvMain] > > INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf > INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf > - INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf > > # > @@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT] > INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > INF ArmPkg/Drivers/CpuPei/CpuPei.inf > INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf > + > INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf > > # IDE/AHCI Support 
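Review bot: with SECURE_BOOT_ENABLE the non-secure image no longer contains NorFlashDxe at all, so UEFI can reach the variable store only through MmCommunication; that is the right shape, but leaving the driver out is a build-time convention, not an enforcement. If Trusted Firmware-A does not block non-secure accesses to the flash window at 0x01000000, any code running at EL1/EL2 can still write the authenticated variable store directly and the signature checks performed inside the secure partition protect nothing; the commit message (or the Readme in this series) should state that the isolation depends on the TF-A configuration. The blank line added after Pcd.inf in [FV.FVMAIN_COMPACT] is unrelated whitespace.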
> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > index a1acefcfb0a7..0fd2e9964c7e 100644 > --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > @@ -19,8 +19,8 @@ > ################################################################################ > > [FD.STANDALONE_MM] > -BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress > -Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize # The size in bytes of the device (14MiB). > +BaseAddress = 0x20001000 > +Size = 0x00e00000 > ErasePolarity = 1 > > BlockSize = 0x00001000 > @@ -49,6 +49,9 @@ [FV.FVMAIN_COMPACT] > READ_LOCK_STATUS = TRUE > > INF StandaloneMmPkg/Core/StandaloneMmCore.inf > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > ################################################################################ > diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf > index c067a80cc715..1d7f12202ecc 100644 > --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf > +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf > @@ -40,6 +40,8 @@ [Pcd] > gArmTokenSpaceGuid.PcdSystemMemoryBase > gArmTokenSpaceGuid.PcdSystemMemorySize > gArmVirtSbsaQemuPlatformTokenSpaceGuid.PcdDeviceTreeBaseAddress > + gArmTokenSpaceGuid.PcdMmBufferBase > + gArmTokenSpaceGuid.PcdMmBufferSize > > [FixedPcd] > gArmTokenSpaceGuid.PcdFdBaseAddress > diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c > index 8c2eb0b6a028..fa164ff455f5 100644 > --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c 
> +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c > @@ -25,15 +25,20 @@ SbsaQemuLibConstructor ( > { > VOID *DeviceTreeBase; > INT32 Node, Prev; > - UINT64 NewBase, CurBase; > + UINT64 NewBase, CurBase, NsBufBase; > UINT64 NewSize, CurSize; > + UINT32 NsBufSize; > CONST CHAR8 *Type; > INT32 Len; > CONST UINT64 *RegProp; > RETURN_STATUS PcdStatus; > + INT32 ParentOffset; > + INT32 Offset; > > NewBase = 0; > NewSize = 0; > + NsBufBase = 0; > + NsBufSize = 0; > > DeviceTreeBase = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeBaseAddress); > ASSERT (DeviceTreeBase != NULL); 
> @@ -73,9 +78,39 @@ SbsaQemuLibConstructor ( > } > } > > + // StandaloneMM non-secure shared buffer is allocated at the top of > + // the system memory by trusted-firmware using "/reserved-memory" node. > + ParentOffset = fdt_path_offset(DeviceTreeBase, "/reserved-memory"); > + if (ParentOffset < 0) { > + DEBUG ((DEBUG_ERROR, "%a: reserved-memory node not found\n", > + __FUNCTION__)); > + } > + Offset = fdt_subnode_offset(DeviceTreeBase, ParentOffset, "ns-buf-spm-mm"); > + if (Offset < 0) { > + DEBUG ((DEBUG_ERROR, "%a: ns-buf-spm-mm node not found\n", > + __FUNCTION__)); > + } > + // Get the 'reg' property of this node. 8 byte quantities for base address > + // and 4 byte quantities for size. > + RegProp = fdt_getprop (DeviceTreeBase, Offset, "reg", &Len); > + if (RegProp != 0 && Len == (sizeof (UINT64) + sizeof(UINT32))) { > + NsBufBase = fdt64_to_cpu (ReadUnaligned64 (RegProp)); > + NsBufSize = fdt32_to_cpu (ReadUnaligned32 ((UINT32 *)(RegProp + 1))); > + > + DEBUG ((DEBUG_INFO, "%a: ns buf @ 0x%lx - 0x%lx\n", > + __FUNCTION__, NsBufBase, NsBufBase + NsBufSize - 1)); > + } else { > + DEBUG ((DEBUG_ERROR, "%a: Failed to parse FDT reserved-memory node Len %d\n", > + __FUNCTION__, Len)); > + } > + > + NewSize -= NsBufSize; > + > // Make sure the start of DRAM matches our expectation > ASSERT (FixedPcdGet64 (PcdSystemMemoryBase) == NewBase); > PcdStatus = PcdSet64S (PcdSystemMemorySize, NewSize); > + PcdStatus = PcdSet64S (PcdMmBufferBase, NsBufBase); > + PcdStatus = PcdSet64S (PcdMmBufferSize, (UINT64)NsBufSize); > ASSERT_RETURN_ERROR (PcdStatus); > > return RETURN_SUCCESS; > -- > 2.17.1 > ^ permalink raw reply [flat|nested] 9+ messages in thread
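The commit message above describes the non-secure shared buffer as being carved out of the top of DRAM at a base that trusted-firmware passes through the device tree "/reserved-memory" node. What follows is an added example, not code from the patch, from edk2 or from TF-A, that shows the two pieces of that logic in plain C so they can be compiled and checked on a workstation: decoding a reserved-memory `reg` property according to the parent's #address-cells/#size-cells, and shrinking the DRAM size only when the buffer really is the top of the range. The function names, the status codes, the 1 GiB DRAM size and the property bytes are assumptions constructed for the example; the 0x10000000000 DRAM base is the one the patch uses.

```c
/*
 * Added example (not part of the SbsaQemu patch, edk2 or TF-A): locate the
 * non-secure MM buffer from a reserved-memory "reg" property and carve it
 * out of DRAM only if it is the top of DRAM. Names and sample bytes are
 * constructed for this example.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum {
  NS_BUF_OK = 0,
  NS_BUF_BAD_REG,     /* property missing or length does not match the cell layout */
  NS_BUF_BAD_RANGE,   /* buffer empty, wraps, or lies outside DRAM */
  NS_BUF_NOT_TOP      /* inside DRAM but not at its top: DRAM size left untouched */
} NsBufStatus;

/* Assumed DRAM window: the SbsaQemu DRAM base from the patch, 1 GiB for the example. */
static const uint64_t kDramBase = 0x10000000000ULL;
static const uint64_t kDramSize = 0x40000000ULL;

/* Constructed "reg" payloads as they would sit in the FDT (big-endian cells). */
/* #address-cells = 2, #size-cells = 1: base 0x1003FE00000, size 0x200000 (top 2 MiB). */
static const uint8_t kRegTop2x1[12] = {
  0x00, 0x00, 0x01, 0x00, 0x3F, 0xE0, 0x00, 0x00,
  0x00, 0x20, 0x00, 0x00
};
/* #address-cells = 2, #size-cells = 2: the same buffer with a two-cell size. */
static const uint8_t kRegTop2x2[16] = {
  0x00, 0x00, 0x01, 0x00, 0x3F, 0xE0, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00
};
/* #address-cells = 2, #size-cells = 1: a 2 MiB buffer at the bottom of DRAM. */
static const uint8_t kRegBottom2x1[12] = {
  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x20, 0x00, 0x00
};

/* Read a 1- or 2-cell big-endian quantity (what fdt32_to_cpu/fdt64_to_cpu do). */
static bool ReadCells(const uint8_t *p, int cells, uint64_t *out) {
  if (cells != 1 && cells != 2) {
    return false;
  }
  uint64_t v = 0;
  for (int i = 0; i < cells * 4; i++) {
    v = (v << 8) | p[i];
  }
  *out = v;
  return true;
}

/* Step 1: decode "reg". The length must match the parent's cell layout, which
 * replaces a fixed "Len == 12" check with one that follows the device tree. */
NsBufStatus ParseRegProperty(const uint8_t *reg, int len, int addrCells, int sizeCells,
                             uint64_t *base, uint64_t *size) {
  if (reg == NULL || len != (addrCells + sizeCells) * 4) {
    return NS_BUF_BAD_REG;
  }
  if (!ReadCells(reg, addrCells, base) || !ReadCells(reg + addrCells * 4, sizeCells, size)) {
    return NS_BUF_BAD_REG;
  }
  return NS_BUF_OK;
}

/* Step 2: shrink *dramSize by bufSize only when [bufBase, bufBase+bufSize) is
 * exactly the top of [dramBase, dramBase+*dramSize); otherwise leave it alone. */
NsBufStatus CarveOutNsBuffer(uint64_t dramBase, uint64_t *dramSize,
                             uint64_t bufBase, uint64_t bufSize) {
  if (bufSize == 0 || bufSize > *dramSize || *dramSize > UINT64_MAX - dramBase) {
    return NS_BUF_BAD_RANGE;
  }
  uint64_t topBase = dramBase + *dramSize - bufSize;  /* where a top-of-DRAM buffer starts */
  if (bufBase < dramBase || bufBase > topBase) {
    return NS_BUF_BAD_RANGE;                          /* not fully inside DRAM */
  }
  if (bufBase != topBase) {
    return NS_BUF_NOT_TOP;
  }
  *dramSize -= bufSize;
  return NS_BUF_OK;
}

int main(void) {
  uint64_t dram = kDramSize, base = 0, size = 0;
  NsBufStatus st = ParseRegProperty(kRegTop2x1, (int)sizeof kRegTop2x1, 2, 1, &base, &size);
  if (st == NS_BUF_OK) {
    st = CarveOutNsBuffer(kDramBase, &dram, base, size);
  }
  printf("status %d: ns buf @ 0x%llx size 0x%llx, DRAM size 0x%llx -> 0x%llx\n", (int)st,
         (unsigned long long)base, (unsigned long long)size,
         (unsigned long long)kDramSize, (unsigned long long)dram);
  return st == NS_BUF_OK ? 0 : 1;
}
```

The bottom-of-DRAM sample is the case the check exists for: the property parses fine, but the buffer is not at the top, so the DRAM size is left unchanged and the caller can decide to fail loudly instead of silently reporting the shared region as free memory.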
* Re: [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support 2021-02-16 11:35 ` Masahisa Kojima @ 2021-02-16 16:14 ` Graeme Gregory 2021-02-17 5:38 ` Masahisa Kojima 0 siblings, 1 reply; 9+ messages in thread 
From: Graeme Gregory @ 2021-02-16 16:14 UTC (permalink / raw) To: Masahisa Kojima, edk2-devel-groups-io, Ard Biesheuvel Cc: Leif Lindholm, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela On 16/02/2021 11:35, Masahisa Kojima wrote: > Hi Ard, > > I am encountering strange behavior when I apply this patch > "SbsaQemu: add MM based UEFI secure boot support". > When I start linux kernel, booting secondary cores failed. > # I don't store any secure boot keys, so UEFI Secure Boot itself > is disabled. > > --- linux kernel log --- > [ 0.124805] Remapping and enabling EFI services. > [ 0.132850] smp: Bringing up secondary CPUs ... > [ 1.294478] CPU1: failed to come online > [ 1.295647] CPU1: failed in unknown state : 0x0 > [ 2.426489] CPU2: failed to come online > [ 2.427112] CPU2: failed in unknown state : 0x0 > [ 3.567428] CPU3: failed to come online > [ 3.567912] CPU3: failed in unknown state : 0x0 > [ 3.569010] smp: Brought up 1 node, 1 CPU > [ 3.569555] SMP: Total of 1 processors activated. > [ 3.570395] CPU features: detected: GIC system register CPU interface > [ 3.571183] CPU features: detected: 32-bit EL0 Support > [ 3.587378] CPU: All CPU(s) started at EL2 > --- > In my check, arch/arm64/kernel/smp.c::secondary_start_kernel() is never > called, so wait_for_completion_timeout() is timed out. > https://github.com/torvalds/linux/blob/v5.11/arch/arm64/kernel/smp.c#L138 > > > If I set "SECURE_BOOT_ENABLE=FALSE" in edk2 build(non-secure side) > and load the same STANDALONE_MM.fd(Secure Payload) and tf-a binary, > secondary cores boot successfully. > Major difference between success and failure cases is the > existence of UEFI secure variable accesses through Standalone MM framework. > If edk2 accesses UEFI secure variable through Standalone MM, secondary cores > boot fails. I don't come up with any possible reason. > # As a reference, there is no issue on Developerbox. > > Do you have any idea about this error? 
> I don't suppose that we have managed to have conflicting changes and the memory I used for the expanded PSCI state table for upto 512 cores in arm-tf is also the memory you are using for secure MM? Graeme > Thanks, > Masahisa > > On Mon, 21 Dec 2020 at 21:52, Masahisa Kojima > <masahisa.kojima@linaro.org> wrote: >> >> This implements support for UEFI secure boot on SbsaQemu using >> the standalone MM framework. This moves all of the software handling >> of the UEFI authenticated variable store into the standalone MM >> context residing in a secure partition. >> >> Secure variable storage is located at 0x01000000 in secure NOR Flash. >> >> Non-secure shared memory between UEFI and standalone MM >> is allocated at the top of DRAM. >> DRAM size of SbsaQemu varies depends on the QEMU parameter, >> the non-secure shared memory base address is passed from >> trusted-firmware through the device tree "/reserved-memory" node. >> >> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> >> --- >> Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 44 ++++++++--- >> Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc | 40 ++++++++++ >> Platform/Qemu/SbsaQemu/SbsaQemu.fdf | 82 ++++++++++++++++++-- >> Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf | 7 +- >> Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf | 2 + >> Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c | 37 ++++++++- >> 6 files changed, 192 insertions(+), 20 deletions(-) >> >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc >> index f6af3f9111ee..83e7cd21e0c6 100644 >> --- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc >> @@ -27,6 +27,8 @@ [Defines] >> >> DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F >> >> + DEFINE SECURE_BOOT_ENABLE = FALSE >> + >> # >> # Network definition >> # 
>> @@ -148,12 +150,10 @@ [LibraryClasses.common] >> # Secure Boot dependencies >> # >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf >> - AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf >> >> # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >> >> - VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf >> VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf >> VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf >> >> @@ -167,6 +167,7 @@ [LibraryClasses.common] >> ArmPlatformLib|ArmPlatformPkg/Library/ArmPlatformLibNull/ArmPlatformLibNull.inf >> >> TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf >> + >> NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf >> >> CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf >> @@ -296,6 +297,8 @@ [PcdsFeatureFlag.common] >> gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE >> gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE >> >> + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE >> + >> [PcdsFixedAtBuild.common] >> gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength|1000000 >> gEfiMdePkgTokenSpaceGuid.PcdMaximumAsciiStringLength|1000000 >> @@ -511,6 +514,10 @@ [PcdsDynamicDefault.common] >> gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosVersion|0x0300 >> gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 >> >> + gArmTokenSpaceGuid.PcdMmBufferBase|0x10000000000 >> + gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000 >> + >> + >> ################################################################################ >> # >> # Components Section - list of all EDK II Modules needed by this Platform 
>> @@ -564,7 +571,6 @@ [Components.common] >> ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf >> ArmPkg/Drivers/CpuPei/CpuPei.inf >> >> - >> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { >> <LibraryClasses> >> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf 
>> @@ -588,24 +594,40 @@ [Components.common] >> # >> ArmPkg/Drivers/CpuDxe/CpuDxe.inf >> MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf >> - MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { >> - <LibraryClasses> >> - NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf >> - # don't use unaligned CopyMem () on the UEFI varstore NOR flash region >> - BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf >> - } >> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { >> <LibraryClasses> >> +!if $(SECURE_BOOT_ENABLE) == TRUE >> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf >> +!endif >> } >> - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf >> - MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf >> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf >> MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf >> EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf >> EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf >> >> + # >> + # Variable services >> + # >> +!if $(SECURE_BOOT_ENABLE) == FALSE >> + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf >> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { >> + <LibraryClasses> >> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf >> + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf >> + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf >> + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region >> + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf >> + } >> +!else >> + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { >> + <LibraryClasses> >> + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf >> + } >> + 
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf >> + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> +!endif >> + >> MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf >> MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf >> MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc >> index 87f5ee351eaa..9e438bc5b6b6 100644 >> --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc 
>> @@ -77,6 +77,19 @@ [LibraryClasses.common.MM_STANDALONE] >> HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf >> MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf >> MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf >> + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf >> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf >> + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf >> + NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf >> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf >> + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf >> + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf >> + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf >> + TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf >> + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf >> + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf >> + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf >> + ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf >> >> ################################################################################ >> # 
>> @@ -94,6 +107,20 @@ [PcdsFixedAtBuild] >> >> gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 >> >> + gArmTokenSpaceGuid.PcdFdBaseAddress|0x01000000 >> + gArmTokenSpaceGuid.PcdFdSize|0x000C0000 >> + >> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 >> + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE >> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 >> + >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x01000000 >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00040000 >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x01040000 >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00040000 >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x01080000 >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00040000 >> + >> ################################################################################################### >> # >> # Components Section - list of the modules and components that will be processed by compilation 
>> @@ -118,6 +145,19 @@ [Components.common] >> # >> StandaloneMmPkg/Core/StandaloneMmCore.inf >> StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf >> + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf >> + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf >> + >> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { >> + <LibraryClasses> >> + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf >> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf >> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf >> + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region >> + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf >> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf >> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf >> + } >> >> ################################################################################################### >> # >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf >> index 47ada7df9f2c..2373594f1fbc 100644 >> --- a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf >> @@ -21,10 +21,10 @@ >> >> [FD.SBSA_FLASH0] >> BaseAddress = 0x00000000 >> -Size = 0x00400000 >> +Size = 0x01100000 >> ErasePolarity = 1 >> BlockSize = 0x00001000 >> -NumBlocks = 0x400 >> +NumBlocks = 0x1100 >> >> ################################################################################ >> # 
>> @@ -50,6 +50,66 @@ [FD.SBSA_FLASH0] >> 0x00008000|0x00300000 >> FILE = Platform/Qemu/Sbsa/fip.bin >> >> +!if $(SECURE_BOOT_ENABLE) >> +## Place for Secure Variables. >> +# Must be aligned to Flash Block size 0x40000 >> +0x01000000|0x00040000 >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize >> +#NV_VARIABLE_STORE >> +DATA = { >> + ## This is the EFI_FIRMWARE_VOLUME_HEADER >> + # ZeroVector [] >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, >> + # FileSystemGuid: gEfiSystemNvDataFvGuid = >> + # { 0xFFF12B8D, 0x7696, 0x4C8B, >> + # { 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50 }} >> + 0x8D, 0x2B, 0xF1, 0xFF, 0x96, 0x76, 0x8B, 0x4C, >> + 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50, >> + # FvLength: 0xC0000 >> + 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, >> + # Signature "_FVH" # Attributes >> + 0x5f, 0x46, 0x56, 0x48, 0xff, 0xfe, 0x04, 0x00, >> + # HeaderLength # CheckSum # ExtHeaderOffset #Reserved #Revision >> + 0x48, 0x00, 0x28, 0x09, 0x00, 0x00, 0x00, 0x02, >> + # Blockmap[0]: 0x3 Blocks * 0x40000 Bytes / Block >> + 0x3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, >> + # Blockmap[1]: End >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, >> + ## This is the VARIABLE_STORE_HEADER >> + # It is compatible with SECURE_BOOT_ENABLE == FALSE as well. >> + # Signature: gEfiAuthenticatedVariableGuid = >> + # { 0xaaf32c78, 0x947b, 0x439a, >> + # { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} >> + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, >> + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, >> + # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - >> + # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3ffb8 >> + # This can speed up the Variable Dispatch a bit. 
>> + 0xB8, 0xFF, 0x03, 0x00, >> + # FORMATTED: 0x5A #HEALTHY: 0xFE #Reserved: UINT16 #Reserved1: UINT32 >> + 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 >> +} >> + >> +0x01040000|0x00040000 >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize >> +#NV_FTW_WORKING >> +DATA = { >> + # EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER->Signature = gEdkiiWorkingBlockSignatureGuid = >> + # { 0x9e58292b, 0x7c68, 0x497d, { 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95 }} >> + 0x2b, 0x29, 0x58, 0x9e, 0x68, 0x7c, 0x7d, 0x49, >> + 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95, >> + # Crc:UINT32 #WorkingBlockValid:1, WorkingBlockInvalid:1, Reserved >> + 0x5b, 0xe7, 0xc6, 0x86, 0xFE, 0xFF, 0xFF, 0xFF, >> + # WriteQueueSize: UINT64 >> + 0xE0, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00 >> +} >> + >> +0x01080000|0x00040000 >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize >> +#NV_FTW_SPARE >> +!endif >> + >> ################################################################################ >> # >> # FD Section for FLASH1 
>> @@ -169,15 +229,25 @@ [FV.FvMain] >> INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf >> INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf >> INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf >> - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf >> - INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf >> - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf >> INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf >> INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf >> INF EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf >> INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf >> >> + # >> + # Variable services >> + # >> +!if $(SECURE_BOOT_ENABLE) == FALSE >> + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf >> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf >> +!else >> + INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf >> + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf >> +!endif >> + >> # >> # Multiple Console IO support >> # >> @@ -189,7 +259,6 @@ [FV.FvMain] >> >> INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf >> INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf >> - INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf >> INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf >> >> # >> @@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT] >> INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf >> INF ArmPkg/Drivers/CpuPei/CpuPei.inf >> INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf >> + >> INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf >> >> # IDE/AHCI Support 
>> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf >> index a1acefcfb0a7..0fd2e9964c7e 100644 >> --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf >> @@ -19,8 +19,8 @@ >> ################################################################################ >> >> [FD.STANDALONE_MM] >> -BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress >> -Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize # The size in bytes of the device (14MiB). >> +BaseAddress = 0x20001000 >> +Size = 0x00e00000 >> ErasePolarity = 1 >> >> BlockSize = 0x00001000 >> @@ -49,6 +49,9 @@ [FV.FVMAIN_COMPACT] >> READ_LOCK_STATUS = TRUE >> >> INF StandaloneMmPkg/Core/StandaloneMmCore.inf >> + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf >> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf >> INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf >> >> ################################################################################ >> diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf >> index c067a80cc715..1d7f12202ecc 100644 >> --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf >> +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf >> @@ -40,6 +40,8 @@ [Pcd] >> gArmTokenSpaceGuid.PcdSystemMemoryBase >> gArmTokenSpaceGuid.PcdSystemMemorySize >> gArmVirtSbsaQemuPlatformTokenSpaceGuid.PcdDeviceTreeBaseAddress >> + gArmTokenSpaceGuid.PcdMmBufferBase >> + gArmTokenSpaceGuid.PcdMmBufferSize >> >> [FixedPcd] >> gArmTokenSpaceGuid.PcdFdBaseAddress >> diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c >> index 8c2eb0b6a028..fa164ff455f5 100644 
>> --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c >> +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c >> @@ -25,15 +25,20 @@ SbsaQemuLibConstructor ( >> { >> VOID *DeviceTreeBase; >> INT32 Node, Prev; >> - UINT64 NewBase, CurBase; >> + UINT64 NewBase, CurBase, NsBufBase; >> UINT64 NewSize, CurSize; >> + UINT32 NsBufSize; >> CONST CHAR8 *Type; >> INT32 Len; >> CONST UINT64 *RegProp; >> RETURN_STATUS PcdStatus; >> + INT32 ParentOffset; >> + INT32 Offset; >> >> NewBase = 0; >> NewSize = 0; >> + NsBufBase = 0; >> + NsBufSize = 0; >> >> DeviceTreeBase = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeBaseAddress); >> ASSERT (DeviceTreeBase != NULL); 
>> @@ -73,9 +78,39 @@ SbsaQemuLibConstructor ( >> } >> } >> >> + // StandaloneMM non-secure shared buffer is allocated at the top of >> + // the system memory by trusted-firmware using "/reserved-memory" node. >> + ParentOffset = fdt_path_offset(DeviceTreeBase, "/reserved-memory"); >> + if (ParentOffset < 0) { >> + DEBUG ((DEBUG_ERROR, "%a: reserved-memory node not found\n", >> + __FUNCTION__)); >> + } >> + Offset = fdt_subnode_offset(DeviceTreeBase, ParentOffset, "ns-buf-spm-mm"); >> + if (Offset < 0) { >> + DEBUG ((DEBUG_ERROR, "%a: ns-buf-spm-mm node not found\n", >> + __FUNCTION__)); >> + } >> + // Get the 'reg' property of this node. 8 byte quantities for base address >> + // and 4 byte quantities for size. >> + RegProp = fdt_getprop (DeviceTreeBase, Offset, "reg", &Len); >> + if (RegProp != 0 && Len == (sizeof (UINT64) + sizeof(UINT32))) { >> + NsBufBase = fdt64_to_cpu (ReadUnaligned64 (RegProp)); >> + NsBufSize = fdt32_to_cpu (ReadUnaligned32 ((UINT32 *)(RegProp + 1))); >> + >> + DEBUG ((DEBUG_INFO, "%a: ns buf @ 0x%lx - 0x%lx\n", >> + __FUNCTION__, NsBufBase, NsBufBase + NsBufSize - 1)); >> + } else { >> + DEBUG ((DEBUG_ERROR, "%a: Failed to parse FDT reserved-memory node Len %d\n", >> + __FUNCTION__, Len)); >> + } >> + >> + NewSize -= NsBufSize; >> + >> // Make sure the start of DRAM matches our expectation >> ASSERT (FixedPcdGet64 (PcdSystemMemoryBase) == NewBase); >> PcdStatus = PcdSet64S (PcdSystemMemorySize, NewSize); >> + PcdStatus = PcdSet64S (PcdMmBufferBase, NsBufBase); >> + PcdStatus = PcdSet64S (PcdMmBufferSize, (UINT64)NsBufSize); >> ASSERT_RETURN_ERROR (PcdStatus); >> >> return RETURN_SUCCESS; >> -- >> 2.17.1 >> ^ permalink raw reply [flat|nested] 9+ messages in thread
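Review bot: TimerLib is mapped twice in the `@@ -77,6 +77,19 @@ [LibraryClasses.common.MM_STANDALONE]` hunk of SbsaQemuStandaloneMm.dsc (`TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf` followed by `TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf`); the later mapping wins in a DSC, so the ArmArchTimerLib line and the ArmGenericTimerCounterLib mapping added for it are dead. Keep only the instance the MM image is meant to use, and say which in a comment, because `RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf` in the same hunk draws its entropy from that timer: a timer-seeded RngLib is not a cryptographic source to begin with, and with the null TimerLib it has no varying input at all, so anything in the secure partition that asks BaseCryptLib for random bytes gets predictable output.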
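Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE` in the `@@ -94,6 +107,20 @@ [PcdsFixedAtBuild]` hunk, together with `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` in the hunk before it, makes the authenticated variable driver in the secure partition treat physical presence as always asserted, so Secure Boot key updates from the SecureBootConfigDxe setup UI are accepted in custom mode without an authenticated payload. That is a sensible choice for a QEMU development platform, but the pair deserves a comment next to the PCD saying so, since the point of moving the variable store into MM is to keep key material out of the non-secure world's reach and this setting intentionally leaves the enrollment path open.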
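Review bot: the `@@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT]` hunk in SbsaQemu.fdf only inserts a blank line before `INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf` and has nothing to do with secure boot; drop it from this patch (or fold it into the "SbsaQemu: fix typo" patch of the series) so the functional change stays reviewable on its own.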
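Review bot: removing `|gArmTokenSpaceGuid.PcdFdBaseAddress` and `|gArmTokenSpaceGuid.PcdFdSize` from `[FD.STANDALONE_MM]` in the `@@ -19,8 +19,8 @@` hunk of SbsaQemuStandaloneMm.fdf means those two PCDs no longer describe the MM image; the `[PcdsFixedAtBuild]` hunk in SbsaQemuStandaloneMm.dsc instead fixes them to 0x01000000 / 0x000C0000, which is exactly the variable + FTW working + FTW spare span placed in NOR flash by the SbsaQemu.fdf hunk. Reusing the FD PCDs to point the NOR flash driver at the variable region is not obvious from either file, so add a comment at the PCD values explaining it, and keep the `# The size in bytes of the device (14MiB).` comment on the `Size = 0x00e00000` line since the size itself did not change.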
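Review bot: in the `@@ -73,9 +78,39 @@ SbsaQemuLibConstructor (` hunk a missing `/reserved-memory` or `ns-buf-spm-mm` node is only logged with DEBUG_ERROR; the code then still calls fdt_subnode_offset() / fdt_getprop() with a negative offset, leaves NsBufBase and NsBufSize at 0, publishes `PcdMmBufferBase` and `PcdMmBufferSize` as 0 (overwriting the 0x10000000000 / 0x00200000 defaults from SbsaQemu.dsc) and returns RETURN_SUCCESS, so MmCommunication later fails far from the cause. Either skip the whole block and keep the DSC defaults when a lookup fails, or ASSERT right there. Two smaller points in the same hunk: `NewSize -= NsBufSize;` assumes the buffer sits at the very top of DRAM (`NsBufBase + NsBufSize == NewBase + NewSize`), which is never checked, so a TF-A that places it anywhere else would shrink DRAM from the wrong end; and PcdStatus is overwritten by three consecutive PcdSet64S() calls with only the last one checked by ASSERT_RETURN_ERROR, so check each one. `RegProp != 0` should also read `RegProp != NULL`.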
* Re: [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support 2021-02-16 16:14 ` Graeme Gregory @ 2021-02-17 5:38 ` Masahisa Kojima 0 siblings, 0 replies; 9+ messages in thread 
From: Masahisa Kojima @ 2021-02-17 5:38 UTC (permalink / raw)
To: Graeme Gregory
Cc: edk2-devel-groups-io, Ard Biesheuvel, Leif Lindholm, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela

On Wed, 17 Feb 2021 at 01:15, Graeme Gregory <graeme@nuviainc.com> wrote:
>
> On 16/02/2021 11:35, Masahisa Kojima wrote:
> > Hi Ard,
> >
> > I am encountering strange behavior when I apply this patch
> > "SbsaQemu: add MM based UEFI secure boot support".
> > When I start the Linux kernel, booting the secondary cores fails.
> > # I don't store any secure boot keys, so UEFI Secure Boot itself
> > is disabled.
> >
> > --- linux kernel log ---
> > [ 0.124805] Remapping and enabling EFI services.
> > [ 0.132850] smp: Bringing up secondary CPUs ...
> > [ 1.294478] CPU1: failed to come online
> > [ 1.295647] CPU1: failed in unknown state : 0x0
> > [ 2.426489] CPU2: failed to come online
> > [ 2.427112] CPU2: failed in unknown state : 0x0
> > [ 3.567428] CPU3: failed to come online
> > [ 3.567912] CPU3: failed in unknown state : 0x0
> > [ 3.569010] smp: Brought up 1 node, 1 CPU
> > [ 3.569555] SMP: Total of 1 processors activated.
> > [ 3.570395] CPU features: detected: GIC system register CPU interface
> > [ 3.571183] CPU features: detected: 32-bit EL0 Support
> > [ 3.587378] CPU: All CPU(s) started at EL2
> > ---
> > In my check, arch/arm64/kernel/smp.c::secondary_start_kernel() is never
> > called, so wait_for_completion_timeout() times out.
> > https://github.com/torvalds/linux/blob/v5.11/arch/arm64/kernel/smp.c#L138
> >
> >
> > If I set "SECURE_BOOT_ENABLE=FALSE" in the edk2 build (non-secure side)
> > and load the same STANDALONE_MM.fd (Secure Payload) and tf-a binary,
> > the secondary cores boot successfully.
> > The major difference between the success and failure cases is the
> > existence of UEFI secure variable accesses through the Standalone MM framework.
> > If edk2 accesses UEFI secure variables through Standalone MM, secondary core
> > boot fails. I can't come up with any possible reason.
> > # As a reference, there is no issue on Developerbox.
> >
> > Do you have any idea about this error?
> >
> I don't suppose that we have managed to have conflicting changes and the
> memory I used for the expanded PSCI state table for up to 512 cores in
> arm-tf is also the memory you are using for secure MM?

Hi Graeme,

Thank you for your comment.
I think the PSCI state table for 512 cores you are pointing to is located at
0x20000000 - 0x20001FFF (8KiB).
# 8-byte function pointer and (8 bytes * 512 cores) state table

I have noted this area. The current StandaloneMM uses the following regions.

0x0100_0000 - 0x010f_ffff (1MiB)          Secure Flash : store UEFI variables
0x2000_2000 - 0x2030_1fff (3MiB)          SRAM : Secure Payload Code (BL32)
0x2030_2000 - 0x22b0_2000 (40MiB)         SRAM : BL32 Heap (8MiB) and Stack (32MiB [64KiB * 512 cores])
0x3dcd_1000 - 0x3fcd_0fff (32MiB)         SRAM : EL3->S-EL0 shared memory
0x3fcf_e000 - 0x3fcf_efff (4KiB)          SRAM : spm shim exception vectors
0x100_3fe0_0000 - 0x100_3fff_ffff (2MiB)  NS DRAM : shared buffer for non-secure world

I run QEMU with "-smp 4", and the PSCI calls seem to complete successfully in tf-a.
pwr_domain_on() is called from the Linux kernel three times, with mpidr 1, 2 and 3.

Thanks,
Masahisa

>
> Graeme
>
> > Thanks,
> > Masahisa
> >
> > On Mon, 21 Dec 2020 at 21:52, Masahisa Kojima
> > <masahisa.kojima@linaro.org> wrote:
> >>
> >> This implements support for UEFI secure boot on SbsaQemu using
> >> the standalone MM framework. This moves all of the software handling
> >> of the UEFI authenticated variable store into the standalone MM
> >> context residing in a secure partition.
> >>
> >> Secure variable storage is located at 0x01000000 in secure NOR Flash.
> >>
> >> Non-secure shared memory between UEFI and standalone MM
> >> is allocated at the top of DRAM.
> >> The DRAM size of SbsaQemu varies depending on the QEMU parameters, so
> >> the non-secure shared memory base address is passed from
> >> trusted-firmware through the device tree "/reserved-memory" node.
> >> > >> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > >> --- > >> Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 44 ++++++++--- > >> Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc | 40 ++++++++++ > >> Platform/Qemu/SbsaQemu/SbsaQemu.fdf | 82 ++++++++++++++++++-- > >> Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf | 7 +- > >> Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf | 2 + > >> Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c | 37 ++++++++- > >> 6 files changed, 192 insertions(+), 20 deletions(-) > >> > >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > >> index f6af3f9111ee..83e7cd21e0c6 100644 > >> --- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc > >> @@ -27,6 +27,8 @@ [Defines] > >> > >> DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F > >> > >> + DEFINE SECURE_BOOT_ENABLE = FALSE > >> + > >> # > >> # Network definition > >> # > >> @@ -148,12 +150,10 @@ [LibraryClasses.common] > >> # Secure Boot dependencies > >> # > >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > >> - AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > >> > >> # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree > >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >> > >> - VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > >> VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > >> VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf 
> >> > >> @@ -167,6 +167,7 @@ [LibraryClasses.common] > >> ArmPlatformLib|ArmPlatformPkg/Library/ArmPlatformLibNull/ArmPlatformLibNull.inf > >> > >> TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf > >> + > >> NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf > >> > >> CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf > >> @@ -296,6 +297,8 @@ [PcdsFeatureFlag.common] > >> gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE > >> gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE > >> > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > >> + > >> [PcdsFixedAtBuild.common] > >> gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength|1000000 > >> gEfiMdePkgTokenSpaceGuid.PcdMaximumAsciiStringLength|1000000 > >> @@ -511,6 +514,10 @@ [PcdsDynamicDefault.common] > >> gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosVersion|0x0300 > >> gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > >> > >> + gArmTokenSpaceGuid.PcdMmBufferBase|0x10000000000 > >> + gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000 > >> + > >> + > >> ################################################################################ > >> # > >> # Components Section - list of all EDK II Modules needed by this Platform > >> @@ -564,7 +571,6 @@ [Components.common] > >> ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > >> ArmPkg/Drivers/CpuPei/CpuPei.inf > >> > >> - > >> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { > >> <LibraryClasses> > >> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf 
> >> @@ -588,24 +594,40 @@ [Components.common] > >> # > >> ArmPkg/Drivers/CpuDxe/CpuDxe.inf > >> MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > >> - MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > >> - <LibraryClasses> > >> - NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > >> - # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > >> - BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > >> - } > >> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > >> <LibraryClasses> > >> +!if $(SECURE_BOOT_ENABLE) == TRUE > >> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > >> +!endif > >> } > >> - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > >> MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > >> - MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > >> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > >> MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf > >> EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf > >> EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf > >> > >> + # > >> + # Variable services > >> + # > >> +!if $(SECURE_BOOT_ENABLE) == FALSE > >> + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > >> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > >> + <LibraryClasses> > >> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > >> + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf > >> + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > >> + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > >> + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > >> + } > >> +!else > >> + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { > >> + <LibraryClasses> > >> + 
NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf > >> + } > >> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > >> + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > >> +!endif > >> + > >> MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf > >> MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf > >> MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf > >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > >> index 87f5ee351eaa..9e438bc5b6b6 100644 > >> --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc 
> >> @@ -77,6 +77,19 @@ [LibraryClasses.common.MM_STANDALONE] > >> HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > >> MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > >> MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > >> + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > >> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > >> + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > >> + NorFlashPlatformLib|Silicon/Qemu/SbsaQemu/Library/SbsaQemuNorFlashLib/SbsaQemuNorFlashLib.inf > >> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > >> + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf > >> + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > >> + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > >> + TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf > >> + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > >> + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > >> + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf > >> + ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf > >> > >> ################################################################################ > >> # 
> >> @@ -94,6 +107,20 @@ [PcdsFixedAtBuild] > >> > >> gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > >> > >> + gArmTokenSpaceGuid.PcdFdBaseAddress|0x01000000 > >> + gArmTokenSpaceGuid.PcdFdSize|0x000C0000 > >> + > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > >> + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > >> + > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x01000000 > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00040000 > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x01040000 > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00040000 > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x01080000 > >> + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00040000 > >> + > >> ################################################################################################### > >> # > >> # Components Section - list of the modules and components that will be processed by compilation 
> >> @@ -118,6 +145,19 @@ [Components.common] > >> # > >> StandaloneMmPkg/Core/StandaloneMmCore.inf > >> StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > >> + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > >> + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > >> + > >> + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { > >> + <LibraryClasses> > >> + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf > >> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > >> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf > >> + # don't use unaligned CopyMem () on the UEFI varstore NOR flash region > >> + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > >> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > >> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf > >> + } > >> > >> ################################################################################################### > >> # > >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > >> index 47ada7df9f2c..2373594f1fbc 100644 > >> --- a/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.fdf > >> @@ -21,10 +21,10 @@ > >> > >> [FD.SBSA_FLASH0] > >> BaseAddress = 0x00000000 > >> -Size = 0x00400000 > >> +Size = 0x01100000 > >> ErasePolarity = 1 > >> BlockSize = 0x00001000 > >> -NumBlocks = 0x400 > >> +NumBlocks = 0x1100 > >> > >> ################################################################################ > >> # 
> >> @@ -50,6 +50,66 @@ [FD.SBSA_FLASH0] > >> 0x00008000|0x00300000 > >> FILE = Platform/Qemu/Sbsa/fip.bin > >> > >> +!if $(SECURE_BOOT_ENABLE) > >> +## Place for Secure Variables. > >> +# Must be aligned to Flash Block size 0x40000 > >> +0x01000000|0x00040000 > >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize > >> +#NV_VARIABLE_STORE > >> +DATA = { > >> + ## This is the EFI_FIRMWARE_VOLUME_HEADER > >> + # ZeroVector [] > >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > >> + # FileSystemGuid: gEfiSystemNvDataFvGuid = > >> + # { 0xFFF12B8D, 0x7696, 0x4C8B, > >> + # { 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50 }} > >> + 0x8D, 0x2B, 0xF1, 0xFF, 0x96, 0x76, 0x8B, 0x4C, > >> + 0xA9, 0x85, 0x27, 0x47, 0x07, 0x5B, 0x4F, 0x50, > >> + # FvLength: 0xC0000 > >> + 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, > >> + # Signature "_FVH" # Attributes > >> + 0x5f, 0x46, 0x56, 0x48, 0xff, 0xfe, 0x04, 0x00, > >> + # HeaderLength # CheckSum # ExtHeaderOffset #Reserved #Revision > >> + 0x48, 0x00, 0x28, 0x09, 0x00, 0x00, 0x00, 0x02, > >> + # Blockmap[0]: 0x3 Blocks * 0x40000 Bytes / Block > >> + 0x3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, > >> + # Blockmap[1]: End > >> + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > >> + ## This is the VARIABLE_STORE_HEADER > >> + # It is compatible with SECURE_BOOT_ENABLE == FALSE as well. > >> + # Signature: gEfiAuthenticatedVariableGuid = > >> + # { 0xaaf32c78, 0x947b, 0x439a, > >> + # { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} > >> + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, > >> + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, > >> + # Size: 0x40000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - > >> + # 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0x3ffb8 > >> + # This can speed up the Variable Dispatch a bit. 
> >> + 0xB8, 0xFF, 0x03, 0x00, > >> + # FORMATTED: 0x5A #HEALTHY: 0xFE #Reserved: UINT16 #Reserved1: UINT32 > >> + 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 > >> +} > >> + > >> +0x01040000|0x00040000 > >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize > >> +#NV_FTW_WORKING > >> +DATA = { > >> + # EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER->Signature = gEdkiiWorkingBlockSignatureGuid = > >> + # { 0x9e58292b, 0x7c68, 0x497d, { 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95 }} > >> + 0x2b, 0x29, 0x58, 0x9e, 0x68, 0x7c, 0x7d, 0x49, > >> + 0xa0, 0xce, 0x65, 0x0, 0xfd, 0x9f, 0x1b, 0x95, > >> + # Crc:UINT32 #WorkingBlockValid:1, WorkingBlockInvalid:1, Reserved > >> + 0x5b, 0xe7, 0xc6, 0x86, 0xFE, 0xFF, 0xFF, 0xFF, > >> + # WriteQueueSize: UINT64 > >> + 0xE0, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00 > >> +} > >> + > >> +0x01080000|0x00040000 > >> +gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize > >> +#NV_FTW_SPARE > >> +!endif > >> + > >> ################################################################################ > >> # > >> # FD Section for FLASH1 
> >> @@ -169,15 +229,25 @@ [FV.FvMain] > >> INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > >> INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > >> INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > >> - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > >> - INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > >> - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > >> INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > >> INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf > >> INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf > >> INF EmbeddedPkg/MetronomeDxe/MetronomeDxe.inf > >> INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > >> > >> + # > >> + # Variable services > >> + # > >> +!if $(SECURE_BOOT_ENABLE) == FALSE > >> + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > >> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > >> +!else > >> + INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf > >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > >> + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > >> +!endif > >> + > >> # > >> # Multiple Console IO support > >> # > >> @@ -189,7 +259,6 @@ [FV.FvMain] > >> > >> INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf > >> INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf > >> - INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > >> INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf > >> > >> # 
> >> @@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT] > >> INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > >> INF ArmPkg/Drivers/CpuPei/CpuPei.inf > >> INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf > >> + > >> INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf > >> > >> # IDE/AHCI Support > >> diff --git a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > >> index a1acefcfb0a7..0fd2e9964c7e 100644 > >> --- a/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > >> +++ b/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > >> @@ -19,8 +19,8 @@ > >> ################################################################################ > >> > >> [FD.STANDALONE_MM] > >> -BaseAddress = 0x20001000|gArmTokenSpaceGuid.PcdFdBaseAddress > >> -Size = 0x00e00000|gArmTokenSpaceGuid.PcdFdSize # The size in bytes of the device (14MiB). > >> +BaseAddress = 0x20001000 > >> +Size = 0x00e00000 > >> ErasePolarity = 1 > >> > >> BlockSize = 0x00001000 > >> @@ -49,6 +49,9 @@ [FV.FVMAIN_COMPACT] > >> READ_LOCK_STATUS = TRUE > >> > >> INF StandaloneMmPkg/Core/StandaloneMmCore.inf > >> + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > >> + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > >> + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf > >> INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > >> > >> ################################################################################ > >> diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf > >> index c067a80cc715..1d7f12202ecc 100644 > >> --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf > >> +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuLib.inf 
> >> @@ -40,6 +40,8 @@ [Pcd] > >> gArmTokenSpaceGuid.PcdSystemMemoryBase > >> gArmTokenSpaceGuid.PcdSystemMemorySize > >> gArmVirtSbsaQemuPlatformTokenSpaceGuid.PcdDeviceTreeBaseAddress > >> + gArmTokenSpaceGuid.PcdMmBufferBase > >> + gArmTokenSpaceGuid.PcdMmBufferSize > >> > >> [FixedPcd] > >> gArmTokenSpaceGuid.PcdFdBaseAddress > >> diff --git a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c > >> index 8c2eb0b6a028..fa164ff455f5 100644 > >> --- a/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c > >> +++ b/Silicon/Qemu/SbsaQemu/Library/SbsaQemuLib/SbsaQemuMem.c > >> @@ -25,15 +25,20 @@ SbsaQemuLibConstructor ( > >> { > >> VOID *DeviceTreeBase; > >> INT32 Node, Prev; > >> - UINT64 NewBase, CurBase; > >> + UINT64 NewBase, CurBase, NsBufBase; > >> UINT64 NewSize, CurSize; > >> + UINT32 NsBufSize; > >> CONST CHAR8 *Type; > >> INT32 Len; > >> CONST UINT64 *RegProp; > >> RETURN_STATUS PcdStatus; > >> + INT32 ParentOffset; > >> + INT32 Offset; > >> > >> NewBase = 0; > >> NewSize = 0; > >> + NsBufBase = 0; > >> + NsBufSize = 0; > >> > >> DeviceTreeBase = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeBaseAddress); > >> ASSERT (DeviceTreeBase != NULL); 
> >> @@ -73,9 +78,39 @@ SbsaQemuLibConstructor ( > >> } > >> } > >> > >> + // StandaloneMM non-secure shared buffer is allocated at the top of > >> + // the system memory by trusted-firmware using "/reserved-memory" node. > >> + ParentOffset = fdt_path_offset(DeviceTreeBase, "/reserved-memory"); > >> + if (ParentOffset < 0) { > >> + DEBUG ((DEBUG_ERROR, "%a: reserved-memory node not found\n", > >> + __FUNCTION__)); > >> + } > >> + Offset = fdt_subnode_offset(DeviceTreeBase, ParentOffset, "ns-buf-spm-mm"); > >> + if (Offset < 0) { > >> + DEBUG ((DEBUG_ERROR, "%a: ns-buf-spm-mm node not found\n", > >> + __FUNCTION__)); > >> + } > >> + // Get the 'reg' property of this node. 8 byte quantities for base address > >> + // and 4 byte quantities for size. > >> + RegProp = fdt_getprop (DeviceTreeBase, Offset, "reg", &Len); > >> + if (RegProp != 0 && Len == (sizeof (UINT64) + sizeof(UINT32))) { > >> + NsBufBase = fdt64_to_cpu (ReadUnaligned64 (RegProp)); > >> + NsBufSize = fdt32_to_cpu (ReadUnaligned32 ((UINT32 *)(RegProp + 1))); > >> + > >> + DEBUG ((DEBUG_INFO, "%a: ns buf @ 0x%lx - 0x%lx\n", > >> + __FUNCTION__, NsBufBase, NsBufBase + NsBufSize - 1)); > >> + } else { > >> + DEBUG ((DEBUG_ERROR, "%a: Failed to parse FDT reserved-memory node Len %d\n", > >> + __FUNCTION__, Len)); > >> + } > >> + > >> + NewSize -= NsBufSize; > >> + > >> // Make sure the start of DRAM matches our expectation > >> ASSERT (FixedPcdGet64 (PcdSystemMemoryBase) == NewBase); > >> PcdStatus = PcdSet64S (PcdSystemMemorySize, NewSize); > >> + PcdStatus = PcdSet64S (PcdMmBufferBase, NsBufBase); > >> + PcdStatus = PcdSet64S (PcdMmBufferSize, (UINT64)NsBufSize); > >> ASSERT_RETURN_ERROR (PcdStatus); > >> > >> return RETURN_SUCCESS; > >> -- > >> 2.17.1 > >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
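Review bot: the `@@ -287,6 +356,7 @@ [FV.FVMAIN_COMPACT]` hunk in `SbsaQemu.fdf` only inserts an empty line between `Pcd.inf` and `DxeIpl.inf`; it is unrelated whitespace noise and should be dropped from this patch.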
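Review bot: in `[FD.STANDALONE_MM]` of `SbsaQemuStandaloneMm.fdf` the `|gArmTokenSpaceGuid.PcdFdBaseAddress` and `|gArmTokenSpaceGuid.PcdFdSize` bindings are removed, leaving `BaseAddress = 0x20001000` and `Size = 0x00e00000` as bare literals that no PCD in the MM image can read back, and the `(14MiB)` size comment disappears with them. If the StandaloneMm code genuinely no longer needs those PCDs that is fine, but the commit message should say so and keep the size comment; more importantly `0x20001000` has to agree with the address at which TF-A loads BL32, so please name where that value is fixed on the TF-A side so the two cannot drift apart silently.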
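Review bot: the `@@ -49,6 +49,9 @@ [FV.FVMAIN_COMPACT]` hunk of `SbsaQemuStandaloneMm.fdf` adds `NorFlashStandaloneMm.inf`, `FaultTolerantWriteStandaloneMm.inf` and `VariableStandaloneMm.inf`; the first is the out-of-tree StandaloneMm NorFlash driver this series depends on, and that dependency belongs in this patch's commit message, not only in the cover letter, so the platform change cannot land ahead of the driver it builds against. Since the variable store on the NOR flash is now written only from the secure side while the non-secure `SbsaQemu.fdf` drops `NorFlashDxe.inf`, the commit message should also state what prevents a non-secure driver or the OS from mapping that same flash range directly; `READ_LOCK_STATUS = TRUE` in the context above protects the FV, not the variable region.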
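Review bot: in the `@@ -73,9 +78,39 @@ SbsaQemuLibConstructor` hunk the error paths do not stop. When `fdt_path_offset (DeviceTreeBase, "/reserved-memory")` returns a negative `ParentOffset` the code logs and then feeds that negative value into `fdt_subnode_offset`, and when `Offset` is negative it is still handed to `fdt_getprop`, so the `else` branch ends up reporting a `Len` for a lookup that was already known to be invalid. Each `< 0` check should return (or `ASSERT`) or jump straight to a fallback, and that fallback should say what is intended when the node is absent (as written, `PcdMmBufferBase` and `PcdMmBufferSize` are silently set to 0 and `NewSize` is left unchanged). Three more points in the same hunk: `RegProp != 0` should be `RegProp != NULL`; the hard-coded `Len == (sizeof (UINT64) + sizeof(UINT32))` bakes in `#address-cells = 2` / `#size-cells = 1` for `/reserved-memory`, which the comment should state (or the code should read from the parent node), because a TF-A emitting 2/2 would drop into the error branch with no hint why; and `PcdStatus` is assigned three times but `ASSERT_RETURN_ERROR (PcdStatus)` only sees the last `PcdSet64S (PcdMmBufferSize, ...)`, so a failed `PcdSet64S (PcdSystemMemorySize, NewSize)` or `PcdSet64S (PcdMmBufferBase, NsBufBase)` is lost. Finally, `NewSize -= NsBufSize` is only correct if the buffer really sits at the top of the DRAM range found above, as the comment asserts; an `ASSERT (NsBufBase + NsBufSize == NewBase + NewSize)` before the subtraction would pin that assumption down rather than shrinking system memory by a size carved from somewhere else.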
* [PATCH edk2-platforms 3/4] SbsaQemu: add standalone MM build instruction 2020-12-21 12:53 [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 1/4] SbsaQemu: Build infrastructure for StandaloneMm image Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support Masahisa Kojima @ 2020-12-21 12:53 ` Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 4/4] SbsaQemu: fix typo Masahisa Kojima 2021-01-04 17:17 ` [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Ard Biesheuvel 4 siblings, 0 replies; 9+ messages in thread From: Masahisa Kojima @ 2020-12-21 12:53 UTC (permalink / raw) To: devel Cc: Masahisa Kojima, Ard Biesheuvel, Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela This commit adds the standalone MM build instruction to enable UEFI secure boot. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> --- Platform/Qemu/SbsaQemu/Readme.md | 35 ++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/Platform/Qemu/SbsaQemu/Readme.md b/Platform/Qemu/SbsaQemu/Readme.md index 63786d9d0fd3..cdee8b41507e 100644 --- a/Platform/Qemu/SbsaQemu/Readme.md +++ b/Platform/Qemu/SbsaQemu/Readme.md 
@@ -104,6 +104,41 @@ Create a directory $WORKSPACE that would hold source code of the components. truncate -s 256M SBSA_FLASH[01].fd ``` +## Build UEFI with standalone MM based UEFI secure boot + +1. Compile standalone MM image + + ``` + cd $WORKSPACE + build -b RELEASE -a AARCH64 -t GCC5 -p edk2-platforms/Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMM.dsc + ``` + +2. Compile TF-A with BL32(Secure Payload) + + Detailed build instructions can be found on the following link: + https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu-sbsa.rst + + Then copy `bl1.bin` and `fip.bin` to the the edk2-non-osi directory: + +3. Compile UEFI with UEFI secure boot enabled + + ``` + cd $WORKSPACE + build -b RELEASE -a AARCH64 -t GCC5 -p edk2-platforms/Platform/Qemu/SbsaQemu/SbsaQemu.dsc -DSECURE_BOOT_ENABLE=TRUE + ``` + + Copy SBSA_FLASH0.fd and SBSA_FLASH1.fd to top $WORKSPACE directory. + Then extend the file size to match the machine flash size. + ``` + cp Build/SbsaQemu/RELEASE_GCC5/FV/SBSA_FLASH[01].fd . + truncate -s 256M SBSA_FLASH[01].fd + ``` + + To keep the UEFI variable storage after the succeeding build, use `dd` instead of `cp`. + ``` + dd if=./Build/SbsaQemu/RELEASE_GCC5/FV/SBSA_FLASH0.fd of=./SBSA_FLASH0.fd conv=notrunc bs=2M count=8 + ``` + # Running The resulting SBSA_FLASH0.fd file will contain Secure flash0 image (TF-A code). -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
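Review bot: in the new `## Build UEFI with standalone MM based UEFI secure boot` section, step 1 builds `SbsaQemuStandaloneMM.dsc` while the file this series adds is `SbsaQemuStandaloneMm.dsc` (see the diffstat `.../Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc`); on a case-sensitive filesystem the documented command fails, so fix the case. Step 2 ends with `Then copy `bl1.bin` and `fip.bin` to the the edk2-non-osi directory:` followed by nothing, so both the duplicated `the` and the dangling colon need fixing, and the reader should be told which directory under edk2-non-osi receives the files and that the TF-A build must package the BL32 image produced in step 1, otherwise the `-DSECURE_BOOT_ENABLE=TRUE` UEFI of step 3 has no MM to talk to. In step 3, `dd ... conv=notrunc bs=2M count=8` rewrites only the first 16 MiB of `SBSA_FLASH0.fd`; state explicitly that the variable store lives beyond that offset and that this is why it survives, otherwise nobody can tell whether the numbers still hold after a flash layout change. Wording: `succeeding build` reads better as `subsequent build`.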
* [PATCH edk2-platforms 4/4] SbsaQemu: fix typo 2020-12-21 12:53 [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Masahisa Kojima ` (2 preceding siblings ...) 2020-12-21 12:53 ` [PATCH edk2-platforms 3/4] SbsaQemu: add standalone MM build instruction Masahisa Kojima @ 2020-12-21 12:53 ` Masahisa Kojima 2021-01-04 17:17 ` [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Ard Biesheuvel 4 siblings, 0 replies; 9+ messages in thread From: Masahisa Kojima @ 2020-12-21 12:53 UTC (permalink / raw) To: devel Cc: Masahisa Kojima, Ard Biesheuvel, Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela Fix typo in Readme.md Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> --- Platform/Qemu/SbsaQemu/Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Platform/Qemu/SbsaQemu/Readme.md b/Platform/Qemu/SbsaQemu/Readme.md index cdee8b41507e..abee24df0e9d 100644 --- a/Platform/Qemu/SbsaQemu/Readme.md +++ b/Platform/Qemu/SbsaQemu/Readme.md @@ -97,7 +97,7 @@ Create a directory $WORKSPACE that would hold source code of the components. cd $WORKSPACE build -b RELEASE -a AARCH64 -t GCC5 -p edk2-platforms/Platform/Qemu/SbsaQemu/SbsaQemu.dsc ``` - Copy SBSA_FLASH0.fd and SBSA_FLASH0.fd to top $WORKSPACE directory. + Copy SBSA_FLASH0.fd and SBSA_FLASH1.fd to top $WORKSPACE directory. Then extend the file size to match the machine flash size. ``` cp Build/SbsaQemu/RELEASE_GCC5/FV/SBSA_FLASH[01].fd . -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
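Review bot: this one-line fix to `Copy SBSA_FLASH0.fd and SBSA_FLASH1.fd` in the pre-existing build section is independent of the secure boot work, and patch 3/4 already writes the corrected sentence into its new section; ordering this fix first in the series (or squashing it into 3/4) keeps the documentation consistent at every commit instead of leaving the old typo in place for two commits of the same series.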
* Re: [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu 2020-12-21 12:53 [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Masahisa Kojima ` (3 preceding siblings ...) 2020-12-21 12:53 ` [PATCH edk2-platforms 4/4] SbsaQemu: fix typo Masahisa Kojima @ 2021-01-04 17:17 ` Ard Biesheuvel 4 siblings, 0 replies; 9+ messages in thread From: Ard Biesheuvel @ 2021-01-04 17:17 UTC (permalink / raw) To: Masahisa Kojima, devel Cc: Leif Lindholm, Graeme Gregory, Radoslaw Biernacki, Tanmay Jagdale, Shashi Mallela On 12/21/20 1:53 PM, Masahisa Kojima wrote: > This patch series implements the UEFI secure boot on SbsaQemu. > > This patch requires the following edk2 patches currently under review. > - standalone MM version of VarCheckPolicyLib > https://edk2.groups.io/g/devel/topic/patch_v2_1_1/79120932?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,79120932 > > - standalone MM version of NorFlash driver > https://edk2.groups.io/g/devel/topic/patch_0_2/79058286?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,79058286 > > > This patch series also requires the following Trusted Firmware-A modification. > https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/5797 > > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> > Cc: Leif Lindholm <leif@nuviainc.com> > Cc: Graeme Gregory <graeme@nuviainc.com> > Cc: Radoslaw Biernacki <rad@semihalf.com> > Cc: Tanmay Jagdale <tanmay.jagdale@linaro.org> > Cc: Shashi Mallela <shashi.mallela@linaro.org> > > Masahisa Kojima (4): > SbsaQemu: Build infrastructure for StandaloneMm image > SbsaQemu: add MM based UEFI secure boot support > SbsaQemu: add standalone MM build instruction > SbsaQemu: fix typo > Thanks for this - it is very useful to have Standalone MM based variable services wired up on an ARM emulator. The patches look ok to me, but I'd like others to chime in as well please, either with a Reviewed-by or Tested-by (or both). Thanks, Ard. 
> Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 44 +++-- > .../Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc | 172 ++++++++++++++++++ > Platform/Qemu/SbsaQemu/SbsaQemu.fdf | 84 ++++++++- > .../Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf | 96 ++++++++++ > .../Library/SbsaQemuLib/SbsaQemuLib.inf | 2 + > .../Library/SbsaQemuLib/SbsaQemuMem.c | 37 +++- > Platform/Qemu/SbsaQemu/Readme.md | 37 +++- > 7 files changed, 452 insertions(+), 20 deletions(-) > create mode 100644 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.dsc > create mode 100644 Platform/Qemu/SbsaQemu/SbsaQemuStandaloneMm.fdf > ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-02-17 5:38 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-12-21 12:53 [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 1/4] SbsaQemu: Build infrastructure for StandaloneMm image Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 2/4] SbsaQemu: add MM based UEFI secure boot support Masahisa Kojima 2021-02-16 11:35 ` Masahisa Kojima 2021-02-16 16:14 ` Graeme Gregory 2021-02-17 5:38 ` Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 3/4] SbsaQemu: add standalone MM build instruction Masahisa Kojima 2020-12-21 12:53 ` [PATCH edk2-platforms 4/4] SbsaQemu: fix typo Masahisa Kojima 2021-01-04 17:17 ` [PATCH edk2-platforms 0/4] add MM based UEFI secure boot on SbsaQemu Ard Biesheuvel