From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.26735.1621876998609826722 for ; Mon, 24 May 2021 10:23:18 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: sayanta.pattanayak@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4386D6D; Mon, 24 May 2021 10:23:18 -0700 (PDT) Received: from usa.arm.com (a077432.blr.arm.com [10.162.4.31]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 144BF3F73B; Mon, 24 May 2021 10:23:16 -0700 (PDT) From: "Sayanta Pattanayak" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Sami Mujawar Subject: [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot Date: Mon, 24 May 2021 22:53:00 +0530 Message-Id: <20210524172300.28754-4-sayanta.pattanayak@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210524172300.28754-1-sayanta.pattanayak@arm.com> References: <20210524172300.28754-1-sayanta.pattanayak@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Enable the use of UEFI secure boot for Arm's Neoverse reference design platforms. The UEFI authenticated variable store uses NOR flash 2 which is accessible from Standalone MM context residing in a secure partition. Signed-off-by: Sayanta Pattanayak --- Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 31 +++++++++++++++++++ Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 32 ++++++++++++++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 15 +++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ Platform/ARM/SgiPkg/SgiPlatform.fdf | 9 +++++- 6 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPk= g/SgiPlatform.dsc.inc
index 091de0c99c74..e4aee7a09acf 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
@@ -6,6 +6,14 @@
=20
 !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
=20
+[Defines]
+ # To allow the use of secure storage, set this to TRUE.
+ DEFINE SECURE_STORAGE_ENABLE =3D FALSE
+
+ # To allow the use of UEFI secure boot, set this to TRUE.
+ # Secure boot requires secure storage to be enabled as well.
+ DEFINE SECURE_BOOT_ENABLE =3D FALSE
+
 [BuildOptions]
 *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES
=20
@@ -22,6 +30,9 @@
 NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLi= b.inf
 HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
 TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+ MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLi= bNull.inf
+!endif
=20
 # Virtio Support
 VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
@@ -84,6 +95,7 @@
 [PcdsFeatureFlag.common]
 gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE
 gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
=20
 [PcdsFixedAtBuild.common]
 gArmTokenSpaceGuid.PcdVFPEnabled|1
@@ -230,7 +242,15 @@
 MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
 MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRunt= imeDxe.inf
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificat= ionLib.inf
+ }
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf
+!else
 MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!endif
 OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
=20
 MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
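Review bot: The new `[Defines]` comment says secure boot requires secure storage, but nothing in the build enforces it: with `SECURE_BOOT_ENABLE = TRUE` and `SECURE_STORAGE_ENABLE = FALSE` the `DxeImageVerificationLib` policy added at @@ -230 is linked while the variable driver stays the plain `VariableRuntimeDxe` path (visible as context in the @@ -238 hunk), so the signature database the verifier consults is held by a store this configuration has not set up for authenticated writes. A misconfiguration that silently produces a non-enforcing secure boot should fail at build time rather than ship; add a guard right after the second DEFINE: `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURE_STORAGE_ENABLE) == FALSE` / `  !error "SECURE_BOOT_ENABLE requires SECURE_STORAGE_ENABLE"` / `!endif`.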
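Review bot: In the @@ -22 hunk `MmUnblockMemoryLib` is resolved only under `SECURE_BOOT_ENABLE`, while the consumer that appears to need it, `VariableSmmRuntimeDxe`, is added under `SECURE_STORAGE_ENABLE` in the @@ -238 hunk; a build with secure storage on and secure boot off would then have no resolution for that library class, assuming the VariableSmmRuntimeDxe INF lists it (the INF is not visible here). Gating it on the same define as its consumer, `!if $(SECURE_STORAGE_ENABLE) == TRUE`, would remove the mismatch. The unconditional `PcdEnableVariableRuntimeCache|FALSE` in the @@ -84 hunk also deserves a one-line comment on why it is off, e.g. `# Runtime cache stays off: MmUnblockMemoryLibNull cannot expose cache buffers to Standalone MM (confirm)`, since a later reader may otherwise flip it back on.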
@@ -238,6 +258,9 @@
 MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.i= nf
 MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
 MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
 NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
@@ -245,6 +268,7 @@
 BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
 }
 MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
=20
 #
 # ACPI Support
@@ -314,4 +338,11 @@
 #
 MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
=20
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+
+ NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDepend= ency.inf
+ }
+!else
 ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+!endif
diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/Sgi= Pkg/SgiPlatformMm.dsc.inc
index 3389ff676a91..6839ec35da8a 100644
--- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
@@ -59,6 +59,19 @@
 HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.i= nf
 MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Standal= oneMmServicesTableLib.inf
 MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocati= onLib/StandaloneMmMemoryAllocationLib.inf
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.in= f
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+ NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/Standalone= MmNorFlashLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSe= cureLibNull.inf
+ SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchroni= zationLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTempl= ate.inf
+ VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+!endif
=20
 ########################################################################= ########
 #
@@ -75,6 +88,12 @@
=20
 gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
=20
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+ gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
+
 ########################################################################= ###########################
 #
 # Components Section - list of the modules and components that will be p= rocessed by compilation
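Review bot: `PlatformSecureLib` resolves to `PlatformSecureLibNull` in the @@ -59 hunk and the @@ -75 hunk sets `PcdUserPhysicalPresence|TRUE`, so the authenticated-variable code in the secure partition will report a physically present user for every caller; the physical-presence check that SecurityPkg's AuthVariableLib applies before accepting changes to the secure boot mode variables therefore never refuses, which means the key hierarchy can be altered from the OS at runtime with no operator at the machine. That may be acceptable for a reference platform, but it should be stated next to the line rather than discovered later: `# PlatformSecureLibNull reports physical presence unconditionally; replace with a real PlatformSecureLib for production builds`. Separately, `RngLib` is the timer-based `BaseRngLibTimerLib` while `TimerLib` is the `BaseTimerLibNullTemplate` stub; if anything in the MM crypto path draws random bytes, confirm this pairing actually yields entropy rather than a constant.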
@@ -101,6 +120,19 @@
=20
 [Components.AARCH64]
 StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+ MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandal= oneMm.inf
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
+
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.i= nf
+ NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStand= aloneMm.inf
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariableP= olicyLib.inf
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperL= ib/VariablePolicyHelperLib.inf
+ }
+!endif
=20
 ########################################################################= ###########################
 #
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/= SgiPkg/PlatformStandaloneMm.dsc
index cdf8aaa88f03..2cb4895cfcff 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -39,3 +39,18 @@
 [PcdsFixedAtBuild]
 ## PL011 - Serial Terminal
 gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
+
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ ##Secure NOR Flash 2
+ gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000
+
+ ##Secure Variable Storage in NOR Flash 2
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x1000000= 0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010000= 0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100= 000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100= 000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x1020000= 0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x0010000= 0
+!endif
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM= /SgiPkg/PlatformStandaloneMm2.dsc
index bb359a15cc0d..46c2ae3529d1 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
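Review bot: The `##Secure NOR Flash 2` block places the authenticated variable store and its FTW areas at `PcdSmcCs2Base`, but nothing in the file records the property the commit message relies on, that this flash is reachable only from the secure partition; the integrity of PK/KEK/db rests on the normal world having no path to those addresses other than the MM variable driver, and a later memory-map or TZC change could break that silently. A comment should state the requirement and where it is enforced, e.g. `## Secure NOR Flash 2 - must remain inaccessible to the normal world; variable store integrity depends on it (see <platform memory protection config>)`, and a space after `##` would match the `## PL011` comment above. The same applies to the PlatformStandaloneMm2.dsc hunk that follows.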
@@ -38,3 +38,18 @@
 [PcdsFixedAtBuild]
 ## PL011 - Serial Terminal
 gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
+
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ ##Secure NOR Flash 2
+ gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000
+
+ ##Secure Variable Storage in NOR Flash 2
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x10540= 00000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010000= 0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x105= 4100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100= 000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x10542= 00000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x0010000= 0
+!endif
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/= SgiPkg/PlatformStandaloneMm.fdf
index 5a0772cd8522..474c9c0ce764 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
@@ -49,6 +49,11 @@ READ_LOCK_CAP =3D TRUE
 READ_LOCK_STATUS =3D TRUE
=20
 INF StandaloneMmPkg/Core/StandaloneMmCore.inf
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSta= ndaloneMm.inf
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.in= f
+!endif
 INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.in= f
=20
 ########################################################################= ########
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/Sg= iPlatform.fdf
index e11d943d6efc..d94e4633e36c 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
+++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
@@ -90,10 +90,17 @@ READ_LOCK_STATUS =3D TRUE
 INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
 INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
- INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe= .inf
 INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounter= RuntimeDxe.inf
 INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo= nfigDxe.inf
+!endif
+!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i= nf
+!else
+ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe= .inf
 INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
=20
 #
 # ACPI Support
--=20 2.17.1