public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "levi.yun" <yeoreum.yun@arm.com>
To: devel@edk2.groups.io
Cc: yeoreum.yun@arm.com, sami.mujawar@arm.com,
	pierre.gondois@arm.com, nd@arm.com, thomas.abraham@arm.com
Subject: [edk2-devel] [PATCH edk2-platform v2 2/3] Platform/Arm: Enable UEFI Secure Variable support for FVP
Date: Fri, 15 Mar 2024 10:59:35 +0000	[thread overview]
Message-ID: <20240315105936.499262-3-yeoreum.yun@arm.com> (raw)
In-Reply-To: <20240315105936.499262-2-yeoreum.yun@arm.com>

UEFI Secure variable support can be enabled using Standalone MM
for FVP RevC model.

The following steps enable UEFI variable service using StandaloneMm:
  1. Add MmComminucationDxe.
      - Enables communication with StandaloneMm.
        The PcdMmBufferBase & PcdBufferSize definitions are used
        as the NS Shared Buffer for communication.
  2. Use VariableSmmRuntimeDxe
       - Use Standalone MM instance of Variable Runtime Dxe.
  3. Disable caching of variable data as this is cached on the
     normal world side. This is done to prevent arbitrary accesses.
     Therefore, set PcdEnableVariableRuntimeCache to FALSE.
  4. Although MmUnblockMemoryLib is required for supporting variable
     caching (which we disabled), we need a NULL instance of the
     MmUnblockMemoryLib for the build to succeed.
     Also, the Arm implementation does not support modification of
     the StandaloneMm memory map from normal world, so we have no
     real need for MmUnblockMemoryLib.

Signed-off-by: levi.yun <yeoreum.yun@arm.com>
---
 Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc | 49 +++++++++++++++++++-
 Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf |  9 ++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
index f70a4d52ba06f570e017ab5286f06d87193753e5..92e6ebc70aeb887b8c610c256b5fece9b9b87664 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
@@ -25,6 +25,15 @@ [Defines]
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf
 
+  # To allow the use of ueif secure variable feature, set this to TRUE.
+  DEFINE ENABLE_UEFI_SECURE_VARIABLE = FALSE
+
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == TRUE
+  DEFINE ENABLE_STMM             = TRUE
+!else
+  DEFINE ENABLE_STMM             = FALSE
+!endif
+
 !ifndef ARM_FVP_RUN_NORFLASH
   DEFINE EDK2_SKIP_PEICORE=1
 !endif
@@ -53,6 +62,10 @@ [LibraryClasses.common]
   FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
 !endif
 
+!if $(ENABLE_STMM) == TRUE
+  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
+
   DtPlatformDtbLoaderLib|Platform/ARM/VExpressPkg/Library/ArmVExpressDtPlatformDtbLoaderLib/ArmVExpressDtPlatformDtbLoaderLib.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
@@ -71,7 +84,9 @@ [LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION, Libr
 
 [BuildOptions]
   GCC:*_*_AARCH64_PLATFORM_FLAGS == -I$(WORKSPACE)/Platform/ARM/VExpressPkg/Include/Platform/RTSM
-
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == TRUE
+  GCC:*_*_*_CC_FLAGS = -DENABLE_UEFI_SECURE_VARIABLE
+!endif
 
 ################################################################################
 #
@@ -85,6 +100,11 @@ [PcdsFeatureFlag.common]
   #  It could be set FALSE to save size.
   gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE
 
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == TRUE
+  ## Disable Runtime Variable Cache.
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
+!endif
+
 [PcdsFixedAtBuild.common]
   # Only one core enters UEFI, and PSCI is implemented in EL3 by ATF
   gArmPlatformTokenSpaceGuid.PcdCoreCount|1
@@ -92,12 +112,26 @@ [PcdsFixedAtBuild.common]
   #
   # NV Storage PCDs. Use base of 0x0C000000 for NOR1
   #
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == FALSE
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x0FFC0000
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00010000
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x0FFD0000
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00010000
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x0FFE0000
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00010000
+!endif
+
+  #
+  # Set the base address and size of the buffer used
+  # by MM_COMMUNICATE for communication between the
+  # Normal world edk2 and the StandaloneMm image at S-EL0.
+  # This buffer is allocated in TF-A.
+  #
+!if $(ENABLE_STMM) == TRUE
+  ## MM Communicate
+  gArmTokenSpaceGuid.PcdMmBufferBase|0xFF600000
+  gArmTokenSpaceGuid.PcdMmBufferSize|0x10000
+!endif
 
   gArmTokenSpaceGuid.PcdVFPEnabled|1
 
@@ -252,6 +286,10 @@ [Components.common]
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
+
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == TRUE
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
       NULL|EmbeddedPkg/Library/NvVarStoreFormattedLib/NvVarStoreFormattedLib.inf
@@ -259,6 +297,8 @@ [Components.common]
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
+
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
   EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf
@@ -368,3 +408,10 @@ [Components.common]
   # SATA Controller
   #
   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+
+!if $(ENABLE_STMM) == TRUE
+  ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+    <LibraryClasses>
+      NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
+  }
+!endif
diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf
index e836691ddf6f9fd7e9abff97a560af6886b14ccb..612535caa7ee518a0bb083461f2573e182c78281 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf
+++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf
@@ -80,8 +80,14 @@ [FV.FvMain]
 !if $(SECURE_BOOT_ENABLE) == TRUE
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
+
+!if $(ENABLE_UEFI_SECURE_VARIABLE) == TRUE
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
+
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
   INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf
@@ -168,6 +174,9 @@ [FV.FvMain]
   INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
   INF MdeModulePkg/Application/UiApp/UiApp.inf
 
+!if $(ENABLE_STMM) == TRUE
+  INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+!endif
 
   #
   # PCI Support
--
Guid("CE165669-3EF3-493F-B85D-6190EE5B9759")



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116810): https://edk2.groups.io/g/devel/message/116810
Mute This Topic: https://groups.io/mt/104945006/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  reply	other threads:[~2024-03-15 10:59 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-15 10:59 [edk2-devel] [PATCH edk2-platform v2 0/3] StandloneMm support for FVP levi.yun
2024-03-15 10:59 ` [edk2-devel] [PATCH edk2-platform v2 1/3] Platform/Arm: FVP: Add a NorFlashLib instance for StandaloneMm levi.yun
2024-03-15 10:59   ` levi.yun [this message]
2024-03-15 10:59     ` [edk2-devel] [PATCH edk2-platform v2 3/3] Platform/Arm: Add Standalone MM support for FVP levi.yun

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240315105936.499262-3-yeoreum.yun@arm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox