From: "levi.yun"
To: devel@edk2.groups.io
Cc: yeoreum.yun@arm.com, sami.mujawar@arm.com, pierre.gondois@arm.com, nd@arm.com, thomas.abraham@arm.com
Subject: [edk2-devel] [PATCH edk2-platform v2 2/3] Platform/Arm: Enable UEFI Secure Variable support for FVP
Date: Fri, 15 Mar 2024 10:59:35 +0000
Message-Id: <20240315105936.499262-3-yeoreum.yun@arm.com>
In-Reply-To: <20240315105936.499262-2-yeoreum.yun@arm.com>
References: <20240315105936.499262-1-yeoreum.yun@arm.com> <20240315105936.499262-2-yeoreum.yun@arm.com>

UEFI Secure variable support can be enabled using Standalone MM for the FVP RevC model. The following steps enable the UEFI variable service using StandaloneMm:

1. Add MmCommunicationDxe.
   - Enables communication with StandaloneMm. The PcdMmBufferBase & PcdMmBufferSize definitions are used as the NS Shared Buffer for communication.
2. Use VariableSmmRuntimeDxe.
   - Use the Standalone MM instance of Variable Runtime Dxe.
3. Disable caching of variable data as this is cached on the normal world side. This is done to prevent arbitrary accesses. Therefore, set PcdEnableVariableRuntimeCache to FALSE.
4.
Although MmUnblockMemoryLib is required for supporting variable caching (which we disabled), we need a NULL instance of the MmUnblockMemoryLib for the build to succeed. Also, the Arm implementation does not support modification of the StandaloneMm memory map from normal world, so we have no real need for MmUnblockMemoryLib. Signed-off-by: levi.yun --- Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc | 49 ++++++++++++++++= +++- Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf | 9 ++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc b/Platfor= m/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc index f70a4d52ba06f570e017ab5286f06d87193753e5..92e6ebc70aeb887b8c610c256b5= fece9b9b87664 100644 --- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc +++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc @@ -25,6 +25,15 @@ [Defines] SKUID_IDENTIFIER =3D DEFAULT=0D FLASH_DEFINITION =3D Platform/ARM/VExpressPkg/ArmVExpress-= FVP-AArch64.fdf=0D =0D + # To allow the use of ueif secure variable feature, set this to TRUE.=0D + DEFINE ENABLE_UEFI_SECURE_VARIABLE =3D FALSE=0D +=0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D TRUE=0D + DEFINE ENABLE_STMM =3D TRUE=0D +!else=0D + DEFINE ENABLE_STMM =3D FALSE=0D +!endif=0D +=0D !ifndef ARM_FVP_RUN_NORFLASH=0D DEFINE EDK2_SKIP_PEICORE=3D1=0D !endif=0D @@ -53,6 +62,10 @@ [LibraryClasses.common] FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf= =0D !endif=0D =0D +!if $(ENABLE_STMM) =3D=3D TRUE=0D + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf=0D +!endif=0D +=0D DtPlatformDtbLoaderLib|Platform/ARM/VExpressPkg/Library/ArmVExpressDtPla= tformDtbLoaderLib/ArmVExpressDtPlatformDtbLoaderLib.inf=0D =0D [LibraryClasses.common.DXE_RUNTIME_DRIVER]=0D 
@@ -71,7 +84,9 @@ [LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common= .UEFI_APPLICATION, Libr =0D [BuildOptions]=0D GCC:*_*_AARCH64_PLATFORM_FLAGS =3D=3D -I$(WORKSPACE)/Platform/ARM/VExpre= ssPkg/Include/Platform/RTSM=0D -=0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D TRUE=0D + GCC:*_*_*_CC_FLAGS =3D -DENABLE_UEFI_SECURE_VARIABLE=0D +!endif=0D =0D ##########################################################################= ######=0D #=0D @@ -85,6 +100,11 @@ [PcdsFeatureFlag.common] # It could be set FALSE to save size.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE=0D =0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D TRUE=0D + ## Disable Runtime Variable Cache.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE=0D +!endif=0D +=0D [PcdsFixedAtBuild.common]=0D # Only one core enters UEFI, and PSCI is implemented in EL3 by ATF=0D gArmPlatformTokenSpaceGuid.PcdCoreCount|1=0D 
@@ -92,12 +112,26 @@ [PcdsFixedAtBuild.common] #=0D # NV Storage PCDs. Use base of 0x0C000000 for NOR1=0D #=0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D FALSE=0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x0FFC0000= =0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00010000= =0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x0FFD000= 0=0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x0001000= 0=0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x0FFE0000= =0D gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00010000= =0D +!endif=0D +=0D + #=0D + # Set the base address and size of the buffer used=0D + # by MM_COMMUNICATE for communication between the=0D + # Normal world edk2 and the StandaloneMm image at S-EL0.=0D + # This buffer is allocated in TF-A.=0D + #=0D +!if $(ENABLE_STMM) =3D=3D TRUE=0D + ## MM Communicate=0D + gArmTokenSpaceGuid.PcdMmBufferBase|0xFF600000=0D + gArmTokenSpaceGuid.PcdMmBufferSize|0x10000=0D +!endif=0D =0D gArmTokenSpaceGuid.PcdVFPEnabled|1=0D =0D @@ -252,6 +286,10 @@ [Components.common] MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf=0D !endif=0D MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf=0D +=0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D TRUE=0D + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf=0D +!else=0D MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {=0D =0D NULL|EmbeddedPkg/Library/NvVarStoreFormattedLib/NvVarStoreFormattedL= ib.inf=0D @@ -259,6 +297,8 @@ [Components.common] BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf=0D }=0D MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf=0D +!endif=0D +=0D MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntim= eDxe.inf=0D MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf=0D EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf=0D 
@@ -368,3 +408,10 @@ [Components.common] # SATA Controller=0D #=0D MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf=0D +=0D +!if $(ENABLE_STMM) =3D=3D TRUE=0D + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {=0D + =0D + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependen= cy.inf=0D + }=0D +!endif=0D diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf b/Platfor= m/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf index e836691ddf6f9fd7e9abff97a560af6886b14ccb..612535caa7ee518a0bb083461f2= 573e182c78281 100644 --- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf +++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.fdf @@ -80,8 +80,14 @@ [FV.FvMain] !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf=0D !endif=0D +=0D +!if $(ENABLE_UEFI_SECURE_VARIABLE) =3D=3D TRUE=0D + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf= =0D +!else=0D INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf=0D INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.i= nf=0D +!endif=0D +=0D INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRu= ntimeDxe.inf=0D INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.i= nf=0D INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf=0D 
@@ -168,6 +174,9 @@ [FV.FvMain] INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf=0D INF MdeModulePkg/Application/UiApp/UiApp.inf=0D =0D +!if $(ENABLE_STMM) =3D=3D TRUE=0D + INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf=0D +!endif=0D =0D #=0D # PCI Support=0D -- Guid("CE165669-3EF3-493F-B85D-6190EE5B9759")

View/Reply Online (#116810): https://edk2.groups.io/g/devel/message/116810
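Review bot: typo in the new comment in the .dsc [Defines] hunk (@@ -25,6 +25,15): "To allow the use of ueif secure variable feature" should read "UEFI secure variable feature". While touching it, a second line saying that ENABLE_STMM is set only because StandaloneMm is the backend for the secure variable store would tell a reader why two defines exist when one drives the other.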
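Review bot: the MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf entry in the [LibraryClasses.common] hunk (@@ -53,6 +62,10) carries no comment explaining why the NULL instance is acceptable. The rationale is only in the commit message (the runtime cache is disabled, and the Arm implementation cannot modify the StandaloneMm memory map from the normal world); put a one-line version of it next to the entry, e.g. "# NULL instance: variable runtime cache is disabled and Arm StandaloneMm does not unblock memory from NS", so that nobody later swaps in a real instance expecting it to work.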
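Review bot: the new GCC:*_*_*_CC_FLAGS = -DENABLE_UEFI_SECURE_VARIABLE line in the [BuildOptions] hunk (@@ -71,7 +84,9) defines a C preprocessor macro, but nothing else in this patch consumes it. If a later patch in the series or platform code under Platform/ARM/VExpressPkg tests the macro, say so in the commit message; otherwise drop the BuildOptions change, since a compiler define and a DSC define for the same switch tend to drift apart.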
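Review bot: PcdMmBufferBase|0xFF600000 and PcdMmBufferSize|0x10000 in the [PcdsFixedAtBuild.common] hunk (@@ -92,12 +112,26) are hard-coded to match a buffer the comment says is allocated in TF-A, but nothing records which TF-A or StandaloneMm build setting (or FVP memory map entry) they mirror. Nothing in the edk2 build can check that the two sides agree, so the comment is the only coupling a maintainer will see; name the TF-A side of it explicitly, e.g. "# Must match the NS shared buffer TF-A reserves for StandaloneMm on FVP", so that a change on either side is caught in review rather than at the first MM_COMMUNICATE.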
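Review bot: in the [Components.common] hunk (@@ -252,6 +286,10) VariableSmmRuntimeDxe.inf is listed without a library override block, whereas the VariableRuntimeDxe.inf entry it replaces keeps its block with NULL|EmbeddedPkg/Library/NvVarStoreFormattedLib/NvVarStoreFormattedLib.inf and BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf. The NvVarStoreFormattedLib dependency is clearly specific to the flash-backed driver, but the BaseMemoryLib override is not; either carry it over to the VariableSmmRuntimeDxe entry or add a short comment saying why it is only needed for the flash-backed path.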
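Review bot: in the MmCommunication.inf { ... } override block added at the end of [Components.common] (@@ -368,3 +408,10), the line between the opening brace and NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf is blank in the copy shown here, and a NULL library entry is only valid under a <LibraryClasses> section header. The unchanged VariableRuntimeDxe.inf block earlier in the same file shows the same blank where its header should be, so this is most likely the list archive stripping angle brackets; please confirm the header is present in the committed patch, because without it the build fails rather than silently dropping the dependency.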
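Review bot: in the .fdf [FV.FvMain] hunk (@@ -80,8 +80,14), SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf stays in the FV under SECURE_BOOT_ENABLE independently of the new ENABLE_UEFI_SECURE_VARIABLE switch, so SECURE_BOOT_ENABLE=TRUE together with ENABLE_UEFI_SECURE_VARIABLE=TRUE is buildable from this file. The commit message should say whether that combination (authenticated variables served by StandaloneMm) has been tested on FVP; if it has not, a !error on the combination is safer than shipping an untested Secure Boot configuration.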