From: Ming Huang <ming.huang@linaro.org>
To: Leif Lindholm <leif.lindholm@linaro.org>
Cc: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org,
graeme.gregory@linaro.org, ard.biesheuvel@linaro.org,
michael.d.kinney@intel.com, lersek@redhat.com,
wanghuiqiang@huawei.com, huangming23@huawei.com,
zhangjinsong2@huawei.com, huangdaode@hisilicon.com,
john.garry@huawei.com, xinliang.liu@linaro.org,
zhangfeng56@huawei.com
Subject: Re: [PATCH edk2-platforms v1 08/12] Hisilicon/D06: Fix SBBR-SCT AuthVar issue
Date: Wed, 14 Nov 2018 22:31:23 +0800 [thread overview]
Message-ID: <43b660a8-37d8-94ec-a15c-97524abe7ec2@linaro.org> (raw)
In-Reply-To: <20181114001805.sqyr64iwo55rypgp@bivouac.eciton.net>
On 11/14/2018 8:18 AM, Leif Lindholm wrote:
> On Mon, Oct 29, 2018 at 11:32:45AM +0800, Ming Huang wrote:
>> Enable secure boot to fix AuthVar issue:
>> RT.SetVariable - Set Invalid Time Base Auth Variable – FAILURE;
>> RT.SetVariable - Create one Time Base Auth Variable, the expect return
>> status should be EFI_SUCCESS – FAILURE.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Ming Huang <ming.huang@linaro.org>
>> ---
>> Silicon/Hisilicon/Hisilicon.dsc.inc | 16 ++++++++++++++++
>> Platform/Hisilicon/D06/D06.dsc | 2 +-
>> 2 files changed, 17 insertions(+), 1 deletion(-)
>>
>> diff --git a/Silicon/Hisilicon/Hisilicon.dsc.inc b/Silicon/Hisilicon/Hisilicon.dsc.inc
>> index 3ac8e20232..6515c0d703 100644
>> --- a/Silicon/Hisilicon/Hisilicon.dsc.inc
>> +++ b/Silicon/Hisilicon/Hisilicon.dsc.inc
>> @@ -89,8 +89,15 @@
>>
>> SemihostLib|ArmPkg/Library/SemihostLib/SemihostLib.inf
>>
>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>> + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>> + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>
>> + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
>> + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>
> The virtual machines and development boards can get away with this,
> but it is not an appropriate action for a real platform.
> Please implement a real PlatformSecureLib, doing a real
> UserPhysicalPresent check, appropriate to the D06.
>
> I don't expect this to happen in time for a 2018.11 Linaro release, so
> you can drop it from the set. We can log the test failure as a known
> issue for now.
Ok, I will drop this patch in v2.
>
> /
> Leif
>
>> +!else
>> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>> +!endif
>>
>> # BDS Libraries
>> FdtLib|EmbeddedPkg/Library/FdtLib/FdtLib.inf
>> @@ -217,6 +224,9 @@
>> !if $(TARGET) != RELEASE
>> DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
>> !endif
>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
>> +!endif
>>
>> [LibraryClasses.AARCH64]
>> ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf
>> @@ -326,6 +336,12 @@
>> gEmbeddedTokenSpaceGuid.PcdTimerPeriod|10000
>> gArmTokenSpaceGuid.PcdVFPEnabled|1
>> gEfiMdePkgTokenSpaceGuid.PcdUartDefaultReceiveFifoDepth|32
>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>> + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
>> + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
>> + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
>> + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
>> +!endif
>>
>> [PcdsDynamicHii.common.DEFAULT]
>> gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10 # Variable: L"Timeout"
>> diff --git a/Platform/Hisilicon/D06/D06.dsc b/Platform/Hisilicon/D06/D06.dsc
>> index b6ef9fedf0..8ee20342b1 100644
>> --- a/Platform/Hisilicon/D06/D06.dsc
>> +++ b/Platform/Hisilicon/D06/D06.dsc
>> @@ -30,7 +30,7 @@
>> FLASH_DEFINITION = Platform/Hisilicon/$(PLATFORM_NAME)/$(PLATFORM_NAME).fdf
>> DEFINE NETWORK_IP6_ENABLE = FALSE
>> DEFINE HTTP_BOOT_ENABLE = FALSE
>> - DEFINE SECURE_BOOT_ENABLE = FALSE
>> + DEFINE SECURE_BOOT_ENABLE = TRUE
>>
>> !include Silicon/Hisilicon/Hisilicon.dsc.inc
>>
>> --
>> 2.18.0
>>
next prev parent reply other threads:[~2018-11-14 14:31 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 3:32 [PATCH edk2-platforms v1 00/12] Fix D06 SBSA/SBBR issue and improve Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 01/12] Silicon/Hisilicon/D06: Add watchdog to GTDT Ming Huang
2018-11-14 0:39 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 02/12] Silicon/Hisilicon/D06: Drop _CID for fwts issue Ming Huang
2018-11-14 0:48 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 03/12] Silicon/Hisilicon/D06: Fix fwts issue in Dbg2 Ming Huang
2018-11-14 0:50 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 04/12] Silicon/Hisilicon/D06: Fix fwts issue in FADT Ming Huang
2018-11-14 0:50 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 05/12] Hisilicon/D06: Move some functions to OemMiscLib Ming Huang
2018-11-14 0:04 ` Leif Lindholm
2018-11-14 14:30 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 06/12] Silicon/Hisilicon: Modify for SBBR fwts SetTime_Func test case Ming Huang
[not found] ` <20181113235222.amykmhqlh5gltg7p@bivouac.eciton.net>
2018-11-14 14:31 ` Ming Huang
2018-11-14 17:20 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 07/12] Hisilicon/D0x: Fix secure boot bug in FlashFvbDxe Ming Huang
2018-11-13 23:57 ` Leif Lindholm
2018-11-15 7:09 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 08/12] Hisilicon/D06: Fix SBBR-SCT AuthVar issue Ming Huang
2018-11-14 0:18 ` Leif Lindholm
2018-11-14 14:31 ` Ming Huang [this message]
2018-10-29 3:32 ` [PATCH edk2-platforms v1 09/12] Silicon/Hisilicon/D06: Reserve ECAM resource in DSDT Ming Huang
2018-11-14 0:23 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 10/12] Silicon/Hisilicon/D06: Modify GTDT timer flag Ming Huang
2018-11-14 0:24 ` Leif Lindholm
2018-10-29 3:32 ` [PATCH edk2-platforms v1 11/12] Hisilicon/D06: Modify Gic base Ming Huang
2018-11-14 0:29 ` Leif Lindholm
2018-11-14 14:31 ` Ming Huang
2018-10-29 3:32 ` [PATCH edk2-platforms v1 12/12] Silicon/Hisilicon/D06: Set TA as Node 0 for TA boot Ming Huang
2018-11-14 0:36 ` Leif Lindholm
2018-11-14 14:32 ` Ming Huang
2018-10-29 11:43 ` [PATCH edk2-platforms v1 00/12] Fix D06 SBSA/SBBR issue and improve Leif Lindholm
2018-10-29 15:01 ` Ming Huang
2018-10-29 16:14 ` Leif Lindholm
[not found] ` <5eaaf9d7-e76b-2e98-f4c8-bb0a27007cfc@huawei.com>
2018-10-30 9:37 ` Leif Lindholm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43b660a8-37d8-94ec-a15c-97524abe7ec2@linaro.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox