From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Sami Mujawar" <sami.mujawar@arm.com>
Date: Tue, 25 May 2021 15:00:30 +0100
Subject: Re: [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot
To: Sayanta Pattanayak, devel@edk2.groups.io
Cc: Ard Biesheuvel, nd@arm.com
Message-ID: <540101a6-dad9-0b69-8477-62ee2f369825@arm.com>
In-Reply-To: <20210524172300.28754-4-sayanta.pattanayak@arm.com>
References: <20210524172300.28754-1-sayanta.pattanayak@arm.com> <20210524172300.28754-4-sayanta.pattanayak@arm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB

Hi Sayanta,

Thank you for this patch. Please find my response inline marked [SAMI].

Regards,

Sami Mujawar

On 24/05/2021 06:23 PM, Sayanta Pattanayak wrote:
> Enable the use of UEFI secure boot for Arm's Neoverse reference design
> platforms. The UEFI authenticated variable store uses NOR flash 2 which
> is accessible from Standalone MM context residing in a secure partition.
>
> Signed-off-by: Sayanta Pattanayak
> ---
> Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 31 +++++++++++++++++++
> Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 32 ++++++++++++++++++++
> Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 15 +++++++++
> Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
> Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
> Platform/ARM/SgiPkg/SgiPlatform.fdf | 9 +++++-
> 6 files changed, 106 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> index 091de0c99c74..e4aee7a09acf 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> @@ -6,6 +6,14 @@ > > !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc > > +[Defines] > + # To allow the use of secure storage, set this to TRUE. > + DEFINE SECURE_STORAGE_ENABLE = FALSE > + > + # To allow the use of UEFI secure boot, set this to TRUE. > + # Secure boot requires secure storage to be enabled as well. > + DEFINE SECURE_BOOT_ENABLE = FALSE > + > [BuildOptions] > *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES > > @@ -22,6 +30,9 @@ > NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.inf > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf > TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf > +!endif > > # Virtio Support > VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf > @@ -84,6 +95,7 @@ > [PcdsFeatureFlag.common] > gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE > gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE > > [PcdsFixedAtBuild.common] > gArmTokenSpaceGuid.PcdVFPEnabled|1 > @@ -230,7 +242,15 @@ > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > + > + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > + } > + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!else > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > +!endif > OvmfPkg/VirtioBlkDxe/VirtioBlk.inf > > MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf 
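Review bot: The new [Defines] hunk documents that "Secure boot requires secure storage to be enabled as well", but nothing enforces it. A build with SECURE_BOOT_ENABLE = TRUE and SECURE_STORAGE_ENABLE = FALSE still succeeds: it links DxeImageVerificationLib into SecurityStubDxe while taking the !else branch of the SECURE_STORAGE_ENABLE check, so the PK/KEK/db/dbx that image verification consults would be served by the plain DXE VariableRuntimeDxe driver rather than by the authenticated store in Standalone MM that the commit message describes. Please add a build-time guard directly after the two DEFINEs, for example an `!error "SECURE_BOOT_ENABLE requires SECURE_STORAGE_ENABLE"` under `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURE_STORAGE_ENABLE) == FALSE`, or make SECURE_BOOT_ENABLE imply SECURE_STORAGE_ENABLE.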
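Review bot: The MmUnblockMemoryLib mapping in the [LibraryClasses] hunk is guarded by SECURE_BOOT_ENABLE, whereas every other change that moves the variable service into Standalone MM in this patch (VariableSmmRuntimeDxe, the VariableMmDependency NULL library on MmCommunication) is keyed on SECURE_STORAGE_ENABLE. If the library class is needed by VariableSmmRuntimeDxe, a SECURE_STORAGE_ENABLE = TRUE, SECURE_BOOT_ENABLE = FALSE build will fail to resolve it; guard it with SECURE_STORAGE_ENABLE instead (or map it unconditionally, since the Null implementation is harmless when no module consumes it).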
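Review bot: `gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE` in the [PcdsFeatureFlag.common] hunk is added unconditionally and without a comment. The PCD only has an effect on the VariableSmmRuntimeDxe path, and the reason it must be FALSE here (presumably that the runtime cache needs memory to be unblocked for MM access and MmUnblockMemoryLibNull is selected above) is not stated anywhere; move it under `!if $(SECURE_STORAGE_ENABLE) == TRUE` and add a one-line comment giving the reason. Also, SgiPlatformMm.dsc.inc does not set the same PCD for VariableStandaloneMm; please confirm the MM side tolerates the mismatch, or set it to FALSE there as well.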
> @@ -238,6 +258,9 @@ > MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf > MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf > MdeModulePkg/Universal/SerialDxe/SerialDxe.inf > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > +!else > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > > NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > @@ -245,6 +268,7 @@ > BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > } > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > +!endif > > # > # ACPI Support > @@ -314,4 +338,11 @@ > # > MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf > > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { > + > + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf > + } > +!else > ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf > +!endif > diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc > index 3389ff676a91..6839ec35da8a 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc > +++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc 
> @@ -59,6 +59,19 @@ > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf [SAMI] There is a recent patch series that adds ARMv8.5 FEAT_RNG support to BaseRngLib see https://github.com/tianocore/edk2/commit/9301e5644cef5a5234f71b178373dd508cabb9ee. Can this be used instead of BaseRngLibTimerLib? BaseRngLibTimerLib is for non-production use so it would be good to avoid. Indeed, this would require that Sgi platforms are ARMv8.5 or above. If not, then can we conditionally use BaseRngLibTimerLib for platforms that do not support FEAT_RNG. [/SAMI] > + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf > +!endif > > ################################################################################ > # 
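Review bot: In the same [LibraryClasses] hunk that maps RngLib to BaseRngLibTimerLib, TimerLib is mapped to BaseTimerLibNullTemplate. BaseRngLibTimerLib derives its output from the TimerLib performance counter, so with the Null template behind it the RNG has no entropy source at all; this makes the [SAMI] request above (prefer FEAT_RNG via BaseRngLib where available) a correctness issue rather than a preference, and if BaseRngLibTimerLib is kept as a fallback it needs a TimerLib that actually returns a counter inside the secure partition. Separately, PlatformSecureLibNull reports the user as physically present unconditionally; that is acceptable for a reference platform, but please say so in the commit message, since it means that once custom mode is selected the PK can be enrolled or cleared at boot-services time without an authenticated payload.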
> @@ -75,6 +88,12 @@ > > gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > +!endif > + > ################################################################################################### > # > # Components Section - list of the modules and components that will be processed by compilation > @@ -101,6 +120,19 @@ > > [Components.AARCH64] > StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { > + > + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf > + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf > + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf > + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf > + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf > + } > +!endif > > ################################################################################################### > # > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > index cdf8aaa88f03..2cb4895cfcff 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc 
> @@ -39,3 +39,18 @@ > [PcdsFixedAtBuild] > ## PL011 - Serial Terminal > gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000 > + > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + ##Secure NOR Flash 2 > + gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000 > + gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000 > + gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000 > + > + ##Secure Variable Storage in NOR Flash 2 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000 > +!endif > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc > index bb359a15cc0d..46c2ae3529d1 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc 
> @@ -38,3 +38,18 @@ > [PcdsFixedAtBuild] > ## PL011 - Serial Terminal > gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000 > + > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + ##Secure NOR Flash 2 > + gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000 > + gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000 > + gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000 > + > + ##Secure Variable Storage in NOR Flash 2 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x1054100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200000 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000 > +!endif > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > index 5a0772cd8522..474c9c0ce764 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > @@ -49,6 +49,11 @@ READ_LOCK_CAP = TRUE > READ_LOCK_STATUS = TRUE > > INF StandaloneMmPkg/Core/StandaloneMmCore.inf > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf > +!endif > INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > ################################################################################ > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf > index e11d943d6efc..d94e4633e36c 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf > +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf 
> @@ -90,10 +90,17 @@ READ_LOCK_STATUS = TRUE > INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf > INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!endif > +!if $(SECURE_STORAGE_ENABLE) == TRUE > + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf > +!else > + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > +!endif > > # > # ACPI Support
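Review bot: Style nit in the PlatformStandaloneMm.dsc and PlatformStandaloneMm2.dsc [PcdsFixedAtBuild] hunks: the new `##Secure NOR Flash 2` and `##Secure Variable Storage in NOR Flash 2` comments lack the space after `##` that the existing `## PL011 - Serial Terminal` line in the same section uses; please write them as `## Secure NOR Flash 2` and `## Secure Variable Storage in NOR Flash 2` in both files.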