From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web10.36366.1679464740334915198 for ; Tue, 21 Mar 2023 22:59:02 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=V2Hg+a1Q; spf=pass (domain: intel.com, ip: 134.134.136.24, mailfrom: subash.lakkimsetti@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679464742; x=1711000742; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=raXrUeZYnUYp8ciHa/qTDeSHFaxkAnKmlZg7ZLb8vI8=; b=V2Hg+a1QTLYYqX0HXVbXQYhlF4somGsHAjyT5iGCUip4xkJY5Ib0DYLb NbIOfdmXdOnCE81pgN0KVdUhXsUZq4EvpUAW0nqpCGYIcs3wB1+vAgnL0 zqt1Z5tPYt1kX4NLnz5tgdGDS1tsV1s3cQfIWkVr6JBIW6iJGP9ZuLzBy TMggHNnrrQ3Dc6WV0Vu9w1jVDN2ihoc/foHScE/gBc/CHgV12bSC9+vRQ RTccd2bGOrAxOZQ/qI/bUztoCjka7d0u4MaF5Wk06wwB/L/tkbxUh4L0P MS/+l+/8p4tGwTkyXIcaCAsdvlOIGw0b9K1y4YYBsu/Bq2KySZFdDGneu A==; X-IronPort-AV: E=McAfee;i="6600,9927,10656"; a="340671534" X-IronPort-AV: E=Sophos;i="5.98,280,1673942400"; d="scan'208";a="340671534" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Mar 2023 22:59:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10656"; a="714294388" X-IronPort-AV: E=Sophos;i="5.98,280,1673942400"; d="scan'208";a="714294388" Received: from slakkim-mobl.amr.corp.intel.com ([10.213.186.211]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Mar 2023 22:59:01 -0700 
From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs Date: Tue, 21 Mar 2023 22:58:42 -0700 Message-Id: <5a76f4af09f346e3c755755b5855abb53b340e46.1679464590.git.subash.lakkimsetti@intel.com> X-Mailer: git-send-email 2.39.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Subash Lakkimsetti This patch add the HOB fpr secure and measured boot information. This is populated by bootloader phase and uefipayload pkg uses this info to sync the TPM info PCDs. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++- UefiPayloadPkg/UefiPayloadPkg.dec | 4 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 + 4 files changed, 92 insertions(+), 4 deletions(-) diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/Bl= SupportDxe/BlSupportDxe.c index 2e70c4533c..7415507ec6 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c +++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c @@ -2,11 +2,14 @@ This driver will report some MMIO/IO resources to dxe core, extract smbi= os and acpi=0D tables from bootloader.=0D =0D - Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
=0D + Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
=0D
 SPDX-License-Identifier: BSD-2-Clause-Patent=0D
 =0D
 **/=0D
 #include "BlSupportDxe.h"=0D
+#include =0D
+#include =0D
+#include =0D
 =0D
 /**=0D
 Reserve MMIO/IO resource in GCD=0D
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
 return Status;=0D
 }=0D
 =0D
+/**=0D
+Sync the Secure boot hob info and TPM PCD as per the information passed fr= om Bootloader.=0D
+**/=0D
+EFI_STATUS=0D
+BlSupportSecurityPcdSync (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_HOB_GUID_TYPE *GuidHob;=0D
+ UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;=0D
+ UINTN Size;=0D
+=0D
+ GuidHob =3D GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);=0D
+ if (GuidHob =3D=3D NULL) {=0D
+ DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n= "));=0D
+ return EFI_UNSUPPORTED;=0D
+ }=0D
+=0D
+ SecurebootInfoHob =3D (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (G= uidHob);=0D
+=0D
+ // Sync the Hash mask for TPM 2.0 as per active PCR banks.=0D
+ // Make sure that the current PCR allocations, the TPM supported PCRs,=0D
+ // and the PcdTpm2HashMask are all in agreement.=0D
+ Status =3D PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePc= rBanks);=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->T= pmPcrActivePcrBanks));=0D
+=0D
+ // Set the Firmware debugger PCD=0D
+ Status =3D PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHo= b->FirmwareDebuggerInitialized);=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootI= nfoHob->FirmwareDebuggerInitialized));=0D
+=0D
+ // Set the TPM Type instance GUID=0D
+ if (SecurebootInfoHob->MeasuredBootEnabled) {=0D
+ if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_20) {=0D
+ DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __FUNCTION__));=0D
+ Size =3D sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);=0D
+ Status =3D PcdSetPtrS (=0D
+ PcdTpmInstanceGuid,=0D
+ &Size,=0D
+ &gEfiTpmDeviceInstanceTpm20DtpmGuid=0D
+ );=0D
+ } else if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_12) {=0D
+ DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __FUNCTION__));=0D
+ Size =3D sizeof (gEfiTpmDeviceInstanceTpm12Guid);=0D
+ Status =3D PcdSetPtrS (=0D
+ PcdTpmInstanceGuid,=0D
+ &Size,=0D
+ &gEfiTpmDeviceInstanceTpm12Guid=0D
+ );=0D
+ } else {=0D
+ DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __FUNCTION__));=0D
+ Size =3D sizeof (gEfiTpmDeviceInstanceNoneGuid);=0D
+ Status =3D PcdSetPtrS (=0D
+ PcdTpmInstanceGuid,=0D
+ &Size,=0D
+ &gEfiTpmDeviceInstanceNoneGuid=0D
+ );=0D
+ }=0D
+=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
 /**=0D
 Main entry for the bootloader support DXE module.=0D
 =0D
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
 ASSERT_EFI_ERROR (Status);=0D
 }=0D
 =0D
+ //=0D
+ // Sync Bootloader info for TPM=0D
+ //=0D
+ BlSupportSecurityPcdSync ();=0D
+=0D
 return EFI_SUCCESS;=0D
 }=0D
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/= BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
 #=0D
 # Report some MMIO/IO resources to dxe core, extract smbios and acpi table= s=0D
 #=0D
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
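Review bot: The HOB data is cast to UNIVERSAL_SECURE_BOOT_INFO and its fields dereferenced right after the NULL check, but nothing verifies the HOB is at least that large, so a bootloader that emits a short or older-layout HOB makes this driver read past the end of the HOB; add `if (GET_GUID_HOB_DATA_SIZE (GuidHob) < sizeof (UNIVERSAL_SECURE_BOOT_INFO)) { return EFI_INVALID_PARAMETER; }` before the cast (if the structure carries a universal-payload header with a Revision field, which this patch does not show, checking that as well would be appropriate). Separately, PcdTpmInstanceGuid is only written inside `if (SecurebootInfoHob->MeasuredBootEnabled)`, so when the bootloader reports measured boot disabled the PCD silently keeps whatever the platform default is instead of being forced to gEfiTpmDeviceInstanceNoneGuid; moving the None assignment into an `else` on the MeasuredBootEnabled check would make the payload fail closed. Note that the ASSERT_EFI_ERROR calls are no-ops in release builds, so a failing PcdSet here is otherwise invisible.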
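Review bot: The status returned by `BlSupportSecurityPcdSync ()` is discarded, so a missing HOB (EFI_UNSUPPORTED) or a failed PCD write leaves no trace in a release build and the entry point still reports EFI_SUCCESS; at least log it, e.g. `Status = BlSupportSecurityPcdSync (); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_WARN, "Secure boot HOB sync failed: %r\n", Status)); }`. This module's `[Depex]` is `TRUE` (visible in the .inf hunk below), so nothing in this patch orders it before whichever driver consumes PcdTpmInstanceGuid and PcdTpm2HashMask; if that consumer can be dispatched first it would read the pre-sync defaults, so either do the sync before DXE dispatch or tie the consumer's depex to this driver — I cannot see the consumer from here, so please confirm. The body of BlDxeEntryPoint starts outside this hunk.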
= =0D +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
= =0D
 #=0D
 # SPDX-License-Identifier: BSD-2-Clause-Patent=0D
 #=0D
@@ -30,6 +30,7 @@
 [Packages]=0D
 MdePkg/MdePkg.dec=0D
 MdeModulePkg/MdeModulePkg.dec=0D
+ SecurityPkg/SecurityPkg.dec=0D
 UefiPayloadPkg/UefiPayloadPkg.dec=0D
 =0D
 [LibraryClasses]=0D
@@ -44,6 +45,10 @@
 [Guids]=0D
 gUefiAcpiBoardInfoGuid=0D
 gEfiGraphicsInfoHobGuid=0D
+ gUniversalPayloadSecureBootInfoGuid=0D
+ gEfiTpmDeviceInstanceTpm20DtpmGuid=0D
+ gEfiTpmDeviceInstanceTpm12Guid=0D
+ gEfiTpmDeviceInstanceNoneGuid=0D
 =0D
 [Pcd]=0D
 gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution=0D
@@ -52,6 +57,10 @@
 gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution=0D
 gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress=0D
 gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize=0D
-=0D
+ ## SOMETIMES_CONSUMES=0D
+ ## SOMETIMES_PRODUCES=0D
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0D
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized=0D
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid=0D
 [Depex]=0D
 TRUE=0D
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayload= Pkg.dec
index 7d61d6eeae..20981af295 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
@@ -3,7 +3,7 @@
 #=0D
 # Provides drivers and definitions to create uefi payload for bootloaders.= =0D
 #=0D
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
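Review bot: The `## SOMETIMES_CONSUMES` tag placed over the three new PCDs does not match what the driver does with them — in the .c hunk BlSupportSecurityPcdSync only writes them through PcdSet32S/PcdSetBoolS/PcdSetPtrS and never reads them — so the usage comment should be `## SOMETIMES_PRODUCES` alone (conditional on the HOB being present). The hunk also deletes the blank line that separated the `[Pcd]` entries from `[Depex]`, so the new entries now butt against the section header; keep the blank line for consistency with the other sections in this file.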
=0D +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
=0D
 # SPDX-License-Identifier: BSD-2-Clause-Patent=0D
 #=0D
 ##=0D
@@ -42,6 +42,8 @@
 gSpiFlashInfoGuid =3D { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c,= 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }=0D
 gSmmRegisterInfoGuid =3D { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9,= 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }=0D
 gS3CommunicationGuid =3D { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf,= 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }=0D
+ gUniversalPayloadSecureBootInfoGuid =3D { 0xd970f847, 0x07dd, 0x4b2= 4, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }=0D
+=0D
 =0D
 [Ppis]=0D
 gEfiPayLoadHobBasePpiGuid =3D { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6,= 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }=0D
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc
index bca5d3f335..2f5c70ec9c 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -579,6 +579,8 @@
 =0D
 gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)= =0D
 gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER= )=0D
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE=0D
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}=0D
 =0D
 ##########################################################################= ######=0D
 #=0D
--=20
2.39.1.windows.1
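Review bot: The default given to PcdTpmInstanceGuid here appears to be the TPM 2.0 DTPM instance GUID (the bytes decode to 286BF25A-C2C3-408C-B3B4-25E6758B7317), and the driver in this same patch only overrides it when the HOB reports measured boot enabled, so a payload built with this default selects a discrete TPM 2.0 whenever the bootloader HOB is absent or says measured boot is off; the fail-closed choice is to default to the None instance (all zeros, if I recall SecurityPkg.dec correctly), `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}`, and let the HOB opt in. These two entries also need to sit in a dynamic PCD section for the PcdSet*S calls in BlSupportSecurityPcdSync to take effect, and PcdTpm2HashMask, which that function sets as well, is not declared here at all; the hunk does not show which section this is, so please confirm.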