From: "Subash Lakkimsetti"
To: devel@edk2.groups.io
Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo
Subject: [PATCH v2 4/6] UefiPayloadPkg: Add secure boot configurations
Date: Wed, 17 May 2023 16:55:32 -0700
Message-Id: <80f7425d9598d3196a4dee6544bc5a80f9f8e447.1684367408.git.subash.lakkimsetti@intel.com>
X-Mailer: git-send-email 2.39.1.windows.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

From: Subash Lakkimsetti

Add the required modules for secure boot in UefiPayloadPkg.
SECURE_BOOT_ENABLE flag added to control the secure boot feature.
Security modules are added as separate FV.

Cc: Guo Dong
Cc: Ray Ni
Cc: Sean Rhodes
Cc: James Lu
Cc: Gua Guo
Signed-off-by: Subash Lakkimsetti
---
 UefiPayloadPkg/UefiPayloadPkg.dsc       | 50 ++++++++++++++++++++++++-
 UefiPayloadPkg/UefiPayloadPkg.fdf       | 29 ++++++++++++++
 UefiPayloadPkg/UniversalPayloadBuild.py |  1 +
 3 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index 0e7093cc7d..df078a1b28 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -133,6 +133,11 @@ =0D DEFINE MULTIPLE_DEBUG_PORT_SUPPORT =3D FALSE=0D =0D + #=0D + # Security=0D + #=0D + DEFINE SECURE_BOOT_ENABLE =3D FALSE=0D +=0D [BuildOptions]=0D *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES= =0D !if $(USE_CBMEM_FOR_CONSOLE) =3D=3D FALSE=0D 
@@ -290,7 +295,20 @@ DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebug= LibReportStatusCode.inf=0D LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf=0D FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf= =0D +=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf=0D + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf=0D + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf=0D + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf=0D + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf= =0D + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf=0D + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf=0D + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf=0D +!else=0D AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf=0D +!endif=0D +=0D !if $(VARIABLE_SUPPORT) =3D=3D "EMU"=0D TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf=0D !elseif $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D @@ -406,6 +424,16 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf=0D !endif=0D =0D +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Libr= aryClasses.common.UEFI_APPLICATION]=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf=0D +!endif=0D +=0D +[LibraryClasses.common.DXE_RUNTIME_DRIVER]=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D +!endif=0D +=0D ##########################################################################= ######=0D #=0D # Pcd Section - list of all EDK II PCD Entries defined by this Platform.=0D 
@@ -475,6 +503,16 @@ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY=0D !endif=0D =0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800=0D + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE=0D +=0D + # override the default values from SecurityPkg to ensure images from all= sources are verified in secure boot=0D + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04=0D + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04= =0D + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0= x04=0D +!endif=0D +=0D [PcdsPatchableInModule.X64]=0D !if $(NETWORK_DRIVER_ENABLE) =3D=3D TRUE=0D gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE=0D @@ -635,8 +673,18 @@ # Components that produce the architectural protocols=0D #=0D !if $(SECURITY_STUB_ENABLE) =3D=3D TRUE=0D - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf=0D + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {=0D + =0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf=0D !endif=0D + }=0D +!endif=0D +=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf=0D +!endif=0D +=0D UefiCpuPkg/CpuDxe/CpuDxe.inf=0D MdeModulePkg/Universal/BdsDxe/BdsDxe.inf=0D !if $(BOOTSPLASH_IMAGE)=0D diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index f8c2aa8c4a..d1f76b1e56 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf 
@@ -201,6 +201,10 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf= =0D !endif=0D =0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf=0D +!endif=0D +=0D INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf=0D INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf=0D !if $(MEMORY_TEST) =3D=3D "GENERIC"=0D @@ -324,6 +328,31 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamic= Command.inf INF ShellPkg/Application/Shell/Shell.inf=0D !endif=0D =0D +[FV.SECFV]=0D +FvNameGuid =3D 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C=0D +BlockSize =3D $(FD_BLOCK_SIZE)=0D +FvForceRebase =3D FALSE=0D +FvAlignment =3D 16=0D +ERASE_POLARITY =3D 1=0D +MEMORY_MAPPED =3D TRUE=0D +STICKY_WRITE =3D TRUE=0D +LOCK_CAP =3D TRUE=0D +LOCK_STATUS =3D TRUE=0D +WRITE_DISABLED_CAP =3D TRUE=0D +WRITE_ENABLED_CAP =3D TRUE=0D +WRITE_STATUS =3D TRUE=0D +WRITE_LOCK_CAP =3D TRUE=0D +WRITE_LOCK_STATUS =3D TRUE=0D +READ_DISABLED_CAP =3D TRUE=0D +READ_ENABLED_CAP =3D TRUE=0D +READ_STATUS =3D TRUE=0D +READ_LOCK_CAP =3D TRUE=0D +READ_LOCK_STATUS =3D TRUE=0D +=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf=0D +!endif=0D +=0D =0D ##########################################################################= ######=0D #=0D diff --git a/UefiPayloadPkg/UniversalPayloadBuild.py b/UefiPayloadPkg/Unive= rsalPayloadBuild.py index 416946a431..4a8b76bacc 100644 --- a/UefiPayloadPkg/UniversalPayloadBuild.py +++ b/UefiPayloadPkg/UniversalPayloadBuild.py 
@@ -118,6 +118,7 @@ def BuildUniversalPayload(Args): ['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ],=0D ['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ],=0D ['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTar= get, ToolChain), os.path.normpath("FV/NETWORKFV.Fv")) ],=0D + ['security_fv', os.path.join(BuildDir, "{}_{}".format (BuildTa= rget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ],=0D ]=0D AddSectionName =3D '.upld_info'=0D ReplaceFv (EntryOutputDir, UpldInfoFile, AddSectionName, Alignment= =3D 4)=0D --=20 2.39.1.windows.1
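Review bot: In the UefiPayloadPkg.dsc hunk at @@ -133 (the new `DEFINE SECURE_BOOT_ENABLE = FALSE`), the DEFINE carries no comment on what the feature needs from the rest of the platform, and the library hunk further down selects between an "EMU" and an "SPI" variable store via VARIABLE_SUPPORT. PK, KEK, db and dbx are authenticated variables; with an emulated, non-persistent store they are lost at reset, so secure boot never leaves setup mode across boots and the feature gives no protection in practice. Please either add a build-time check (for example an `!error` when SECURE_BOOT_ENABLE is TRUE and VARIABLE_SUPPORT is "EMU") or document next to the DEFINE that a persistent, write-protected variable store is required.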
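Review bot: In the UefiPayloadPkg.dsc hunk at @@ -290, the `!if $(SECURE_BOOT_ENABLE) == TRUE` block maps `RngLib` to `MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf`, which derives its output from timer readings rather than a hardware entropy source. That is adequate for signature verification, which needs no randomness, but it becomes a weak point the moment any OpenSSL consumer in the payload draws keys or nonces from RAND (TLS, which the PCD hunk below shows is already configurable via PcdCryptoServiceFamilyEnable). Please mention in the commit message why the timer-based RngLib was chosen, or map the hardware-backed RngLib for X64 builds. In the same block, `PlatformSecureLib` is mapped to `PlatformSecureLibNull`, which reports the user as always physically present; see the note on the PCD hunk, since the two settings reinforce each other.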
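Review bot: Style point on the UefiPayloadPkg.dsc hunk at @@ -406: the two new section headers `[LibraryClasses.common.DXE_DRIVER, ...]` and `[LibraryClasses.common.DXE_RUNTIME_DRIVER]` are emitted unconditionally while their only content sits inside `!if $(SECURE_BOOT_ENABLE) == TRUE`, so a default build ends up with two empty sections. Moving the `!if` outside the section headers keeps the DSC tidier and makes it obvious at a glance that `BaseCryptLib` and `RuntimeCryptLib` are only linked for secure-boot builds.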
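Review bot: In the UefiPayloadPkg.dsc hunk at @@ -475, `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE` is hard-coded, and the library hunk above pairs it with `PlatformSecureLibNull`. Together they assert physical presence unconditionally, so every SecureBootConfigDxe operation gated on physical presence (enrolling or deleting the PK, and therefore switching the platform out of user mode) is available to anything that can drive the setup UI, with no user at the console required. Please make this a platform-selectable value (for example `DEFINE`-controlled, defaulting to FALSE) or note in the commit message that the payload relies on the host firmware to restrict who can reach the configuration UI. The three `*ImageVerificationPolicy|0x04` settings (deny execution on a security violation for option ROMs, fixed and removable media) are the right strict choice; the inline comment should say that explicitly rather than only "override the default values".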
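Review bot: In the UefiPayloadPkg.dsc hunk at @@ -635, `DxeImageVerificationLib` is only linked when both SECURITY_STUB_ENABLE and SECURE_BOOT_ENABLE are TRUE, but `SecureBootConfigDxe.inf` is added under SECURE_BOOT_ENABLE alone. A build with SECURE_BOOT_ENABLE=TRUE and SECURITY_STUB_ENABLE=FALSE therefore provisions and exposes the secure boot variables while no image is ever verified, which is the most dangerous combination because it looks enabled. Please add an `!error` (or force SECURITY_STUB_ENABLE on) when SECURE_BOOT_ENABLE is TRUE. Separately, the line directly after `SecurityStubDxe.inf {` reads as blank in the posted patch; the `NULL|SecurityPkg/Library/DxeImageVerificationLib/...` override only takes effect under a `<LibraryClasses>` sub-section header, so please confirm that header is present and was merely lost in transit.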
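Review bot: In the UefiPayloadPkg.fdf hunk at @@ -201, `INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf` is added to the existing DXE FV, and the same INF is added again inside the new `[FV.SECFV]` section in the hunk at @@ -324. That places two copies of the driver in the image, which is at best wasted space and at worst two dispatch attempts of the same module. Since the commit message says the security modules are meant to live in their own FV, please drop the copy from the hunk at @@ -201.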
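Review bot: In the UefiPayloadPkg.fdf hunk at @@ -324, the new `[FV.SECFV]` contains only `SecureBootConfigDxe.inf`, while the component that actually enforces the policy, `DxeImageVerificationLib` linked into `SecurityStubDxe`, stays in the DXE FV. The commit message's "Security modules are added as separate FV" therefore overstates what SECFV holds; please say that SECFV carries the secure boot configuration UI. Also, with SECURE_BOOT_ENABLE=FALSE the section has no INF at all and still produces an FV, which the UniversalPayloadBuild.py hunk below depends on; a one-line comment above `[FV.SECFV]` stating that the FV is intentionally always built (possibly empty) would save the next reader a puzzle.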
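Review bot: In the UniversalPayloadBuild.py hunk at @@ -118, the new `['security_fv', ... "FV/SECFV.Fv"]` entry is appended unconditionally, so the Python side silently depends on `[FV.SECFV]` always being present in the FDF. If a later change wraps that FDF section in `!if $(SECURE_BOOT_ENABLE) == TRUE`, `ReplaceFv` will be handed a path that does not exist. Please either guard the entry with an `os.path.exists` check and skip missing FVs, or add a comment noting that SECFV is built even when secure boot is disabled so the two files stay in step.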