From: "Wei, David"
To: "Lu, ShifeiX A", "edk2-devel@lists.01.org"
Date: Wed, 22 Feb 2017 06:38:40 +0000
Subject: Re: [Patch][edk2-platforms/devel-MinnowBoard3] Enable Secure Boot.
Message-ID: <89954A0B46707A448411A627AD4EEE3468EFC8E4@SHSMSX101.ccr.corp.intel.com>
List-Id: EDK II Development (edk2-devel@lists.01.org)

Reviewed-by: zwei4

Thanks,
David Wei

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of lush= ifex Sent: Wednesday, February 22, 2017 2:35 PM To: edk2-devel@lists.01.org Cc: Wei, David Subject: [edk2] [Patch][edk2-platforms/devel-MinnowBoard3] Enable Secure Bo= ot. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: lushifex --- .../PlatformSecureDefaultsLib.c | 952 -----------------= ---- .../PlatformSecureDefaultsLib.inf | 69 -- .../Common/PlatformSettings/PlatformDxe/Platform.c | 17 +- .../PlatformSettings/PlatformDxe/PlatformDxe.inf | 3 +- .../PlatformSetupDxe/PlatformSetupDxe.c | 39 +- .../PlatformSetupDxe/PlatformSetupDxe.inf | 3 +- .../PlatformSettings/PlatformSetupDxe/Security.vfi | 37 +- .../PlatformSetupDxe/SetupInfoRecords.c | 89 +- .../PlatformSetupDxe/VfrStrings.uni | Bin 315770 -> 311660 = bytes .../BroxtonPlatformPkg/PlatformDsc/Components.dsc | 18 +- .../PlatformDsc/LibraryClasses.dsc | 2 - Platform/BroxtonPlatformPkg/PlatformPkg.fdf | 11 +- 12 files changed, 69 insertions(+), 1171 deletions(-) delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecu= reDefaultsLib/PlatformSecureDefaultsLib.c delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecu= reDefaultsLib/PlatformSecureDefaultsLib.inf diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefau= ltsLib/PlatformSecureDefaultsLib.c b/Platform/BroxtonPlatformPkg/Common/Lib= rary/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c deleted file mode 100644 index 2cdd01d..0000000 --- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/= PlatformSecureDefaultsLib.c +++ /dev/null @@ -1,952 +0,0 @@ -/** @file - IPC based PlatformFvbLib library instance. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
- - This program and the accompanying materials - are licensed and made available under the terms and conditions of the BS= D License - which accompanies this distribution. The full text of the license may b= e found at - http://opensource.org/licenses/bsd-license.php. - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. - -**/ - -#include "Library/PlatformSecureDefaultsLib.h" -#include -#include - -EFI_GUID mUefiImageSecurityDBGuid =3D EFI_IMAGE_SECURITY_DATABASE_G= UID; -EFI_GUID mUefiCertTypeRsa2048Guid =3D EFI_CERT_RSA2048_GUID; - -#define WIN_CERT_UEFI_RSA2048_SIZE 256 -#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable" - -extern EFI_GUID mUefiCertTypeRsa2048Guid; -extern EFI_GUID gEfiSecureBootEnableDisableGuid; - -EFI_GUID gOwnerSignatureGUID =3D {0x77fa9abd, 0x0359, 0x4d32, {0xb= d, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}; -static EFI_GUID gDbxUpdateImageGuid =3D {0xa3d48bb3, 0x350f, 0x4bcd, 0xa4= , 0xad, 0x44, 0x5b, 0x93, 0x9f, 0x6d, 0x9c }; - -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 - descriptor with the input data. NO authentication is required in this fu= nction. - - @param[in, out] DataSize On input, the size of Data bu= ffer in bytes. - On output, the size of data r= eturned in Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buf= fer to be wrapped or - pointer to NULL to wrap an em= pty payload. - On output, Pointer to the new= payload date buffer allocated from pool, - it's caller's responsibility = to free the memory when finish using it. - - @retval EFI_SUCCESS Create time based payload suc= cessfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory r= esourses to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. 
- -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed= but the - // parameters to the SetVariable() call still need to be prepared as aut= henticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate - // data in it. - // - Payload =3D *Data; - PayloadSize =3D *DataSize; - - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo= ) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData =3D (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID= ; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload !=3D NULL) { - FreePool(Payload); - } - - *DataSize =3D DescriptorSize + PayloadSize; - *Data =3D NewData; - return EFI_SUCCESS; -} - - -/** - Generate the PK signature list from the X509 Certificate storing file 
(.= cer) - - @param[in] X509Data FileHandle of X509 Certificate s= toring file. - @param[in] X509DataSize The size of fileHandle of X509 C= ertificate storing file. - @param[out] PkCert Point to the data buffer to stor= e the signature list. - - @retval EFI_UNSUPPORTED Unsupported Key Length. - @retval EFI_OUT_OF_RESOURCES There are not enough memory reso= urses to form the signature list. - -**/ -EFI_STATUS -CreatePkX509SignatureList ( - IN UINT8 *X509Data, - IN UINTN X509DataSize, - OUT EFI_SIGNATURE_LIST **PkCert - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_DATA *PkCertData; - - PkCertData =3D NULL; - Status =3D EFI_SUCCESS; - ASSERT (X509Data !=3D NULL); - - // - // Allocate space for PK certificate list and initialize it. - // Create PK database entry with SignatureHeaderSize equals 0. - // - *PkCert =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool ( - sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - = 1 - + X509DataSize - ); - if (*PkCert =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - (*PkCert)->SignatureListSize =3D (UINT32) (sizeof (EFI_SIGNATURE_LIST) - + sizeof (EFI_SIGNATURE_DATA) - 1 - + X509DataSize); - (*PkCert)->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA)= - 1 + X509DataSize); - (*PkCert)->SignatureHeaderSize =3D 0; - CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid); - PkCertData =3D (EFI_SIGNATURE_DATA *) ((UINTN) (*PkC= ert) - + sizeof (EFI_SI= GNATURE_LIST) - + (*PkCert)->Sig= natureHeaderSize); - CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid); - // - // Fill the PK database with PKpub data from X509 certificate file. 
- // - CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize); - -ON_EXIT: - - if (EFI_ERROR(Status) && *PkCert !=3D NULL) { - FreePool (*PkCert); - *PkCert =3D NULL; - } - - return Status; -} - - -EFI_STATUS -EnrollPlatformKey ( - IN VOID *Buf, - IN UINTN BufSize - ) -{ - EFI_STATUS Status; - UINT32 Attr; - UINTN DataSize; - EFI_SIGNATURE_LIST *PkCert; - - PkCert =3D NULL; - - // - // Prase the selected PK file and generature PK certificate list. - // - Status =3D CreatePkX509SignatureList ( - Buf, - BufSize, - &PkCert - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (PkCert !=3D NULL); - - // - // Set Platform Key variable. - // - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTH= ENTICATED_WRITE_ACCESS; - DataSize =3D PkCert->SignatureListSize; - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **) &PkCert); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - goto ON_EXIT; - } - - Status =3D gRT->SetVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - DataSize, - PkCert - ); - if (EFI_ERROR (Status)) { - if (Status =3D=3D EFI_OUT_OF_RESOURCES) { - DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n")); - } - goto ON_EXIT; - } - -ON_EXIT: - - if (PkCert !=3D NULL) { - FreePool (PkCert); - } - - return Status; -} - - -/** - Enroll a new KEK item from X509 certificate file. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported command. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollX509ToKek ( - VOID *X509Data, - UINTN X509DataSize - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_DATA *KEKSigData; - EFI_SIGNATURE_LIST *KekSigList; - UINTN DataSize; - UINTN KekSigListSize; - UINT32 Attr; - - KekSigList =3D NULL; - KekSigListSize =3D 0; - DataSize =3D 0; - KEKSigData =3D NULL; - - ASSERT (X509Data !=3D NULL); - - KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_D= ATA) - 1 + X509DataSize; - KekSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (KekSigListSize); - if (KekSigList =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. - // - KekSigList->SignatureListSize =3D (UINT32) KekSigListSize; - KekSigList->SignatureHeaderSize =3D 0; - KekSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 = + X509DataSize); - CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); - - KEKSigData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) KekSigList + sizeof (EF= I_SIGNATURE_LIST)); - CopyGuid (&KEKSigData->SignatureOwner, &gOwnerSignatureGUID); - CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize); - - // - // Check if KEK been already existed. 
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new kek to original variable - // - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTH= ENTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **) &KekSigLi= st); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - goto ON_EXIT; - } - - Status =3D gRT->GetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - NULL, - &DataSize, - NULL - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - Attr |=3D EFI_VARIABLE_APPEND_WRITE; - } else if (Status !=3D EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status =3D gRT->SetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - KekSigListSize, - KekSigList - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (KekSigList !=3D NULL) { - FreePool (KekSigList); - } - - return Status; -} - - -/** - Enroll new KEK into the System without PK's authentication. - The SignatureOwner GUID will be Private->SignatureGUID. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New KEK enrolled successful. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval others Fail to enroll KEK data. 
- -**/ -EFI_STATUS -EnrollKeyExchangeKey ( - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509ToKek (DataBuf, BufSize); -} - - -EFI_STATUS -EnrollX509toForbSigDB ( - IN CHAR16 *VariableName, - IN VOID *X509Data, - IN UINTN X509DataSize - ) -{ - EFI_STATUS Status; - VOID *Data; - UINTN SigDBSize; - UINT32 Attr; - UINTN DataSize; - - SigDBSize =3D 0; - DataSize =3D 0; - Data =3D NULL; - - ASSERT (X509Data !=3D NULL); - - SigDBSize =3D X509DataSize; - - Data =3D AllocateZeroPool (SigDBSize); - if (Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - CopyMem ((UINT8 *) Data, X509Data, X509DataSize); - - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTH= ENTICATED_WRITE_ACCESS; - - // - // Check if signature database entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - Status =3D gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - Attr |=3D EFI_VARIABLE_APPEND_WRITE; - } else if (Status !=3D EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status =3D gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (Data !=3D NULL) { - FreePool (Data); - } - - return Status; -} - - -/** - Enroll X509 certificate into Forbidden Database (DBX) without - KEK's authentication. - - @param[in] VariableName Variable name of signature database, m= ust be - @param[in] *DataBuf Pointer to Data Buffer - @param[in] BufSize Data Buffer size - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollKeyForbiddenSignatureDatabase ( - IN CHAR16 *VariableName, - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509toForbSigDB (VariableName, DataBuf, BufSize); -} - - -/** - Enroll a new X509 certificate into Signature Database (DB or DBX) withou= t - KEK's authentication. - - @param[in] PrivateData The module's private data. - @param[in] VariableName Variable name of signature database, m= ust be - EFI_IMAGE_SECURITY_DATABASE or EFI_IMA= GE_SECURITY_DATABASE1. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. - -**/ -EFI_STATUS -EnrollX509toSigDB ( - IN CHAR16 *VariableName, - IN VOID *X509Data, - IN UINTN X509DataSize - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_LIST *SigDBCert; - EFI_SIGNATURE_DATA *SigDBCertData; - VOID *Data; - UINTN DataSize; - UINTN SigDBSize; - UINT32 Attr; - - SigDBSize =3D 0; - DataSize =3D 0; - SigDBCert =3D NULL; - SigDBCertData =3D NULL; - Data =3D NULL; - - ASSERT (X509Data !=3D NULL); - - SigDBSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) = - 1 + X509DataSize; - - Data =3D AllocateZeroPool (SigDBSize); - if (Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. - // - SigDBCert =3D (EFI_SIGNATURE_LIST *) Data; - SigDBCert->SignatureListSize =3D (UINT32) SigDBSize; - SigDBCert->SignatureHeaderSize =3D 0; - SigDBCert->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 += X509DataSize); - CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid); - - SigDBCertData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) SigDBCert + sizeof (= EFI_SIGNATURE_LIST)); - CopyGuid (&SigDBCertData->SignatureOwner, &gOwnerSignatureGUID); - CopyMem ((UINT8 *) (SigDBCertData->SignatureData), X509Data, X509DataSiz= e); - - // - // Check if signature database entry has been already existed. 
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTH= ENTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **) &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - goto ON_EXIT; - } - - Status =3D gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - Attr |=3D EFI_VARIABLE_APPEND_WRITE; - } else if (Status !=3D EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status =3D gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (Data !=3D NULL) { - FreePool (Data); - } - - return Status; -} - - -EFI_STATUS -EnrollSignatureDatabase ( - IN CHAR16 *VariableName, - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509toSigDB (VariableName, DataBuf, BufSize); -} - - -/** - Function to Load Secure Keys given the binary GUID - - @param[in] VendorGuid GUID of the Variable. - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Set the variable successfully. - @retval Others Set variable failed. 
- -**/ -EFI_STATUS -SetSecureVariabeKeys ( - IN EFI_GUID *ImageGuid, - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv; - UINTN FvProtocolCount; - EFI_HANDLE *FvHandles; - UINTN Index1; - UINT32 AuthenticationStatus; - UINT8 *Buffer=3DNULL; - UINTN BufferSize=3D0; - UINT32 Attr; - - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_V= ARIABLE_BOOTSERVICE_ACCESS; - - FvHandles =3D NULL; - - Status =3D gBS->LocateHandleBuffer ( - ByProtocol, - &gEfiFirmwareVolume2ProtocolGuid, - NULL, - &FvProtocolCount, - &FvHandles - ); - - if (!EFI_ERROR (Status)) { - for (Index1 =3D 0; Index1 < FvProtocolCount; Index1++) { - Status =3D gBS->HandleProtocol ( - FvHandles[Index1], - &gEfiFirmwareVolume2ProtocolGuid, - (VOID **) &Fv - ); - BufferSize=3D 0; - - Status =3D Fv->ReadSection ( - Fv, - ImageGuid, - EFI_SECTION_RAW, - 0, - (VOID **) &Buffer, - &BufferSize, - &AuthenticationStatus - ); - - if (!EFI_ERROR (Status)) { - Status =3D EFI_SUCCESS; - break; - } - } - } - - if (Buffer =3D=3D NULL) - return EFI_UNSUPPORTED; - if (StrCmp (VariableName, L"PK") =3D=3D 0){ - Status =3D EnrollPlatformKey (Buffer, BufferSize); - } else if (StrCmp (VariableName, L"KEK") =3D=3D 0) { - Status =3D EnrollKeyExchangeKey (Buffer, BufferSize); - } else if (CompareGuid (ImageGuid, &gDbxUpdateImageGuid)) { - Status =3D EnrollKeyForbiddenSignatureDatabase (VariableName,Buffer, B= ufferSize); - } else { - Status =3D EnrollSignatureDatabase (VariableName, Buffer, BufferSize); - } - return Status; -} - - -/** - Internal function to Update User Mode to Setup Mode given its name and G= UID, no authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Updated to Setup Mode successful= ly. - @retval Others The driver failed to start the d= evice. 
- -**/ -EFI_STATUS -UpdateSetupModetoUserMode ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 SetupMode; - UINT8 SecureBootEnable; - - SetupMode =3D 0; - SecureBootEnable =3D 1; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, - 1, - &SetupMode - ); - - if (!EFI_ERROR (Status)) { - Status =3D gRT->SetVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_A= CCESS, - sizeof (UINT8), - &SecureBootEnable - ); - } - return Status; -} - - -/** - Enrolls PK, KEK, Db and Dbx. - - Note: Setup variable uses UEFI Runtime Services. - Do not call this function from PEI. - -**/ -VOID -EnrollKeys ( - VOID - ) -{ - EFI_STATUS Status; - UINT8 SecureBootCstMde; - UINTN DataSize; - SYSTEM_CONFIGURATION SystemConfiguration; - UINTN VarSize; - - EFI_GUID KekImageGuid =3D { 0x5d354a1f, 0x98d7, 0x4938, 0x8f, 0x18, 0x= f8, 0x4e, 0x1c, 0x89, 0xb2, 0xed }; - EFI_GUID Db1ImageGuid =3D { 0x4de09060, 0x5864, 0x471a, 0xb3, 0x52, 0x= d4, 0x50, 0x6e, 0xd7, 0xbb, 0xb0 }; - EFI_GUID DbxImageGuid =3D { 0x96b44e98, 0x6c49, 0x4c03, 0xa8, 0xa4, 0x= 77, 0x93, 0xef, 0x41, 0x68, 0x5a }; - EFI_GUID PkImageGuid =3D { 0xc43024ad, 0x8cb8, 0x4393, 0x8a, 0xe1, 0x= f3, 0x5c, 0xbf, 0xc7, 0xcd, 0x56 }; - EFI_GUID Db2ImageGuid =3D { 0x0f97c7a2, 0xba0c, 0x4e8a, 0x90, 0xf9, 0x= b1, 0xcc, 0x40, 0x57, 0x01, 0xf8 }; - EFI_GUID Db3ImageGuid =3D { 0x774491b2, 0x85ff, 0x47b0, 0x89, 0xa4, 0x= cc, 0xd8, 0xb3, 0x99, 0xaa, 0xd4 }; - EFI_GUID Kek2ImageGuid =3D { 0xE989363D, 0x449F, 0x4b32, 0x96, 0xB0, 0x= B2, 0x71, 0x73, 0x44, 0xD0, 0xEE }; - EFI_GUID Db4ImageGuid =3D { 0xB69B054C, 0x7EA4, 0x4f13, 0xB7, 0xFF, 0x= 72, 0xC6, 0x32, 0x3B, 0xC8, 0x5A }; - EFI_GUID Db5ImageGuid =3D { 0xB8FA2839, 
0xE0C1, 0x4368, 0xA5, 0x1B, 0x= 5F, 0x4A, 0x21, 0x74, 0x61, 0x29 }; - EFI_GUID Db6ImageGuid =3D { 0x758FBB84, 0xEF4C, 0x4acf, 0xB1, 0xA6, 0x= E8, 0x44, 0xD5, 0xFF, 0x6B, 0xA6 }; - - VarSize =3D sizeof (SYSTEM_CONFIGURATION); - Status =3D gRT->GetVariable ( - L"Setup", - &gEfiSetupVariableGuid, - NULL, - &VarSize, - &SystemConfiguration - ); - - ASSERT_EFI_ERROR (Status); - - // - // Enroll Key Exchange Key - // - SetSecureVariabeKeys (&KekImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlo= balVariableGuid); - if (!(SystemConfiguration.UseProductKey)) { - SetSecureVariabeKeys (&Kek2ImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfi= GlobalVariableGuid); - // - // Enroll Authenticated database. - // - SetSecureVariabeKeys (&Db1ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEf= iImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db4ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEf= iImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db5ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEf= iImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db6ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEf= iImageSecurityDatabaseGuid); - // - // Enroll Platform Key - 219_Microsoft_UEFI_Logo_Test_KEK.cer for WOS = and common_PK.x509.cer for AOS - // - SetSecureVariabeKeys (&PkImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobal= VariableGuid); - } else { - // - // Enroll Platform Key - KEK_MSFTproductionKekCA.cer - // - SetSecureVariabeKeys (&KekImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGloba= lVariableGuid); - } - SetSecureVariabeKeys (&Db2ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiI= mageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db3ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiI= mageSecurityDatabaseGuid); - // - //Enroll Forbidden Database - // - SetSecureVariabeKeys (&DbxImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfi= ImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&gDbxUpdateImageGuid, EFI_IMAGE_SECURITY_DATABASE1= , &gEfiImageSecurityDatabaseGuid); - - // - // If secure boot mode in custom mode, change 
to standard mode. - // - Status =3D gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &SecureBootCstMde - ); - - if (SecureBootCstMde) { - SecureBootCstMde =3D !SecureBootCstMde; - Status =3D gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_A= CCESS, - sizeof (UINT8), - &SecureBootCstMde - ); - } -} - - -/** - Internal function to delete a Variable given its name and GUID, no authe= ntication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the = device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - - Data =3D NULL; - DataSize =3D 0; - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status =3D CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - return Status; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data !=3D NULL) { - FreePool (Data); - } - return Status; -} - - -/** - Internal function to Update User Mode to Setup Mode given its name and G= UID, no authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Updated to Setup Mode successfu= lly. - @retval Others The driver failed to start the = device. 
- -**/ -EFI_STATUS -UpdateUserModetoSetupMode ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 SetupMode; - UINT8 SecureBootDisable; - - SetupMode =3D 1; - SecureBootDisable =3D 0; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, - 1, - &SetupMode - ); - - if (!EFI_ERROR (Status)) { - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisabl= eGuid, &Variable, NULL); - Status =3D gRT->SetVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_A= CCESS, - sizeof (UINT8), - &SecureBootDisable - ); - } - return Status; -} - - -/** - Deletes PK, KEK, Db and Dbx. - -**/ -VOID -DeleteKeys ( - ) -{ - // - // 1. Clear PK. - // - DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid); - - // - // 2. Update "SetupMode" variable to SETUP_MODE. - // - UpdateUserModetoSetupMode (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid)= ; - - // - // 3. Clear KEK, DB and DBX. - // - DeleteVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid); - DeleteVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseG= uid); - DeleteVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabase= Guid); -} - - -/** - Enable Custom Mode. - -**/ - VOID - EnableCustomMode ( - ) -{ - UINT8 CustomMode; - EFI_STATUS Status; - - CustomMode =3D 1; - - Status =3D gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, - sizeof (UINT8), - &CustomMode - ); - -} - 
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefau= ltsLib/PlatformSecureDefaultsLib.inf b/Platform/BroxtonPlatformPkg/Common/L= ibrary/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf deleted file mode 100644 index 72a001d..0000000 --- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/= PlatformSecureDefaultsLib.inf +++ /dev/null @@ -1,69 +0,0 @@ -## @file -# NULL PlatformFvbLib library instance. -# This library handles hooks for the EMU Variable FVB driver. -# -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
-# -# This program and the accompanying materials -# are licensed and made available under the terms and conditions of the B= SD License -# which accompanies this distribution. The full text of the license may b= e found at -# http://opensource.org/licenses/bsd-license.php. -# -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IM= PLIED. -# -## - -[Defines] - INF_VERSION =3D 0x00010005 - BASE_NAME =3D PlatformSecureDefaultsLib - FILE_GUID =3D 402B0508-781A-4016-A1D7-9740FFE001A0 - MODULE_TYPE =3D BASE - VERSION_STRING =3D 1.0 - LIBRARY_CLASS =3D PlatformSecureDefaultsLib | DXE_DRIVE= R DXE_RUNTIME_DRIVER - -# -# The following information is for reference only and not required by the = build tools. -# -# VALID_ARCHITECTURES =3D IA32 X64 IPF EBC -# - -[Sources] - PlatformSecureDefaultsLib.c - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - IntelFrameworkPkg/IntelFrameworkPkg.dec - IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec - SecurityPkg/SecurityPkg.dec - BroxtonPlatformPkg/PlatformPkg.dec - BroxtonSiPkg/BroxtonSiPkg.dec - -[LibraryClasses] - DebugLib - DxeServicesTableLib - UefiBootServicesTableLib - DevicePathLib - BaseMemoryLib - BaseLib - IoLib - TimerLib - MemoryAllocationLib - PcdLib - -[Protocols] - gEfiFirmwareVolume2ProtocolGuid - -[Guids] - gEfiGlobalVariableGuid ## PRODUCES ## Variable Gu= id - gEfiSetupVariableGuid - gEfiVariableGuid - gEfiImageSecurityDatabaseGuid - gEfiCertX509Guid - gEfiCertPkcs7Guid - gEfiCustomModeEnableGuid - -[Depex] - TRUE - diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDx= e/Platform.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/Platform= Dxe/Platform.c index 02dcc27..187eb21 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platf= orm.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platf= orm.c 
@@ -1,7 +1,7 @@ /** @file Platform Initialization Driver. =20 - Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License @@ -641,7 +641,7 @@ InitPlatformResolution ( PcdSet32S (PcdVideoVerticalResolution, PanelResolution[mSystemConfigurat= ion.IgdFlatPanel].VerticalResolution); } =20 -VOID=20 +VOID OverrideSdCardPresence ( VOID ) @@ -670,7 +670,7 @@ OverrideSdCardPresence ( } else { P2sbMmioBar &=3D B_P2SB_BAR_BA; } - =20 + Gpio177PadConfigDW0RegAdd =3D P2SB_MMIO_ADDR (P2sbMmioBar, SOUTHWEST, 0x= 5D0); Gpio177RxState =3D MmioRead32(Gpio177PadConfigDW0RegAdd) & BIT1; DEBUG ((DEBUG_INFO, "Gpio177PadConfigDW0RegAdd: 0x%X\n", Gpio177PadConfi= gDW0RegAdd)); @@ -868,11 +868,6 @@ InitializePlatform ( =20 FdoEnabledGuidHob =3D GetFirstGuidHob (&gFdoModeEnabledHobGuid); if (FdoEnabledGuidHob !=3D NULL) { - // - // Secure boot must be disabled in Flash Descriptor Override (FDO) boo= t - // - EnableCustomMode (); - DeleteKeys (); } =20 #if (ENBDT_PF_ENABLE =3D=3D 1) //BXTP @@ -916,9 +911,9 @@ InitializePlatform ( &EfiExitBootServicesEvent ); =20 - =20 - OverrideSdCardPresence();=20 - =20 + + OverrideSdCardPresence(); + return EFI_SUCCESS; } =20 diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDx= e/PlatformDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/Pla= tformDxe/PlatformDxe.inf index c2714a6..cf8ca08 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platf= ormDxe.inf +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platf= ormDxe.inf @@ -1,7 +1,7 @@ ## @file # Component description file for platform DXE driver # -# Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the B= SD License @@ -50,7 +50,6 @@ UefiBootServicesTableLib UefiDriverEntryPoint UefiRuntimeServicesTableLib - PlatformSecureDefaultsLib DxeServicesTableLib DebugLib HiiLib diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSe= tupDxe/PlatformSetupDxe.c b/Platform/BroxtonPlatformPkg/Common/PlatformSett= ings/PlatformSetupDxe/PlatformSetupDxe.c index 02b03ff..5cbe136 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= PlatformSetupDxe.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= PlatformSetupDxe.c @@ -13,7 +13,7 @@ 4. It save all the mapping info in NV variables which will be consumed by platform override protocol driver to publish the platform override= protocol. =20 - Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License @@ -508,43 +508,6 @@ SystemConfigCallback ( if (Key.UnicodeChar =3D=3D CHAR_CARRIAGE_RETURN) { =20 } - } else if (KeyValue =3D=3D 0x1237 /*KEY_CLEAR_KEK_AND_PK*/ ) { - // - //Delete PK, KEK, DB, DBx - // - EnableCustomMode (); - DeleteKeys (); - StrCpyS (StringBuffer1, 200, L"Clear Keys Completed"); - StrCpyS (StringBuffer2, 200, L"Please Restart System"); - - // - // Popup a menu to notice user - // - do { - CreatePopUp (EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBu= ffer1, StringBuffer2, NULL); - } while ((Key.ScanCode !=3D SCAN_ESC) && (Key.UnicodeChar !=3D CHA= R_CARRIAGE_RETURN)); - - gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); - } else if (KeyValue =3D=3D 0x1238 /*KEY_LOAD_DEFAULTS_KEYS*/ ) { - // - // Enroll PK, KEK, DB and DBx - // - EnrollKeys (); - StrCpyS (StringBuffer1, 200, L"Restore Keys Completed"); - StrCpyS (StringBuffer2, 200, L"Please Restart System"); - - // - // Popup a notification menu - // - do { - CreatePopUp(EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuf= fer1, StringBuffer2, NULL); - } while ((Key.ScanCode !=3D SCAN_ESC) && (Key.UnicodeChar !=3D CHA= R_CARRIAGE_RETURN)); - - // - // Reset the system - // - gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); - } else if (KeyValue =3D=3D 0x1239) { // // Popup a notification menu diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSe= tupDxe/PlatformSetupDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSe= ttings/PlatformSetupDxe/PlatformSetupDxe.inf index 09a16c8..0cbcb71 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= PlatformSetupDxe.inf +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= PlatformSetupDxe.inf 
@@ -16,7 +16,7 @@ # 4. It save all the mapping info in NV variables for the following boot, # which will be consumed by GetDriver API of the produced the platform= override protocol. # -# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the B= SD License @@ -92,7 +92,6 @@ BiosIdLib CpuIA32Lib IoLib - PlatformSecureDefaultsLib BaseIpcLib HeciMsgLib SteppingLib diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSe= tupDxe/Security.vfi b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/P= latformSetupDxe/Security.vfi index f79e81b..9d0855e 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= Security.vfi +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= Security.vfi 
@@ -107,39 +107,6 @@ form formid =3D SECURITY_CONFIGURATION_FORM_ID, endif; endif; =20 - subtitle text =3D STRING_TOKEN(STR_NULL_STRING); - - - subtitle text =3D STRING_TOKEN(STR_NULL_STRING); - - oneof varid =3D Setup.SecureBootCustomMode, - prompt =3D STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), - help =3D STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), - option text =3D STRING_TOKEN(STR_SB_STANDARD_MODE), value=3D0x00, flag= s =3D DEFAULT | MANUFACTURING; - option text =3D STRING_TOKEN(STR_SB_CUSTOM_MODE), value=3D0x01, flags = =3D 0; - endoneof; - oneof varid =3D Setup.UseProductKey, - prompt =3D STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_PROMPT), - help =3D STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_HELP), - option text =3D STRING_TOKEN(STR_DEV_KEY), value=3D0x00, flags =3D DEF= AULT | RESET_REQUIRED; - option text =3D STRING_TOKEN(STR_PRO_KEY), value=3D0x01, flags =3D RES= ET_REQUIRED; - endoneof; - text - help =3D STRING_TOKEN(STR_CLEAR_ALL_KEYS_HELP), - text =3D STRING_TOKEN(STR_CLEAR_ALL_KEYS), - text =3D STRING_TOKEN(STR_NULL_STRING), - flags =3D INTERACTIVE, - key =3D 0x1237; //KEY_CLEAR_KEK_AND_PK; - - text - help =3D STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS_HELP), - text =3D STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS), - text =3D STRING_TOKEN(STR_NULL_STRING), - flags =3D INTERACTIVE, - key =3D 0x1238; //KEY_LOAD_DEFAULTS_KEYS; - - subtitle text =3D STRING_TOKEN(STR_NULL_STRING); - // //TPM related // @@ -154,7 +121,7 @@ form formid =3D SECURITY_CONFIGURATION_FORM_ID, option text =3D STRING_TOKEN(STR_TPM_DTPM_2_0), value =3D 0x03, flags = =3D RESET_REQUIRED; endoneof; =20 - suppressif NOT ideqval Setup.TPM =3D=3D 1;=20 + suppressif NOT ideqval Setup.TPM =3D=3D 1; oneof varid =3D Setup.TPMSupportedBanks, prompt =3D STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_PROMPT), help =3D STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_HELP), 
@@ -164,6 +131,6 @@ form formid =3D SECURITY_CONFIGURATION_FORM_ID, option text =3D STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_BOTH), value =3D = TPM2_SUPPORTED_BANK_BOTH, flags =3D RESET_REQUIRED; endoneof; endif; - =20 + endform; =20 diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSe= tupDxe/SetupInfoRecords.c b/Platform/BroxtonPlatformPkg/Common/PlatformSett= ings/PlatformSetupDxe/SetupInfoRecords.c index 8f7a534..d504995 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= SetupInfoRecords.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/= SetupInfoRecords.c @@ -1,7 +1,7 @@ /** @file To retrieve various platform info data for Setup menu. =20 - Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License @@ -47,8 +47,6 @@ #include "ScAccess.h" #include "SetupMode.h" =20 -#define EFI_CUSTOM_MODE_NAME L"CustomMode" -extern EFI_GUID gEfiCustomModeEnableGuid; =20 #define LEFT_JUSTIFY 0x01 #define PREFIX_SIGN 0x02 @@ -65,7 +63,6 @@ EFI_GUID mProcessorProducerGuid; EFI_HII_HANDLE mHiiHandle; SYSTEM_CONFIGURATION mSystemConfiguration; EFI_PLATFORM_INFO_HOB *mPlatformInfo; -UINT8 mUseProductKey =3D 0; =20 #define memset SetMem =20 @@ -1720,14 +1717,30 @@ SetupInfo ( =20 VOID CheckSystemConfigLoad ( - SYSTEM_CONFIGURATION *SystemConfigPtr + SYSTEM_CONFIGURATION *SystemConfigPtr ) { EFI_STATUS Status; SEC_OPERATION_PROTOCOL *SeCOp; SEC_INFOMATION SeCInfo; + UINT8 SecureBoot; + UINTN DataSize; + + DataSize =3D sizeof (SecureBoot); + Status =3D gRT->GetVariable ( + EFI_SECURE_BOOT_MODE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + &SecureBoot + ); + + if (EFI_ERROR (Status)) { + SystemConfigPtr->SecureBoot =3D 0; + } else { + SystemConfigPtr->SecureBoot =3D SecureBoot; + } =20 - mUseProductKey =3D SystemConfigPtr->UseProductKey; Status =3D gBS->LocateProtocol ( &gEfiSeCOperationProtocolGuid, NULL, @@ -1787,7 +1800,7 @@ CheckTPMActivePcrBanks ( =20 VOID CheckSystemConfigSave ( - SYSTEM_CONFIGURATION *SystemConfigPtr + SYSTEM_CONFIGURATION *SystemConfigPtr ) { EFI_STATUS Status; 
@@ -1795,51 +1808,7 @@ CheckSystemConfigSave ( SEC_INFOMATION SeCInfo; UINT8 SecureBootCfg; UINTN DataSize; - UINT8 CustomMode; - - if (mUseProductKey !=3D SystemConfigPtr->UseProductKey) { - EnableCustomMode (); - DeleteKeys (); - EnrollKeys (); - } - DataSize =3D sizeof (CustomMode); - Status =3D gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &CustomMode - ); - - if (EFI_ERROR (Status)) { - DeleteKeys (); - EnrollKeys (); - DataSize =3D sizeof (CustomMode); - Status =3D gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &CustomMode - ); - } - - if (CustomMode !=3D SystemConfigPtr->SecureBootCustomMode) { - if (CustomMode =3D=3D 1) { - DeleteKeys (); - EnrollKeys (); - CustomMode =3D 0; - } else { - CustomMode =3D 1; - Status =3D gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS, - sizeof (UINT8), - &CustomMode - ); - } - } + BOOLEAN SecureBootNotFound; =20 Status =3D gBS->LocateProtocol ( &gEfiSeCOperationProtocolGuid, @@ -1861,6 +1830,8 @@ CheckSystemConfigSave ( // // Secure Boot configuration changes // + DataSize =3D sizeof (SecureBootCfg); + SecureBootNotFound =3D FALSE; Status =3D gRT->GetVariable ( EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, @@ -1870,12 +1841,22 @@ CheckSystemConfigSave ( ); =20 if (EFI_ERROR (Status)) { - SecureBootCfg =3D 0; + SecureBootNotFound =3D TRUE; + } + + if (SecureBootNotFound) { + Status =3D gRT->GetVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + NULL, + &DataSize, + &SecureBootCfg + ); + ASSERT_EFI_ERROR (Status); } =20 if ((SecureBootCfg) !=3D SystemConfigPtr->SecureBoot) { SecureBootCfg =3D !SecureBootCfg; - Status =3D gRT->SetVariable ( EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, 
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSe= tupDxe/VfrStrings.uni b/Platform/BroxtonPlatformPkg/Common/PlatformSettings= /PlatformSetupDxe/VfrStrings.uni index 47b84ee6a0ac53bef15b322024a47c9935285ffb..9ff9a80ba62edb19ac8982991e2= dcc364d1df52a 100644 GIT binary patch delta 42 zcmV+_0M-Bcq7&?b6Oh6MHvlXEAd}HFBZ2CL>H&r70=3D4P`rpuSC=3DK&74tlR_6^p{B# AVgLXD delta 1706 zcmbtUOHUI~6h1T45?dqk{B6MsT=3Dz;R z_HrJ02(S~7l}cj3gNXm>TErG)Z$kv|ce=3D`yE_aB|dHHag6|Rscd%`ESq`VaB;|0{a zaw9f=3DC|YeF3K-qW6XJH0W6)(I53#%=3DYt@!^5ofTbE@l@bU&SA(SUxCe{8$=3DnyoVY_ z(NDc#%gss}8{s}?ODFeNTl1ti`EapR?{4yT!ryhV#x`mB`ImP9A!zDVxHXYZA@ GpT7a+n_%An diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc b/Platf= orm/BroxtonPlatformPkg/PlatformDsc/Components.dsc index eb47ea0..d3be2da 100644 --- a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc +++ b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc @@ -234,6 +234,16 @@ !endif =20 # + # Secure Boot + # +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf { + + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/Platform= SecureLibNull.inf + } +!endif + + # # SMM # MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf @@ -367,10 +377,10 @@ $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcHostDxe/MmcHostDxe.i= nf =20 $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcMediaDeviceDxe/MmcMe= diaDeviceDxe.inf - =20 + $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdContro= llerDxe.inf $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMedia= DeviceDxe.inf - =20 + =20 !if $(ACPI50_ENABLE) =3D=3D TRUE MdeModulePkg/Universal/SmmCommunicationBufferDxe/SmmCommunicationBuffe= rDxe.inf 
@@ -474,12 +484,12 @@ PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf =20 $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf - =20 + # # USB TypeC # $(PLATFORM_PACKAGE_COMMON)/Acpi/UsbTypeCDxe/UsbTypeCDxe.inf - =20 + # # Application # diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc b/P= latform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc index c2424f0..971dc4a 100644 --- a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc +++ b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc @@ -237,8 +237,6 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf !endif - - PlatformSecureDefaultsLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformSe= cureDefaultsLib/PlatformSecureDefaultsLib.inf SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmC= puPlatformHookLibNull.inf =20 BasePlatformCmosLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformCmosLib/= PlatformCmosLib.inf diff --git a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf b/Platform/Broxton= PlatformPkg/PlatformPkg.fdf index a5a3555..2476407 100644 --- a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf +++ b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf @@ -450,7 +450,7 @@ APRIORI DXE { =20 INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdCo= ntrollerDxe.inf INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdM= ediaDeviceDxe.inf - =20 + INF IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.i= nf =20 # @@ -575,6 +575,13 @@ APRIORI DXE { INF $(PLATFORM_PACKAGE_COMMON)/PnpDxe/PnpDxe.inf =20 # + # Secure Boot + # +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf +!endif + + # # SMM # INF MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf 
@@ -710,7 +717,7 @@ APRIORI DXE { SECTION PE32 =3D ShellBinPkg/UefiShell/$(IA32_X64_LC)/Shell.efi } =20 - INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf =20 + INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf =20 # # USB TypeC --=20 2.7.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
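Review bot: in the Platform.c InitializePlatform hunk (@@ -868,11 +868,6 @@), removing `EnableCustomMode ();` and `DeleteKeys ();` leaves `if (FdoEnabledGuidHob != NULL) { }` with an empty body, and the comment that documented the invariant ("Secure boot must be disabled in Flash Descriptor Override (FDO) boot") disappears without a replacement. Either drop the now-dead GetFirstGuidHob lookup and the check, or keep a comment stating how an FDO boot is expected to behave now that the platform no longer clears the enrolled keys; the commit message ("Enable Secure Boot.") should say why the FDO-mode key deletion is no longer needed, since an FDO boot will now proceed with whatever PK/KEK/db is enrolled.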
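Review bot: the Security.vfi hunk (@@ -107,39 +107,6 @@) removes the `oneof varid = Setup.SecureBootCustomMode` and `oneof varid = Setup.UseProductKey` controls together with the 0x1237/0x1238 interactive keys, but no hunk in this patch touches the SYSTEM_CONFIGURATION definition that declares SecureBootCustomMode and UseProductKey, and the STR_SECURE_BOOT_MODE_*, STR_SECURE_BOOT_PRO_KEY_*, STR_CLEAR_ALL_KEYS* and STR_LOAD_DEFAULTS_KEYS* tokens are only touched through the binary VfrStrings.uni delta, which cannot be reviewed here. Please confirm whether the setup structure fields are removed in a follow-up or deliberately retained for NVRAM layout compatibility, and list the removed string tokens in the commit message.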
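Review bot: in CheckSystemConfigLoad (SetupInfoRecords.c, @@ -1720,14 +1717,30 @@), SystemConfigPtr->SecureBoot is populated from the SecureBoot state variable (`EFI_SECURE_BOOT_MODE_NAME` under `gEfiGlobalVariableGuid`), whereas CheckSystemConfigSave compares that same field against `EFI_SECURE_BOOT_ENABLE_NAME` under `gEfiSecureBootEnableDisableGuid` and toggles the latter on mismatch. These are not the same value: the SecureBoot state variable is 0 whenever the platform is in setup mode (no PK enrolled) even if SecureBootEnable is 1, so saving the form without changing anything will then flip SecureBootEnable to 0. Load should read EFI_SECURE_BOOT_ENABLE_NAME with gEfiSecureBootEnableDisableGuid so that Load and Save operate on the same variable; the effective SecureBoot state can still be shown on the form as a separate read-only item if wanted.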
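Review bot: in the CheckSystemConfigSave hunk (@@ -1870,12 +1841,22 @@), the fallback for a missing SecureBootEnable variable is broken: the old `SecureBootCfg = 0;` on error is replaced by `SecureBootNotFound = TRUE;`, and the `if (SecureBootNotFound)` branch then issues the identical gRT->GetVariable call with the same arguments followed by `ASSERT_EFI_ERROR (Status);`. A retry with unchanged arguments returns the same EFI_NOT_FOUND, so on any board where SecureBootEnable has never been written the assert fires in DEBUG builds, and in RELEASE builds execution continues to `if ((SecureBootCfg) != SystemConfigPtr->SecureBoot)` with SecureBootCfg uninitialized, which then decides whether SecureBootEnable gets written. Restore an explicit default on the not-found path (`SecureBootCfg = 0;`, or whatever default the platform intends) and drop the second GetVariable and the ASSERT; SecureBootNotFound is then unnecessary.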
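Review bot: in the Components.dsc hunk (@@ -234,6 +234,16 @@), SecureBootConfigDxe is built with `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf`. The Null instance's UserPhysicalPresent() returns TRUE unconditionally, so the physical-presence check that gates custom mode and PK/KEK changes in SecureBootConfigDxe and the authenticated variable service is satisfied for every caller at boot time. That may be acceptable for a development board, but since this patch also deletes the platform's own key-management code (PlatformSecureDefaultsLib) and hands all enrollment and deletion to that driver, the commit message should state it, and a platform PlatformSecureLib instance tied to a real presence signal should be tracked as follow-up work.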
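Review bot: the @@ -710,7 +717,7 @@ hunk in PlatformPkg.fdf changes trailing whitespace only (the removed and added `INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf` lines differ only in trailing spaces), as do @@ -474,12 +484,12 @@ in Components.dsc, the blank-line pairs in Platform.c, and the `suppressif NOT ideqval Setup.TPM == 1;` line in Security.vfi. Mixing whitespace cleanup with a functional Secure Boot change inflates the diff and hides the lines that matter; please split the cleanup into a separate patch or at least mention it in the commit message.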