public inbox for devel@edk2.groups.io
From: "Guo, Gua" <gua.guo@intel.com>
To: "Lakkimsetti, Subash" <subash.lakkimsetti@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Dong, Guo" <guo.dong@intel.com>, "Ni, Ray" <ray.ni@intel.com>,
	"Rhodes, Sean" <sean@starlabs.systems>,
	"Lu, James" <james.lu@intel.com>,
	"Rudolph, Patrick" <patrick.rudolph@9elements.com>
Subject: Re: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
Date: Wed, 22 Mar 2023 22:55:28 +0000	[thread overview]
Message-ID: <BL1PR11MB5478D409919FA3D155BD2423EF869@BL1PR11MB5478.namprd11.prod.outlook.com>
In-Reply-To: <c0e08b94e628cbbc4012df98df83efc4b81cf3ce.1679464590.git.subash.lakkimsetti@intel.com>

From Uefi UPL side


Currently, SPI has a silicon dependency, so native is not supported on UniversalPayload; please use SECURITY_SUPPORT
+---------------------+
| UefiUPL.elf         |
+---------------------+
| .upld_info          |
+---------------------+
| .upld.uefi_fv       |
+---------------------+
| .upld.bds_fv        |
+---------------------+
| .upld.security_fv   |<------------ SECURITY_SUPPORT (use this macro to decide whether to include it or not; the default value is false)
+---------------------+

Thanks,
Gua

-----Original Message-----
From: Lakkimsetti, Subash <subash.lakkimsetti@intel.com> 
Sent: Wednesday, March 22, 2023 1:59 PM
To: devel@edk2.groups.io
Cc: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Rhodes, Sean <sean@starlabs.systems>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>; Rudolph, Patrick <patrick.rudolph@9elements.com>
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Update the packages to support TPM and measured boot in uefi payload.

Measured boot can be controlled using the flag MEASURED_BOOT_ENABLE

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
 UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
 2 files changed, 109 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
   DEFINE NVME_ENABLE                  = TRUE    DEFINE SECURE_BOOT_ENABLE           = FALSE+  DEFINE MEASURED_BOOT_ENABLE         = FALSE    #   # NULL:    NullMemoryTestDxe@@ -297,14 +298,27 @@
 !else   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif-!if $(VARIABLE_SUPPORT) == "EMU"-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf-!elseif $(VARIABLE_SUPPORT) == "SPI"-  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf+  #+  # TPM+  #+!if $(MEASURED_BOOT_ENABLE) == TRUE+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf+!else+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf+!endif+!if $(VARIABLE_SUPPORT) == "SPI"   S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf+!endif+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf@@ -412,6 +426,10 @@
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf+!endif+ ################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform.@@ -600,6 +618,13 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if $(MEASURED_BOOT_ENABLE) == TRUE++  # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016+!endif+ ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform.@@ -680,6 +705,10 @@
     <LibraryClasses> !if $(SECURE_BOOT_ENABLE)       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf+!endif+!if $(MEASURED_BOOT_ENABLE) == TRUE+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf+      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif   } !endif@@ -842,6 +871,57 @@
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {+    <LibraryClasses>+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf+   }++   SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {+    <LibraryClasses>+      PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf+  }++!if $(SMM_SUPPORT) == TRUE+  SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {+    <LibraryClasses>+    TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf++  }+!endif+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {+  <LibraryClasses>+      Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+  }+!if $(SMM_SUPPORT) == TRUE+  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {+    <LibraryClasses>+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+  }+!endif+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {+    <LibraryClasses>+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf+  }+  SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+    <LibraryClasses>+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+  }+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+    <LibraryClasses>+ 
     TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+  }+!endif #MEASURED_BOOT_ENABLE+   #   # Misc   #diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+  INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf+!if $(SMM_SUPPORT) == TRUE+  INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf+!endif+  INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf+  INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf+  INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf+!if $(SMM_SUPPORT) == TRUE+  INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf+!endif+  INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf+!endif+ INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC"@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
     UI        STRING="Enter Setup"     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)   }++[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]+  FILE DRIVER = $(NAMED_GUID) {+    DXE_DEPEX DXE_DEPEX Optional       $(INF_OUTPUT)/$(MODULE_NAME).depex+    PE32      PE32                     $(INF_OUTPUT)/$(MODULE_NAME).efi+    RAW ACPI  Optional                |.acpi+    RAW ASL   Optional                |.aml+    UI        STRING="$(MODULE_NAME)" Optional+    VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)+  }-- 
2.39.1.windows.1
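Review bot: in the UefiPayloadPkg.dsc hunk at @@ -297,14 +298,27 @@, DxeTpmMeasurementLib used to be selected whenever VARIABLE_SUPPORT == "SPI"; it is now selected only when MEASURED_BOOT_ENABLE == TRUE, and every other build (including SPI variable builds, since the new DEFINE defaults to FALSE) falls back to TpmMeasurementLibNull, so authenticated variable updates stop being measured without any notice. Either keep DxeTpmMeasurementLib for the SPI case or state this behaviour change in the commit message. The same hunk also moves `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` out of the SPI branch to an unconditional mapping, which the commit message does not mention either.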
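Review bot: in the UefiPayloadPkg.dsc hunk at @@ -412,6 +426,10 @@, the added line `+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf` has a single leading space where the surrounding library mappings in that section use two; align it with the neighbouring entries.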
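Review bot: in the UefiPayloadPkg.dsc hunk at @@ -600,6 +618,13 @@, the values `PcdTpm2HashMask|0x000000016` and `PcdTcg2HashAlgorithmBitmap|0x000000016` are written with nine hex digits, which looks like a typo for 0x00000016 (BIT1|BIT2|BIT4 = SHA256, SHA384 and SM3_256 by the comment above them). The mask deliberately clears SHA1 even though the Tcg2Dxe component later in this patch links HashInstanceLibSha1, and clears SHA512 with no SHA512 instance linked, so the bank selection is consistent but unexplained; a sentence in the commit message on which PCR banks are intended to be active would help reviewers. The comment itself mixes a period and commas ("BIT0 - SHA1. BIT1 - SHA256, ...").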
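Review bot: in the UefiPayloadPkg.dsc hunk at @@ -680,6 +705,10 @@, the existing guard is written `!if $(SECURE_BOOT_ENABLE)` while the new one is `!if $(MEASURED_BOOT_ENABLE) == TRUE`; pick one form for both flags. Since DxeImageVerificationLib, DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib are all pulled in as NULL libraries of the same module, their listing order here is what decides the order in which their handlers are registered; a short comment saying whether verification before measurement is the intended order would make that explicit.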
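Review bot: in the UefiPayloadPkg.dsc hunk at @@ -842,6 +871,57 @@, the `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { ... TpmPlatformHierarchyLib|... }` block is listed twice back to back with identical contents; drop the second copy. Indentation in the block is uneven (`+   }` and `+   SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {` with three spaces, `<LibraryClasses>` under Tcg2ConfigDxe with two, `TcgPpVendorLib|...` under TcgSmm at the same level as `<LibraryClasses>`, and a stray blank line inside the TcgSmm block). Adding TcgDxe, TcgSmm and TcgConfigDxe means TPM 1.2 support, which also drives the Tpm12CommandLib/Tpm12DeviceLib mappings earlier in the patch, but the commit message only says "support TPM"; state whether TPM 1.2 is a requirement for the payload or whether the Tcg2* drivers alone would do. Finally, there is no Tcg2Pei in a payload build, so Tcg2Dxe cannot rely on the PEI driver to perform TPM startup and hand over the early event log; the commit message should say what the bootloader is expected to have measured and started before the payload runs.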
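Review bot: in the UefiPayloadPkg.fdf hunk at @@ -176,6 +176,21 @@, the eight TCG INFs are added unconditionally to the same FV as SecureBootConfigDxe. As the reply above points out, the universal payload build keeps its security drivers in the separate `.upld.security_fv` section that the SECURITY_SUPPORT macro controls, so this list should be placed under that macro rather than only here. The `INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf` line depends on the new `[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]` rule added at the end of the same file, so the two hunks must stay in one patch.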

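The reply above describes the UefiUPL.elf layout and the `.upld.security_fv` section that SECURITY_SUPPORT adds. The script below is an added example, not code from the patch, from UefiPayloadPkg or from the edk2 project: it walks the ELF64 section header table with the standard library only and reports which `.upld*` sections an image carries, so a build can be checked for the presence or absence of `.upld.security_fv`. The sample image it inspects is constructed inline (section payloads are dummy bytes, not real firmware volumes); the section names are the ones from the diagram above.

```python
"""List the .upld* sections of a Universal Payload ELF (added example).

Not code from the patch or from edk2.  Parses the Elf64_Ehdr and the
Elf64_Shdr table with struct only, so it runs offline on any UefiUPL.elf;
the image used below is constructed inline with dummy section contents.
"""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")            # Elf64_Shdr
SHT_PROGBITS = 1
SHT_STRTAB = 3


def build_sample_upl_elf(section_names):
    """Constructed ELF64/x86-64 image: header | section payloads | .shstrtab | shdr table."""
    names = [""] + list(section_names) + [".shstrtab"]   # index 0 is SHT_NULL
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"

    payloads = {n: n.encode().ljust(32, b"\0") for n in section_names}  # dummy contents
    body, sec_off, cursor = b"", {}, ELF_HDR.size
    for n in section_names:
        sec_off[n] = cursor
        body += payloads[n]
        cursor += len(payloads[n])
    shstr_off = cursor
    body += shstrtab
    shoff = cursor + len(shstrtab)

    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    for n in section_names:
        shdrs += SHDR.pack(name_off[n], SHT_PROGBITS, 0, 0,
                           sec_off[n], len(payloads[n]), 0, 0, 1, 0)
    shdrs += SHDR.pack(name_off[".shstrtab"], SHT_STRTAB, 0, 0,
                       shstr_off, len(shstrtab), 0, 0, 1, 0)

    ehdr = ELF_HDR.pack(
        b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9,   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
        2, 0x3E, 1,                                   # ET_EXEC, EM_X86_64, e_version
        0, 0, shoff, 0,                               # e_entry, e_phoff, e_shoff, e_flags
        ELF_HDR.size, 0, 0,                           # e_ehsize, e_phentsize, e_phnum
        SHDR.size, len(names), len(names) - 1,        # e_shentsize, e_shnum, e_shstrndx
    )
    return ehdr + body + shdrs


def list_upld_sections(data):
    """Return {name: size} for every section whose name starts with '.upld'."""
    if len(data) < ELF_HDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, _, _, _, _, _, shoff, _, _, _, _,
     shentsize, shnum, shstrndx) = ELF_HDR.unpack_from(data, 0)
    if shentsize != SHDR.size or shnum == 0 or shoff + shnum * shentsize > len(data):
        raise ValueError("section header table missing or truncated")

    def shdr(index):
        return SHDR.unpack_from(data, shoff + index * shentsize)

    _, _, _, _, str_off, str_size, *_ = shdr(shstrndx)
    strtab = data[str_off:str_off + str_size]

    found = {}
    for i in range(shnum):
        name_off, _, _, _, off, size, *_ = shdr(i)
        name = strtab[name_off:strtab.find(b"\0", name_off)].decode()
        if name.startswith(".upld"):
            if off + size > len(data):
                raise ValueError(f"{name} extends past the end of the image")
            found[name] = size
    return found


def has_security_fv(data):
    """True when the image carries .upld.security_fv (a SECURITY_SUPPORT build)."""
    return ".upld.security_fv" in list_upld_sections(data)


if __name__ == "__main__":
    base = [".upld_info", ".upld.uefi_fv", ".upld.bds_fv"]
    for label, secs in (("SECURITY_SUPPORT=FALSE", base),
                        ("SECURITY_SUPPORT=TRUE", base + [".upld.security_fv"])):
        img = build_sample_upl_elf(secs)
        print(label, sorted(list_upld_sections(img)), "security_fv:", has_security_fv(img))
```

To check a real build, read UefiUPL.elf into `data` and call `list_upld_sections(data)`; the function rejects images whose section header table or section bodies run past the end of the file, which is the first thing to test when a payload has been truncated or concatenated incorrectly.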

Thread overview: 11+ messages
2023-03-22  5:58 [PATCH v1 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-03-22  5:58 ` [PATCH v1 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-03-22  5:58 ` [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs Subash Lakkimsetti
2023-03-22  5:58 ` [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-03-22 13:43   ` [edk2-devel] " Yao, Jiewen
2023-03-23  4:37     ` Subash Lakkimsetti
2023-03-25  2:36       ` Yao, Jiewen
2023-03-22  5:58 ` [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-03-22  5:58 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
2023-03-22 22:55   ` Guo, Gua [this message]
2023-03-22  5:58 ` [PATCH v1 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti
