From: "Guo, Gua" <gua.guo@intel.com>
To: "Lakkimsetti, Subash" <subash.lakkimsetti@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Dong, Guo" <guo.dong@intel.com>, "Ni, Ray" <ray.ni@intel.com>,
"Rhodes, Sean" <sean@starlabs.systems>,
"Lu, James" <james.lu@intel.com>,
"Rudolph, Patrick" <patrick.rudolph@9elements.com>
Subject: Re: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
Date: Wed, 22 Mar 2023 22:55:28 +0000 [thread overview]
Message-ID: <BL1PR11MB5478D409919FA3D155BD2423EF869@BL1PR11MB5478.namprd11.prod.outlook.com> (raw)
In-Reply-To: <c0e08b94e628cbbc4012df98df83efc4b81cf3ce.1679464590.git.subash.lakkimsetti@intel.com>
>From Uefi UPL side
Currently, SPI have silicon dependency so native is not support on UniversalPayload, please use SECURITY_SUPPORT
+------------------------------+
| UefiUPL.elf |
+------------------------------+
| .upld_info |
+------------------------------+
| .upld.uefi_fv |
+------------------------------+
| .upld.bds_fv |
+------------------------------+
| .upld.security_fv |<------------ SECURITY_SUPPORT (Use this macro to decide include it or not and default value is false)
+------------------------------+
Thanks,
Gua
-----Original Message-----
From: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Sent: Wednesday, March 22, 2023 1:59 PM
To: devel@edk2.groups.io
Cc: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Rhodes, Sean <sean@starlabs.systems>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>; Rudolph, Patrick <patrick.rudolph@9elements.com>
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Update the packages to support TPM and measured boot in uefi payload.
Measured boot can be controoled using flag MEASURED_BOOT_ENABLE
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++-- UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
2 files changed, 109 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
DEFINE NVME_ENABLE = TRUE DEFINE SECURE_BOOT_ENABLE = FALSE+ DEFINE MEASURED_BOOT_ENABLE = FALSE # # NULL: NullMemoryTestDxe@@ -297,14 +298,27 @@
!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif-!if $(VARIABLE_SUPPORT) == "EMU"- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf-!elseif $(VARIABLE_SUPPORT) == "SPI"- PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf+ #+ # TPM+ #+!if $(MEASURED_BOOT_ENABLE) == TRUE+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf+!else+ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf+!endif+!if $(VARIABLE_SUPPORT) == "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf+!endif+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI" MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf@@ -412,6 +426,10 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf+!endif+ ################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform.@@ -600,6 +618,13 @@
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if $(MEASURED_BOOT_ENABLE) == TRUE++ # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016+!endif+ ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform.@@ -680,6 +705,10 @@
<LibraryClasses> !if $(SECURE_BOOT_ENABLE) NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf+!endif+!if $(MEASURED_BOOT_ENABLE) == TRUE+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif } !endif@@ -842,6 +871,57 @@
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {+ <LibraryClasses>+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf+ }++ SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {+ <LibraryClasses>+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf+ }++!if $(SMM_SUPPORT) == TRUE+ SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {+ <LibraryClasses>+ TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf++ }+!endif+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {+ <LibraryClasses>+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+ }+!if $(SMM_SUPPORT) == TRUE+ SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {+ <LibraryClasses>+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+ }+!endif+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {+ <LibraryClasses>+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf+ }+ SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+ <LibraryClasses>+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+ }+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+ <LibraryClasses>+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+ }+!endif #MEASURED_BOOT_ENABLE+ # # Misc #diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf+!if $(SMM_SUPPORT) == TRUE+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf+!endif+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf+!if $(SMM_SUPPORT) == TRUE+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf+!endif+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf+!endif+ INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC"@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
UI STRING="Enter Setup" VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) }++[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]+ FILE DRIVER = $(NAMED_GUID) {+ DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex+ PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi+ RAW ACPI Optional |.acpi+ RAW ASL Optional |.aml+ UI STRING="$(MODULE_NAME)" Optional+ VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)+ }--
2.39.1.windows.1
next prev parent reply other threads:[~2023-03-22 22:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-22 5:58 [PATCH v1 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-03-22 13:43 ` [edk2-devel] " Yao, Jiewen
2023-03-23 4:37 ` Subash Lakkimsetti
2023-03-25 2:36 ` Yao, Jiewen
2023-03-22 5:58 ` [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
2023-03-22 22:55 ` Guo, Gua [this message]
2023-03-22 5:58 ` [PATCH v1 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BL1PR11MB5478D409919FA3D155BD2423EF869@BL1PR11MB5478.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox