Reviewed-by: Ray Ni <ray.ni@intel.com>
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Hi Ray,
Yes, I have tested the following:
I am planning to post the script in BZ:
https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.
Regards,
Divneil
From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>;
devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?
Thanks,
Ray
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images
Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
DEFINE NETWORK_TLS_ENABLE = FALSE
DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
DEFINE NETWORK_ISCSI_ENABLE = FALSE
+ DEFINE SECURE_BOOT_ENABLE = FALSE
[SkuIds]
0|DEFAULT
@@ -106,12 +107,20 @@
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
- AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+ gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"
@@ -306,7 +329,14 @@
EmulatorPkg/ResetRuntimeDxe/Reset.inf
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
+
MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
EmulatorPkg/TimerDxe/Timer.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
# Blockmap[1]: End
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
#Signature: gEfiVariableGuid =
# { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+ # Signature: gEfiAuthenticatedVariableGuid =
+ # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+ 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
#Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
# This can speed up the Variable Dispatch a bit.
0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2