From: "Wadhawan, Divneil R"
To: "devel@edk2.groups.io"
CC: "Ni, Ray", "Andrew Fish (afish@apple.com)", "Justen, Jordan L", "Kinney, Michael D", "Wadhawan, Divneil R"
Subject: [PATCH] EmulatorPkg: Enable support for Secure Boot
Date: Thu, 3 Sep 2020 18:16:36 +0000
SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images
Signed-off-by: Divneil Rai Wadhawan --- EmulatorPkg/EmulatorPkg.dsc | 40 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 21 +++++++++++++++---- 2 files changed, 55 insertions(+), 6 deletions(-) diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..6591c3e824 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE =3D FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FALSE DEFINE NETWORK_ISCSI_ENABLE =3D FALSE + DEFINE SECURE_BOOT_ENABLE =3D FALSE =20 [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/C= puExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf =20 + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSe= cureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.in= f + !else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableL= ibNull.inf + !endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.i= nf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,7 +171,20 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf =20 -[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIV= ER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATIO= N] +[LibraryClasses.common.DXE_DRIVER] + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll= ocationLib.inf + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf + EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf + PeCoffExtraActionLib|EmulatorPkg/Library/DxeEmuPeCoffExtraActionLib/DxeE= muPeCoffExtraActionLib.inf + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf + TimerLib|EmulatorPkg/Library/DxeTimerLib/DxeTimerLib.inf + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + !endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIV= ER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll= ocationLib.inf @@ -171,6 +193,9 @@ PeCoffExtraActionLib|EmulatorPkg/Library/DxeEmuPeCoffExtraActionLib/DxeE= muPeCoffExtraActionLib.inf ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf TimerLib|EmulatorPkg/Library/DxeTimerLib/DxeTimerLib.inf + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + !endif =20 [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode|FALSE 
@@ -190,6 +215,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE + !endif =20 gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" =20 @@ -315,6 +344,13 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf =20 + !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf + } + !endif =20 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..4bf592e778 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf 
@@ -46,10 +46,16 @@ DATA =3D { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER - #Signature: gEfiVariableGuid =3D - # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0= xfe, 0x7d }} - 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, - 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, + !if $(SECURE_BOOT_ENABLE) =3D=3D FALSE + #Signature: gEfiVariableGuid =3D + # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f,= 0xfe, 0x7d }} + 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, + 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, + !else + # Signature: gEfiAuthenticatedVariableGuid =3D { 0xaaf32c78, 0x947b, 0= x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, + !endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableS= ize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) =3D 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +192,13 @@ INF RuleOverride =3D UI MdeModulePkg/Application/UiAp= p/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf =20 +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf +!endif + # # Network stack drivers # --=20 2.24.1.windows.2
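Review bot: in the EmulatorPkg.dsc hunk at @@ -32,6 +32,7 @@, SECURE_BOOT_ENABLE defaults to FALSE, so a plain build (and any CI that builds the default configuration) never compiles the new library mappings, the SecurityStubDxe override or the fdf changes; note in the commit message that the feature was validated with `-D SECURE_BOOT_ENABLE=TRUE` so reviewers know the TRUE path was built and booted.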
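Review bot: the dsc hunk at @@ -106,12 +107,20 @@ maps PlatformSecureLib to PlatformSecureLibNull, whose UserPhysicalPresent() unconditionally returns TRUE, and the hunk at @@ -190,6 +215,10 @@ additionally sets gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE. Taken together, physical presence is always asserted, so enrolling or clearing the PK from the Secure Boot menu never requires a user gesture. That is a reasonable choice for an emulator, but it is a security-relevant property of the configuration and should be stated explicitly, either as a comment next to the `!if $(SECURE_BOOT_ENABLE) == TRUE` block or in the commit message, so nobody copies the mapping to a real platform.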
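Review bot: in the new `[LibraryClasses.common.DXE_DRIVER]` section added by the dsc hunk at @@ -162,7 +171,20 @@, `ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf` is listed twice (once after MemoryAllocationLib and again after PeCoffExtraActionLib); drop the second copy. Splitting DXE_DRIVER out of the combined section is needed because it gets BaseCryptLib while DXE_RUNTIME_DRIVER keeps RuntimeCryptLib (hunk @@ -171,6 +193,9 @@), but the duplicated entry looks like a copy-and-paste slip rather than intent.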
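Review bot: in the dsc hunk at @@ -315,6 +344,13 @@ the SecurityStubDxe override block shows an empty line between `SecurityStubDxe.inf {` and the `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf` entry. A module override in a .dsc needs a `<LibraryClasses>` section header before a NULL library entry, so please confirm that line is present in the actual patch and was only lost in transit; if it really is blank, the override will not parse.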
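Review bot: the EmulatorPkg.fdf hunk at @@ -46,10 +46,16 @@ changes the VARIABLE_STORE_HEADER signature from gEfiVariableGuid to gEfiAuthenticatedVariableGuid when SECURE_BOOT_ENABLE is TRUE. The variable driver selects the store format from that GUID, so an existing NV store built with the other setting is not recognized after the flag is flipped; the commit message should say that FV_RECOVERY.fd (and any persisted variable store) must be regenerated when SECURE_BOOT_ENABLE changes. As a style point, this hunk tests `!if $(SECURE_BOOT_ENABLE) == FALSE` first while every other hunk tests `== TRUE`; keeping the same polarity throughout makes the conditionals easier to scan.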
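Review bot: the fdf hunk at @@ -186,6 +192,13 @@ adds only SecureBootConfigDxe to the firmware volume, whereas the dsc hunk at @@ -315,6 +344,13 @@ also adds SecurityStubDxe with DxeImageVerificationLib linked in. Please confirm SecurityStubDxe is already listed in EmulatorPkg.fdf outside this diff; if it is not, the image verification library is built but never placed in the FV, and the "Authenticated execution of 3rd party images" item in the commit message would not actually be enforced.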