From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution
Date: Thu, 25 Jan 2018 04:55:50 +0000 [thread overview]
Message-ID: <FF72C7E4248F3C4E9BDF19D4918E90F24962F81A@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <20180125045350.22372-1-chao.b.zhang@intel.com>
Sorry. Made a mistake. please skip the mail.
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang, Chao B
Sent: Thursday, January 25, 2018 12:54 PM
To: edk2-devel@lists.01.org
Subject: [edk2] [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution
---
KabylakePlatSamplePkg/PlatformPkg.dsc | 13 +++++++++--
KabylakePlatSamplePkg/PlatformPkg.fdf | 36 +++++++++++++++--------------
KabylakePlatSamplePkg/PlatformPkgConfig.dsc | 2 +-
3 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91,
+0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc,
+0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15,
+0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
[PcdsFixedAtBuild.IA32]
!if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
<LibraryClasses>
NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
}
+
+ MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+ { <LibraryClasses>
+
+ NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRs
+ a2048Sha256GuidedSectionExtractLib.inf
+ }
!endif
!if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE @@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
<LibraryClasses>
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs
+ a2048Sha256GuidedSectionExtractLib.inf
!endif
!if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
<LibraryClasses>
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs
+ a2048Sha256GuidedSectionExtractLib.inf
!endif
!if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF
+$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf
+oChecker/BiosInfoChecker.inf
!endif
!if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE @@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
- $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
- }
-!endif # PcdPubKeyHashBinEnable
+INF
+MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF
+$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in
+f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+# }
+#!endif # PcdPubKeyHashBinEnable
!endif # PcdSecureBootEnable
!if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE @@ -604,7 +605,7 @@ APRIORI PEI { !endif
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent
+ #INF
+ $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosIn
+ foChecker/BiosInfoChecker.inf # RPPO-SKL-0031:
+ RoyalParkOverrideContent
!endif
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
!endif
@@ -619,7 +620,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF
+$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf
+oChecker/BiosInfoChecker.inf
!endif
!if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE @@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE # ROYAL_PARK_PORTING - Porting Required -INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
- $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
- }
-!endif
+INF
+MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress
+$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in
+f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+# }
+#!endif
!endif
!if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS = TRUE
FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+ SECTION GUIDED A7717414-C616-4977-9420-844712A735BF
+ AUTH_STATUS_VALID = TRUE {
SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
SECTION FV_IMAGE = FVMAIN2
}
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS = TRUE
FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+ SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID
+ = TRUE {
SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
SECTION FV_IMAGE = FVMAIN
}
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
- gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+ gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE # SI:RestrictedContent
--
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
prev parent reply other threads:[~2018-01-25 4:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 4:53 [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution Zhang, Chao B
2018-01-25 4:53 ` [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
2018-01-25 19:34 ` Bill Paul
2018-01-25 4:53 ` [PATCH] SecurityPkg/PhysicalPresenceLib: " Zhang, Chao B
2018-01-25 4:53 ` [PATCH] SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command cancel Zhang, Chao B
2018-01-25 6:39 ` Yao, Jiewen
2018-01-25 4:55 ` Zhang, Chao B [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=FF72C7E4248F3C4E9BDF19D4918E90F24962F81A@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox