From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.115; helo=mga14.intel.com; envelope-from=chao.b.zhang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CB2C221E25686 for ; Wed, 24 Jan 2018 20:50:24 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jan 2018 20:55:53 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,409,1511856000"; d="scan'208";a="168966985" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga004.jf.intel.com with ESMTP; 24 Jan 2018 20:55:53 -0800 Received: from FMSMSX110.amr.corp.intel.com (10.18.116.10) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 24 Jan 2018 20:55:52 -0800 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx110.amr.corp.intel.com (10.18.116.10) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 24 Jan 2018 20:55:52 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.189]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.159]) with mapi id 14.03.0319.002; Thu, 25 Jan 2018 12:55:50 +0800 From: "Zhang, Chao B" To: "edk2-devel@lists.01.org" Thread-Topic: [edk2] [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution Thread-Index: AQHTlZiISu40WpnuR0qLaVoGC+SPdaOEBjMA Date: Thu, 25 Jan 2018 04:55:50 +0000 Message-ID: References: <20180125045350.22372-1-chao.b.zhang@intel.com> In-Reply-To: <20180125045350.22372-1-chao.b.zhang@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ctpclassification: CTP_NT x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMGY0ZGRhNzMtNWRlNy00M2Q5LWEwOTgtMWMzYWQ1N2E2YmEzIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjIuNS4xOCIsIlRydXN0ZWRMYWJlbEhhc2giOiJpNzBCNDhGT2IwUThOSlZtdXJIdW1Cc2dIY3RFbDhIdmM2aUdJeW9tSFI3cXZiMnZjVXN1TmZ5ZXNSUWhLeHhaIn0= dlp-product: dlpe-windows dlp-version: 11.0.0.116 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Jan 2018 04:50:25 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sorry. Made a mistake. please skip the mail.=20 -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhan= g, Chao B Sent: Thursday, January 25, 2018 12:54 PM To: edk2-devel@lists.01.org Subject: [edk2] [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection s= olution --- KabylakePlatSamplePkg/PlatformPkg.dsc | 13 +++++++++-- KabylakePlatSamplePkg/PlatformPkg.fdf | 36 +++++++++++++++----------= ---- KabylakePlatSamplePkg/PlatformPkgConfig.dsc | 2 +- 3 files changed, 31 insertions(+), 20 deletions(-) diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/= PlatformPkg.dsc index fb085b9..125e018 100644 --- a/KabylakePlatSamplePkg/PlatformPkg.dsc +++ b/KabylakePlatSamplePkg/PlatformPkg.dsc @@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|= 0x07 =20 gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000 =20 +gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91,=20 +0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc,=20 +0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15,=20 +0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d} + [PcdsFixedAtBuild.IA32] !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable =3D=3D TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 @@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags= |0x07 NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLi= b/PeiSignedSectionVerificationLib.inf } + =20 + MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf=20 + { + =20 + NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRs + a2048Sha256GuidedSectionExtractLib.inf + } !endif =20 !if gSiPkgTokenSpaceGuid.PcdS3Enable =3D=3D TRUE @@ -1575,7 +1582,8 @@ $(C= LIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf { gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE - NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLi= b/DxeSignedSectionVerificationLib.inf + # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLi= b/DxeSignedSectionVerificationLib.inf + =20 + NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs + a2048Sha256GuidedSectionExtractLib.inf !endif !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable =3D=3D TRUE NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32Gu= idedSectionExtractLib.inf @@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/De= bugServicePei.inf { gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE - NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLi= b/DxeSignedSectionVerificationLib.inf + #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationL= ib/DxeSignedSectionVerificationLib.inf + =20 + NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs + a2048Sha256GuidedSectionExtractLib.inf !endif !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable =3D=3D TRUE NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32Gu= idedSectionExtractLib.inf diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/= PlatformPkg.fdf index d2e8ee3..9d3fa5d 100644 --- a/KabylakePlatSamplePkg/PlatformPkg.fdf +++ b/KabylakePlatSamplePkg/PlatformPkg.fdf @@ -406,7 +406,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/Amt= StatusCodePei.inf =20 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent != if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE -INF $(PL= ATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker= /BiosInfoChecker.inf +#INF =20 +$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf +oChecker/BiosInfoChecker.inf !endif =20 !if gSiPkgTokenSpaceGuid.PcdSleEnable =3D=3D FALSE @@ -462,12 +462,13 @@ I= NF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf =20 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE -INF $(C= LIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf -!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable =3D=3D TRUE -FILE= RAW =3D 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { - $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin - } -!endif # PcdPubKeyHashBinEnable +INF=20 +MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf +#INF=20 +$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in +f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable =3D=3D TRUE=20 +#FILE RAW =3D 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { +# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin +# } +#!endif # PcdPubKeyHashBinEnable !endif # PcdSecureBootEnable =20 !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable =3D=3D TRUE @@ -604,7 +605,= 7 @@ APRIORI PEI { !endif =20 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE - INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/Bio= sInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent + #INF =20 + $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosIn + foChecker/BiosInfoChecker.inf # RPPO-SKL-0031:=20 + RoyalParkOverrideContent !endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf !endif @@ -619,7 +620,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/Amt= StatusCodePei.inf =20 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE -INF $(= PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoCheck= er/BiosInfoChecker.inf +#INF =20 +$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf +oChecker/BiosInfoChecker.inf !endif =20 !if gSiPkgTokenSpaceGuid.PcdSleEnable =3D=3D TRUE @@ -692,12 +693,13 @@ IN= F $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf =20 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE # ROYAL= _PARK_PORTING - Porting Required -INF RuleOverride =3D LzmaCompress $(CLIEN= T_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf -!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable =3D=3D TRUE -FILE= RAW =3D 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { - $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin - } -!endif +INF=20 +MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf +#INF RuleOverride =3D LzmaCompress=20 +$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in +f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable =3D=3D TRUE=20 +#FILE RAW =3D 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 { +# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin +# } +#!endif !endif =20 !if gSiPkgTokenSpaceGuid.PcdSvBuild =3D=3D TRUE @@ -1174,7 +1176,7 @@ READ_LOCK_STATUS =3D TRUE FILE FV_IMAGE =3D 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformMod= uleTokenSpaceGuid.PcdLzmaEnable =3D=3D TRUE !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable =3D=3D TRUE - SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRE= D =3D TRUE { + SECTION GUIDED A7717414-C616-4977-9420-844712A735BF=20 + AUTH_STATUS_VALID =3D TRUE { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUI= RED =3D TRUE { SECTION FV_IMAGE =3D FVMAIN2 } @@ -2497,7 +2499,7 @@ READ_LOCK_STATUS =3D TRUE FILE FV_IMAGE =3D 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { !if gPlatformMod= uleTokenSpaceGuid.PcdLzmaEnable =3D=3D TRUE !if gPlatformModuleTokenSpaceG= uid.PcdSecureBootEnable =3D=3D TRUE - SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = =3D TRUE { + SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID=20 + =3D TRUE { SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQU= IRED =3D TRUE { SECTION FV_IMAGE =3D FVMAIN } diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamp= lePkg/PlatformPkgConfig.dsc index fd2d368..755e66c 100644 --- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc +++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc @@ -117,7 +117,7 @@ gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE - gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE + gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE # SI:RestrictedC= ontent -- 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel