[PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution

[PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution

[Zhang, Chao B]

---
 KabylakePlatSamplePkg/PlatformPkg.dsc       | 13 +++++++++--
 KabylakePlatSamplePkg/PlatformPkg.fdf       | 36 +++++++++++++++--------------
 KabylakePlatSamplePkg/PlatformPkgConfig.dsc |  2 +-
 3 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
 
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
 
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
 [PcdsFixedAtBuild.IA32]
 !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
     <LibraryClasses>
       NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
   }
+  
+  MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf {
+  <LibraryClasses>
+    NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRsa2048Sha256GuidedSectionExtractLib.inf
+  }
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE
@@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+    # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE
@@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif # PcdPubKeyHashBinEnable
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif # PcdPubKeyHashBinEnable
 !endif # PcdSecureBootEnable
 
 !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE
@@ -604,7 +605,7 @@ APRIORI PEI {
 !endif
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
+  #INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
 !endif
   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 !endif
@@ -619,7 +620,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE
@@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
 # ROYAL_PARK_PORTING - Porting Required
-INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
   !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-    SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+    SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
       SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
         SECTION FV_IMAGE = FVMAIN2
       }
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+  SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
        SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
           SECTION FV_IMAGE = FVMAIN
        }
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
   gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
-  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
   gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE             # SI:RestrictedContent
-- 
1.9.5.msysgit.1

[PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation

[Zhang, Chao B]

According to TCG PP1.3 spec, error PCR bank allocation input should be rejected by
Physical Presence. Firmware has to ensure that at least one PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..830266b 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks. 
+      //    Firmware has to ensure that at least one PCR banks is active
+      // If not, an error is returned and no action is taken
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
+      }
+      DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter));
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-- 
1.9.5.msysgit.1

Re: [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation

[Bill Paul]

Of all the gin joints in all the towns in all the world, Zhang, Chao B had to 
walk into mine at 20:53 on Wednesday 24 January 2018 and say:

> According to TCG PP1.3 spec, error PCR bank allocation input should be
> rejected by Physical Presence. Firmware has to ensure that at least one
> PCR banks is active.
> 
> Cc: Long Qin <qin.long@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> ---
>  .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12
> ++++++++++++ 1 file changed, 12 insertions(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c index 5bf95a1..830266b 100644
> ---
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c +++
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c @@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
>      case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
>        Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks); ASSERT_EFI_ERROR (Status);
> +
> +      //
> +      // PP spec requirements:
> +      //    Firmware should check that all requested (set) hashing
> algorithms are supported with respective PCR banks. +      //    Firmware
> has to ensure that at least one PCR banks is active +      // If not, an
> error is returned and no action is taken
> +      //
> +      if (CommandParameter == 0 || (CommandParameter &
> (~TpmHashAlgorithmBitmap)) != 0) { +        DEBUG((DEBUG_ERROR, "PCR banks
> %x to allocate are not supported by TPM. Skip operation\n",
> CommandParameter)); +        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
> +      }
> +      DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x

Was it your intention to have the debug error message string identify you by 
name? :)

-Bill

> CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter)); Status
> = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap,
> CommandParameter); if (EFI_ERROR (Status)) {
>          return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-- 
=============================================================================
-Bill Paul            (510) 749-2329 | Senior Member of Technical Staff,
                 wpaul@windriver.com | Master of Unix-Fu - Wind River Systems
=============================================================================
   "I put a dollar in a change machine. Nothing changed." - George Carlin
=============================================================================

[PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[Zhang, Chao B]

According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..28f0ca0 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
+      }
+      DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter));
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-- 
1.9.5.msysgit.1

[PATCH] SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command cancel

[Zhang, Chao B]

Support TPM Command cancel if executing command timeouts. Cancel could
happen in long running command case

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Chinnusamy Rajkumar K <rajkumar.k.chinnusamy@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 MdePkg/Include/IndustryStandard/TpmTis.h        |  8 +++++--
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 24 +++++++++++++++++---
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c | 30 +++++++++++++++++++++----
 3 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/TpmTis.h b/MdePkg/Include/IndustryStandard/TpmTis.h
index 519fa79..f25ca25 100644
--- a/MdePkg/Include/IndustryStandard/TpmTis.h
+++ b/MdePkg/Include/IndustryStandard/TpmTis.h
@@ -2,7 +2,7 @@
   TPM Interface Specification definition.
   It covers both TPM1.2 and TPM2.0.
 
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -143,6 +143,10 @@ typedef TIS_PC_REGISTERS  *TIS_PC_REGISTERS_PTR;
 #define TIS_PC_ACC_ESTABLISH        BIT0
 
 ///
+/// Write a 1 to this bit to notify TPM to cancel currently executing command
+///
+#define TIS_PC_STS_CANCEL           BIT24
+///
 /// This field indicates that STS_DATA and STS_EXPECT are valid
 ///
 #define TIS_PC_STS_VALID            BIT7
@@ -180,4 +184,4 @@ typedef TIS_PC_REGISTERS  *TIS_PC_REGISTERS_PTR;
 #define TIS_TIMEOUT_C               (750  * 1000)  // 750ms
 #define TIS_TIMEOUT_D               (750  * 1000)  // 750ms
 
-#endif
\ No newline at end of file
+#endif
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index ddd4bd0..d9df264 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -1,7 +1,7 @@
 /** @file
   PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
 
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -240,8 +240,26 @@ PtpCrbTpmCommand (
              PTP_TIMEOUT_MAX
              );
   if (EFI_ERROR (Status)) {
-    Status = EFI_DEVICE_ERROR;
-    goto Exit;
+    //
+    // Command Completion check timeout. Cancel the currently executing command by writing TPM_CRB_CTRL_CANCEL,
+    // Expect TPM_RC_CANCELLED or successfully completed response.
+    //
+    MmioWrite32((UINTN)&CrbReg->CrbControlCancel, PTP_CRB_CONTROL_CANCEL);
+    Status = PtpCrbWaitRegisterBits (
+               &CrbReg->CrbControlStart,
+               0,
+               PTP_CRB_CONTROL_START,
+               PTP_TIMEOUT_B
+               );
+    MmioWrite32((UINTN)&CrbReg->CrbControlCancel, 0);
+
+    if (EFI_ERROR(Status)) {
+      //
+      // Still in Command Execution state. Try to goIdle, the behavior is agnostic.
+      //
+      Status = EFI_DEVICE_ERROR;
+      goto Exit;
+    }
   }
 
   //
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
index 6cd7030..0889162 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
@@ -1,7 +1,7 @@
 /** @file
   TIS (TPM Interface Specification) functions used by dTPM2.0 library.
   
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD License 
@@ -295,10 +295,32 @@ Tpm2TisTpmCommand (
              TIS_TIMEOUT_MAX
              );
   if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "Wait for Tpm2 response data time out!!\n"));
-    Status = EFI_DEVICE_ERROR;
-    goto Exit;
+    //
+    // dataAvail check timeout. Cancel the currently executing command by writing commandCancel,
+    // Expect TPM_RC_CANCELLED or successfully completed response.
+    //
+    DEBUG ((DEBUG_ERROR, "Wait for Tpm2 response data time out. Trying to cancel the command!!\n"));
+
+    MmioWrite32((UINTN)&TisReg->Status, TIS_PC_STS_CANCEL);
+    Status = TisPcWaitRegisterBits (
+               &TisReg->Status,
+               (UINT8) (TIS_PC_VALID | TIS_PC_STS_DATA),
+               0,
+               TIS_TIMEOUT_B
+               );
+    //
+    // Do not clear CANCEL bit here bicoz Writes of 0 to this bit are ignored
+    //
+    if (EFI_ERROR (Status)) {
+      //
+      // Cancel executing command fail to get any response
+      // Try to abort the command with write of a 1 to commandReady in Command Execution state
+      //
+      Status = EFI_DEVICE_ERROR;
+      goto Exit;
+    }
   }
+
   //
   // Get response data header
   //
-- 
1.9.5.msysgit.1

Re: [PATCH] SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command cancel

[Yao, Jiewen]

Reviewed-by: Jiewen.yao@intel.com

> -----Original Message-----
> From: Zhang, Chao B
> Sent: Thursday, January 25, 2018 12:54 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Chinnusamy, Rajkumar K
> <rajkumar.k.chinnusamy@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command
> cancel
> 
> Support TPM Command cancel if executing command timeouts. Cancel could
> happen in long running command case
> 
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Cc: Chinnusamy Rajkumar K <rajkumar.k.chinnusamy@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> ---
>  MdePkg/Include/IndustryStandard/TpmTis.h        |  8 +++++--
>  SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 24
> +++++++++++++++++---
>  SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c | 30
> +++++++++++++++++++++----
>  3 files changed, 53 insertions(+), 9 deletions(-)
> 
> diff --git a/MdePkg/Include/IndustryStandard/TpmTis.h
> b/MdePkg/Include/IndustryStandard/TpmTis.h
> index 519fa79..f25ca25 100644
> --- a/MdePkg/Include/IndustryStandard/TpmTis.h
> +++ b/MdePkg/Include/IndustryStandard/TpmTis.h
> @@ -2,7 +2,7 @@
>    TPM Interface Specification definition.
>    It covers both TPM1.2 and TPM2.0.
> 
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be found
> at
> @@ -143,6 +143,10 @@ typedef TIS_PC_REGISTERS
> *TIS_PC_REGISTERS_PTR;
>  #define TIS_PC_ACC_ESTABLISH        BIT0
> 
>  ///
> +/// Write a 1 to this bit to notify TPM to cancel currently executing command
> +///
> +#define TIS_PC_STS_CANCEL           BIT24
> +///
>  /// This field indicates that STS_DATA and STS_EXPECT are valid
>  ///
>  #define TIS_PC_STS_VALID            BIT7
> @@ -180,4 +184,4 @@ typedef TIS_PC_REGISTERS  *TIS_PC_REGISTERS_PTR;
>  #define TIS_TIMEOUT_C               (750  * 1000)  // 750ms
>  #define TIS_TIMEOUT_D               (750  * 1000)  // 750ms
> 
> -#endif
> \ No newline at end of file
> +#endif
> diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
> b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
> index ddd4bd0..d9df264 100644
> --- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
> +++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
> @@ -1,7 +1,7 @@
>  /** @file
>    PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used
> by dTPM2.0 library.
> 
> -Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be found
> at
> @@ -240,8 +240,26 @@ PtpCrbTpmCommand (
>               PTP_TIMEOUT_MAX
>               );
>    if (EFI_ERROR (Status)) {
> -    Status = EFI_DEVICE_ERROR;
> -    goto Exit;
> +    //
> +    // Command Completion check timeout. Cancel the currently executing
> command by writing TPM_CRB_CTRL_CANCEL,
> +    // Expect TPM_RC_CANCELLED or successfully completed response.
> +    //
> +    MmioWrite32((UINTN)&CrbReg->CrbControlCancel,
> PTP_CRB_CONTROL_CANCEL);
> +    Status = PtpCrbWaitRegisterBits (
> +               &CrbReg->CrbControlStart,
> +               0,
> +               PTP_CRB_CONTROL_START,
> +               PTP_TIMEOUT_B
> +               );
> +    MmioWrite32((UINTN)&CrbReg->CrbControlCancel, 0);
> +
> +    if (EFI_ERROR(Status)) {
> +      //
> +      // Still in Command Execution state. Try to goIdle, the behavior is
> agnostic.
> +      //
> +      Status = EFI_DEVICE_ERROR;
> +      goto Exit;
> +    }
>    }
> 
>    //
> diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
> b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
> index 6cd7030..0889162 100644
> --- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
> +++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Tis.c
> @@ -1,7 +1,7 @@
>  /** @file
>    TIS (TPM Interface Specification) functions used by dTPM2.0 library.
> 
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
>  (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
> @@ -295,10 +295,32 @@ Tpm2TisTpmCommand (
>               TIS_TIMEOUT_MAX
>               );
>    if (EFI_ERROR (Status)) {
> -    DEBUG ((DEBUG_ERROR, "Wait for Tpm2 response data time out!!\n"));
> -    Status = EFI_DEVICE_ERROR;
> -    goto Exit;
> +    //
> +    // dataAvail check timeout. Cancel the currently executing command by
> writing commandCancel,
> +    // Expect TPM_RC_CANCELLED or successfully completed response.
> +    //
> +    DEBUG ((DEBUG_ERROR, "Wait for Tpm2 response data time out. Trying to
> cancel the command!!\n"));
> +
> +    MmioWrite32((UINTN)&TisReg->Status, TIS_PC_STS_CANCEL);
> +    Status = TisPcWaitRegisterBits (
> +               &TisReg->Status,
> +               (UINT8) (TIS_PC_VALID | TIS_PC_STS_DATA),
> +               0,
> +               TIS_TIMEOUT_B
> +               );
> +    //
> +    // Do not clear CANCEL bit here bicoz Writes of 0 to this bit are ignored
> +    //
> +    if (EFI_ERROR (Status)) {
> +      //
> +      // Cancel executing command fail to get any response
> +      // Try to abort the command with write of a 1 to commandReady in
> Command Execution state
> +      //
> +      Status = EFI_DEVICE_ERROR;
> +      goto Exit;
> +    }
>    }
> +
>    //
>    // Get response data header
>    //
> --
> 1.9.5.msysgit.1

Re: [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution

[Zhang, Chao B]

Sorry. Made a mistake.  please skip the mail. 

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang, Chao B
Sent: Thursday, January 25, 2018 12:54 PM
To: edk2-devel@lists.01.org
Subject: [edk2] [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution

---
 KabylakePlatSamplePkg/PlatformPkg.dsc       | 13 +++++++++--
 KabylakePlatSamplePkg/PlatformPkg.fdf       | 36 +++++++++++++++--------------
 KabylakePlatSamplePkg/PlatformPkgConfig.dsc |  2 +-
 3 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
 
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
 
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 
+0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 
+0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 
+0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
 [PcdsFixedAtBuild.IA32]
 !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
     <LibraryClasses>
       NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
   }
+  
+  MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf 
+ {  <LibraryClasses>
+    
+ NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRs
+ a2048Sha256GuidedSectionExtractLib.inf
+  }
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE @@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+    # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs
+ a2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRs
+ a2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent  !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  
+$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf
+oChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE @@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif # PcdPubKeyHashBinEnable
+INF 
+MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF 
+$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in
+f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE 
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif # PcdPubKeyHashBinEnable
 !endif # PcdSecureBootEnable
 
 !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE @@ -604,7 +605,7 @@ APRIORI PEI {  !endif
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
+  #INF  
+ $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosIn
+ foChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: 
+ RoyalParkOverrideContent
 !endif
   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 !endif
@@ -619,7 +620,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE -INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  
+$(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInf
+oChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE @@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE  # ROYAL_PARK_PORTING - Porting Required -INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE -FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif
+INF 
+MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress 
+$(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.in
+f #!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE 
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 {  !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
   !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-    SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+    SECTION GUIDED A7717414-C616-4977-9420-844712A735BF 
+ AUTH_STATUS_VALID = TRUE {
       SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
         SECTION FV_IMAGE = FVMAIN2
       }
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {  !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE  !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+  SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID 
+ = TRUE {
        SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
           SECTION FV_IMAGE = FVMAIN
        }
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
   gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
-  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
   gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE             # SI:RestrictedContent
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel