public inbox for devel@edk2.groups.io
* [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot
@ 2021-05-24 17:22 sayanta.pattanayak
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file Sayanta Pattanayak
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: sayanta.pattanayak @ 2021-05-24 17:22 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Sami Mujawar

This patch series adds secure boot support for Arm's reference design
platforms. The first patch refactors the existing StandaloneMM platform
description file and splits it into three different files. This is required
to accommodate the changes in register base addresses in the RD-N2 platform
and the other supported platforms. The second patch adds support for a NOR
flash platform library to be used with the StandaloneMM execution context.
The third patch then enables support for UEFI secure boot for all the
supported reference design platforms.

This patch series should be applied on top of the patch series
https://edk2.groups.io/g/devel/message/75368

Link to github branch with the patches in this series -
https://github.com/SayantaP-arm/edk2-platforms/tree/rd_platform_secure_boot

Sayanta Pattanayak (3):
  Platform/Sgi: refactor StandaloneMM platform description file
  Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib
  Platform/Sgi: enable support for UEFI secure boot

 Platform/ARM/SgiPkg/SgiPlatform.dec           |   1 +
 Platform/ARM/SgiPkg/SgiPlatform.dsc.inc       |  31 +++++
 ...StandaloneMm.dsc => SgiPlatformMm.dsc.inc} |  62 +++++----
 Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc  | 130 ++++--------------
 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc |  55 ++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |   5 +
 Platform/ARM/SgiPkg/SgiPlatform.fdf           |   9 +-
 .../NorFlashLib/StandaloneMmNorFlashLib.inf   |  33 +++++
 .../NorFlashLib/StandaloneMmNorFlashLib.c     |  82 +++++++++++
 9 files changed, 274 insertions(+), 134 deletions(-)
 copy Platform/ARM/SgiPkg/{PlatformStandaloneMm.dsc => SgiPlatformMm.dsc.inc} (73%)
 create mode 100644 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
 create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
 create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c

-- 
2.17.1



* [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file
  2021-05-24 17:22 [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot sayanta.pattanayak
@ 2021-05-24 17:22 ` Sayanta Pattanayak
  2021-05-25 13:57   ` Sami Mujawar
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 2/3] Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib Sayanta Pattanayak
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Sayanta Pattanayak @ 2021-05-24 17:22 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Sami Mujawar

The RD-N2 platform has a different memory map from that of the other
platforms supported under the SgiPkg. To enable the use of StandaloneMM
as a secure partition on the RD-N2 platform, refactor the existing
StandaloneMM platform description file. The differing portions are split
into two different files and the rest of the platform description file
is converted into an include file.

Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
---
 Platform/ARM/SgiPkg/{PlatformStandaloneMm.dsc => SgiPlatformMm.dsc.inc} |  30 +----
 Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc                            | 117 ++------------------
 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc                           |  40 +++++++
 3 files changed, 53 insertions(+), 134 deletions(-)

diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
similarity index 83%
copy from Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
copy to Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
index e281d5490912..3389ff676a91 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
@@ -1,37 +1,16 @@
+## @file
+#  StandaloneMM platform description include file for all supported platforms.
 #
-#  Copyright (c) 2018, ARM Limited. All rights reserved.
+#  Copyright (c) 2021, ARM Limited. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-
-################################################################################
-#
-# Defines Section - statements that will be processed to create a Makefile.
-#
-################################################################################
-[Defines]
-  PLATFORM_NAME                  = SgiMmStandalone
-  PLATFORM_GUID                  = 34B78C8F-CFD5-49D5-8360-E91143F6106D
-  PLATFORM_VERSION               = 1.0
-  DSC_SPECIFICATION              = 0x00010011
-  OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
-  SUPPORTED_ARCHITECTURES        = AARCH64
-  BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
-  SKUID_IDENTIFIER               = DEFAULT
-  FLASH_DEFINITION               = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
-  DEFINE DEBUG_MESSAGE           = TRUE
-
-  # LzmaF86
-  DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
+##
 
 ################################################################################
 #
 # Library Class section - list of all Library Classes needed by this Platform.
 #
 ################################################################################
-
-!include MdePkg/MdeLibs.dsc.inc
-
 [LibraryClasses]
   #
   # Basic
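Review bot: the `## @file` header added at the top of this hunk should state that the include file depends on the including .dsc to provide the [Defines] section and to pull in MdePkg/MdeLibs.dsc.inc first, because both the [Defines] block and the `!include MdePkg/MdeLibs.dsc.inc` line are removed here. A one-line comment such as "Expects [Defines] and MdePkg/MdeLibs.dsc.inc to be provided by the including platform .dsc" saves the next reader from opening both platform files to find out where the base library mappings come from.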
@@ -92,7 +71,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f
 
   ## PL011 - Serial Terminal
-  gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200
 
   gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
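Review bot: removing `gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000` from the include leaves the `## PL011 - Serial Terminal` heading above a single baud-rate line, and makes every including .dsc responsible for supplying the register base. Please add a short comment under that heading saying that PcdSerialRegisterBase is platform specific and set by the including .dsc, so the contract is visible in the file rather than implied by the two callers.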
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
index e281d5490912..cdf8aaa88f03 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -1,8 +1,11 @@
+## @file
+#  StandaloneMM platform description file for SGI-575, RD-N1-Edge, RD-E1-Edge
+#  and RD-V1 platforms.
 #
-#  Copyright (c) 2018, ARM Limited. All rights reserved.
+#  Copyright (c) 2021, ARM Limited. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
-#
+##
 
 ################################################################################
 #
@@ -11,9 +14,9 @@
 ################################################################################
 [Defines]
   PLATFORM_NAME                  = SgiMmStandalone
-  PLATFORM_GUID                  = 34B78C8F-CFD5-49D5-8360-E91143F6106D
+  PLATFORM_GUID                  = 503b97f6-1be9-4661-97fd-9a55bbd2680d
   PLATFORM_VERSION               = 1.0
-  DSC_SPECIFICATION              = 0x00010011
+  DSC_SPECIFICATION              = 0x0001001B
   OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
   SUPPORTED_ARCHITECTURES        = AARCH64
   BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
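Review bot: the bump of DSC_SPECIFICATION from 0x00010011 to 0x0001001B and the new PLATFORM_GUID in this hunk are not covered by the commit message, which describes the change as a pure split into include files. Please add a sentence to the commit message explaining why the specification version is raised (for instance if a directive used in the new layout requires it) and why the GUID is replaced rather than kept, so the change is not mistaken for an accidental edit.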
@@ -24,62 +27,9 @@
   # LzmaF86
   DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
 
-################################################################################
-#
-# Library Class section - list of all Library Classes needed by this Platform.
-#
-################################################################################
-
+# include common definitions.
 !include MdePkg/MdeLibs.dsc.inc
-
-[LibraryClasses]
-  #
-  # Basic
-  #
-  BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
-  BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
-  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
-  DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
-  ExtractGuidedSectionLib|EmbeddedPkg/Library/PrePiExtractGuidedSectionLib/PrePiExtractGuidedSectionLib.inf
-  FvLib|StandaloneMmPkg/Library/FvLib/FvLib.inf
-  HobLib|StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.inf
-  IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
-  MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMemLib.inf
-  MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmCoreMemoryAllocationLib/StandaloneMmCoreMemoryAllocationLib.inf
-  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
-  PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
-  PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
-  ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
-
-  #
-  # Entry point
-  #
-  StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf
-
-  ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
-  StandaloneMmMmuLib|ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.inf
-  ArmSvcLib|ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
-  CacheMaintenanceLib|ArmPkg/Library/ArmCacheMaintenanceLib/ArmCacheMaintenanceLib.inf
-  PeCoffExtraActionLib|StandaloneMmPkg/Library/StandaloneMmPeCoffExtraActionLib/StandaloneMmPeCoffExtraActionLib.inf
-
-  # ARM PL011 UART Driver
-  PL011UartClockLib|ArmPlatformPkg/Library/PL011UartClockLib/PL011UartClockLib.inf
-  PL011UartLib|ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf
-  SerialPortLib|ArmPlatformPkg/Library/PL011SerialPortLib/PL011SerialPortLib.inf
-
-  StandaloneMmCoreEntryPoint|StandaloneMmPkg/Library/StandaloneMmCoreEntryPoint/StandaloneMmCoreEntryPoint.inf
-
-  #
-  # It is not possible to prevent the ARM compiler for generic intrinsic functions.
-  # This library provides the instrinsic functions generate by a given compiler.
-  # And NULL mean link this library into all ARM images.
-  #
-  NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
-
-[LibraryClasses.common.MM_STANDALONE]
-  HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
-  MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
-  MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
+!include Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
 
 ################################################################################
 #
@@ -87,54 +37,5 @@
 #
 ################################################################################
 [PcdsFixedAtBuild]
-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800000CF
-  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xff
-  gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f
-
   ## PL011 - Serial Terminal
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
-  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200
-
-  gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
-
-###################################################################################################
-#
-# Components Section - list of the modules and components that will be processed by compilation
-#                      tools and the EDK II tools to generate PE32/PE32+/Coff image files.
-#
-# Note: The EDK II DSC file is not used to specify how compiled binary images get placed
-#       into firmware volume images. This section is just a list of modules to compile from
-#       source into UEFI-compliant binaries.
-#       It is the FDF file that contains information on combining binary files into firmware
-#       volume images, whose concept is beyond UEFI and is described in PI specification.
-#       Binary modules do not need to be listed in this section, as they should be
-#       specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi),
-#       Logo (Logo.bmp), and etc.
-#       There may also be modules listed in this section that are not required in the FDF file,
-#       When a module listed here is excluded from FDF file, then UEFI-compliant binary will be
-#       generated for it, but the binary will not be put into any firmware volume.
-#
-###################################################################################################
-[Components.common]
-  #
-  # MM Core
-  #
-  StandaloneMmPkg/Core/StandaloneMmCore.inf
-
-[Components.AARCH64]
-  StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
-
-###################################################################################################
-#
-# BuildOptions Section - Define the module specific tool chain flags that should be used as
-#                        the default flags for a module. These flags are appended to any
-#                        standard flags that are defined by the build process. They can be
-#                        applied for any modules or only those modules with the specific
-#                        module style (EDK or EDKII) specified in [Components] section.
-#
-###################################################################################################
-[BuildOptions.AARCH64]
-  GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 -march=armv8-a+nofp
-
-[BuildOptions]
-  *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
new file mode 100644
index 000000000000..bb359a15cc0d
--- /dev/null
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
@@ -0,0 +1,40 @@
+## @file
+#  StandaloneMM platform description file for RD-N2 platforms.
+#
+#  Copyright (c) 2021, ARM Limited. All rights reserved.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+################################################################################
+#
+# Defines Section - statements that will be processed to create a Makefile.
+#
+################################################################################
+[Defines]
+  PLATFORM_NAME                  = SgiMmStandalone
+  PLATFORM_GUID                  = 67309f8a-d278-4df5-86ee-a1826cf481ed
+  PLATFORM_VERSION               = 1.0
+  DSC_SPECIFICATION              = 0x0001001B
+  OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
+  SUPPORTED_ARCHITECTURES        = AARCH64
+  BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
+  SKUID_IDENTIFIER               = DEFAULT
+  FLASH_DEFINITION               = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+  DEFINE DEBUG_MESSAGE           = TRUE
+
+  # LzmaF86
+  DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
+
+# include common definitions.
+!include MdePkg/MdeLibs.dsc.inc
+!include Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
+
+################################################################################
+#
+# Pcd Section - list of all EDK II PCD Entries defined by this Platform
+#
+################################################################################
+[PcdsFixedAtBuild]
+  ## PL011 - Serial Terminal
+  gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
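Review bot: this new RD-N2 description file keeps `PLATFORM_NAME = SgiMmStandalone` and `OUTPUT_DIRECTORY = Build/$(PLATFORM_NAME)` identical to PlatformStandaloneMm.dsc, so building the two platforms in turn writes into the same Build/SgiMmStandalone directory and can pick up stale objects or leave a binary whose origin cannot be told from its path. Consider a distinct PLATFORM_NAME (and therefore output directory) for the RD-N2 build, and a file name that says which platform it targets rather than the suffix "2".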
-- 
2.17.1



* [edk2-platforms][PATCH V1 2/3] Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib
  2021-05-24 17:22 [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot sayanta.pattanayak
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file Sayanta Pattanayak
@ 2021-05-24 17:22 ` Sayanta Pattanayak
  2021-05-25 13:57   ` Sami Mujawar
  2021-05-24 17:23 ` [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot Sayanta Pattanayak
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Sayanta Pattanayak @ 2021-05-24 17:22 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Sami Mujawar

Add the NorFlashPlatformLib library instance that can be linked with
MM_STANDALONE modules that implement a secure variable storage. The
third instance of the NOR flash is used as the non-volatile storage.

Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
---
 Platform/ARM/SgiPkg/SgiPlatform.dec                                 |  1 +
 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++
 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c   | 82 ++++++++++++++++++++
 3 files changed, 116 insertions(+)

diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dec b/Platform/ARM/SgiPkg/SgiPlatform.dec
index 3effd49592ea..af08ed153eae 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dec
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dec
@@ -54,6 +54,7 @@
 
   gArmSgiTokenSpaceGuid.PcdSmcCs0Base|0|UINT64|0x0000000C
   gArmSgiTokenSpaceGuid.PcdSmcCs1Base|0|UINT64|0x0000000D
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0|UINT64|0x00001000
   gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x00000000|UINT64|0x0000000E
   gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0|UINT64|0x0000000F
 
diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
new file mode 100644
index 000000000000..96bbf1e42313
--- /dev/null
+++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
@@ -0,0 +1,33 @@
+## @file
+#  StandaloneMM instance of NOR Flash library.
+#
+#  Copyright (c) 2021, ARM Limited. All rights reserved.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x0001001A
+  BASE_NAME                      = NorFlashMmLib
+  FILE_GUID                      = 2ce22190-b933-4d1e-99ba-8bf1f0768255
+  MODULE_TYPE                    = MM_STANDALONE
+  VERSION_STRING                 = 1.0
+  PI_SPECIFICATION_VERSION       = 0x00010032
+  LIBRARY_CLASS                  = NorFlashPlatformLib
+
+[Sources.common]
+  StandaloneMmNorFlashLib.c
+
+[Packages]
+  ArmPlatformPkg/ArmPlatformPkg.dec
+  MdePkg/MdePkg.dec
+  Platform/ARM/SgiPkg/SgiPlatform.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  IoLib
+
+[FixedPcd]
+  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base
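Review bot: [LibraryClasses] lists BaseLib and DebugLib, but the accompanying source in this patch only calls MmioOr32 (IoLib), FixedPcdGet64 and ARRAY_SIZE. If no BaseLib or DebugLib function is used, drop the two entries and the matching `#include <Library/DebugLib.h>`; if DebugLib is kept for future ASSERTs, say so in a comment. Keeping the dependency list exact matters more in an MM_STANDALONE module, where every extra library is code linked into the secure partition.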
diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
new file mode 100644
index 000000000000..3e5a5612c17e
--- /dev/null
+++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
@@ -0,0 +1,82 @@
+/** @file
+* NOR flash platform library to be used in StandaloneMM context
+*
+* This file provides platform callbacks for the NOR flash module that executes
+* in the StandaloneMM context. The third NOR flash instance of 64MB size on the
+* reference design platform is assigned to be used in the StandaloneMM context.
+*
+* Copyright (c) 2021, ARM Ltd. All rights reserved.
+*
+* SPDX-License-Identifier: BSD-2-Clause-Patent
+*
+**/
+
+#include <Library/DebugLib.h>
+#include <Library/IoLib.h>
+#include <Library/NorFlashPlatformLib.h>
+#include <PiMm.h>
+#include <SgiPlatform.h>
+
+//
+// 64MB NOR flash connected to CS2 is assigned to be used in StandaloneMM
+// context.
+//
+STATIC NOR_FLASH_DESCRIPTION mNorFlashDevices[] = {
+  {
+    // NOR-Flash2 assigned for secure storage.
+    FixedPcdGet64 (PcdSmcCs2Base),
+    FixedPcdGet64 (PcdSmcCs2Base),
+    SIZE_256KB * 256,
+    SIZE_256KB,
+  },
+};
+
+/** Allow access to NOR flash
+
+  On the reference design platforms, the access to NOR flash has to be
+  explicitly permitted by writing to the FLASH_RWEN bit of the SYSPH_SYS_REG
+  register.
+
+  @retval  EFI_SUCCESS  Initialize required to access NOR flash is complete.
+
+**/
+EFI_STATUS
+NorFlashPlatformInitialization (
+  VOID
+  )
+{
+  UINT64 SysRegFlash;
+
+  SysRegFlash = FixedPcdGet64 (PcdSysPeriphSysRegBase) + SGI_SYSPH_SYS_REG_FLASH;
+  MmioOr32 (SysRegFlash, SGI_SYSPH_SYS_REG_FLASH_RWEN);
+  return EFI_SUCCESS;
+}
+
+/** Returns the list of available NOR flash devices
+
+  For the StandaloneMM execution context, return the list of available NOR
+  flash devices that are available for use.
+
+  @param[in]   NorFlashDevices  Pointer to array of NOR flash devices.
+  @param[in]   Count            Number of elements in the NOR flash devices
+                                array.
+
+  @retval  EFI_SUCCESS            Valid set of NOR flash devices is returned.
+  @retval  EFI_INVALID_PARAMETER  Pointers to NOR flash devices and/or count is
+                                  invalid.
+
+**/
+EFI_STATUS
+NorFlashPlatformGetDevices (
+  OUT NOR_FLASH_DESCRIPTION   **NorFlashDevices,
+  OUT UINT32                  *Count
+  )
+{
+  if ((NorFlashDevices == NULL) || (Count == NULL)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  *NorFlashDevices = mNorFlashDevices;
+  *Count = ARRAY_SIZE (mNorFlashDevices);
+  return EFI_SUCCESS;
+}
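Review bot: the doxygen block for NorFlashPlatformGetDevices tags both parameters as `@param[in]`, but they are declared `OUT NOR_FLASH_DESCRIPTION **NorFlashDevices` and `OUT UINT32 *Count` and are written by the function, so they should be `@param[out]`. Two smaller points in the same file: the `@retval EFI_SUCCESS Initialize required to access NOR flash is complete.` line should read "Initialization required", and `SysRegFlash` is passed to MmioOr32, whose address parameter is UINTN, so declaring it UINTN rather than UINT64 matches the API it is used with.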
-- 
2.17.1



* [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-24 17:22 [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot sayanta.pattanayak
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file Sayanta Pattanayak
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 2/3] Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib Sayanta Pattanayak
@ 2021-05-24 17:23 ` Sayanta Pattanayak
  2021-05-25 14:00   ` Sami Mujawar
  2021-06-01 18:09 ` [edk2-devel] [edk2-platforms][PATCH V1 0/3] " Thomas Abraham
  2021-06-02 18:18 ` Sami Mujawar
  4 siblings, 1 reply; 11+ messages in thread
From: Sayanta Pattanayak @ 2021-05-24 17:23 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Sami Mujawar

Enable the use of UEFI secure boot for Arm's Neoverse reference design
platforms. The UEFI authenticated variable store uses NOR flash 2 which
is accessible from Standalone MM context residing in a secure partition.

Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
---
 Platform/ARM/SgiPkg/SgiPlatform.dsc.inc       | 31 +++++++++++++++++++
 Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc     | 32 ++++++++++++++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc  | 15 +++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |  5 +++
 Platform/ARM/SgiPkg/SgiPlatform.fdf           |  9 +++++-
 6 files changed, 106 insertions(+), 1 deletion(-)

diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
index 091de0c99c74..e4aee7a09acf 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
@@ -6,6 +6,14 @@
 
 !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
 
+[Defines]
+  # To allow the use of secure storage, set this to TRUE.
+  DEFINE SECURE_STORAGE_ENABLE              = FALSE
+
+  # To allow the use of UEFI secure boot, set this to TRUE.
+  # Secure boot requires secure storage to be enabled as well.
+  DEFINE SECURE_BOOT_ENABLE                 = FALSE
+
 [BuildOptions]
   *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
 
@@ -22,6 +30,9 @@
   NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.inf
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
 
   # Virtio Support
   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
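Review bot: MmUnblockMemoryLib is mapped only under `SECURE_BOOT_ENABLE`, while the MM-backed variable driver (VariableSmmRuntimeDxe, later in this patch) is selected under `SECURE_STORAGE_ENABLE`. If it is VariableSmmRuntimeDxe that needs this library class, the configuration SECURE_STORAGE_ENABLE=TRUE, SECURE_BOOT_ENABLE=FALSE fails to resolve it; please check which module pulls in MmUnblockMemoryLib and gate the mapping on the same define, or map it unconditionally since the Null instance is harmless.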
@@ -84,6 +95,7 @@
 [PcdsFeatureFlag.common]
   gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE
   gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
 
 [PcdsFixedAtBuild.common]
   gArmTokenSpaceGuid.PcdVFPEnabled|1
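Review bot: `PcdEnableVariableRuntimeCache|FALSE` is set unconditionally, but it only has an effect on the MM-backed variable path that this patch enables under SECURE_STORAGE_ENABLE. Please either gate it on that define or add a comment explaining the choice: with the cache disabled every runtime GetVariable call goes through MM communication into the secure partition, which is the safer default but is a deliberate performance trade-off the next reader should not have to rediscover.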
@@ -230,7 +242,15 @@
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+  }
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!endif
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 
   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
@@ -238,6 +258,9 @@
   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
   MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
       NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
@@ -245,6 +268,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
 
   #
   # ACPI Support
@@ -314,4 +338,11 @@
   #
   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+    <LibraryClasses>
+      NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
+  }
+!else
   ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+!endif
diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
index 3389ff676a91..6839ec35da8a 100644
--- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
@@ -59,6 +59,19 @@
   HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
   MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
   MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
+  TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+  VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+  SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+!endif
 
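Review bot: the RngLib mapping in this hunk is `BaseRngLibTimerLib`, which derives its values from TimerLib's performance counter, while TimerLib in the same hunk is `BaseTimerLibNullTemplate`. Please verify that this combination yields any entropy at all inside the secure partition; if the Null template returns a constant, the random numbers feeding OpensslLib in the authenticated-variable path are predictable. For a reference design a comment flagging the limitation may be enough, but product firmware should map RngLib to an instance backed by a hardware entropy source.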
 ################################################################################
 #
@@ -75,6 +88,12 @@
 
   gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
 
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
+
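Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE`, together with the PlatformSecureLibNull mapping earlier in this file, makes the secure variable driver report the user as always physically present. That is what allows the platform key to be enrolled, replaced or cleared from the setup menu without a signed update, so it removes the main protection secure boot gives against a local attacker rewriting the key hierarchy. This is reasonable for a reference design, but please say so in the commit message and note that product firmware needs a real physical-presence check behind PlatformSecureLib rather than the Null instance with this PCD forced to TRUE.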
 ###################################################################################################
 #
 # Components Section - list of the modules and components that will be processed by compilation
@@ -101,6 +120,19 @@
 
 [Components.AARCH64]
   StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
+    <LibraryClasses>
+      DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+      NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
+      NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
+      BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+      VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
+      VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+  }
+!endif
 
 ###################################################################################################
 #
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
index cdf8aaa88f03..2cb4895cfcff 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -39,3 +39,18 @@
 [PcdsFixedAtBuild]
   ## PL011 - Serial Terminal
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ##Secure NOR Flash 2
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000
+
+  ##Secure Variable Storage in NOR Flash 2
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
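Review bot: the two `##Secure ...` comment lines in this hunk lack the space after `##` that the existing `## PL011 - Serial Terminal` line in the context uses; please write `## Secure NOR Flash 2` and `## Secure Variable Storage in NOR Flash 2` for consistency. The layout itself reads correctly: three contiguous 1 MB regions from the start of the CS2 device, with the FTW spare region equal in size to the variable store as the fault tolerant write driver requires.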
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
index bb359a15cc0d..46c2ae3529d1 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
@@ -38,3 +38,18 @@
 [PcdsFixedAtBuild]
   ## PL011 - Serial Terminal
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ##Secure NOR Flash 2
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000
+
+  ##Secure Variable Storage in NOR Flash 2
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x1054100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
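Review bot: this file uses the `PcdFlashNvStorageVariableBase64`, `PcdFlashNvStorageFtwWorkingBase64` and `PcdFlashNvStorageFtwSpareBase64` PCDs because the RD-N2 addresses exceed 32 bits, whereas the matching hunk in PlatformStandaloneMm.dsc sets the 32-bit `PcdFlashNvStorageVariableBase` family. Consider using the 64-bit PCDs in both platform files so the two differ only in values, and please confirm that NorFlashStandaloneMm and FaultTolerantWriteStandaloneMm honour the Base64 variants; a driver that reads only the 32-bit PCD would see a zero base on RD-N2. The same `##Secure` spacing point applies to the two comment lines here.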
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
index 5a0772cd8522..474c9c0ce764 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
@@ -49,6 +49,11 @@ READ_LOCK_CAP      = TRUE
 READ_LOCK_STATUS   = TRUE
 
   INF StandaloneMmPkg/Core/StandaloneMmCore.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+!endif
   INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
 
 ################################################################################
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
index e11d943d6efc..d94e4633e36c 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
+++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
@@ -90,10 +90,17 @@ READ_LOCK_STATUS   = TRUE
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
   INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
-  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
+  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
 
   #
   # ACPI Support
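Review bot: nothing enforces the stated rule that secure boot requires secure storage, so the separate `!if $(SECURE_BOOT_ENABLE) == TRUE` and `!if $(SECURE_STORAGE_ENABLE) == TRUE` guards in this hunk allow a build with SECURE_BOOT_ENABLE=TRUE and SECURE_STORAGE_ENABLE=FALSE, in which SecureBootConfigDxe is added to the FV while variable services still come from the `!else` branch (FaultTolerantWriteDxe plus VariableRuntimeDxe in the normal world) rather than from the MM-hosted store; the PK/KEK/db variables that image verification depends on would then not be protected by the secure partition. Suggest a build-time check next to the DEFINEs, for example `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURE_STORAGE_ENABLE) == FALSE` followed by `!error "SECURE_BOOT_ENABLE requires SECURE_STORAGE_ENABLE"`, so the unsupported combination fails to build instead of producing a firmware that looks secure-boot enabled.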
-- 
2.17.1



* Re: [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 1/3] Platform/Sgi: refactor StandaloneMM platform description file Sayanta Pattanayak
@ 2021-05-25 13:57   ` Sami Mujawar
  0 siblings, 0 replies; 11+ messages in thread
From: Sami Mujawar @ 2021-05-25 13:57 UTC (permalink / raw)
  To: Sayanta Pattanayak, devel; +Cc: Ard Biesheuvel, nd

Hi Sayanta,

This patch looks good to me.

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


On 24/05/2021 06:22 PM, Sayanta Pattanayak wrote:
> The RD-N2 platform has a different memory map from that of the other
> platforms supported under the SgiPkg. To enable the use of StandaloneMM
> as a secure partition on RD-N2 platform, refactor the existing
> StandaloneMM platform description file. The differing portions are split
> into two different files and the rest of the  platform description file
> is converted into a include file.
>
> Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
> ---
>   Platform/ARM/SgiPkg/{PlatformStandaloneMm.dsc => SgiPlatformMm.dsc.inc} |  30 +----
>   Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc                            | 117 ++------------------
>   Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc                           |  40 +++++++
>   3 files changed, 53 insertions(+), 134 deletions(-)
>
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> similarity index 83%
> copy from Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> copy to Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> index e281d5490912..3389ff676a91 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> +++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> @@ -1,37 +1,16 @@
> +## @file
> +#  StandaloneMM platform description include file for all supported platforms.
>   #
> -#  Copyright (c) 2018, ARM Limited. All rights reserved.
> +#  Copyright (c) 2021, ARM Limited. All rights reserved.
>   #
>   #  SPDX-License-Identifier: BSD-2-Clause-Patent
> -#
> -
> -################################################################################
> -#
> -# Defines Section - statements that will be processed to create a Makefile.
> -#
> -################################################################################
> -[Defines]
> -  PLATFORM_NAME                  = SgiMmStandalone
> -  PLATFORM_GUID                  = 34B78C8F-CFD5-49D5-8360-E91143F6106D
> -  PLATFORM_VERSION               = 1.0
> -  DSC_SPECIFICATION              = 0x00010011
> -  OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
> -  SUPPORTED_ARCHITECTURES        = AARCH64
> -  BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
> -  SKUID_IDENTIFIER               = DEFAULT
> -  FLASH_DEFINITION               = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> -  DEFINE DEBUG_MESSAGE           = TRUE
> -
> -  # LzmaF86
> -  DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
> +##
>   
>   ################################################################################
>   #
>   # Library Class section - list of all Library Classes needed by this Platform.
>   #
>   ################################################################################
> -
> -!include MdePkg/MdeLibs.dsc.inc
> -
>   [LibraryClasses]
>     #
>     # Basic
> @@ -92,7 +71,6 @@
>     gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f
>   
>     ## PL011 - Serial Terminal
> -  gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
>     gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200
>   
>     gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> index e281d5490912..cdf8aaa88f03 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> @@ -1,8 +1,11 @@
> +## @file
> +#  StandaloneMM platform description file for SGI-575, RD-N1-Edge, RD-E1-Edge
> +#  and RD-V1 platforms.
>   #
> -#  Copyright (c) 2018, ARM Limited. All rights reserved.
> +#  Copyright (c) 2021, ARM Limited. All rights reserved.
>   #
>   #  SPDX-License-Identifier: BSD-2-Clause-Patent
> -#
> +##
>   
>   ################################################################################
>   #
> @@ -11,9 +14,9 @@
>   ################################################################################
>   [Defines]
>     PLATFORM_NAME                  = SgiMmStandalone
> -  PLATFORM_GUID                  = 34B78C8F-CFD5-49D5-8360-E91143F6106D
> +  PLATFORM_GUID                  = 503b97f6-1be9-4661-97fd-9a55bbd2680d
>     PLATFORM_VERSION               = 1.0
> -  DSC_SPECIFICATION              = 0x00010011
> +  DSC_SPECIFICATION              = 0x0001001B
>     OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
>     SUPPORTED_ARCHITECTURES        = AARCH64
>     BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
> @@ -24,62 +27,9 @@
>     # LzmaF86
>     DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
>   
> -################################################################################
> -#
> -# Library Class section - list of all Library Classes needed by this Platform.
> -#
> -################################################################################
> -
> +# include common definitions.
>   !include MdePkg/MdeLibs.dsc.inc
> -
> -[LibraryClasses]
> -  #
> -  # Basic
> -  #
> -  BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
> -  BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
> -  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
> -  DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
> -  ExtractGuidedSectionLib|EmbeddedPkg/Library/PrePiExtractGuidedSectionLib/PrePiExtractGuidedSectionLib.inf
> -  FvLib|StandaloneMmPkg/Library/FvLib/FvLib.inf
> -  HobLib|StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.inf
> -  IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
> -  MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMemLib.inf
> -  MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmCoreMemoryAllocationLib/StandaloneMmCoreMemoryAllocationLib.inf
> -  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
> -  PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
> -  PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
> -  ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
> -
> -  #
> -  # Entry point
> -  #
> -  StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf
> -
> -  ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
> -  StandaloneMmMmuLib|ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.inf
> -  ArmSvcLib|ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
> -  CacheMaintenanceLib|ArmPkg/Library/ArmCacheMaintenanceLib/ArmCacheMaintenanceLib.inf
> -  PeCoffExtraActionLib|StandaloneMmPkg/Library/StandaloneMmPeCoffExtraActionLib/StandaloneMmPeCoffExtraActionLib.inf
> -
> -  # ARM PL011 UART Driver
> -  PL011UartClockLib|ArmPlatformPkg/Library/PL011UartClockLib/PL011UartClockLib.inf
> -  PL011UartLib|ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf
> -  SerialPortLib|ArmPlatformPkg/Library/PL011SerialPortLib/PL011SerialPortLib.inf
> -
> -  StandaloneMmCoreEntryPoint|StandaloneMmPkg/Library/StandaloneMmCoreEntryPoint/StandaloneMmCoreEntryPoint.inf
> -
> -  #
> -  # It is not possible to prevent the ARM compiler for generic intrinsic functions.
> -  # This library provides the instrinsic functions generate by a given compiler.
> -  # And NULL mean link this library into all ARM images.
> -  #
> -  NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
> -
> -[LibraryClasses.common.MM_STANDALONE]
> -  HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
> -  MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
> -  MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
> +!include Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
>   
>   ################################################################################
>   #
> @@ -87,54 +37,5 @@
>   #
>   ################################################################################
>   [PcdsFixedAtBuild]
> -  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800000CF
> -  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xff
> -  gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f
> -
>     ## PL011 - Serial Terminal
>     gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
> -  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200
> -
> -  gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
> -
> -###################################################################################################
> -#
> -# Components Section - list of the modules and components that will be processed by compilation
> -#                      tools and the EDK II tools to generate PE32/PE32+/Coff image files.
> -#
> -# Note: The EDK II DSC file is not used to specify how compiled binary images get placed
> -#       into firmware volume images. This section is just a list of modules to compile from
> -#       source into UEFI-compliant binaries.
> -#       It is the FDF file that contains information on combining binary files into firmware
> -#       volume images, whose concept is beyond UEFI and is described in PI specification.
> -#       Binary modules do not need to be listed in this section, as they should be
> -#       specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi),
> -#       Logo (Logo.bmp), and etc.
> -#       There may also be modules listed in this section that are not required in the FDF file,
> -#       When a module listed here is excluded from FDF file, then UEFI-compliant binary will be
> -#       generated for it, but the binary will not be put into any firmware volume.
> -#
> -###################################################################################################
> -[Components.common]
> -  #
> -  # MM Core
> -  #
> -  StandaloneMmPkg/Core/StandaloneMmCore.inf
> -
> -[Components.AARCH64]
> -  StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
> -
> -###################################################################################################
> -#
> -# BuildOptions Section - Define the module specific tool chain flags that should be used as
> -#                        the default flags for a module. These flags are appended to any
> -#                        standard flags that are defined by the build process. They can be
> -#                        applied for any modules or only those modules with the specific
> -#                        module style (EDK or EDKII) specified in [Components] section.
> -#
> -###################################################################################################
> -[BuildOptions.AARCH64]
> -  GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 -march=armv8-a+nofp
> -
> -[BuildOptions]
> -  *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
> new file mode 100644
> index 000000000000..bb359a15cc0d
> --- /dev/null
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
> @@ -0,0 +1,40 @@
> +## @file
> +#  StandaloneMM platform description file for RD-N2 platforms.
> +#
> +#  Copyright (c) 2021, ARM Limited. All rights reserved.
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +################################################################################
> +#
> +# Defines Section - statements that will be processed to create a Makefile.
> +#
> +################################################################################
> +[Defines]
> +  PLATFORM_NAME                  = SgiMmStandalone
> +  PLATFORM_GUID                  = 67309f8a-d278-4df5-86ee-a1826cf481ed
> +  PLATFORM_VERSION               = 1.0
> +  DSC_SPECIFICATION              = 0x0001001B
> +  OUTPUT_DIRECTORY               = Build/$(PLATFORM_NAME)
> +  SUPPORTED_ARCHITECTURES        = AARCH64
> +  BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
> +  SKUID_IDENTIFIER               = DEFAULT
> +  FLASH_DEFINITION               = Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> +  DEFINE DEBUG_MESSAGE           = TRUE
> +
> +  # LzmaF86
> +  DEFINE COMPRESSION_TOOL_GUID   = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
> +
> +# include common definitions.
> +!include MdePkg/MdeLibs.dsc.inc
> +!include Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> +
> +################################################################################
> +#
> +# Pcd Section - list of all EDK II PCD Entries defined by this Platform
> +#
> +################################################################################
> +[PcdsFixedAtBuild]
> +  ## PL011 - Serial Terminal
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
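Review bot: the `[Defines]` block of the new PlatformStandaloneMm2.dsc reuses `PLATFORM_NAME = SgiMmStandalone` from PlatformStandaloneMm.dsc, and both files set `OUTPUT_DIRECTORY = Build/$(PLATFORM_NAME)`, so the RD-N2 StandaloneMM build and the SGI-575/RD-N1-Edge/RD-E1-Edge/RD-V1 build write to the same directory and overwrite each other's artefacts when both are built in one workspace. Suggest a distinct name for the RD-N2 description, e.g. `PLATFORM_NAME = SgiMmStandalone2`, or an explicit per-platform OUTPUT_DIRECTORY.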



* Re: [edk2-platforms][PATCH V1 2/3] Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib
  2021-05-24 17:22 ` [edk2-platforms][PATCH V1 2/3] Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib Sayanta Pattanayak
@ 2021-05-25 13:57   ` Sami Mujawar
  0 siblings, 0 replies; 11+ messages in thread
From: Sami Mujawar @ 2021-05-25 13:57 UTC (permalink / raw)
  To: Sayanta Pattanayak, devel; +Cc: Ard Biesheuvel, nd

Hi Sayanta,

I have a minor suggestion marked inline as [SAMI].

Otherwise this patch looks good to me.

With that addressed.

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar

On 24/05/2021 06:22 PM, Sayanta Pattanayak wrote:
> Add the NorFlashPlatformLib library instance that can be linked with
> MM_STANDALONE modules that implement a secure variable storage. The
> third instance of the NOR flash is used as the non-volatile storage.
>
> Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
> ---
>   Platform/ARM/SgiPkg/SgiPlatform.dec                                 |  1 +
>   Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf | 33 ++++++++
>   Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c   | 82 ++++++++++++++++++++
>   3 files changed, 116 insertions(+)
>
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dec b/Platform/ARM/SgiPkg/SgiPlatform.dec
> index 3effd49592ea..af08ed153eae 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.dec
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.dec
> @@ -54,6 +54,7 @@
>   
>     gArmSgiTokenSpaceGuid.PcdSmcCs0Base|0|UINT64|0x0000000C
>     gArmSgiTokenSpaceGuid.PcdSmcCs1Base|0|UINT64|0x0000000D
> +  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0|UINT64|0x00001000
>     gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x00000000|UINT64|0x0000000E
>     gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0|UINT64|0x0000000F
>   
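Review bot: the token number of the new PCD, `gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0|UINT64|0x00001000`, breaks the sequence of its neighbours (0x0000000C and 0x0000000D for Cs0/Cs1 immediately above, 0x0000000E and 0x0000000F immediately below). If 0x1000 was chosen to avoid a collision with a token already allocated elsewhere in SgiPlatform.dec, a short comment saying so would stop a later contributor from "fixing" it; otherwise the next free token in the existing range would be more consistent.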
> diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> new file mode 100644
> index 000000000000..96bbf1e42313
> --- /dev/null
> +++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> @@ -0,0 +1,33 @@
> +## @file
> +#  StandaloneMM instance of NOR Flash library.
> +#
> +#  Copyright (c) 2021, ARM Limited. All rights reserved.
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x0001001A
> +  BASE_NAME                      = NorFlashMmLib
> +  FILE_GUID                      = 2ce22190-b933-4d1e-99ba-8bf1f0768255
> +  MODULE_TYPE                    = MM_STANDALONE
> +  VERSION_STRING                 = 1.0
> +  PI_SPECIFICATION_VERSION       = 0x00010032
> +  LIBRARY_CLASS                  = NorFlashPlatformLib
> +
> +[Sources.common]
> +  StandaloneMmNorFlashLib.c
> +
> +[Packages]
> +  ArmPlatformPkg/ArmPlatformPkg.dec
> +  MdePkg/MdePkg.dec
> +  Platform/ARM/SgiPkg/SgiPlatform.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  DebugLib
> +  IoLib
> +
> +[FixedPcd]
> +  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase
> +  gArmSgiTokenSpaceGuid.PcdSmcCs2Base
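Review bot: `[LibraryClasses]` lists BaseLib and DebugLib, but the accompanying StandaloneMmNorFlashLib.c only calls MmioOr32 (IoLib) and FixedPcdGet64, so those two entries and the `#include <Library/DebugLib.h>` in the source appear unused; either drop them or add the DEBUG/ASSERT calls that justify them (for example an ASSERT that the PCD bases are non-zero). The `[Packages]` and `[FixedPcd]` sections match what the code consumes.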
> diff --git a/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
> new file mode 100644
> index 000000000000..3e5a5612c17e
> --- /dev/null
> +++ b/Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
> @@ -0,0 +1,82 @@
> +/** @file
> +* NOR flash platform library to be used in StandaloneMM context
> +*
> +* This file provides platform callbacks for the NOR flash module that executes
> +* in the StandaloneMM context. The third NOR flash instance of 64MB size on the
> +* reference design platform is assigned to be used in the StandaloneMM context.
> +*
> +* Copyright (c) 2021, ARM Ltd. All rights reserved.
> +*
> +* SPDX-License-Identifier: BSD-2-Clause-Patent
> +*
> +**/
> +
> +#include <Library/DebugLib.h>
> +#include <Library/IoLib.h>
> +#include <Library/NorFlashPlatformLib.h>
> +#include <PiMm.h>
> +#include <SgiPlatform.h>
> +
> +//
> +// 64MB NOR flash connected to CS2 is assigned to be used in StandaloneMM
> +// context.
> +//
> +STATIC NOR_FLASH_DESCRIPTION mNorFlashDevices[] = {
[SAMI] Minor - Can we add the CONST qualifier?
> +  {
> +    // NOR-Flash2 assigned for secure storage.
> +    FixedPcdGet64 (PcdSmcCs2Base),
> +    FixedPcdGet64 (PcdSmcCs2Base),
> +    SIZE_256KB * 256,
> +    SIZE_256KB,
> +  },
> +};
> +
> +/** Allow access to NOR flash
> +
> +  On the reference design platforms, the access to NOR flash has to be
> +  explicitly permitted by writing to the FLASH_RWEN bit of the SYSPH_SYS_REG
> +  register.
> +
> +  @retval  EFI_SUCCESS  Initialize required to access NOR flash is complete.
> +
> +**/
> +EFI_STATUS
> +NorFlashPlatformInitialization (
> +  VOID
> +  )
> +{
> +  UINT64 SysRegFlash;
> +
> +  SysRegFlash = FixedPcdGet64 (PcdSysPeriphSysRegBase) + SGI_SYSPH_SYS_REG_FLASH;
> +  MmioOr32 (SysRegFlash, SGI_SYSPH_SYS_REG_FLASH_RWEN);
> +  return EFI_SUCCESS;
> +}
> +
> +/** Returns the list of available NOR flash devices
> +
> +  For the StandaloneMM execution context, return the list of available NOR
> +  flash devices that are available for use.
> +
> +  @param[in]   NorFlashDevices  Pointer to array of NOR flash devices.
> +  @param[in]   Count            Number of elements in the NOR flash devices
> +                                array.
> +
> +  @retval  EFI_SUCCESS            Valid set of NOR flash devices is returned.
> +  @retval  EFI_INVALID_PARAMETER  Pointers to NOR flash devices and/or count is
> +                                  invalid.
> +
> +**/
> +EFI_STATUS
> +NorFlashPlatformGetDevices (
> +  OUT NOR_FLASH_DESCRIPTION   **NorFlashDevices,
> +  OUT UINT32                  *Count
> +  )
> +{
> +  if ((NorFlashDevices == NULL) || (Count == NULL)) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  *NorFlashDevices = mNorFlashDevices;
> +  *Count = ARRAY_SIZE (mNorFlashDevices);
> +  return EFI_SUCCESS;
> +}
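Review bot: the doxygen block of NorFlashPlatformGetDevices tags both parameters as `@param[in]`, but the prototype declares `OUT NOR_FLASH_DESCRIPTION **NorFlashDevices` and `OUT UINT32 *Count` and the body writes through both; the tags should be `@param[out]`. Two smaller points: the line `@retval  EFI_SUCCESS  Initialize required to access NOR flash is complete.` in NorFlashPlatformInitialization reads better as "Initialization required ...", and since MmioOr32 takes a UINTN address, `UINT64 SysRegFlash` could be declared UINTN to match the IoLib signature (same width on AArch64, but it documents the intent).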



* Re: [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-24 17:23 ` [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot Sayanta Pattanayak
@ 2021-05-25 14:00   ` Sami Mujawar
  2021-05-26 18:15     ` Sayanta Pattanayak
  0 siblings, 1 reply; 11+ messages in thread
From: Sami Mujawar @ 2021-05-25 14:00 UTC (permalink / raw)
  To: Sayanta Pattanayak, devel; +Cc: Ard Biesheuvel, nd

Hi Sayanta,

Thank you for this patch.

Please find my response inline marked [SAMI].

Regards,

Sami Mujawar

On 24/05/2021 06:23 PM, Sayanta Pattanayak wrote:
> Enable the use of UEFI secure boot for Arm's Neoverse reference design
> platforms. The UEFI authenticated variable store uses NOR flash 2 which
> is accessible from Standalone MM context residing in a secure partition.
>
> Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
> ---
>   Platform/ARM/SgiPkg/SgiPlatform.dsc.inc       | 31 +++++++++++++++++++
>   Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc     | 32 ++++++++++++++++++++
>   Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc  | 15 +++++++++
>   Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
>   Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |  5 +++
>   Platform/ARM/SgiPkg/SgiPlatform.fdf           |  9 +++++-
>   6 files changed, 106 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> index 091de0c99c74..e4aee7a09acf 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
> @@ -6,6 +6,14 @@
>   
>   !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
>   
> +[Defines]
> +  # To allow the use of secure storage, set this to TRUE.
> +  DEFINE SECURE_STORAGE_ENABLE              = FALSE
> +
> +  # To allow the use of UEFI secure boot, set this to TRUE.
> +  # Secure boot requires secure storage to be enabled as well.
> +  DEFINE SECURE_BOOT_ENABLE                 = FALSE
> +
>   [BuildOptions]
>     *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
>   
> @@ -22,6 +30,9 @@
>     NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.inf
>     HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>     TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
> +!endif
>   
>     # Virtio Support
>     VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
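Review bot: the `!if $(SECURE_BOOT_ENABLE) == TRUE` guard around `MmUnblockMemoryLib|...MmUnblockMemoryLibNull.inf` looks mismatched with its consumer: the module this series adds under SECURE_STORAGE_ENABLE is VariableSmmRuntimeDxe, and if that is the module that pulls in MmUnblockMemoryLib, a build with SECURE_STORAGE_ENABLE=TRUE and SECURE_BOOT_ENABLE=FALSE will fail to resolve the library class. Please verify which module needs it and gate on that define, or resolve it unconditionally since the Null instance costs nothing.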
> @@ -84,6 +95,7 @@
>   [PcdsFeatureFlag.common]
>     gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE
>     gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
>   
>   [PcdsFixedAtBuild.common]
>     gArmTokenSpaceGuid.PcdVFPEnabled|1
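Review bot: `gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE` is set unconditionally and without explanation, although as far as I can see it only changes the behaviour of VariableSmmRuntimeDxe, which this series includes only under SECURE_STORAGE_ENABLE. A one-line comment on why the runtime variable cache is disabled for the MM-backed store, and optionally the same `!if` guard as the module, would help the next reader.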
> @@ -230,7 +242,15 @@
>     MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
>     MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>     MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> +    <LibraryClasses>
> +      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +  }
> +  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +!else
>     MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> +!endif
>     OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
>   
>     MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
> @@ -238,6 +258,9 @@
>     MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
>     MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
>     MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> +!else
>     MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
>       <LibraryClasses>
>         NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> @@ -245,6 +268,7 @@
>         BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
>     }
>     MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> +!endif
>   
>     #
>     # ACPI Support
> @@ -314,4 +338,11 @@
>     #
>     MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
>   
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
> +    <LibraryClasses>
> +      NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
> +  }
> +!else
>     ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
> +!endif
> diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> index 3389ff676a91..6839ec35da8a 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> +++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> @@ -59,6 +59,19 @@
>     HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
>     MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
>     MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +  NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
[SAMI] There is a recent patch series that adds ARMv8.5 FEAT_RNG support
to BaseRngLib, see
https://github.com/tianocore/edk2/commit/9301e5644cef5a5234f71b178373dd508cabb9ee.
Can this be used instead of BaseRngLibTimerLib? BaseRngLibTimerLib is
for non-production use so it would be good to avoid.
Indeed, this would require that Sgi platforms are ARMv8.5 or above. If
not, then can we conditionally use BaseRngLibTimerLib for platforms that
do not support FEAT_RNG?
[/SAMI]
> +  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
> +  SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
> +  TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
> +  VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> +  SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
> +!endif
>   
>   ################################################################################
>   #
> @@ -75,6 +88,12 @@
>   
>     gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
>   
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
> +  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
> +!endif
> +
>   ###################################################################################################
>   #
>   # Components Section - list of the modules and components that will be processed by compilation
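Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE`, together with the `PlatformSecureLib|...PlatformSecureLibNull.inf` selection in the previous hunk, deserves a justification in the commit message or a comment here. If the Null instance reports physical presence unconditionally (as its name suggests), the operations the authenticated variable library guards with a physical-presence check, such as entering custom mode and then rewriting the secure boot key databases without a signed payload, become available to any caller that can set variables once the OS is running, which weakens the guarantee the MM-hosted store is meant to provide. That may be acceptable for reference platforms, but it should be stated, and a platform PlatformSecureLib that derives presence from a real signal (or reports FALSE outside firmware setup) would be the production-grade choice.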
> @@ -101,6 +120,19 @@
>   
>   [Components.AARCH64]
>     StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> +  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> +  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
> +    <LibraryClasses>
> +      DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
> +      NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> +      NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
> +      BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
> +      VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> +      VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
> +  }
> +!endif
>   
>   ###################################################################################################
>   #
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> index cdf8aaa88f03..2cb4895cfcff 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
> @@ -39,3 +39,18 @@
>   [PcdsFixedAtBuild]
>     ## PL011 - Serial Terminal
>     gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
> +
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  ##Secure NOR Flash 2
> +  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000
> +  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000
> +  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000
> +
> +  ##Secure Variable Storage in NOR Flash 2
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
> +!endif
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
> index bb359a15cc0d..46c2ae3529d1 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
> @@ -38,3 +38,18 @@
>   [PcdsFixedAtBuild]
>     ## PL011 - Serial Terminal
>     gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
> +
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  ##Secure NOR Flash 2
> +  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000
> +  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000
> +  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000
> +
> +  ##Secure Variable Storage in NOR Flash 2
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x1054100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
> +!endif
> diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> index 5a0772cd8522..474c9c0ce764 100644
> --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
> @@ -49,6 +49,11 @@ READ_LOCK_CAP      = TRUE
>   READ_LOCK_STATUS   = TRUE
>   
>     INF StandaloneMmPkg/Core/StandaloneMmCore.inf
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
> +  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
> +  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> +!endif
>     INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
>   
>   ################################################################################
> diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> index e11d943d6efc..d94e4633e36c 100644
> --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
> +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
> @@ -90,10 +90,17 @@ READ_LOCK_STATUS   = TRUE
>     INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
>     INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
>     INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> -  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>     INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>     INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +!endif
> +!if $(SECURE_STORAGE_ENABLE) == TRUE
> +  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
> +!else
> +  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>     INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> +!endif
>   
>     #
>     # ACPI Support
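Review bot: the `!if $(SECURE_BOOT_ENABLE)` and `!if $(SECURE_STORAGE_ENABLE)` guards are independent, so a build with `SECURE_BOOT_ENABLE=TRUE` and `SECURE_STORAGE_ENABLE=FALSE` gets SecureBootConfigDxe together with the `!else` branch's normal-world VariableRuntimeDxe and FaultTolerantWriteDxe, leaving PK/KEK/db/dbx in a store that is not served from the secure partition. Suggest either making `SECURE_BOOT_ENABLE` imply `SECURE_STORAGE_ENABLE` in the dsc or rejecting that combination at build time with an `!error`, so the secure boot configuration cannot be built against the unprotected variable store.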



* Re: [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-25 14:00   ` Sami Mujawar
@ 2021-05-26 18:15     ` Sayanta Pattanayak
  2021-05-26 18:20       ` Sami Mujawar
  0 siblings, 1 reply; 11+ messages in thread
From: Sayanta Pattanayak @ 2021-05-26 18:15 UTC (permalink / raw)
  To: Sami Mujawar, devel@edk2.groups.io; +Cc: Ard Biesheuvel, nd

Hi Sami,

Thanks for the review and suggestion. Please find my reply inline.

> 
> Hi Sayanta,
> 
> Thank you for this patch.
> 
> Please find my response inline marked [SAMI].
> 
> Regards,
> 
> Sami Mujawar
> 
> On 24/05/2021 06:23 PM, Sayanta Pattanayak wrote:
> > Enable the use of UEFI secure boot for Arm's Neoverse reference design
> > platforms. The UEFI authenticated variable store uses NOR flash 2
> > which is accessible from Standalone MM context residing in a secure
> partition.
> >
> > Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
> > ---
> >   Platform/ARM/SgiPkg/SgiPlatform.dsc.inc       | 31
> +++++++++++++++++++
> >   Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc     | 32
> ++++++++++++++++++++
> >   Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc  | 15 +++++++++
> >   Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
> >   Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |  5 +++
> >   Platform/ARM/SgiPkg/SgiPlatform.fdf           |  9 +++++-
> >   6 files changed, 106 insertions(+), 1 deletion(-)
> >

<...>

> >     ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
> > +!endif
> > diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> > b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> > index 3389ff676a91..6839ec35da8a 100644
> > --- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> > +++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
> > @@ -59,6 +59,19 @@
> >
> HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmH
> obLib.inf
> >
> MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Stan
> daloneMmServicesTableLib.inf
> >
> >
> MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAll
> ocati
> > onLib/StandaloneMmMemoryAllocationLib.inf
> > +!if $(SECURE_STORAGE_ENABLE) == TRUE
> > +
> > +AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.i
> > +nf
> > +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > +  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> > +
> >
> +NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/Standalon
> > +eMmNorFlashLib.inf
> > +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
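Review bot: `OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf` pulls the full OpenSSL build, including the TLS sources, into the StandaloneMM image, while AuthVariableLib only needs the crypto side (PKCS#7 verification and hashing). CryptoPkg also ships `CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf`, which omits the ssl sources and would keep the secure partition image smaller; worth checking that the SmmCryptLib instance of BaseCryptLib links cleanly against it.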
> [SAMI] There is a recent patch series that adds ARMv8.5 FEAT_RNG support
> to BaseRngLib
>   see
> https://github.com/tianocore/edk2/commit/9301e5644cef5a5234f71b178373
> dd508cabb9ee.
> Can this be used instead of BaseRngLibTimerLib? BaseRngLibTimerLib is for
> non-production use so it would be good to avoid.
> Indeed, this would require that Sgi platforms are ARMv8.5 or above. If not,
> then can we conditionally use BaseRngLibTimerLib for platforms that do not
> support FEAT_RNG.
> [/SAMI]

Current SGI platforms with secure boot are pre-ARMv8.5. For ARMv8.5 and above SGI platforms, we will follow the conditional approach.

Regards,
Sayanta

<...>


* Re: [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-26 18:15     ` Sayanta Pattanayak
@ 2021-05-26 18:20       ` Sami Mujawar
  0 siblings, 0 replies; 11+ messages in thread
From: Sami Mujawar @ 2021-05-26 18:20 UTC (permalink / raw)
  To: Sayanta Pattanayak, devel@edk2.groups.io; +Cc: Ard Biesheuvel, nd


Hi Sayanta,

Thanks for confirming.

With that.

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar



* Re: [edk2-devel] [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-24 17:22 [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot sayanta.pattanayak
                   ` (2 preceding siblings ...)
  2021-05-24 17:23 ` [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot Sayanta Pattanayak
@ 2021-06-01 18:09 ` Thomas Abraham
  2021-06-02 18:18 ` Sami Mujawar
  4 siblings, 0 replies; 11+ messages in thread
From: Thomas Abraham @ 2021-06-01 18:09 UTC (permalink / raw)
  To: devel@edk2.groups.io, Sayanta Pattanayak; +Cc: Ard Biesheuvel, Sami Mujawar


On 5/24/21 10:52 PM, Sayanta Pattanayak via groups.io wrote:
> This patch series adds secure boot support for Arm's reference design
> platforms. The first patch refactors the existing StandaloneMM platform
> description file and splits it into three different files. This is required
> to accommodate the changed register base addresses in the RD-N2 platform and
> the other supported platforms. The second patch adds support for a NOR flash
> platform library to be used with the StandaloneMM execution context. The
> third patch then enables support for UEFI secure boot for all the
> supported reference design platforms.
>
> This patch series should be applied on top of the patch series
> https://edk2.groups.io/g/devel/message/75368
>
> Link to github branch with the patches in this series -
> https://github.com/SayantaP-arm/edk2-platforms/tree/rd_platform_secure_boot
>
> Sayanta Pattanayak (3):
>   Platform/Sgi: refactor StandaloneMM platform description file
>   Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib
>   Platform/Sgi: enable support for UEFI secure boot

For this patch series:
Reviewed-by: Thomas Abraham <thomas.abraham@arm.com>

[...]


* Re: [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot
  2021-05-24 17:22 [edk2-platforms][PATCH V1 0/3] Platform/Sgi: enable support for UEFI secure boot sayanta.pattanayak
                   ` (3 preceding siblings ...)
  2021-06-01 18:09 ` [edk2-devel] [edk2-platforms][PATCH V1 0/3] " Thomas Abraham
@ 2021-06-02 18:18 ` Sami Mujawar
  4 siblings, 0 replies; 11+ messages in thread
From: Sami Mujawar @ 2021-06-02 18:18 UTC (permalink / raw)
  To: Sayanta Pattanayak, devel; +Cc: Ard Biesheuvel, nd

Pushed as d4fe6d9defc2..1d23831b5f07

Thanks.

Regards,

Sami Mujawar


On 24/05/2021 06:22 PM, Sayanta Pattanayak wrote:
> This patch series adds secure boot support for Arm's reference design
> platforms. The first patch refactors the existing StandaloneMM platform
> description file and splits it into three different files. This is required
> to accommodate the changed register base addresses in the RD-N2 platform and
> the other supported platforms. The second patch adds support for a NOR flash
> platform library to be used with the StandaloneMM execution context. The
> third patch then enables support for UEFI secure boot for all the
> supported reference design platforms.
>
> This patch series should be applied on top of the patch series
> https://edk2.groups.io/g/devel/message/75368
>
> Link to github branch with the patches in this series -
> https://github.com/SayantaP-arm/edk2-platforms/tree/rd_platform_secure_boot
>
> Sayanta Pattanayak (3):
>    Platform/Sgi: refactor StandaloneMM platform description file
>    Platform/Sgi: add StandaloneMM usable NorFlashPlatformLib
>    Platform/Sgi: enable support for UEFI secure boot
>
>   Platform/ARM/SgiPkg/SgiPlatform.dec           |   1 +
>   Platform/ARM/SgiPkg/SgiPlatform.dsc.inc       |  31 +++++
>   ...StandaloneMm.dsc => SgiPlatformMm.dsc.inc} |  62 +++++----
>   Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc  | 130 ++++--------------
>   Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc |  55 ++++++++
>   Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |   5 +
>   Platform/ARM/SgiPkg/SgiPlatform.fdf           |   9 +-
>   .../NorFlashLib/StandaloneMmNorFlashLib.inf   |  33 +++++
>   .../NorFlashLib/StandaloneMmNorFlashLib.c     |  82 +++++++++++
>   9 files changed, 274 insertions(+), 134 deletions(-)
>   copy Platform/ARM/SgiPkg/{PlatformStandaloneMm.dsc => SgiPlatformMm.dsc.inc} (73%)
>   create mode 100644 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
>   create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
>   create mode 100644 Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.c
>


