From: "Subash Lakkimsetti" <subash.lakkimsetti@intel.com>
To: devel@edk2.groups.io
Cc: Subash Lakkimsetti <subash.lakkimsetti@intel.com>,
Guo Dong <guo.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
Sean Rhodes <sean@starlabs.systems>,
James Lu <james.lu@intel.com>, Gua Guo <gua.guo@intel.com>
Subject: [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs
Date: Wed, 17 May 2023 16:55:30 -0700 [thread overview]
Message-ID: <c0b10ef897572436691d33b36b4dd1f53b3625af.1684367408.git.subash.lakkimsetti@intel.com> (raw)
In-Reply-To: <cover.1684367408.git.subash.lakkimsetti@intel.com>
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch adds the HOB for secure and measured boot
information. This is populated by the bootloader phase,
and UefiPayloadPkg uses this info to sync the TPM
info PCDs.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++-
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
UefiPayloadPkg/UefiPayloadPkg.dec | 4 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
4 files changed, 92 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index 2e70c4533c..13ac5582e2 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
@@ -2,11 +2,14 @@
This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi
tables from bootloader.
- Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "BlSupportDxe.h"
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Include/UniversalPayload/SecureBootInfoGuid.h>
/**
Reserve MMIO/IO resource in GCD
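Review bot: the include path `<Include/UniversalPayload/SecureBootInfoGuid.h>` looks wrong for edk2, where package `[Includes]` already point at the `Include` directory and sources write `#include <UniversalPayload/SecureBootInfoGuid.h>`; with the `Include/` prefix the build will only succeed if the package root itself happens to be on the include path. It is also worth checking whether `BlSupportDxe.h` already pulls in `DebugLib.h` and `PcdLib.h`, in which case the two new library includes are redundant.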
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
return Status;
}
+/**
+Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader.
+**/
+EFI_STATUS
+BlSupportSecurityPcdSync (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;
+ UINTN Size;
+
+ GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
+ if (GuidHob == NULL) {
+ DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n"));
+ return EFI_UNSUPPORTED;
+ }
+
+ SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob);
+
+ // Sync the Hash mask for TPM 2.0 as per active PCR banks.
+ // Make sure that the current PCR allocations, the TPM supported PCRs,
+ // and the PcdTpm2HashMask are all in agreement.
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks));
+
+ // Set the Firmware debugger PCD
+ Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized));
+
+ // Set the TPM Type instance GUID
+ if (SecurebootInfoHob->MeasuredBootEnabled) {
+ if (SecurebootInfoHob->TpmType == TPM_TYPE_20) {
+ DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm20DtpmGuid
+ );
+ } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) {
+ DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm12Guid
+ );
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceNoneGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceNoneGuid
+ );
+ }
+
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
Main entry for the bootloader support DXE module.
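Review bot: the missing-HOB path logs at `DEBUG_ERROR` and returns `EFI_UNSUPPORTED`, yet a bootloader that simply predates this HOB is a normal configuration rather than a fault; `DEBUG_WARN` or `DEBUG_INFO` fits that case better, and the function header should document the `@retval` values (`EFI_UNSUPPORTED` when the HOB is absent, otherwise the last PCD set status). Two smaller points in the same function: `TpmPcrActivePcrBanks` is copied into `PcdTpm2HashMask` before the `MeasuredBootEnabled` check and without masking it to the defined hash-algorithm bits, so a HOB reporting measured boot disabled still rewrites the mask; and the debug strings carry stray spaces (`"0x%x \n"`, `" FirmwareDebugger Initialized"`).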
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
ASSERT_EFI_ERROR (Status);
}
+ //
+ // Sync Bootloader info for TPM
+ //
+ BlSupportSecurityPcdSync ();
+
return EFI_SUCCESS;
}
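Review bot: the return value of `BlSupportSecurityPcdSync ()` is dropped while the neighbouring call in this function is checked with `ASSERT_EFI_ERROR (Status)`; since `EFI_UNSUPPORTED` is the expected result when the HOB is absent, either capture `Status` and assert on anything other than `EFI_UNSUPPORTED`, or extend the comment to say the result is intentionally ignored.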
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
#
# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -30,6 +30,7 @@
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
UefiPayloadPkg/UefiPayloadPkg.dec
[LibraryClasses]
@@ -44,6 +45,10 @@
[Guids]
gUefiAcpiBoardInfoGuid
gEfiGraphicsInfoHobGuid
+ gUniversalPayloadSecureBootInfoGuid
+ gEfiTpmDeviceInstanceTpm20DtpmGuid
+ gEfiTpmDeviceInstanceTpm12Guid
+ gEfiTpmDeviceInstanceNoneGuid
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
@@ -52,6 +57,10 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize
-
+ ## SOMETIMES_CONSUMES
+ ## SOMETIMES_PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
[Depex]
TRUE
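Review bot: the driver only writes these three PCDs through `PcdSet32S`/`PcdSetBoolS`/`PcdSetPtrS`, so `## SOMETIMES_CONSUMES` does not describe its usage; `## SOMETIMES_PRODUCES` alone is accurate. The usage comment also conventionally sits directly above each PCD entry rather than as a pair stacked above the group.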
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec
index 8d111f3a90..63138500dd 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
@@ -3,7 +3,7 @@
#
# Provides drivers and definitions to create uefi payload for bootloaders.
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -42,6 +42,8 @@
gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }
gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }
gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }
+ gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }
+
[Ppis]
gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }
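Review bot: `gUniversalPayloadSecureBootInfoGuid` is declared here in `UefiPayloadPkg.dec`, but the header is included as `UniversalPayload/SecureBootInfoGuid.h` and patch 1/6 of this series places the HOB definition in MdeModulePkg; if that header carries the `extern EFI_GUID` for this GUID, the package that ships the header should also declare it in its `.dec`, otherwise the bootloader-side producer of the HOB cannot resolve the symbol from `MdeModulePkg.dec` alone.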
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 998d222909..0e7093cc7d 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -584,6 +584,8 @@
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER)
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
################################################################################
#
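Review bot: the hunk does not show which PCD section these two lines land in, and `PcdSet32S`/`PcdSetBoolS`/`PcdSetPtrS` in `BlSupportDxe.c` only work for dynamic PCDs, so they belong under `[PcdsDynamicDefault]` (or `PcdsDynamicExDefault`), not a fixed-at-build section; `PcdTpm2HashMask`, which the driver also sets, is missing from the list. The raw byte array for `PcdTpmInstanceGuid` corresponds to `gEfiTpmDeviceInstanceTpm20DtpmGuid` and should carry a comment saying so, since a reader cannot tell the default TPM type from the bytes.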
--
2.39.1.windows.1
Thread overview: 7+ messages
2023-05-17 23:55 [PATCH v2 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-05-17 23:55 ` Subash Lakkimsetti [this message]
2023-05-17 23:55 ` [PATCH v2 3/6] UefiPayloadPkg: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti