From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:49 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=iImLSOrH; spf=pass (domain: intel.com, ip: 192.55.52.151, mailfrom: subash.lakkimsetti@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1684367809; x=1715903809; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=73Hp6uTXpmkzemktCU54T2q9vL+arlOKrj40XVCL9+E=; b=iImLSOrHBe7gSzqCFkeSAXwz8Ca43CuAInBBRYBJGFBlp088QmMKUtKX IcQhVQIIlKeEArN9VX91Ru+IWzOBt2At2pxsZd0vO7oQeHlMqCujkMnai yvNep55OILt4XCpuds8dC428ppo6/O5GUr+qsCJ1vlcjY8Ya+2G8vOPK5 xiD5zvbdfLckh1WrKzgmV1iYBkmmwijHh4v8kEPZxou67xxE78271zpza Px4bNz2CfLIykgMrmG9gudP5Z8z8rJj7vJ52RqLfoJ44+qSnRty3MwdLW ALyRIAN5b6FzOUTncgBZ55PPxwjnOJsqbXYIgyEPhgIvA3mxeeBuzTQVo g==; X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276013" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276013" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208877" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208877" Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:35 -0700 
From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs Date: Wed, 17 May 2023 16:55:30 -0700 Message-Id: X-Mailer: git-send-email 2.39.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Subash Lakkimsetti This patch adds the HOB for secure and measured boot information. It is populated by the bootloader phase, and UefiPayloadPkg uses this info to sync the TPM info PCDs. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++- UefiPayloadPkg/UefiPayloadPkg.dec | 4 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 + 4 files changed, 92 insertions(+), 4 deletions(-) diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/Bl= SupportDxe/BlSupportDxe.c index 2e70c4533c..13ac5582e2 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c +++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c @@ -2,11 +2,14 @@ This driver will report some MMIO/IO resources to dxe core, extract smbi= os and acpi=0D tables from bootloader.=0D =0D - Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
=0D + Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D #include "BlSupportDxe.h"=0D +#include =0D +#include =0D +#include =0D =0D /**=0D Reserve MMIO/IO resource in GCD=0D 
@@ -86,6 +89,73 @@ ReserveResourceInGcd ( return Status;=0D }=0D =0D +/**=0D +Sync the Secure boot hob info and TPM PCD as per the information passed fr= om Bootloader.=0D +**/=0D +EFI_STATUS=0D +BlSupportSecurityPcdSync (=0D + VOID=0D + )=0D +{=0D + EFI_STATUS Status;=0D + EFI_HOB_GUID_TYPE *GuidHob;=0D + UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;=0D + UINTN Size;=0D +=0D + GuidHob =3D GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);=0D + if (GuidHob =3D=3D NULL) {=0D + DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n= "));=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D + SecurebootInfoHob =3D (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (G= uidHob);=0D +=0D + // Sync the Hash mask for TPM 2.0 as per active PCR banks.=0D + // Make sure that the current PCR allocations, the TPM supported PCRs,=0D + // and the PcdTpm2HashMask are all in agreement.=0D + Status =3D PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePc= rBanks);=0D + ASSERT_EFI_ERROR (Status);=0D + DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->T= pmPcrActivePcrBanks));=0D +=0D + // Set the Firmware debugger PCD=0D + Status =3D PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHo= b->FirmwareDebuggerInitialized);=0D + ASSERT_EFI_ERROR (Status);=0D + DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootI= nfoHob->FirmwareDebuggerInitialized));=0D +=0D + // Set the TPM Type instance GUID=0D + if (SecurebootInfoHob->MeasuredBootEnabled) {=0D + if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_20) {=0D + DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__));=0D + Size =3D sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);=0D + Status =3D PcdSetPtrS (=0D + PcdTpmInstanceGuid,=0D + &Size,=0D + &gEfiTpmDeviceInstanceTpm20DtpmGuid=0D + );=0D + } else if (SecurebootInfoHob->TpmType =3D=3D TPM_TYPE_12) {=0D + DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__));=0D + Size =3D sizeof (gEfiTpmDeviceInstanceTpm12Guid);=0D + Status 
=3D PcdSetPtrS (=0D + PcdTpmInstanceGuid,=0D + &Size,=0D + &gEfiTpmDeviceInstanceTpm12Guid=0D + );=0D + } else {=0D + DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__));=0D + Size =3D sizeof (gEfiTpmDeviceInstanceNoneGuid);=0D + Status =3D PcdSetPtrS (=0D + PcdTpmInstanceGuid,=0D + &Size,=0D + &gEfiTpmDeviceInstanceNoneGuid=0D + );=0D + }=0D +=0D + ASSERT_EFI_ERROR (Status);=0D + }=0D +=0D + return Status;=0D +}=0D +=0D /**=0D Main entry for the bootloader support DXE module.=0D =0D @@ -144,5 +214,10 @@ BlDxeEntryPoint ( ASSERT_EFI_ERROR (Status);=0D }=0D =0D + //=0D + // Sync Bootloader info for TPM=0D + //=0D + BlSupportSecurityPcdSync ();=0D +=0D return EFI_SUCCESS;=0D }=0D diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/= BlSupportDxe/BlSupportDxe.inf index 96d85d2b1d..162167e6bb 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf +++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf @@ -3,7 +3,7 @@ #=0D # Report some MMIO/IO resources to dxe core, extract smbios and acpi table= s=0D #=0D -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
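Review bot: In BlSupportSecurityPcdSync the HOB payload is cast to UNIVERSAL_SECURE_BOOT_INFO and dereferenced with no length check, so a bootloader that publishes a shorter (or older-layout) gUniversalPayloadSecureBootInfoGuid HOB is read past its end; after the NULL check add `if (GET_GUID_HOB_DATA_SIZE (GuidHob) < sizeof (UNIVERSAL_SECURE_BOOT_INFO)) { return EFI_UNSUPPORTED; }`, plus a revision check if the structure from patch 1/6 carries a UNIVERSAL_PAYLOAD_GENERIC_HEADER. The three PcdSet*S results are only ASSERTed and the call added in the BlDxeEntryPoint hunk below discards the return value, so on a RELEASE build a failed set (for instance if these PCDs are not dynamic in the dsc section the last file's hunk lands in) silently leaves PcdTpm2HashMask, PcdFirmwareDebuggerInitialized and PcdTpmInstanceGuid at their platform defaults; log each failure with DEBUG_ERROR before returning and have the caller at least DEBUG the status. When MeasuredBootEnabled is FALSE PcdTpmInstanceGuid is never written and keeps the dsc default, whose bytes look like the TPM 2.0 DTPM instance GUID, so "measured boot disabled" from the bootloader does not propagate; if that is intended, say so in a comment on the `if (SecurebootInfoHob->MeasuredBootEnabled)` branch. The function header should also follow the file's existing `/** ... **/` style with an indented description and `@retval` lines for EFI_UNSUPPORTED and the PcdSet status.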
= =0D +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
= =0D #=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D @@ -30,6 +30,7 @@ [Packages]=0D MdePkg/MdePkg.dec=0D MdeModulePkg/MdeModulePkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D UefiPayloadPkg/UefiPayloadPkg.dec=0D =0D [LibraryClasses]=0D @@ -44,6 +45,10 @@ [Guids]=0D gUefiAcpiBoardInfoGuid=0D gEfiGraphicsInfoHobGuid=0D + gUniversalPayloadSecureBootInfoGuid=0D + gEfiTpmDeviceInstanceTpm20DtpmGuid=0D + gEfiTpmDeviceInstanceTpm12Guid=0D + gEfiTpmDeviceInstanceNoneGuid=0D =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution=0D @@ -52,6 +57,10 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution=0D gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress=0D gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize=0D -=0D + ## SOMETIMES_CONSUMES=0D + ## SOMETIMES_PRODUCES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0D + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid=0D [Depex]=0D TRUE=0D diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayload= Pkg.dec index 8d111f3a90..63138500dd 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dec +++ b/UefiPayloadPkg/UefiPayloadPkg.dec @@ -3,7 +3,7 @@ #=0D # Provides drivers and definitions to create uefi payload for bootloaders.= =0D #=0D -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.
=0D +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -42,6 +42,8 @@ gSpiFlashInfoGuid =3D { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c,= 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }=0D gSmmRegisterInfoGuid =3D { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9,= 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }=0D gS3CommunicationGuid =3D { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf,= 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }=0D + gUniversalPayloadSecureBootInfoGuid =3D { 0xd970f847, 0x07dd, 0x4b2= 4, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }=0D +=0D =0D [Ppis]=0D gEfiPayLoadHobBasePpiGuid =3D { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6,= 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }=0D diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index 998d222909..0e7093cc7d 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -584,6 +584,8 @@ =0D gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)= =0D gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER= )=0D + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}=0D =0D ##########################################################################= ######=0D #=0D --=20 2.39.1.windows.1
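Review bot: The new gUniversalPayloadSecureBootInfoGuid entry is followed by an added blank line on top of the existing one, so [Guids] now ends with two blank lines before [Ppis]; drop the added `+` blank line. A `## Include/Guid/<header-from-patch-1>.h` comment above the entry, naming the header that defines the HOB structure, would let readers find the layout from the dec without searching the series.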
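Review bot: The PcdTpmInstanceGuid default is a bare 16-byte array with no comment, and the bytes appear to spell the TPM 2.0 DTPM instance GUID (286BF25A-C2C3-408C-B3B4-25E6758B7317); because BlSupportSecurityPcdSync only overwrites this PCD when the HOB reports MeasuredBootEnabled, this default is what a platform runs with when the bootloader says measured boot is off. Add a comment naming the GUID above the line, e.g. `# TPM 2.0 DTPM instance (gEfiTpmDeviceInstanceTpm20DtpmGuid)`, and state whether that fallback is intended. The section these two lines land in is outside the hunk; the PcdSetBoolS/PcdSetPtrS calls in BlSupportDxe.c need them under a [PcdsDynamic*] section, and PcdTpm2HashMask, which the driver also writes, is given no default here.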