From: "Subash Lakkimsetti" <subash.lakkimsetti@intel.com>
To: devel@edk2.groups.io
Cc: Subash Lakkimsetti <subash.lakkimsetti@intel.com>,
Guo Dong <guo.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
Sean Rhodes <sean@starlabs.systems>,
James Lu <james.lu@intel.com>, Gua Guo <gua.guo@intel.com>,
Patrick Rudolph <patrick.rudolph@9elements.com>
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
Date: Tue, 21 Mar 2023 22:58:45 -0700
Message-ID: <c0e08b94e628cbbc4012df98df83efc4b81cf3ce.1679464590.git.subash.lakkimsetti@intel.com>
In-Reply-To: <cover.1679464590.git.subash.lakkimsetti@intel.com>
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Update the packages to support TPM and measured
boot in UEFI payload.

Measured boot can be controlled using flag MEASURED_BOOT_ENABLE
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
2 files changed, 109 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
DEFINE NVME_ENABLE = TRUE
DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE MEASURED_BOOT_ENABLE = FALSE
#
# NULL: NullMemoryTestDxe
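Review bot: the new DEFINE MEASURED_BOOT_ENABLE has no comment saying what it switches on, while the rest of this patch uses it to pull in both the TPM 1.2 (TcgDxe/TcgSmm) and TPM 2.0 (Tcg2*) stacks; a one-line comment next to the DEFINE, or a sentence in the commit message, would tell platform builders that flipping it to TRUE brings in both. Also keep the comparison style uniform: the new conditions all use `$(MEASURED_BOOT_ENABLE) == TRUE`, so document that form rather than the bare `!if $(SECURE_BOOT_ENABLE)` that already exists in the components section.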
@@ -297,14 +298,27 @@
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
-!if $(VARIABLE_SUPPORT) == "EMU"
- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!elseif $(VARIABLE_SUPPORT) == "SPI"
- PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ #
+ # TPM
+ #
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+!if $(VARIABLE_SUPPORT) == "SPI"
S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf
+!endif
+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
!endif
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
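Review bot: this hunk silently changes the default for `VARIABLE_SUPPORT == "SPI"` builds: before, SPI selected DxeTpmMeasurementLib, whereas now TpmMeasurementLib resolves to TpmMeasurementLibNull unless MEASURED_BOOT_ENABLE is TRUE, and the DEFINE defaults to FALSE, so variable measurements become no-ops in the default SPI configuration. Either call that out in the commit message or make the SPI case keep DxeTpmMeasurementLib. Two smaller points: PlatformSecureLib is now mapped unconditionally rather than only for SPI, which should be confirmed as intended for the EMU variant; and the global mappings `Tpm12DeviceLib|...Tpm12DeviceLibTcg` and `Tpm2DeviceLib|...Tpm2DeviceLibTcg2` are the protocol-backed instances, which only work in modules dispatched after the Tcg/Tcg2 protocols exist, so a comment noting that the TCG drivers themselves override them with the DTpm/Router instances (as the components hunk does) would save the next reader a question.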
@@ -412,6 +426,10 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
+!endif
+
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform.
@@ -600,6 +618,13 @@
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+
+ # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016
+!endif
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform.
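Review bot: the literal `0x000000016` has nine hex digits; write it as `0x00000016` (or `0x16`) so the width does not suggest a dropped or extra digit. With the bit assignment in the comment, 0x16 = BIT1|BIT2|BIT4, i.e. SHA256, SHA384 and SM3_256 with SHA1 and SHA512 deliberately left out; since the Tcg2Dxe component in this same patch links HashInstanceLibSha1, a short comment stating that SHA1 is excluded from the active PCR banks on purpose would make the intent explicit. Also fix the comment punctuation (`BIT0 - SHA1,` not `BIT0 - SHA1.`) and drop the blank line directly after `!if`.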
@@ -680,6 +705,10 @@
<LibraryClasses>
!if $(SECURE_BOOT_ENABLE)
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
!endif
}
!endif
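Review bot: the measure-boot NULL libraries are now linked independently of SECURE_BOOT_ENABLE, which is the right split, but the two adjacent conditions use different forms (`!if $(SECURE_BOOT_ENABLE)` versus `!if $(MEASURED_BOOT_ENABLE) == TRUE`); since the first line is being touched by the `!endif` insertion anyway, consider normalising it to `== TRUE` so the block reads consistently.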
@@ -842,6 +871,57 @@
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+ <LibraryClasses>
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+ }
+
+ SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {
+ <LibraryClasses>
+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+ }
+
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {
+ <LibraryClasses>
+ TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf
+
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+ <LibraryClasses>
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ }
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+ SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+!endif #MEASURED_BOOT_ENABLE
+
#
# Misc
#
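Review bot: `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf` is listed twice with an identical `<LibraryClasses>` override; drop the second copy (the fdf hunk lists it once, so the duplicate is clearly unintended). Minor cleanups in the same block: the stray blank line inside the TcgSmm `{ }` before the closing brace, and the `Tpm2DeviceLib|...Tpm2DeviceLibTcg2` override under Tcg2Smm, which merely repeats the global mapping from the library-classes hunk. Finally, this block builds in the TPM 1.2 modules (TcgDxe, TcgConfigDxe, TcgSmm) alongside the TPM 2.0 ones, yet the PCD hunk pins PcdTpmInstanceGuid to a single instance GUID; please confirm those TPM 1.2 drivers can actually dispatch with that setting, or gate them behind their own define so the default build does not carry dead drivers.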
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif
+
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
UI STRING="Enter Setup"
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
+
+[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]
+ FILE DRIVER = $(NAMED_GUID) {
+ DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
+ PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
+ RAW ACPI Optional |.acpi
+ RAW ASL Optional |.aml
+ UI STRING="$(MODULE_NAME)" Optional
+ VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
+ }
--
2.39.1.windows.1
Thread overview: 11+ messages
2023-03-22 5:58 [PATCH v1 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-03-22 13:43 ` [edk2-devel] " Yao, Jiewen
2023-03-23 4:37 ` Subash Lakkimsetti
2023-03-25 2:36 ` Yao, Jiewen
2023-03-22 5:58 ` [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-03-22 5:58 ` Subash Lakkimsetti [this message]
2023-03-22 22:55 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Guo, Gua
2023-03-22 5:58 ` [PATCH v1 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti