From: "Subash Lakkimsetti"
To: devel@edk2.groups.io
Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo , Patrick Rudolph
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
Date: Tue, 21 Mar 2023 22:58:45 -0700
Message-Id: X-Mailer: git-send-email 2.39.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable

From: Subash Lakkimsetti

Update the packages to support TPM and measured boot in uefi payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE

Cc: Guo Dong
Cc: Ray Ni
Cc: Sean Rhodes
Cc: James Lu
Cc: Gua Guo
Signed-off-by: Patrick Rudolph
Signed-off-by: Subash Lakkimsetti
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
 UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
 2 files changed, 109 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index f31e5aac16..86612338bf 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -46,6 +46,7 @@ DEFINE NVME_ENABLE =3D TRUE=0D =0D DEFINE SECURE_BOOT_ENABLE =3D FALSE=0D + DEFINE MEASURED_BOOT_ENABLE =3D FALSE=0D =0D #=0D # NULL: NullMemoryTestDxe=0D 
@@ -297,14 +298,27 @@ !else=0D AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf=0D !endif=0D -!if $(VARIABLE_SUPPORT) =3D=3D "EMU"=0D - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf=0D -!elseif $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf=0D + #=0D + # TPM=0D + #=0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf= =0D + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf=0D + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf=0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in= f=0D + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/D= xeTcg2PhysicalPresenceLib.inf=0D + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf=0D TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf=0D +!else=0D + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf=0D +!endif=0D +!if $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptL= ibNull.inf=0D +!endif=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE || $(MEASURED_BOOT_ENABLE) =3D=3D TR= UE || $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf=0D !endif=0D + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf=0D VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf=0D VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf=0D 
@@ -412,6 +426,10 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/Sm= mTcg2PhysicalPresenceLib.inf=0D +!endif=0D +=0D ##########################################################################= ######=0D #=0D # Pcd Section - list of all EDK II PCD Entries defined by this Platform.=0D @@ -600,6 +618,13 @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE=0D gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D +=0D + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_= 256)=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016=0D +!endif=0D +=0D ##########################################################################= ######=0D #=0D # Components Section - list of all EDK II Modules needed by this Platform.= =0D @@ -680,6 +705,10 @@ =0D !if $(SECURE_BOOT_ENABLE)=0D NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf=0D +!endif=0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf=0D + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf=0D !endif=0D }=0D !endif=0D 
@@ -842,6 +871,57 @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {=0D + =0D + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLib= DTpm.inf=0D + }=0D +=0D + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {=0D + =0D + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D + }=0D +=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {=0D + =0D + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNu= ll.inf=0D +=0D + }=0D +!endif=0D + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {=0D + =0D + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf= =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf=0D + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf=0D + }=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {=0D + =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg= 2.inf=0D + }=0D +!endif=0D + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {=0D + =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf=0D + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterDxe.inf=0D + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf= =0D + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256= .inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf=0D + }=0D + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf=0D + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {=0D + =0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + }=0D + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf 
{=0D + =0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + }=0D +!endif #MEASURED_BOOT_ENABLE=0D +=0D #=0D # Misc=0D #=0D diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index b52e6c75a5..ed9d42b022 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf=0D + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf=0D + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf=0D + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf=0D +!endif=0D +=0D INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf=0D INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf=0D !if $(MEMORY_TEST) =3D=3D "GENERIC"=0D @@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf UI STRING=3D"Enter Setup"=0D VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R)=0D }=0D +=0D +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]=0D + FILE DRIVER =3D $(NAMED_GUID) {=0D + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex= =0D + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi=0D + RAW ACPI Optional |.acpi=0D + RAW ASL Optional |.aml=0D + UI STRING=3D"$(MODULE_NAME)" Optional=0D + VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R)=0D + }=0D --=20 2.39.1.windows.1
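Review bot: behaviour change for VARIABLE_SUPPORT == "SPI" builds in the UefiPayloadPkg.dsc hunk at @@ -297,14 +298,27 @@: DxeTpmMeasurementLib used to be selected by the removed `!elseif $(VARIABLE_SUPPORT) == "SPI"` branch, but it now sits under `!if $(MEASURED_BOOT_ENABLE) == TRUE`, and the new define defaults to FALSE, so existing SPI builds silently fall back to TpmMeasurementLibNull unless they opt in. Please call that out in the commit message, and if SPI builds are expected to keep measuring variables, either keep the old mapping for that case or set the define there. PlatformSecureLib|PlatformSecureLibNull also moves from SPI-only to unconditional in the same hunk; fine if intended, but it deserves a sentence in the message as well.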
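Review bot: the two hash-mask literals in the UefiPayloadPkg.dsc hunk at @@ -600,6 +618,13 @@ are written with nine hex digits (`0x000000016`); they evaluate to 0x16 but read like a typo for `0x00000016`, so please normalise them. With the bit assignment given in the comment, 0x16 is BIT1 | BIT2 | BIT4, i.e. SHA256, SHA384 and SM3_256, with SHA1 and SHA512 left out; stating that explicitly in the comment (and fixing the stray period after "SHA1") would make the policy reviewable. Note that SHA1 is masked off here while the Tcg2Dxe component in the @@ -842,6 +871,57 @@ hunk still links HashInstanceLibSha1; if leaving SHA1 out of the active PCR banks is deliberate, that NULL library instance can be dropped.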
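Review bot: style inconsistency in the UefiPayloadPkg.dsc hunk at @@ -680,6 +705,10 @@: the existing line tests `!if $(SECURE_BOOT_ENABLE)` while the new one directly below it tests `!if $(MEASURED_BOOT_ENABLE) == TRUE`. Both forms work, but adjacent conditionals on same-typed defines should use one form; the rest of the patch uses the `== TRUE` spelling, so that is the one to keep.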
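Review bot: duplicate component in the UefiPayloadPkg.dsc hunk at @@ -842,6 +871,57 @@: `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { ... TpmPlatformHierarchyLib|... }` is listed twice in a row with identical overrides; the FDF hunk lists it once, so the second DSC entry should be removed. A second question for the same hunk: the unchanged context line `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, ...}` pins the TPM instance to a fixed value and nothing in this patch sets it at runtime, so please confirm that the TPM 1.2 modules added here (TcgDxe, TcgConfigDxe, TcgSmm, plus DxeTpmMeasureBootLib in the components hunk) can actually be selected on a payload build; if not, they add code and surface without a path that exercises it and could be dropped. Minor: the TcgSmm override block carries an extra blank line before its closing brace that the other blocks do not have.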
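Review bot: missing documentation for the new `[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]` in the UefiPayloadPkg.fdf hunk at @@ -419,3 +434,13 @@. It mirrors the ordinary DXE_DRIVER rule plus `RAW ACPI Optional |.acpi` and `RAW ASL Optional |.aml`, and its only user is the `RuleOverride = DRIVER_ACPITABLE` on Tcg2Acpi.inf in the earlier FDF hunk; a one-line comment above the rule saying it exists so Tcg2Acpi's ASL blob is packed into the FV would save the next reader from working that out from the diff.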