From: "Subash Lakkimsetti" <subash.lakkimsetti@intel.com>
To: devel@edk2.groups.io
Cc: Subash Lakkimsetti <subash.lakkimsetti@intel.com>,
Guo Dong <guo.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
Sean Rhodes <sean@starlabs.systems>,
James Lu <james.lu@intel.com>, Gua Guo <gua.guo@intel.com>
Subject: [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot
Date: Wed, 17 May 2023 16:55:33 -0700 [thread overview]
Message-ID: <c48390f8a5dc92ab6d057844c5e348b92b69f5b3.1684367408.git.subash.lakkimsetti@intel.com> (raw)
In-Reply-To: <cover.1684367408.git.subash.lakkimsetti@intel.com>
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Update the packages to support TPM and measured
boot in uefi payload.
Measured boot can be controlled using flag MEASURED_BOOT_ENABLE.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++--
UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++--
2 files changed, 139 insertions(+), 10 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index df078a1b28..0c4c0297ca 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -137,6 +137,7 @@
# Security
#
DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE MEASURED_BOOT_ENABLE = FALSE
[BuildOptions]
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
@@ -309,14 +310,29 @@
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
-!if $(VARIABLE_SUPPORT) == "EMU"
- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!elseif $(VARIABLE_SUPPORT) == "SPI"
- PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!if $(VARIABLE_SUPPORT) == "SPI"
S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf
- MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
!endif
+
+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"
+ MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
+
+ #
+ # TPM
+ #
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+!else
+ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
@@ -424,6 +440,11 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE && $(SMM_SUPPORT) == TRUE
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
+!endif
+
+
[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
!if $(SECURE_BOOT_ENABLE) == TRUE
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -625,6 +646,14 @@
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+
+ # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016
+!endif
+
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform.
@@ -677,6 +706,10 @@
<LibraryClasses>
!if $(SECURE_BOOT_ENABLE) == TRUE
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+ !endif
!endif
}
!endif
@@ -685,6 +718,57 @@
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+ <LibraryClasses>
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+ }
+
+ SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {
+ <LibraryClasses>
+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+ }
+
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {
+ <LibraryClasses>
+ TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf
+
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+ <LibraryClasses>
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ }
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+ SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+!endif #MEASURED_BOOT_ENABLE
+
UefiCpuPkg/CpuDxe/CpuDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
!if $(BOOTSPLASH_IMAGE)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index d1f76b1e56..6629ec8993 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -60,6 +60,7 @@ FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 {
SECTION FV_IMAGE = DXEFV
}
+
!if $(NETWORK_DRIVER_ENABLE) == TRUE
################################################################################
[FV.NETWORKFV]
@@ -201,10 +202,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
-!if $(SECURE_BOOT_ENABLE) == TRUE
- INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-!endif
-
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
@@ -307,6 +304,7 @@ INF MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPlatformDxe.inf
INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
!endif
+
!if $(UNIVERSAL_PAYLOAD) == FALSE
INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
#
@@ -328,6 +326,29 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
INF ShellPkg/Application/Shell/Shell.inf
!endif
+!if $(UNIVERSAL_PAYLOAD) == FALSE
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif #MEASURED_BOOT_ENABLE
+
+!endif
+
[FV.SECFV]
FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
BlockSize = $(FD_BLOCK_SIZE)
@@ -353,6 +374,20 @@ READ_LOCK_STATUS = TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif #MEASURED_BOOT_ENABLE
################################################################################
#
@@ -472,3 +507,13 @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.in
UI STRING="Enter Setup"
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
+
+[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]
+ FILE DRIVER = $(NAMED_GUID) {
+ DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
+ PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
+ RAW ACPI Optional |.acpi
+ RAW ASL Optional |.aml
+ UI STRING="$(MODULE_NAME)" Optional
+ VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
+ }
--
2.39.1.windows.1
next prev parent reply other threads:[~2023-05-17 23:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-17 23:55 [PATCH v2 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 3/6] UefiPayloadPkg: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-05-17 23:55 ` [PATCH v2 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-05-17 23:55 ` Subash Lakkimsetti [this message]
2023-05-17 23:55 ` [PATCH v2 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c48390f8a5dc92ab6d057844c5e348b92b69f5b3.1684367408.git.subash.lakkimsetti@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox