From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot Date: Wed, 17 May 2023 16:55:33 -0700 Message-Id: X-Mailer: git-send-email 2.39.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Subash Lakkimsetti Update the packages to support TPM and measured boot in uefi payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++-- UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++-- 2 files changed, 139 insertions(+), 10 deletions(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index df078a1b28..0c4c0297ca 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -137,6 +137,7 @@ # Security=0D #=0D DEFINE SECURE_BOOT_ENABLE =3D FALSE=0D + DEFINE MEASURED_BOOT_ENABLE =3D FALSE=0D =0D [BuildOptions]=0D *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES= =0D 
@@ -309,14 +310,29 @@ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf=0D !endif=0D =0D -!if $(VARIABLE_SUPPORT) =3D=3D "EMU"=0D - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf=0D -!elseif $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf=0D - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf=0D +!if $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptL= ibNull.inf=0D - MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf=0D !endif=0D +=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE || $(MEASURED_BOOT_ENABLE) =3D=3D TR= UE || $(VARIABLE_SUPPORT) =3D=3D "SPI"=0D + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLib= Null.inf=0D +!endif=0D +=0D + #=0D + # TPM=0D + #=0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf= =0D + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf=0D + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf=0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in= f=0D + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf=0D + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf=0D + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/D= xeTcg2PhysicalPresenceLib.inf=0D +!else=0D + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf=0D +!endif=0D +=0D VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf=0D VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf=0D 
@@ -424,6 +440,11 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE && $(SMM_SUPPORT) =3D=3D TRUE=0D + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/Sm= mTcg2PhysicalPresenceLib.inf=0D +!endif=0D +=0D +=0D [LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Libr= aryClasses.common.UEFI_APPLICATION]=0D !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf=0D @@ -625,6 +646,14 @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE=0D gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D +=0D + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_= 256)=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016=0D +!endif=0D +=0D +=0D ##########################################################################= ######=0D #=0D # Components Section - list of all EDK II Modules needed by this Platform.= =0D @@ -677,6 +706,10 @@ =0D !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf=0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf=0D + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf=0D + !endif=0D !endif=0D }=0D !endif=0D 
@@ -685,6 +718,57 @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {=0D + =0D + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLib= DTpm.inf=0D + }=0D +=0D + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {=0D + =0D + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D + }=0D +=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {=0D + =0D + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNu= ll.inf=0D +=0D + }=0D +!endif=0D + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {=0D + =0D + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf= =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf=0D + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf=0D + }=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {=0D + =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg= 2.inf=0D + }=0D +!endif=0D + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {=0D + =0D + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf=0D + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterDxe.inf=0D + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf= =0D + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256= .inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf=0D + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf=0D + }=0D + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf=0D + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {=0D + =0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + }=0D + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf 
{=0D + =0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + }=0D +!endif #MEASURED_BOOT_ENABLE=0D +=0D UefiCpuPkg/CpuDxe/CpuDxe.inf=0D MdeModulePkg/Universal/BdsDxe/BdsDxe.inf=0D !if $(BOOTSPLASH_IMAGE)=0D diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index d1f76b1e56..6629ec8993 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -60,6 +60,7 @@ FILE FV_IMAGE =3D 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 { SECTION FV_IMAGE =3D DXEFV=0D }=0D =0D +=0D !if $(NETWORK_DRIVER_ENABLE) =3D=3D TRUE=0D ##########################################################################= ######=0D [FV.NETWORKFV]=0D @@ -201,10 +202,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf= =0D !endif=0D =0D -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf=0D -!endif=0D -=0D INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf=0D INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf=0D !if $(MEMORY_TEST) =3D=3D "GENERIC"=0D @@ -307,6 +304,7 @@ INF MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPl= atformDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphics= ResourceTableDxe.inf=0D !endif=0D =0D +=0D !if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE=0D INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf=0D #=0D 
@@ -328,6 +326,29 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamic= Command.inf INF ShellPkg/Application/Shell/Shell.inf=0D !endif=0D =0D +!if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE=0D +=0D +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf=0D +!endif=0D +=0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf=0D + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf=0D + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf=0D + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf=0D +!endif #MEASURED_BOOT_ENABLE=0D +=0D +!endif=0D +=0D [FV.SECFV]=0D FvNameGuid =3D 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C=0D BlockSize =3D $(FD_BLOCK_SIZE)=0D @@ -353,6 +374,20 @@ READ_LOCK_STATUS =3D TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf=0D !endif=0D =0D +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf=0D + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf=0D + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf=0D + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf=0D +!if $(SMM_SUPPORT) =3D=3D TRUE=0D + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf=0D +!endif=0D + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf=0D +!endif #MEASURED_BOOT_ENABLE=0D =0D ##########################################################################= ######=0D #=0D 
@@ -472,3 +507,13 @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfig= Dxe/SecureBootConfigDxe.in UI STRING=3D"Enter Setup"=0D VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R)=0D }=0D +=0D +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]=0D + FILE DRIVER =3D $(NAMED_GUID) {=0D + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex= =0D + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi=0D + RAW ACPI Optional |.acpi=0D + RAW ASL Optional |.aml=0D + UI STRING=3D"$(MODULE_NAME)" Optional=0D + VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R)=0D + }=0D --=20 2.39.1.windows.1
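Review bot: in the UefiPayloadPkg.dsc hunk @@ -309,14 +310,29 @@, the removed `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` mapping for the `VARIABLE_SUPPORT == "SPI"` case is not re-added anywhere in the hunk, so unless another section of the DSC already resolves PlatformSecureLib, SPI builds lose that library-class mapping. Keep the line inside the remaining `!if $(VARIABLE_SUPPORT) == "SPI"` block, or fold it into the new combined `SECURE_BOOT_ENABLE || MEASURED_BOOT_ENABLE || SPI` condition next to MmUnblockMemoryLib.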
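Review bot: in the UefiPayloadPkg.dsc hunk @@ -625,6 +646,14 @@, `PcdTpm2HashMask|0x000000016` and `PcdTcg2HashAlgorithmBitmap|0x000000016` are written with nine hex digits; the value is 0x16 (BIT1|BIT2|BIT4, i.e. SHA256, SHA384 and SM3_256 per the comment above them), so `0x00000016` is the conventional spelling and avoids a misread. This mask leaves SHA1 (BIT0) off while the Tcg2Dxe component later links `HashInstanceLibSha1`; that is consistent (the instance is present but inactive), but a short comment saying SHA1 is deliberately masked out would make the intent clear to the next reader.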
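Review bot: in the UefiPayloadPkg.dsc hunk @@ -677,6 +706,10 @@, the new `!if $(MEASURED_BOOT_ENABLE) == TRUE` block that links `DxeTpm2MeasureBootLib` and `DxeTpmMeasureBootLib` is nested inside the existing `!if $(SECURE_BOOT_ENABLE) == TRUE` block, so image measurement into the TPM is only compiled in when secure boot is also enabled; a build with MEASURED_BOOT_ENABLE=TRUE and SECURE_BOOT_ENABLE=FALSE gets the TCG drivers but no measurement of loaded images. Move the block to the same nesting level as the secure-boot condition (or document why measured boot requires secure boot here). The `+ !endif` also has a different indent from its `!if`.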
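Review bot: in the UefiPayloadPkg.dsc hunk @@ -685,6 +718,57 @@, the component entry `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { ... TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf }` appears twice in a row at the end of the block; drop the second copy. The `TcgSmm.inf` override block also carries a stray empty `+` line before its closing brace.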
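Review bot: in the UefiPayloadPkg.fdf hunk @@ -328,6 +326,29 @@, `INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf` is the only INF in the new block without the two-space indent the TCG entries use; align it. Relocating SecureBootConfigDxe under `!if $(UNIVERSAL_PAYLOAD) == FALSE` (it is removed unconditionally in the @@ -201,10 +202,6 @@ hunk) is a change for UNIVERSAL_PAYLOAD builds that the commit message does not mention; a sentence explaining that the universal-payload FV already carries the driver (as the @@ -353 context shows) would help reviewers.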
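Review bot: the UefiPayloadPkg.fdf hunk @@ -60,6 +60,7 @@ adds only a blank line, and @@ -307,6 +304,7 @@ does the same; these whitespace-only changes are unrelated to enabling measured boot and are best dropped (or split into a separate cleanup patch) so the diff stays focused.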