public inbox for devel@edk2.groups.io
* [PATCH v2 0/6] Universal payload secure boot and measured boot
@ 2023-05-17 23:55 Subash Lakkimsetti
  2023-05-17 23:55 ` [PATCH v2 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Support added in universal payload to enable secure boot and measured boot

HOB structure header for universal payload for secure boot and measured boot information from bootloaders,
as per the universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html

TCG2ACPI: uninstall the TPM2 ACPI tables if updated from bootloaders and create new ACPI tables.

Secure boot configuration and flags are added to UefiPayloadPkg

Measured boot and TPM configurations are added for UefiPayloadPkg

edk2 pull request: https://github.com/tianocore/edk2/pull/3872

Subash Lakkimsetti (6):
  MdeModulePkg: universal payload HOB for secure boot info
  UefiPayloadPkg: Add secureboot information HOBs
  UefiPayloadPkg: Uninstall the TPM2 ACPI if present
  UefiPayloadPkg: Add secure boot configurations
  Uefipayloadpkg Enable TPM measured boot
  UefiPayloadPkg: Add secure boot definitions to ci build

 .../UniversalPayload/SecureBootInfoGuid.h     |  37 +++
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c    |  77 ++++-
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf  |  13 +-
 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c  | 282 ++++++++++++++++++
 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h  |  28 ++
 .../TcgSupportDxe/TcgSupportDxe.inf           |  54 ++++
 UefiPayloadPkg/UefiPayloadPkg.ci.yaml         |   2 +
 UefiPayloadPkg/UefiPayloadPkg.dec             |   4 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc             | 148 ++++++++-
 UefiPayloadPkg/UefiPayloadPkg.fdf             |  74 +++++
 UefiPayloadPkg/UniversalPayloadBuild.py       |   1 +
 11 files changed, 709 insertions(+), 11 deletions(-)
 create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf

-- 
2.39.1.windows.1



* [PATCH v2 1/6] MdeModulePkg: universal payload HOB for secure boot info
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Zhiguang Liu, Ray Ni, Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Add the HOB structure header for universal payload
for secure boot and measured boot information from
bootloaders. Universal payload spec defined at
https://universalscalablefirmware.github.io/documentation/2_universal_payload.html

Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 .../UniversalPayload/SecureBootInfoGuid.h     | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h

diff --git a/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
new file mode 100644
index 0000000000..5f0f75eb3a
--- /dev/null
+++ b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
@@ -0,0 +1,37 @@
+/** @file
+  This file defines the hob structure for the Secure boot information.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef SECUREBOOT_INFO_GUID_H_
+#define SECUREBOOT_INFO_GUID_H_
+
+#include <UniversalPayload/UniversalPayload.h>
+
+/**
+  Secure Boot info Hob GUID
+**/
+extern EFI_GUID  gUniversalPayloadSecureBootInfoGuid;
+
+#define PAYLOAD_SECUREBOOT_INFO_HOB_REVISION  0x1
+
+#define NO_TPM       0x0
+#define TPM_TYPE_12  0x1
+#define TPM_TYPE_20  0x2
+
+#pragma pack(1)
+typedef struct {
+  UNIVERSAL_PAYLOAD_GENERIC_HEADER    Header;
+  UINT8                               VerifiedBootEnabled;
+  UINT8                               MeasuredBootEnabled;
+  UINT8                               FirmwareDebuggerInitialized;
+  UINT8                               TpmType;
+  UINT8                               Reserved[3];
+  UINT32                              TpmPcrActivePcrBanks;
+} UNIVERSAL_SECURE_BOOT_INFO;
+#pragma pack()
+
+#endif // SECUREBOOT_INFO_GUID_H_
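Review bot: TpmPcrActivePcrBanks is not naturally aligned in this layout: the four UINT8 fields plus Reserved[3] add 7 bytes after Header, so the UINT32 starts at an odd offset and the structure only holds together because of `#pragma pack(1)`. Either size Reserved to 4 or place TpmPcrActivePcrBanks before the byte-sized fields so that non-packed consumers (and the spec's table) agree on offsets. Also, `extern EFI_GUID  gUniversalPayloadSecureBootInfoGuid;` is declared in an MdeModulePkg header but this patch adds no definition to MdeModulePkg.dec, so any module that consumes this header depends on whichever other package defines the GUID.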
-- 
2.39.1.windows.1



* [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu,
	Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

This patch adds the HOB for secure and measured boot
information. This is populated by the bootloader phase
and UefiPayloadPkg uses this info to sync the TPM
info PCDs.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c   | 77 +++++++++++++++++++-
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
 UefiPayloadPkg/UefiPayloadPkg.dec            |  4 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc            |  2 +
 4 files changed, 92 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index 2e70c4533c..13ac5582e2 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
@@ -2,11 +2,14 @@
   This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi
   tables from bootloader.
 
-  Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 #include "BlSupportDxe.h"
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Include/UniversalPayload/SecureBootInfoGuid.h>
 
 /**
   Reserve MMIO/IO resource in GCD
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
   return Status;
 }
 
+/**
+Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader.
+**/
+EFI_STATUS
+BlSupportSecurityPcdSync (
+  VOID
+  )
+{
+  EFI_STATUS                  Status;
+  EFI_HOB_GUID_TYPE           *GuidHob;
+  UNIVERSAL_SECURE_BOOT_INFO  *SecurebootInfoHob;
+  UINTN                       Size;
+
+  GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
+  if (GuidHob == NULL) {
+    DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n"));
+    return EFI_UNSUPPORTED;
+  }
+
+  SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob);
+
+  // Sync the Hash mask for TPM 2.0 as per active PCR banks.
+  // Make sure that the current PCR allocations, the TPM supported PCRs,
+  // and the PcdTpm2HashMask are all in agreement.
+  Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks);
+  ASSERT_EFI_ERROR (Status);
+  DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks));
+
+  // Set the Firmware debugger PCD
+  Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized);
+  ASSERT_EFI_ERROR (Status);
+  DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized));
+
+  // Set the TPM Type instance GUID
+  if (SecurebootInfoHob->MeasuredBootEnabled) {
+    if (SecurebootInfoHob->TpmType == TPM_TYPE_20) {
+      DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__));
+      Size   = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+      Status = PcdSetPtrS (
+                 PcdTpmInstanceGuid,
+                 &Size,
+                 &gEfiTpmDeviceInstanceTpm20DtpmGuid
+                 );
+    } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) {
+      DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__));
+      Size   = sizeof (gEfiTpmDeviceInstanceTpm12Guid);
+      Status = PcdSetPtrS (
+                 PcdTpmInstanceGuid,
+                 &Size,
+                 &gEfiTpmDeviceInstanceTpm12Guid
+                 );
+    } else {
+      DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__));
+      Size   = sizeof (gEfiTpmDeviceInstanceNoneGuid);
+      Status = PcdSetPtrS (
+                 PcdTpmInstanceGuid,
+                 &Size,
+                 &gEfiTpmDeviceInstanceNoneGuid
+                 );
+    }
+
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
+
 /**
   Main entry for the bootloader support DXE module.
 
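Review bot: the HOB is consumed without validation. It is produced by the bootloader, not by this payload, so BlSupportSecurityPcdSync should check `SecurebootInfoHob->Header.Revision` against PAYLOAD_SECUREBOOT_INFO_HOB_REVISION and `Header.Length` against `sizeof (UNIVERSAL_SECURE_BOOT_INFO)` before reading TpmPcrActivePcrBanks at the end of the structure. Two behavioural points follow from the structure of the function: PcdTpm2HashMask and PcdFirmwareDebuggerInitialized are written even when MeasuredBootEnabled is 0, and in that case PcdTpmInstanceGuid is left at the .dsc default instead of being set to gEfiTpmDeviceInstanceNoneGuid, so the TPM type seen by the payload's TCG stack does not follow the bootloader's decision to disable measured boot. Minor: `Status` carries whichever PcdSet call ran last, and the DEBUG string at `"TpmPcrActivePcrBanks 0x%x \n"` has a stray space before the newline.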
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
     ASSERT_EFI_ERROR (Status);
   }
 
+  //
+  // Sync Bootloader info for TPM
+  //
+  BlSupportSecurityPcdSync ();
+
   return EFI_SUCCESS;
 }
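Review bot: the return value of `BlSupportSecurityPcdSync ();` is discarded, while the function logs a missing HOB at DEBUG_ERROR and returns EFI_UNSUPPORTED. A bootloader that does not publish gUniversalPayloadSecureBootInfoGuid is a legitimate configuration for this driver, so either downgrade that message to DEBUG_INFO or check the status here and state explicitly that the .dsc PCD defaults are what such a boot runs with.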
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
 #
 # Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
 #
-#  Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -30,6 +30,7 @@
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
   UefiPayloadPkg/UefiPayloadPkg.dec
 
 [LibraryClasses]
@@ -44,6 +45,10 @@
 [Guids]
   gUefiAcpiBoardInfoGuid
   gEfiGraphicsInfoHobGuid
+  gUniversalPayloadSecureBootInfoGuid
+  gEfiTpmDeviceInstanceTpm20DtpmGuid
+  gEfiTpmDeviceInstanceTpm12Guid
+  gEfiTpmDeviceInstanceNoneGuid
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
@@ -52,6 +57,10 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize
-
+  ## SOMETIMES_CONSUMES
+  ## SOMETIMES_PRODUCES
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+  gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
 [Depex]
   TRUE
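Review bot: the removed blank line (the `-` before `+  ## SOMETIMES_CONSUMES`) leaves `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid` directly followed by `[Depex]`; keep a blank line between the sections. The `## SOMETIMES_CONSUMES` / `## SOMETIMES_PRODUCES` usage comments sit above the first of three PCDs, but edk2 usage comments apply only to the entry they immediately precede; the code only sets these PCDs, so `## PRODUCES` on each entry would be accurate.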
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec
index 8d111f3a90..63138500dd 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
@@ -3,7 +3,7 @@
 #
 # Provides drivers and definitions to create uefi payload for bootloaders.
 #
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -42,6 +42,8 @@
   gSpiFlashInfoGuid        = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }
   gSmmRegisterInfoGuid     = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }
   gS3CommunicationGuid     = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }
+  gUniversalPayloadSecureBootInfoGuid      = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }
+
 
 [Ppis]
   gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }
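Review bot: gUniversalPayloadSecureBootInfoGuid is defined here in UefiPayloadPkg.dec, but the header that declares it (MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h in patch 1/6) lives in MdeModulePkg, so an MdeModulePkg consumer of that header would have to take a dependency on UefiPayloadPkg; define the GUID in MdeModulePkg.dec, the package that owns the header. Cosmetic: the `=` is not aligned with the neighbouring entries and the hunk adds a second blank line before `[Ppis]`.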
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 998d222909..0e7093cc7d 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -584,6 +584,8 @@
 
   gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)
   gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER)
+  gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
 
 ################################################################################
 #
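Review bot: both PCDs are written at run time with PcdSetBoolS/PcdSetPtrS in BlSupportDxe.c, so the section these lines land in at .dsc line 584 must be a dynamic PCD section; the hunk context does not show the section header, please confirm. PcdTpmInstanceGuid is given as an anonymous 16-byte array (the little-endian form of the TPM 2.0 DTPM instance GUID); a comment naming it would help, and since BlSupportSecurityPcdSync only overrides this value when MeasuredBootEnabled is set, this default is what the payload boots with when the bootloader disables measured boot.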
-- 
2.39.1.windows.1



* [PATCH v2 3/6] UefiPayloadPkg: Uninstall the TPM2 ACPI if present
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu,
	Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Bootloaders support multiple payloads, and TPM2 ACPI tables are updated
in the bootloader phase. When the UEFI payload is used, these will be duplicates.
The tables are to be uninstalled before updating the TCG2ACPI tables
to avoid duplicates.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c  | 282 ++++++++++++++++++
 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h  |  28 ++
 .../TcgSupportDxe/TcgSupportDxe.inf           |  54 ++++
 3 files changed, 364 insertions(+)
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h
 create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf

diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c
new file mode 100644
index 0000000000..23b61f0958
--- /dev/null
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c
@@ -0,0 +1,282 @@
+/** @file
+  This module will provide bootloader support TCG configurations.
+
+  Copyright (c) 22023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include "TcgSupportDxe.h"
+
+/**
+  Uninstall TPM2 SSDT ACPI table
+
+  This performs uninstallation of TPM2 SSDT tables published by
+  bootloaders.
+
+  @retval   EFI_SUCCESS     The TPM2 ACPI table is uninstalled successfully if found.
+  @retval   Others          Operation error.
+
+**/
+EFI_STATUS
+UnInstallTpm2SSDTAcpiTables (
+  )
+{
+  UINTN                    TableIndex;
+  UINTN                    TableKey;
+  EFI_ACPI_TABLE_VERSION   TableVersion;
+  VOID                     *TableHeader;
+  EFI_STATUS               Status;
+  EFI_ACPI_SDT_PROTOCOL    *mAcpiSdtProtocol;
+  EFI_ACPI_TABLE_PROTOCOL  *mAcpiTableProtocol;
+  CHAR8                    TableIdString[8];
+  UINT64                   TableIdSignature;
+
+  //
+  // Determine whether there is a TPM2 SSDT already in the ACPI table.
+  //
+  Status             = EFI_SUCCESS;
+  TableIndex         = 0;
+  TableKey           = 0;
+  TableHeader        = NULL;
+  mAcpiTableProtocol = NULL;
+  mAcpiSdtProtocol   = NULL;
+
+  //
+  // Locate the EFI_ACPI_TABLE_PROTOCOL.
+  //
+  Status = gBS->LocateProtocol (
+                  &gEfiAcpiTableProtocolGuid,
+                  NULL,
+                  (VOID **)&mAcpiTableProtocol
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((
+      DEBUG_INFO,
+      "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table Protocol \n "
+      ));
+    return Status;
+  }
+
+  //
+  // Locate the EFI_ACPI_SDT_PROTOCOL.
+  //
+  Status = gBS->LocateProtocol (
+                  &gEfiAcpiSdtProtocolGuid,
+                  NULL,
+                  (VOID **)&mAcpiSdtProtocol
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((
+      DEBUG_INFO,
+      "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protocol, "
+      "\n"
+      ));
+    return Status;
+  }
+
+  while (!EFI_ERROR (Status)) {
+    Status = mAcpiSdtProtocol->GetAcpiTable (
+                                 TableIndex,
+                                 (EFI_ACPI_SDT_HEADER **)&TableHeader,
+                                 &TableVersion,
+                                 &TableKey
+                                 );
+
+    if (!EFI_ERROR (Status)) {
+      TableIndex++;
+
+      if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == SIGNATURE_32 ('S', 'S', 'D', 'T')) {
+        CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER *)TableHeader)->OemTableId, sizeof (TableIdString));
+
+        TableIdSignature = SIGNATURE_64 (
+                             TableIdString[0],
+                             TableIdString[1],
+                             TableIdString[2],
+                             TableIdString[3],
+                             TableIdString[4],
+                             TableIdString[5],
+                             TableIdString[6],
+                             TableIdString[7]
+                             );
+
+        if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l')) {
+          DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical Presence\n"));
+          break;
+        }
+      }
+    }
+  }
+
+  if (!EFI_ERROR (Status)) {
+    //
+    // A TPM2 SSDT is already in the ACPI table.
+    //
+    DEBUG ((
+      DEBUG_INFO,
+      "A TPM2 SSDT is already exist in the ACPI Table.\n"
+      ));
+
+    //
+    // Uninstall the origin TPM2 SSDT from the ACPI table.
+    //
+    Status = mAcpiTableProtocol->UninstallAcpiTable (
+                                   mAcpiTableProtocol,
+                                   TableKey
+                                   );
+    ASSERT_EFI_ERROR (Status);
+
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n "));
+
+      return Status;
+    }
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Uninstall TPM2 table
+
+  This performs uninstallation of TPM2 tables published by
+  bootloaders.
+
+  @retval   EFI_SUCCESS     The TPM2 table is uninstalled successfully if its found.
+  @retval   Others          Operation error.
+
+**/
+EFI_STATUS
+UnInstallTpm2Tables (
+  )
+{
+  UINTN                    TableIndex;
+  UINTN                    TableKey;
+  EFI_ACPI_TABLE_VERSION   TableVersion;
+  VOID                     *TableHeader;
+  EFI_STATUS               Status;
+  EFI_ACPI_SDT_PROTOCOL    *mAcpiSdtProtocol;
+  EFI_ACPI_TABLE_PROTOCOL  *mAcpiTableProtocol;
+
+  //
+  // Determine whether there is a TPM2 SSDT already in the ACPI table.
+  //
+  Status             = EFI_SUCCESS;
+  TableIndex         = 0;
+  TableKey           = 0;
+  TableHeader        = NULL;
+  mAcpiTableProtocol = NULL;
+  mAcpiSdtProtocol   = NULL;
+
+  //
+  // Locate the EFI_ACPI_TABLE_PROTOCOL.
+  //
+  Status = gBS->LocateProtocol (
+                  &gEfiAcpiTableProtocolGuid,
+                  NULL,
+                  (VOID **)&mAcpiTableProtocol
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((
+      DEBUG_INFO,
+      "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n "
+      ));
+    return Status;
+  }
+
+  //
+  // Locate the EFI_ACPI_SDT_PROTOCOL.
+  //
+  Status = gBS->LocateProtocol (
+                  &gEfiAcpiSdtProtocolGuid,
+                  NULL,
+                  (VOID **)&mAcpiSdtProtocol
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((
+      DEBUG_INFO,
+      "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, "
+      "\n"
+      ));
+    return Status;
+  }
+
+  while (!EFI_ERROR (Status)) {
+    Status = mAcpiSdtProtocol->GetAcpiTable (
+                                 TableIndex,
+                                 (EFI_ACPI_SDT_HEADER **)&TableHeader,
+                                 &TableVersion,
+                                 &TableKey
+                                 );
+
+    if (!EFI_ERROR (Status)) {
+      TableIndex++;
+
+      if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) {
+        DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n"));
+        break;
+      }
+    }
+  }
+
+  if (!EFI_ERROR (Status)) {
+    //
+    // A TPM2 SSDT is already in the ACPI table.
+    //
+    DEBUG ((
+      DEBUG_INFO,
+      "A TPM2 table  is already exist in the ACPI Table.\n"
+      ));
+
+    //
+    // Uninstall the origin TPM2 SSDT from the ACPI table.
+    //
+    Status = mAcpiTableProtocol->UninstallAcpiTable (
+                                   mAcpiTableProtocol,
+                                   TableKey
+                                   );
+    ASSERT_EFI_ERROR (Status);
+
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n "));
+
+      return Status;
+    }
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  The driver's entry point.
+
+  It patches and installs ACPI tables used for handling TPM physical presence
+  and Memory Clear requests through ACPI method.
+
+  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
+  @param[in] SystemTable  A pointer to the EFI System Table.
+
+  @retval EFI_SUCCESS     The entry point is executed successfully.
+  @retval Others          Some error occurs when executing this entry point.
+
+**/
+EFI_STATUS
+EFIAPI
+TcgSupportEntryPoint (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  //
+  // Bootloader might pulish the TPM2 ACPT tables
+  // Uninstall TPM tables if it exists
+  //
+  Status = UnInstallTpm2SSDTAcpiTables ();
+  ASSERT_EFI_ERROR (Status);
+
+  Status = UnInstallTpm2Tables ();
+  ASSERT_EFI_ERROR (Status);
+
+  return EFI_SUCCESS;
+}
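Review bot: UnInstallTpm2Tables removes the first table carrying the TPM2 signature regardless of who installed it, and the Depex (gEfiAcpiTableProtocolGuid only) does not order this driver before the payload's own TCG driver; if that driver installs its TPM2 table first, this module deletes the payload's table rather than the bootloader's copy. Add an explicit ordering dependency, or identify the bootloader-published tables (OemId/OemTableId) before uninstalling. Second, both functions return the LocateProtocol error for gEfiAcpiSdtProtocolGuid and TcgSupportEntryPoint ASSERTs on it, yet that protocol is not in the Depex, so its absence turns into an assert on a path that should simply mean "nothing to uninstall". Style: the empty parameter lists at `UnInstallTpm2SSDTAcpiTables (` and `UnInstallTpm2Tables (` should be `VOID`; the locals `mAcpiSdtProtocol` / `mAcpiTableProtocol` use the prefix edk2 reserves for module globals; the copyright year reads `22023`; the comment "Bootloader might pulish the TPM2 ACPT tables" has two typos; and the entry-point description ("It patches and installs ACPI tables used for handling TPM physical presence and Memory Clear") belongs to a different driver, since this one uninstalls tables. The two functions also duplicate the locate-and-walk loop and could share one helper parameterised by the signature to match.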
diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h
new file mode 100644
index 0000000000..bd1e051893
--- /dev/null
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h
@@ -0,0 +1,28 @@
+/** @file
+  The header file of bootloader support TCG configurations.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef DXE_BOOTLOADER_SUPPORT_H_
+#define DXE_BOOTLOADER_SUPPORT_H_
+
+#include <PiDxe.h>
+
+#include <IndustryStandard/Tpm2Acpi.h>
+#include <Protocol/AcpiTable.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DxeServicesLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/PrintLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MmUnblockMemoryLib.h>
+#include <IndustryStandard/Acpi.h>
+#include <Protocol/AcpiSystemDescriptionTable.h>
+
+#endif
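Review bot: the include guard `DXE_BOOTLOADER_SUPPORT_H_` does not match this file (TcgSupportDxe.h) and looks copied from BlSupportDxe; use TCG_SUPPORT_DXE_H_. Several headers are included that TcgSupportDxe.c never uses and whose library classes are not listed in the INF (DxeServicesLib, PcdLib, PrintLib, MmUnblockMemoryLib); drop them so the header reflects the module's real dependencies.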
diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf
new file mode 100644
index 0000000000..a2e406109e
--- /dev/null
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf
@@ -0,0 +1,54 @@
+## @file
+# Bootloader Support DXE Module
+#
+# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
+#
+#  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = TcgSupportDxe
+  FILE_GUID                      = E0E7E6A4-DD57-11ED-B5EA-0242AC120002
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = TcgSupportEntryPoint
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64 EBC
+#
+
+[Sources]
+  TcgSupportDxe.c
+  TcgSupportDxe.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  UefiPayloadPkg/UefiPayloadPkg.dec
+
+[LibraryClasses]
+  UefiDriverEntryPoint
+  UefiBootServicesTableLib
+  DebugLib
+  BaseMemoryLib
+  UefiLib
+  IoLib
+  HobLib
+
+[Protocols]
+  gEfiAcpiTableProtocolGuid                                     ## CONSUMES
+  gEfiMmCommunicationProtocolGuid                               ## CONSUMES
+  gEfiAcpiSdtProtocolGuid                                       ## CONSUMES
+
+[Guids]
+  gEfiAcpiTableGuid
+
+[Depex]
+  gEfiAcpiTableProtocolGuid
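Review bot: the file header at `# Bootloader Support DXE Module` / `# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables` describes BlSupportDxe, not this module; state what TcgSupportDxe does (uninstall bootloader-published TPM2 ACPI tables). The `[Depex]` lists only gEfiAcpiTableProtocolGuid although TcgSupportDxe.c fails when gEfiAcpiSdtProtocolGuid cannot be located, so add it here or make the code tolerate its absence. gEfiMmCommunicationProtocolGuid, gEfiAcpiTableGuid, IoLib and HobLib are declared but unused by the source.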
-- 
2.39.1.windows.1



* [PATCH v2 4/6] UefiPayloadPkg: Add secure boot configurations
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu,
	Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Add the required modules for secure boot in
UefiPayloadPkg. SECURE_BOOT_ENABLE flag added to control
the secure boot feature. Security modules are added
as a separate FV.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc       | 50 ++++++++++++++++++++++++-
 UefiPayloadPkg/UefiPayloadPkg.fdf       | 29 ++++++++++++++
 UefiPayloadPkg/UniversalPayloadBuild.py |  1 +
 3 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 0e7093cc7d..df078a1b28 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -133,6 +133,11 @@
 
   DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE
 
+  #
+  # Security
+  #
+  DEFINE SECURE_BOOT_ENABLE       = FALSE
+
 [BuildOptions]
   *_*_*_CC_FLAGS                 = -D DISABLE_NEW_DEPRECATED_INTERFACES
 !if $(USE_CBMEM_FOR_CONSOLE) == FALSE
@@ -290,7 +295,20 @@
   DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
+  SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!else
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
 !if $(VARIABLE_SUPPORT) == "EMU"
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
 !elseif $(VARIABLE_SUPPORT) == "SPI"
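Review bot: `RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf` backs OpensslLib's entropy with a timer; that library is not a cryptographically secure source and is meant for bring-up, so a production secure boot build should select a hardware-backed RngLib (MdePkg/Library/BaseRngLib on platforms with RDRAND) or at least make this binding overridable. Likewise `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` reports user physical presence unconditionally, which lets the PK be enrolled or cleared from setup without any presence check. Both are reasonable for a reference configuration, but a comment in the .dsc should tell integrators to replace them.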
@@ -406,6 +424,16 @@
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
 !endif
 
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
 ################################################################################
 #
 # Pcd Section - list of all EDK II PCD Entries defined by this Platform.
@@ -475,6 +503,16 @@
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
+
 [PcdsPatchableInModule.X64]
 !if $(NETWORK_DRIVER_ENABLE) == TRUE
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
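Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE` asserts user presence on every boot; combined with PlatformSecureLibNull this means SecureBootConfigDxe allows PK enrolment and deletion with no presence check, so the line deserves a comment marking it as a reference default rather than a production setting. The three ImageVerificationPolicy PCDs at 0x04 (deny execution on security violation) are the right choice; extending the comment above them to spell out what 0x04 means would make the values self-explanatory.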
@@ -635,8 +673,18 @@
   # Components that produce the architectural protocols
   #
 !if $(SECURITY_STUB_ENABLE) == TRUE
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+      <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 !endif
+  }
+!endif
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
   UefiCpuPkg/CpuDxe/CpuDxe.inf
   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
 !if $(BOOTSPLASH_IMAGE)
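Review bot: DxeImageVerificationLib is linked only inside the `!if $(SECURITY_STUB_ENABLE) == TRUE` block, so a build with SECURE_BOOT_ENABLE = TRUE and SECURITY_STUB_ENABLE = FALSE ships SecureBootConfigDxe and the authenticated-variable stack yet performs no image verification at all; add an `!error` guard for that combination, or force SECURITY_STUB_ENABLE on when SECURE_BOOT_ENABLE is set, so the flag cannot silently produce a "secure boot" payload that verifies nothing.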
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index f8c2aa8c4a..d1f76b1e56 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -201,6 +201,10 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
 !endif
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
 INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
 !if $(MEMORY_TEST) == "GENERIC"
@@ -324,6 +328,31 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
 INF ShellPkg/Application/Shell/Shell.inf
 !endif
 
+[FV.SECFV]
+FvNameGuid         = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
+BlockSize          = $(FD_BLOCK_SIZE)
+FvForceRebase      = FALSE
+FvAlignment        = 16
+ERASE_POLARITY     = 1
+MEMORY_MAPPED      = TRUE
+STICKY_WRITE       = TRUE
+LOCK_CAP           = TRUE
+LOCK_STATUS        = TRUE
+WRITE_DISABLED_CAP = TRUE
+WRITE_ENABLED_CAP  = TRUE
+WRITE_STATUS       = TRUE
+WRITE_LOCK_CAP     = TRUE
+WRITE_LOCK_STATUS  = TRUE
+READ_DISABLED_CAP  = TRUE
+READ_ENABLED_CAP   = TRUE
+READ_STATUS        = TRUE
+READ_LOCK_CAP      = TRUE
+READ_LOCK_STATUS   = TRUE
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
 
 ################################################################################
 #
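Review bot: [FV.SECFV] is consumed only by the UniversalPayloadBuild.py change in this patch; nothing here references it from an FD or FV_IMAGE section, so in a UNIVERSAL_PAYLOAD == FALSE build the SecureBootConfigDxe placed here is built but never dispatched. Guard the section with `!if $(UNIVERSAL_PAYLOAD) == TRUE` and keep the DXEFV entry for the non-UPL flavour, or add an FV_IMAGE section for SECFV to the FD. The two trailing blank lines before the banner comment can go.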
diff --git a/UefiPayloadPkg/UniversalPayloadBuild.py b/UefiPayloadPkg/UniversalPayloadBuild.py
index 416946a431..4a8b76bacc 100644
--- a/UefiPayloadPkg/UniversalPayloadBuild.py
+++ b/UefiPayloadPkg/UniversalPayloadBuild.py
@@ -118,6 +118,7 @@ def BuildUniversalPayload(Args):
             ['uefi_fv',    os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv"))    ],
             ['bds_fv',     os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv"))    ],
             ['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))    ],
+            ['security_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv"))    ],
         ]
         AddSectionName = '.upld_info'
         ReplaceFv (EntryOutputDir, UpldInfoFile, AddSectionName, Alignment = 4)
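Review bot: the new 'security_fv' entry is unconditional, so a build with SECURE_BOOT_ENABLE == FALSE still packs an empty SECFV section into the payload ELF; if that is intended, a short comment saying so would help, otherwise skip the entry when the FV has no content. The section name 'security_fv' should also be documented alongside 'uefi_fv' and 'bds_fv' so bootloaders consuming the payload know what to expect.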
-- 
2.39.1.windows.1



* [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu,
	Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Update the packages to support TPM and measured
boot in uefi payload.

Measured boot can be controlled using flag MEASURED_BOOT_ENABLE.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++--
 UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++--
 2 files changed, 139 insertions(+), 10 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index df078a1b28..0c4c0297ca 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -137,6 +137,7 @@
   # Security
   #
   DEFINE SECURE_BOOT_ENABLE       = FALSE
+  DEFINE MEASURED_BOOT_ENABLE     = FALSE
 
 [BuildOptions]
   *_*_*_CC_FLAGS                 = -D DISABLE_NEW_DEPRECATED_INTERFACES
@@ -309,14 +310,29 @@
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
 
-!if $(VARIABLE_SUPPORT) == "EMU"
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!elseif $(VARIABLE_SUPPORT) == "SPI"
-  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!if $(VARIABLE_SUPPORT) == "SPI"
   S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf
-  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
 !endif
+
+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"
+   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
+
+  #
+  # TPM
+  #
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+!else
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
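Review bot: the SPI branch loses its PlatformSecureLib|PlatformSecureLibNull mapping (removed line) with no replacement in this hunk; unless patch 4 already supplies PlatformSecureLib under SECURE_BOOT_ENABLE, a VARIABLE_SUPPORT == "SPI" build with secure boot off will no longer resolve that class for AuthVariableLib. Please confirm the mapping exists on every path. Minor: the MmUnblockMemoryLib line is indented three spaces instead of two.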
@@ -424,6 +440,11 @@
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
 !endif
 
+!if $(MEASURED_BOOT_ENABLE) == TRUE && $(SMM_SUPPORT) == TRUE
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
+!endif
+
+
 [LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
 !if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
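Review bot: the SmmTcg2PhysicalPresenceLib line is indented one space instead of two, and the hunk adds two blank lines where the rest of the file uses one.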
@@ -625,6 +646,14 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
 
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+
+  # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016
+!endif
+
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform.
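Review bot: 0x000000016 decodes to BIT1|BIT2|BIT4, i.e. SHA256, SHA384 and SM3_256 with SHA1 and SHA512 excluded, but the literal has nine hex digits and the comment does not say which banks are intended; please write 0x00000016 and name the chosen set. Tcg2Dxe below still links HashInstanceLibSha1, which is dead weight once SHA1 is masked out and could be dropped for consistency. The comment's separator after SHA1 should be a comma.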
@@ -677,6 +706,10 @@
       <LibraryClasses>
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+ !endif
 !endif
   }
 !endif
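Review bot: the MEASURED_BOOT_ENABLE block is nested inside the SECURE_BOOT_ENABLE block, so with MEASURED_BOOT_ENABLE == TRUE and SECURE_BOOT_ENABLE == FALSE neither DxeTpm2MeasureBootLib nor DxeTpmMeasureBootLib is linked into SecurityStubDxe and no loaded image is ever measured, even though TcgDxe/Tcg2Dxe are present. Close the secure boot `!if` first and make the measured boot `!if` a sibling. The inner `!endif` also has a stray leading space.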
@@ -685,6 +718,57 @@
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
 
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+    <LibraryClasses>
+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+   }
+
+   SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {
+    <LibraryClasses>
+      PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+  }
+
+!if $(SMM_SUPPORT) == TRUE
+  SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {
+    <LibraryClasses>
+    TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf
+
+  }
+!endif
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+  <LibraryClasses>
+      Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+  }
+!if $(SMM_SUPPORT) == TRUE
+  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+  }
+!endif
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+  SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif #MEASURED_BOOT_ENABLE
+
   UefiCpuPkg/CpuDxe/CpuDxe.inf
   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
 !if $(BOOTSPLASH_IMAGE)
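Review bot: SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf is listed twice with identical library overrides (the two consecutive blocks at the end of the MEASURED_BOOT_ENABLE section); drop one. Indentation is uneven across the blocks (three-space closing brace after TcgDxe, three-space indent on TcgConfigDxe, unindented <LibraryClasses> under Tcg2ConfigDxe, a blank line inside the TcgSmm block); align them with the pattern used by SecurityStubDxe above.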
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index d1f76b1e56..6629ec8993 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -60,6 +60,7 @@ FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 {
     SECTION FV_IMAGE = DXEFV
 }
 
+
 !if $(NETWORK_DRIVER_ENABLE) == TRUE
 ################################################################################
 [FV.NETWORKFV]
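Review bot: this hunk only inserts a blank line and belongs in no commit; please drop it.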
@@ -201,10 +202,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
 !endif
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-!endif
-
 INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
 !if $(MEMORY_TEST) == "GENERIC"
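Review bot: this removes the SecureBootConfigDxe entry that patch 4 added to DXEFV; folding it into patch 4, or merging it with the UNIVERSAL_PAYLOAD == FALSE block added further down, keeps the series bisectable and avoids the intermediate duplicate FV placement.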
@@ -307,6 +304,7 @@ INF  MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPlatformDxe.inf
 INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 !endif
 
+
 !if $(UNIVERSAL_PAYLOAD) == FALSE
 INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
 #
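Review bot: whitespace-only hunk; drop it.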
@@ -328,6 +326,29 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
 INF ShellPkg/Application/Shell/Shell.inf
 !endif
 
+!if $(UNIVERSAL_PAYLOAD) == FALSE
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+  INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+  INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+  INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+  INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+  INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+  INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif #MEASURED_BOOT_ENABLE
+
+!endif
+
 [FV.SECFV]
 FvNameGuid         = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
 BlockSize          = $(FD_BLOCK_SIZE)
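Review bot: the module list added here under UNIVERSAL_PAYLOAD == FALSE is repeated verbatim in [FV.SECFV] immediately after; an `!include` of a shared fragment would keep the two in sync. Indentation is mixed (the SecureBootConfigDxe INF is unindented, the Tcg INFs are indented two spaces). `RuleOverride = DRIVER_ACPITABLE` depends on the new rule at the end of this file; a comment here would help since no other INF uses it.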
@@ -353,6 +374,20 @@ READ_LOCK_STATUS   = TRUE
 INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
 
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+  INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+  INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+  INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+  INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+  INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+  INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif #MEASURED_BOOT_ENABLE
 
 ################################################################################
 #
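Review bot: [FV.SECFV] is not guarded by UNIVERSAL_PAYLOAD, so a UNIVERSAL_PAYLOAD == FALSE build compiles and packs these modules into SECFV as well as into the block above, with SECFV then left unreferenced; wrapping the section in `!if $(UNIVERSAL_PAYLOAD) == TRUE` removes the duplicate work and the duplicate FILE GUIDs.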
@@ -472,3 +507,13 @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.in
     UI        STRING="Enter Setup"
     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
   }
+
+[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]
+  FILE DRIVER = $(NAMED_GUID) {
+    DXE_DEPEX DXE_DEPEX Optional       $(INF_OUTPUT)/$(MODULE_NAME).depex
+    PE32      PE32                     $(INF_OUTPUT)/$(MODULE_NAME).efi
+    RAW ACPI  Optional                |.acpi
+    RAW ASL   Optional                |.aml
+    UI        STRING="$(MODULE_NAME)" Optional
+    VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
+  }
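Review bot: the new DRIVER_ACPITABLE rule exists so that Tcg2Acpi's .acpi/.aml output is packed into its FFS file; a one-line comment above the rule naming that consumer would help the next reader, since the rule otherwise duplicates the stock DXE_DRIVER rule with the two RAW sections appended.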
-- 
2.39.1.windows.1



* [PATCH v2 6/6] UefiPayloadPkg: Add secure boot definitions to ci build
From: Subash Lakkimsetti @ 2023-05-17 23:55 UTC (permalink / raw)
  To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu,
	Gua Guo

From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Define the build flags for secure boot and measured boot
for ci builds

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
index 278f271c36..e594ea6c20 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
+++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
@@ -92,5 +92,7 @@
         "BLD_*_EMU_VARIABLE_ENABLE": "FALSE",
         "BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
         "BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
+        "BLD_*_SECURE_BOOT_ENABLE": "TRUE",
+        "BLD_*_MEASURED_BOOT_ENABLE": "TRUE",
     }
 }
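Review bot: with both flags forced TRUE, CI no longer compiles the dsc defaults (SECURE_BOOT_ENABLE and MEASURED_BOOT_ENABLE both FALSE) or the mixed combinations, and the mixed case is exactly where the nested `!if` in patch 5 misbehaves; if the CI matrix allows only one configuration per package, say so in the commit message so the gap is known.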
-- 
2.39.1.windows.1


