From: lushifex <shifeix.a.lu@intel.com>
To: edk2-devel@lists.01.org
Cc: david.wei@intel.com;
Subject: [Patch][edk2-platforms/devel-MinnowBoard3] Enable Secure Boot.
Date: Tue, 21 Feb 2017 22:15:09 -0800 [thread overview]
Message-ID: <f43dce21-f15f-465a-9b29-2329f60cb1cc@SHWDEOPENPSI011.local> (raw)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: lushifex <shifeix.a.lu@intel.com>
---
.../PlatformSecureDefaultsLib.c | 952 ---------------------
.../PlatformSecureDefaultsLib.inf | 69 --
.../Common/PlatformSettings/PlatformDxe/Platform.c | 17 +-
.../PlatformSettings/PlatformDxe/PlatformDxe.inf | 3 +-
.../PlatformSetupDxe/PlatformSetupDxe.c | 39 +-
.../PlatformSetupDxe/PlatformSetupDxe.inf | 3 +-
.../PlatformSettings/PlatformSetupDxe/Security.vfi | 37 +-
.../PlatformSetupDxe/SetupInfoRecords.c | 89 +-
.../PlatformSetupDxe/VfrStrings.uni | Bin 315770 -> 311660 bytes
.../BroxtonPlatformPkg/PlatformDsc/Components.dsc | 18 +-
.../PlatformDsc/LibraryClasses.dsc | 2 -
Platform/BroxtonPlatformPkg/PlatformPkg.fdf | 11 +-
12 files changed, 69 insertions(+), 1171 deletions(-)
delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
deleted file mode 100644
index 2cdd01d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
+++ /dev/null
@@ -1,952 +0,0 @@
-/** @file
- IPC based PlatformFvbLib library instance.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- This program and the accompanying materials
- are licensed and made available under the terms and conditions of the BSD License
- which accompanies this distribution. The full text of the license may be found at
- http://opensource.org/licenses/bsd-license.php.
-
- THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
- WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Library/PlatformSecureDefaultsLib.h"
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/SetupVariable.h>
-
-EFI_GUID mUefiImageSecurityDBGuid = EFI_IMAGE_SECURITY_DATABASE_GUID;
-EFI_GUID mUefiCertTypeRsa2048Guid = EFI_CERT_RSA2048_GUID;
-
-#define WIN_CERT_UEFI_RSA2048_SIZE 256
-#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable"
-
-extern EFI_GUID mUefiCertTypeRsa2048Guid;
-extern EFI_GUID gEfiSecureBootEnableDisableGuid;
-
-EFI_GUID gOwnerSignatureGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};
-static EFI_GUID gDbxUpdateImageGuid = {0xa3d48bb3, 0x350f, 0x4bcd, 0xa4, 0xad, 0x44, 0x5b, 0x93, 0x9f, 0x6d, 0x9c };
-
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-
-/**
- Generate the PK signature list from the X509 Certificate storing file (.cer)
-
- @param[in] X509Data FileHandle of X509 Certificate storing file.
- @param[in] X509DataSize The size of fileHandle of X509 Certificate storing file.
- @param[out] PkCert Point to the data buffer to store the signature list.
-
- @retval EFI_UNSUPPORTED Unsupported Key Length.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.
-
-**/
-EFI_STATUS
-CreatePkX509SignatureList (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize,
- OUT EFI_SIGNATURE_LIST **PkCert
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *PkCertData;
-
- PkCertData = NULL;
- Status = EFI_SUCCESS;
- ASSERT (X509Data != NULL);
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- *PkCert = (EFI_SIGNATURE_LIST *) AllocateZeroPool (
- sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (*PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- (*PkCert)->SignatureListSize = (UINT32) (sizeof (EFI_SIGNATURE_LIST)
- + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- (*PkCert)->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- (*PkCert)->SignatureHeaderSize = 0;
- CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA *) ((UINTN) (*PkCert)
- + sizeof (EFI_SIGNATURE_LIST)
- + (*PkCert)->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
-ON_EXIT:
-
- if (EFI_ERROR(Status) && *PkCert != NULL) {
- FreePool (*PkCert);
- *PkCert = NULL;
- }
-
- return Status;
-}
-
-
-EFI_STATUS
-EnrollPlatformKey (
- IN VOID *Buf,
- IN UINTN BufSize
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
-
- PkCert = NULL;
-
- //
- // Prase the selected PK file and generature PK certificate list.
- //
- Status = CreatePkX509SignatureList (
- Buf,
- BufSize,
- &PkCert
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (PkCert != NULL);
-
- //
- // Set Platform Key variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- DataSize = PkCert->SignatureListSize;
- Status = CreateTimeBasedPayload (&DataSize, (UINT8 **) &PkCert);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- if (Status == EFI_OUT_OF_RESOURCES) {
- DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n"));
- }
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool (PkCert);
- }
-
- return Status;
-}
-
-
-/**
- Enroll a new KEK item from X509 certificate file.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509ToKek (
- VOID *X509Data,
- UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- ASSERT (X509Data != NULL);
-
- KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32) KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, &gOwnerSignatureGUID);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-
-/**
- Enroll new KEK into the System without PK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successful.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll KEK data.
-
-**/
-EFI_STATUS
-EnrollKeyExchangeKey (
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509ToKek (DataBuf, BufSize);
-}
-
-
-EFI_STATUS
-EnrollX509toForbSigDB (
- IN CHAR16 *VariableName,
- IN VOID *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- VOID *Data;
- UINTN SigDBSize;
- UINT32 Attr;
- UINTN DataSize;
-
- SigDBSize = 0;
- DataSize = 0;
- Data = NULL;
-
- ASSERT (X509Data != NULL);
-
- SigDBSize = X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- CopyMem ((UINT8 *) Data, X509Data, X509DataSize);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-
-/**
- Enroll X509 certificate into Forbidden Database (DBX) without
- KEK's authentication.
-
- @param[in] VariableName Variable name of signature database, must be
- @param[in] *DataBuf Pointer to Data Buffer
- @param[in] BufSize Data Buffer size
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollKeyForbiddenSignatureDatabase (
- IN CHAR16 *VariableName,
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509toForbSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
- Enroll a new X509 certificate into Signature Database (DB or DBX) without
- KEK's authentication.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509toSigDB (
- IN CHAR16 *VariableName,
- IN VOID *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- SigDBSize = 0;
- DataSize = 0;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- ASSERT (X509Data != NULL);
-
- SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST *) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, &gOwnerSignatureGUID);
- CopyMem ((UINT8 *) (SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-
-EFI_STATUS
-EnrollSignatureDatabase (
- IN CHAR16 *VariableName,
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509toSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
- Function to Load Secure Keys given the binary GUID
-
- @param[in] VendorGuid GUID of the Variable.
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Set the variable successfully.
- @retval Others Set variable failed.
-
-**/
-EFI_STATUS
-SetSecureVariabeKeys (
- IN EFI_GUID *ImageGuid,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv;
- UINTN FvProtocolCount;
- EFI_HANDLE *FvHandles;
- UINTN Index1;
- UINT32 AuthenticationStatus;
- UINT8 *Buffer=NULL;
- UINTN BufferSize=0;
- UINT32 Attr;
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- FvHandles = NULL;
-
- Status = gBS->LocateHandleBuffer (
- ByProtocol,
- &gEfiFirmwareVolume2ProtocolGuid,
- NULL,
- &FvProtocolCount,
- &FvHandles
- );
-
- if (!EFI_ERROR (Status)) {
- for (Index1 = 0; Index1 < FvProtocolCount; Index1++) {
- Status = gBS->HandleProtocol (
- FvHandles[Index1],
- &gEfiFirmwareVolume2ProtocolGuid,
- (VOID **) &Fv
- );
- BufferSize= 0;
-
- Status = Fv->ReadSection (
- Fv,
- ImageGuid,
- EFI_SECTION_RAW,
- 0,
- (VOID **) &Buffer,
- &BufferSize,
- &AuthenticationStatus
- );
-
- if (!EFI_ERROR (Status)) {
- Status = EFI_SUCCESS;
- break;
- }
- }
- }
-
- if (Buffer == NULL)
- return EFI_UNSUPPORTED;
- if (StrCmp (VariableName, L"PK") == 0){
- Status = EnrollPlatformKey (Buffer, BufferSize);
- } else if (StrCmp (VariableName, L"KEK") == 0) {
- Status = EnrollKeyExchangeKey (Buffer, BufferSize);
- } else if (CompareGuid (ImageGuid, &gDbxUpdateImageGuid)) {
- Status = EnrollKeyForbiddenSignatureDatabase (VariableName,Buffer, BufferSize);
- } else {
- Status = EnrollSignatureDatabase (VariableName, Buffer, BufferSize);
- }
- return Status;
-}
-
-
-/**
- Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Updated to Setup Mode successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateSetupModetoUserMode (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 SetupMode;
- UINT8 SecureBootEnable;
-
- SetupMode = 0;
- SecureBootEnable = 1;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- 1,
- &SetupMode
- );
-
- if (!EFI_ERROR (Status)) {
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootEnable
- );
- }
- return Status;
-}
-
-
-/**
- Enrolls PK, KEK, Db and Dbx.
-
- Note: Setup variable uses UEFI Runtime Services.
- Do not call this function from PEI.
-
-**/
-VOID
-EnrollKeys (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT8 SecureBootCstMde;
- UINTN DataSize;
- SYSTEM_CONFIGURATION SystemConfiguration;
- UINTN VarSize;
-
- EFI_GUID KekImageGuid = { 0x5d354a1f, 0x98d7, 0x4938, 0x8f, 0x18, 0xf8, 0x4e, 0x1c, 0x89, 0xb2, 0xed };
- EFI_GUID Db1ImageGuid = { 0x4de09060, 0x5864, 0x471a, 0xb3, 0x52, 0xd4, 0x50, 0x6e, 0xd7, 0xbb, 0xb0 };
- EFI_GUID DbxImageGuid = { 0x96b44e98, 0x6c49, 0x4c03, 0xa8, 0xa4, 0x77, 0x93, 0xef, 0x41, 0x68, 0x5a };
- EFI_GUID PkImageGuid = { 0xc43024ad, 0x8cb8, 0x4393, 0x8a, 0xe1, 0xf3, 0x5c, 0xbf, 0xc7, 0xcd, 0x56 };
- EFI_GUID Db2ImageGuid = { 0x0f97c7a2, 0xba0c, 0x4e8a, 0x90, 0xf9, 0xb1, 0xcc, 0x40, 0x57, 0x01, 0xf8 };
- EFI_GUID Db3ImageGuid = { 0x774491b2, 0x85ff, 0x47b0, 0x89, 0xa4, 0xcc, 0xd8, 0xb3, 0x99, 0xaa, 0xd4 };
- EFI_GUID Kek2ImageGuid = { 0xE989363D, 0x449F, 0x4b32, 0x96, 0xB0, 0xB2, 0x71, 0x73, 0x44, 0xD0, 0xEE };
- EFI_GUID Db4ImageGuid = { 0xB69B054C, 0x7EA4, 0x4f13, 0xB7, 0xFF, 0x72, 0xC6, 0x32, 0x3B, 0xC8, 0x5A };
- EFI_GUID Db5ImageGuid = { 0xB8FA2839, 0xE0C1, 0x4368, 0xA5, 0x1B, 0x5F, 0x4A, 0x21, 0x74, 0x61, 0x29 };
- EFI_GUID Db6ImageGuid = { 0x758FBB84, 0xEF4C, 0x4acf, 0xB1, 0xA6, 0xE8, 0x44, 0xD5, 0xFF, 0x6B, 0xA6 };
-
- VarSize = sizeof (SYSTEM_CONFIGURATION);
- Status = gRT->GetVariable (
- L"Setup",
- &gEfiSetupVariableGuid,
- NULL,
- &VarSize,
- &SystemConfiguration
- );
-
- ASSERT_EFI_ERROR (Status);
-
- //
- // Enroll Key Exchange Key
- //
- SetSecureVariabeKeys (&KekImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- if (!(SystemConfiguration.UseProductKey)) {
- SetSecureVariabeKeys (&Kek2ImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- //
- // Enroll Authenticated database.
- //
- SetSecureVariabeKeys (&Db1ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db4ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db5ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db6ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- //
- // Enroll Platform Key - 219_Microsoft_UEFI_Logo_Test_KEK.cer for WOS and common_PK.x509.cer for AOS
- //
- SetSecureVariabeKeys (&PkImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
- } else {
- //
- // Enroll Platform Key - KEK_MSFTproductionKekCA.cer
- //
- SetSecureVariabeKeys (&KekImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
- }
- SetSecureVariabeKeys (&Db2ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db3ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- //
- //Enroll Forbidden Database
- //
- SetSecureVariabeKeys (&DbxImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&gDbxUpdateImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-
- //
- // If secure boot mode in custom mode, change to standard mode.
- //
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &SecureBootCstMde
- );
-
- if (SecureBootCstMde) {
- SecureBootCstMde = !SecureBootCstMde;
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootCstMde
- );
- }
-}
-
-
-/**
- Internal function to delete a Variable given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-
-/**
- Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Updated to Setup Mode successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateUserModetoSetupMode (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 SetupMode;
- UINT8 SecureBootDisable;
-
- SetupMode = 1;
- SecureBootDisable = 0;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- 1,
- &SetupMode
- );
-
- if (!EFI_ERROR (Status)) {
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, NULL);
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootDisable
- );
- }
- return Status;
-}
-
-
-/**
- Deletes PK, KEK, Db and Dbx.
-
-**/
-VOID
-DeleteKeys (
- )
-{
- //
- // 1. Clear PK.
- //
- DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
-
- //
- // 2. Update "SetupMode" variable to SETUP_MODE.
- //
- UpdateUserModetoSetupMode (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid);
-
- //
- // 3. Clear KEK, DB and DBX.
- //
- DeleteVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- DeleteVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- DeleteVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-}
-
-
-/**
- Enable Custom Mode.
-
-**/
- VOID
- EnableCustomMode (
- )
-{
- UINT8 CustomMode;
- EFI_STATUS Status;
-
- CustomMode = 1;
-
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &CustomMode
- );
-
-}
-
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
deleted file mode 100644
index 72a001d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
+++ /dev/null
@@ -1,69 +0,0 @@
-## @file
-# NULL PlatformFvbLib library instance.
-# This library handles hooks for the EMU Variable FVB driver.
-#
-# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
-#
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = PlatformSecureDefaultsLib
- FILE_GUID = 402B0508-781A-4016-A1D7-9740FFE001A0
- MODULE_TYPE = BASE
- VERSION_STRING = 1.0
- LIBRARY_CLASS = PlatformSecureDefaultsLib | DXE_DRIVER DXE_RUNTIME_DRIVER
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF EBC
-#
-
-[Sources]
- PlatformSecureDefaultsLib.c
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- IntelFrameworkPkg/IntelFrameworkPkg.dec
- IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- BroxtonPlatformPkg/PlatformPkg.dec
- BroxtonSiPkg/BroxtonSiPkg.dec
-
-[LibraryClasses]
- DebugLib
- DxeServicesTableLib
- UefiBootServicesTableLib
- DevicePathLib
- BaseMemoryLib
- BaseLib
- IoLib
- TimerLib
- MemoryAllocationLib
- PcdLib
-
-[Protocols]
- gEfiFirmwareVolume2ProtocolGuid
-
-[Guids]
- gEfiGlobalVariableGuid ## PRODUCES ## Variable Guid
- gEfiSetupVariableGuid
- gEfiVariableGuid
- gEfiImageSecurityDatabaseGuid
- gEfiCertX509Guid
- gEfiCertPkcs7Guid
- gEfiCustomModeEnableGuid
-
-[Depex]
- TRUE
-
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
index 02dcc27..187eb21 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
@@ -1,7 +1,7 @@
/** @file
Platform Initialization Driver.
- Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -641,7 +641,7 @@ InitPlatformResolution (
PcdSet32S (PcdVideoVerticalResolution, PanelResolution[mSystemConfiguration.IgdFlatPanel].VerticalResolution);
}
-VOID
+VOID
OverrideSdCardPresence (
VOID
)
@@ -670,7 +670,7 @@ OverrideSdCardPresence (
} else {
P2sbMmioBar &= B_P2SB_BAR_BA;
}
-
+
Gpio177PadConfigDW0RegAdd = P2SB_MMIO_ADDR (P2sbMmioBar, SOUTHWEST, 0x5D0);
Gpio177RxState = MmioRead32(Gpio177PadConfigDW0RegAdd) & BIT1;
DEBUG ((DEBUG_INFO, "Gpio177PadConfigDW0RegAdd: 0x%X\n", Gpio177PadConfigDW0RegAdd));
@@ -868,11 +868,6 @@ InitializePlatform (
FdoEnabledGuidHob = GetFirstGuidHob (&gFdoModeEnabledHobGuid);
if (FdoEnabledGuidHob != NULL) {
- //
- // Secure boot must be disabled in Flash Descriptor Override (FDO) boot
- //
- EnableCustomMode ();
- DeleteKeys ();
}
#if (ENBDT_PF_ENABLE == 1) //BXTP
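Review bot: Removing `EnableCustomMode ()` and `DeleteKeys ()` leaves `if (FdoEnabledGuidHob != NULL) { }` as an empty block, so the `GetFirstGuidHob (&gFdoModeEnabledHobGuid)` lookup just above it now has no observable effect; either drop the lookup together with the empty block, or keep the block with a comment such as `// FDO boot: no platform-side Secure Boot key handling here (PlatformSecureDefaultsLib removed)` so the intent is recorded. The deleted comment stated that Secure Boot must be disabled in Flash Descriptor Override boot, and nothing in this patch replaces that behavior; if the requirement still holds, it is presumably expected to be satisfied elsewhere, and the commit message should say where. InitializePlatform begins and ends outside this hunk.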
@@ -916,9 +911,9 @@ InitializePlatform (
&EfiExitBootServicesEvent
);
-
- OverrideSdCardPresence();
-
+
+ OverrideSdCardPresence();
+
return EFI_SUCCESS;
}
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
index c2714a6..cf8ca08 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
@@ -1,7 +1,7 @@
## @file
# Component description file for platform DXE driver
#
-# Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -50,7 +50,6 @@
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiRuntimeServicesTableLib
- PlatformSecureDefaultsLib
DxeServicesTableLib
DebugLib
HiiLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
index 02b03ff..5cbe136 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
@@ -13,7 +13,7 @@
4. It save all the mapping info in NV variables which will be consumed
by platform override protocol driver to publish the platform override protocol.
- Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -508,43 +508,6 @@ SystemConfigCallback (
if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {
}
- } else if (KeyValue == 0x1237 /*KEY_CLEAR_KEK_AND_PK*/ ) {
- //
- //Delete PK, KEK, DB, DBx
- //
- EnableCustomMode ();
- DeleteKeys ();
- StrCpyS (StringBuffer1, 200, L"Clear Keys Completed");
- StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
- //
- // Popup a menu to notice user
- //
- do {
- CreatePopUp (EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
- } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
- gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
- } else if (KeyValue == 0x1238 /*KEY_LOAD_DEFAULTS_KEYS*/ ) {
- //
- // Enroll PK, KEK, DB and DBx
- //
- EnrollKeys ();
- StrCpyS (StringBuffer1, 200, L"Restore Keys Completed");
- StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
- //
- // Popup a notification menu
- //
- do {
- CreatePopUp(EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
- } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
- //
- // Reset the system
- //
- gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
-
} else if (KeyValue == 0x1239) {
//
// Popup a notification menu
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
index 09a16c8..0cbcb71 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
@@ -16,7 +16,7 @@
# 4. It save all the mapping info in NV variables for the following boot,
# which will be consumed by GetDriver API of the produced the platform override protocol.
#
-# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -92,7 +92,6 @@
BiosIdLib
CpuIA32Lib
IoLib
- PlatformSecureDefaultsLib
BaseIpcLib
HeciMsgLib
SteppingLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
index f79e81b..9d0855e 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
@@ -107,39 +107,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
endif;
endif;
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
-
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
- oneof varid = Setup.SecureBootCustomMode,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
- option text = STRING_TOKEN(STR_SB_STANDARD_MODE), value=0x00, flags = DEFAULT | MANUFACTURING;
- option text = STRING_TOKEN(STR_SB_CUSTOM_MODE), value=0x01, flags = 0;
- endoneof;
- oneof varid = Setup.UseProductKey,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_HELP),
- option text = STRING_TOKEN(STR_DEV_KEY), value=0x00, flags = DEFAULT | RESET_REQUIRED;
- option text = STRING_TOKEN(STR_PRO_KEY), value=0x01, flags = RESET_REQUIRED;
- endoneof;
- text
- help = STRING_TOKEN(STR_CLEAR_ALL_KEYS_HELP),
- text = STRING_TOKEN(STR_CLEAR_ALL_KEYS),
- text = STRING_TOKEN(STR_NULL_STRING),
- flags = INTERACTIVE,
- key = 0x1237; //KEY_CLEAR_KEK_AND_PK;
-
- text
- help = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS_HELP),
- text = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS),
- text = STRING_TOKEN(STR_NULL_STRING),
- flags = INTERACTIVE,
- key = 0x1238; //KEY_LOAD_DEFAULTS_KEYS;
-
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
//
//TPM related
//
@@ -154,7 +121,7 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
option text = STRING_TOKEN(STR_TPM_DTPM_2_0), value = 0x03, flags = RESET_REQUIRED;
endoneof;
- suppressif NOT ideqval Setup.TPM == 1;
+ suppressif NOT ideqval Setup.TPM == 1;
oneof varid = Setup.TPMSupportedBanks,
prompt = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_PROMPT),
help = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_HELP),
@@ -164,6 +131,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
option text = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_BOTH), value = TPM2_SUPPORTED_BANK_BOTH, flags = RESET_REQUIRED;
endoneof;
endif;
-
+
endform;
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
index 8f7a534..d504995 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
@@ -1,7 +1,7 @@
/** @file
To retrieve various platform info data for Setup menu.
- Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -47,8 +47,6 @@
#include "ScAccess.h"
#include "SetupMode.h"
-#define EFI_CUSTOM_MODE_NAME L"CustomMode"
-extern EFI_GUID gEfiCustomModeEnableGuid;
#define LEFT_JUSTIFY 0x01
#define PREFIX_SIGN 0x02
@@ -65,7 +63,6 @@ EFI_GUID mProcessorProducerGuid;
EFI_HII_HANDLE mHiiHandle;
SYSTEM_CONFIGURATION mSystemConfiguration;
EFI_PLATFORM_INFO_HOB *mPlatformInfo;
-UINT8 mUseProductKey = 0;
#define memset SetMem
@@ -1720,14 +1717,30 @@ SetupInfo (
VOID
CheckSystemConfigLoad (
- SYSTEM_CONFIGURATION *SystemConfigPtr
+ SYSTEM_CONFIGURATION *SystemConfigPtr
)
{
EFI_STATUS Status;
SEC_OPERATION_PROTOCOL *SeCOp;
SEC_INFOMATION SeCInfo;
+ UINT8 SecureBoot;
+ UINTN DataSize;
+
+ DataSize = sizeof (SecureBoot);
+ Status = gRT->GetVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ NULL,
+ &DataSize,
+ &SecureBoot
+ );
+
+ if (EFI_ERROR (Status)) {
+ SystemConfigPtr->SecureBoot = 0;
+ } else {
+ SystemConfigPtr->SecureBoot = SecureBoot;
+ }
- mUseProductKey = SystemConfigPtr->UseProductKey;
Status = gBS->LocateProtocol (
&gEfiSeCOperationProtocolGuid,
NULL,
@@ -1787,7 +1800,7 @@ CheckTPMActivePcrBanks (
VOID
CheckSystemConfigSave (
- SYSTEM_CONFIGURATION *SystemConfigPtr
+ SYSTEM_CONFIGURATION *SystemConfigPtr
)
{
EFI_STATUS Status;
@@ -1795,51 +1808,7 @@ CheckSystemConfigSave (
SEC_INFOMATION SeCInfo;
UINT8 SecureBootCfg;
UINTN DataSize;
- UINT8 CustomMode;
-
- if (mUseProductKey != SystemConfigPtr->UseProductKey) {
- EnableCustomMode ();
- DeleteKeys ();
- EnrollKeys ();
- }
- DataSize = sizeof (CustomMode);
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &CustomMode
- );
-
- if (EFI_ERROR (Status)) {
- DeleteKeys ();
- EnrollKeys ();
- DataSize = sizeof (CustomMode);
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &CustomMode
- );
- }
-
- if (CustomMode != SystemConfigPtr->SecureBootCustomMode) {
- if (CustomMode == 1) {
- DeleteKeys ();
- EnrollKeys ();
- CustomMode = 0;
- } else {
- CustomMode = 1;
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &CustomMode
- );
- }
- }
+ BOOLEAN SecureBootNotFound;
Status = gBS->LocateProtocol (
&gEfiSeCOperationProtocolGuid,
@@ -1861,6 +1830,8 @@ CheckSystemConfigSave (
//
// Secure Boot configuration changes
//
+ DataSize = sizeof (SecureBootCfg);
+ SecureBootNotFound = FALSE;
Status = gRT->GetVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
@@ -1870,12 +1841,22 @@ CheckSystemConfigSave (
);
if (EFI_ERROR (Status)) {
- SecureBootCfg = 0;
+ SecureBootNotFound = TRUE;
+ }
+
+ if (SecureBootNotFound) {
+ Status = gRT->GetVariable (
+ EFI_SECURE_BOOT_ENABLE_NAME,
+ &gEfiSecureBootEnableDisableGuid,
+ NULL,
+ &DataSize,
+ &SecureBootCfg
+ );
+ ASSERT_EFI_ERROR (Status);
}
if ((SecureBootCfg) != SystemConfigPtr->SecureBoot) {
SecureBootCfg = !SecureBootCfg;
-
Status = gRT->SetVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
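Review bot: The retry of `gRT->GetVariable` inside `if (SecureBootNotFound)` cannot succeed where the first call just failed, since nothing between the two calls creates the variable, so on a platform where `SecureBootEnable` does not exist yet `ASSERT_EFI_ERROR (Status)` fires in DEBUG builds and in RELEASE builds `SecureBootCfg` is left uninitialized, compared against `SystemConfigPtr->SecureBoot`, negated, and (presumably, the argument list is cut off) written back by the `SetVariable` that follows — the persisted Secure Boot enable setting would then come from stack garbage. The original `SecureBootCfg = 0;` in the error branch at least gave a defined value; restoring it, i.e. `if (EFI_ERROR (Status)) { SecureBootCfg = 0; }`, and dropping the `SecureBootNotFound` flag declared and cleared in the two hunks above (`BOOLEAN SecureBootNotFound;`, `SecureBootNotFound = FALSE;`) removes the dead retry. If the intent was to guarantee the variable exists, the not-found case should instead write a defined default with `SetVariable` before the comparison rather than re-reading. The first `GetVariable` call and the trailing `SetVariable` both extend outside the hunk.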
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni
index 47b84ee6a0ac53bef15b322024a47c9935285ffb..9ff9a80ba62edb19ac8982991e2dcc364d1df52a 100644
GIT binary patch
delta 42
zcmV+_0M-Bcq7&?b6Oh6MHvlXEAd}HFBZ2CL>H&r70=4P`rpuSC=K&74tlR_6^p{B#
AVgLXD
delta 1706
zcmbtUOHUI~6h1T45<nXv1hhfJOe-ZpMG^3|k?F(4P%Po$V_|9oMVcV3v{f`wf(h(2
zCbPIZ1s80HuZ3X?Y%xUt0d6#DG=}KPmEW16wnGXM&CT4o_uTXN?m6dvUmw-{dQtOq
z#d(U3l4^Wx_fF-ebJBE9ewS0`S4Gts`G8U7FWWajy%eG-`6+_YFJg7_S&_Q$Xg1!=
zsAA}WTqV})EM1pPSA1Jl0-`e_`NXR|j>?dqk{B6MsT=<xieq&QUx2cdhCE5Pu=C;T
z!!AZ+(23DFW&ngN&bG$u8EvxI1KaUwKk0Odf|z?TtMHYNk%SM9GGJ;&5WR59o-;H;
z2_R5u5G#&*)5K=U;xvpA#~CA!VV#-8mR+W?y@PcN*18FIQ(^Ob9RD=FjClbL!&fc<
zyNj@+7%IH6Ru=y;?EZEor-xirDO#U9BI3rP+%8gSd2h&LrfAUg!g2m7-9qn{yj=Dz
zrPN!cLMh8#dEcdgxNJa-hKEh=0EN*)T$w25Fh-QRAh{;ANx9KbbLX@G@(?%6%{jEP
z(gn#qWUy3}dJihPjfpYWsqGN+(|7s0u|DEBoj2#w_W%$#1H-abL1d7za2u*<DL+k=
zMAA`=WY?}l^%IBpkPg35d?C7k#0(%Y{ivcXIkQ(zUJRp`V<rrK1*J+HgnSq}S>z;R
z_HrJ02(S~7l}cj3gNXm>TErG)Z$kv|ce=`yE_aB|dHHag6|Rscd%`ESq`VaB;|0{a
zaw9f=C|YeF3K-qW6XJH0W6)(I53#%=Yt@!^5ofTbE@l@bU&SA(SUxCe{8$=nyoVY_
z(NDc#%gss}8{s}?ODFeNT<BTZYkbhk-9@x&H!-xPHfGLdvG!6aXVZjfisz802d+4i
z&nOC*0;$B&sLW8-qfsGcit544JeW24D}gl=jHScv9<VW<DHlmu+Fw6psxprxOp_v#
z7J5WEQW2ud*7bz`SUGQ`8c(>l1ti`EapR?{4yT!ryhV#x`mB`ImP9A!zDVxHXYZA@
GpT7a+n_%An
diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
index eb47ea0..d3be2da 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
@@ -234,6 +234,16 @@
!endif
#
+ # Secure Boot
+ #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf {
+ <LibraryClasses>
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ }
+!endif
+
+ #
# SMM
#
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
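Review bot: SecureBootConfigDxe is bound to `PlatformSecureLibNull`, whose `UserPhysicalPresent()` returns TRUE unconditionally, so with Secure Boot now enabled the operations SecureBootConfigDxe gates on physical presence (PK/KEK/db/dbx enrolment and deletion, custom mode) are available to anyone who reaches the setup UI, with no platform check behind them. For a production MinnowBoard 3 image this `<LibraryClasses>` override should point at a platform PlatformSecureLib that consults a real presence indicator, or the NULL binding should at least carry a comment in the DSC stating that it is a development-only choice, e.g. `# PlatformSecureLibNull reports physical presence unconditionally; replace before production use`. The companion INF addition in PlatformPkg.fdf below inherits whatever is chosen here.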
@@ -367,10 +377,10 @@
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcHostDxe/MmcHostDxe.inf
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcMediaDeviceDxe/MmcMediaDeviceDxe.inf
-
+
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-
+
!if $(ACPI50_ENABLE) == TRUE
MdeModulePkg/Universal/SmmCommunicationBufferDxe/SmmCommunicationBufferDxe.inf
@@ -474,12 +484,12 @@
PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf
$(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
-
+
#
# USB TypeC
#
$(PLATFORM_PACKAGE_COMMON)/Acpi/UsbTypeCDxe/UsbTypeCDxe.inf
-
+
#
# Application
#
diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
index c2424f0..971dc4a 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
@@ -237,8 +237,6 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
!endif
-
- PlatformSecureDefaultsLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf
BasePlatformCmosLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformCmosLib/PlatformCmosLib.inf
diff --git a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
index a5a3555..2476407 100644
--- a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
+++ b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
@@ -450,7 +450,7 @@ APRIORI DXE {
INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-
+
INF IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
#
@@ -575,6 +575,13 @@ APRIORI DXE {
INF $(PLATFORM_PACKAGE_COMMON)/PnpDxe/PnpDxe.inf
#
+ # Secure Boot
+ #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
+ #
# SMM
#
INF MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
@@ -710,7 +717,7 @@ APRIORI DXE {
SECTION PE32 = ShellBinPkg/UefiShell/$(IA32_X64_LC)/Shell.efi
}
- INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
+ INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
#
# USB TypeC
--
2.7.0.windows.1