* [PATCH v1 0/6] Universal payload secure boot and measured boot
@ 2023-03-22 5:58 Subash Lakkimsetti
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Support added in universal payload to enable secure boot and measured boot.
HOB structure header for universal payload for secure boot and measured boot information from bootloaders,
as per the universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html
TCG2ACPI: uninstall the TPM2 ACPI tables if updated from bootloaders and create new ACPI tables.
Secure boot configuration and flags are added to UefiPayloadPkg.
Measured boot and TPM configurations are added for UefiPayloadPkg.
Subash Lakkimsetti (6):
MdeModulePkg: universal payload HOB for secure boot info
UefiPayloadPkg: Add secureboot information HOBs
TCG2ACPI: Uninstall the TPM2 ACPI if present
UefiPayloadPkg: Add secure boot configurations
UefiPayloadPkg: Enable TPM measured boot
UefiPayloadPkg: Add secure boot definitions to ci build
.../UniversalPayload/SecureBootInfoGuid.h | 37 +++
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c | 251 ++++++++++++++++++
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf | 3 +
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++-
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +-
UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 4 +
UefiPayloadPkg/UefiPayloadPkg.dec | 4 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 127 ++++++++-
UefiPayloadPkg/UefiPayloadPkg.fdf | 29 ++
9 files changed, 534 insertions(+), 11 deletions(-)
create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
--
2.39.1.windows.1
* [PATCH v1 1/6] MdeModulePkg: universal payload HOB for secure boot info
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti, Zhiguang Liu, Ray Ni, Gua Guo
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Add the HOB structure header for universal payload
for secure boot and measured boot information from
bootloaders. Universal payload spec defined at
https://universalscalablefirmware.github.io/documentation/2_universal_payload.html
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
.../UniversalPayload/SecureBootInfoGuid.h | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
diff --git a/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
new file mode 100644
index 0000000000..5f0f75eb3a
--- /dev/null
+++ b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
@@ -0,0 +1,37 @@
+/** @file
+ This file defines the hob structure for the Secure boot information.
+
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef SECUREBOOT_INFO_GUID_H_
+#define SECUREBOOT_INFO_GUID_H_
+
+#include <UniversalPayload/UniversalPayload.h>
+
+/**
+ Secure Boot info Hob GUID
+**/
+extern EFI_GUID gUniversalPayloadSecureBootInfoGuid;
+
+#define PAYLOAD_SECUREBOOT_INFO_HOB_REVISION 0x1
+
+#define NO_TPM 0x0
+#define TPM_TYPE_12 0x1
+#define TPM_TYPE_20 0x2
+
+#pragma pack(1)
+typedef struct {
+ UNIVERSAL_PAYLOAD_GENERIC_HEADER Header;
+ UINT8 VerifiedBootEnabled;
+ UINT8 MeasuredBootEnabled;
+ UINT8 FirmwareDebuggerInitialized;
+ UINT8 TpmType;
+ UINT8 Reserved[3];
+ UINT32 TpmPcrActivePcrBanks;
+} UNIVERSAL_SECURE_BOOT_INFO;
+#pragma pack()
+
+#endif // SECUREBOOT_INFO_GUID_H_
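Review bot: the macros NO_TPM, TPM_TYPE_12 and TPM_TYPE_20 (the three #defines after PAYLOAD_SECUREBOOT_INFO_HOB_REVISION) are unprefixed in a header installed under MdeModulePkg/Include that every consumer of the HOB will pull in; prefix them, e.g. `UNIVERSAL_PAYLOAD_TPM_TYPE_20`, and for consistency with the other universal payload headers consider `UNIVERSAL_PAYLOAD_SECURE_BOOT_INFO` for the struct and `UNIVERSAL_PAYLOAD_SECURE_BOOT_INFO_REVISION` for the revision. The struct fields also need doc comments: it is not stated whether TpmPcrActivePcrBanks is the TPM2 hash-algorithm bitmap the payload copies into PcdTpm2HashMask, or what TpmType holds when MeasuredBootEnabled is 0. Since the HOB is produced by the bootloader and consumed by the payload, the header should say that consumers must check Header.Revision and Header.Length before reading past the generic header.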
--
2.39.1.windows.1
* [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch adds the HOB for secure and measured boot
information. It is populated in the bootloader phase,
and UefiPayloadPkg uses this info to sync the TPM
info PCDs.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++-
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
UefiPayloadPkg/UefiPayloadPkg.dec | 4 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
4 files changed, 92 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index 2e70c4533c..7415507ec6 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
@@ -2,11 +2,14 @@
This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi
tables from bootloader.
- Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "BlSupportDxe.h"
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Include/UniversalPayload/SecureBootInfoGuid.h>
/**
Reserve MMIO/IO resource in GCD
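Review bot: the new `#include <Include/UniversalPayload/SecureBootInfoGuid.h>` carries a stray `Include/` path component; the package include path already points at MdeModulePkg/Include, and the new header itself uses `#include <UniversalPayload/UniversalPayload.h>`, so this should be `#include <UniversalPayload/SecureBootInfoGuid.h>`. DebugLib.h and PcdLib.h are normally already pulled in through the module's own BlSupportDxe.h; check whether those two include lines are needed at all.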
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
return Status;
}
+/**
+Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader.
+**/
+EFI_STATUS
+BlSupportSecurityPcdSync (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;
+ UINTN Size;
+
+ GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
+ if (GuidHob == NULL) {
+ DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n"));
+ return EFI_UNSUPPORTED;
+ }
+
+ SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob);
+
+ // Sync the Hash mask for TPM 2.0 as per active PCR banks.
+ // Make sure that the current PCR allocations, the TPM supported PCRs,
+ // and the PcdTpm2HashMask are all in agreement.
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks));
+
+ // Set the Firmware debugger PCD
+ Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized));
+
+ // Set the TPM Type instance GUID
+ if (SecurebootInfoHob->MeasuredBootEnabled) {
+ if (SecurebootInfoHob->TpmType == TPM_TYPE_20) {
+ DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __FUNCTION__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm20DtpmGuid
+ );
+ } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) {
+ DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __FUNCTION__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm12Guid
+ );
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __FUNCTION__));
+ Size = sizeof (gEfiTpmDeviceInstanceNoneGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceNoneGuid
+ );
+ }
+
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
Main entry for the bootloader support DXE module.
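Review bot: BlSupportSecurityPcdSync dereferences the bootloader-supplied HOB without validating it; after GET_GUID_HOB_DATA, check `SecurebootInfoHob->Header.Revision == PAYLOAD_SECUREBOOT_INFO_HOB_REVISION` and that `SecurebootInfoHob->Header.Length` covers `sizeof (UNIVERSAL_SECURE_BOOT_INFO)` before reading TpmPcrActivePcrBanks, otherwise a malformed or older-revision HOB is silently turned into TPM PCD values. When MeasuredBootEnabled is 0 the function returns without touching PcdTpmInstanceGuid, so the platform default stays selected and the TCG drivers may still probe for a TPM; setting gEfiTpmDeviceInstanceNoneGuid in that case, as the inner `else` branch already does for an unknown TpmType, would make the HOB the single source of truth. Note also that PcdTpm2HashMask and PcdFirmwareDebuggerInitialized are written regardless of MeasuredBootEnabled, which the function comment should say. The function needs a prototype in BlSupportDxe.h and a doc comment with @retval entries per edk2 style, and a missing HOB is logged at DEBUG_ERROR although the function treats it as EFI_UNSUPPORTED, i.e. a supported configuration for bootloaders that do not publish it.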
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
ASSERT_EFI_ERROR (Status);
}
+ //
+ // Sync Bootloader info for TPM
+ //
+ BlSupportSecurityPcdSync ();
+
return EFI_SUCCESS;
}
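Review bot: the return value of `BlSupportSecurityPcdSync ()` is dropped; the function returns an error status when one of the PcdSet calls fails (the ASSERT_EFI_ERROR checks inside it vanish in RELEASE builds), so capture it into Status and at least DEBUG it, otherwise a payload that silently keeps the .dsc TPM defaults is indistinguishable from one that synced them from the bootloader. A blank line between the comment block and the call would match the surrounding code.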
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
#
# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -30,6 +30,7 @@
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
UefiPayloadPkg/UefiPayloadPkg.dec
[LibraryClasses]
@@ -44,6 +45,10 @@
[Guids]
gUefiAcpiBoardInfoGuid
gEfiGraphicsInfoHobGuid
+ gUniversalPayloadSecureBootInfoGuid
+ gEfiTpmDeviceInstanceTpm20DtpmGuid
+ gEfiTpmDeviceInstanceTpm12Guid
+ gEfiTpmDeviceInstanceNoneGuid
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
@@ -52,6 +57,10 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize
-
+ ## SOMETIMES_CONSUMES
+ ## SOMETIMES_PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
[Depex]
TRUE
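Review bot: the `## SOMETIMES_CONSUMES` / `## SOMETIMES_PRODUCES` usage comments sit on their own lines above the three new PCDs, whereas the INF convention used across edk2 (compare `gEfiTpmDeviceInstanceTpm20DtpmGuid ## PRODUCES` in Tcg2Acpi.inf later in this series) puts the usage tag after the entry on the same line; the code only sets these PCDs, so `gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## PRODUCES` and likewise for the other two would be accurate. The removed `-` line was the blank separator before `[Depex]`; keep one.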
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec
index 7d61d6eeae..20981af295 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
@@ -3,7 +3,7 @@
#
# Provides drivers and definitions to create uefi payload for bootloaders.
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -42,6 +42,8 @@
gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }
gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }
gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }
+ gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }
+
[Ppis]
gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }
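Review bot: gUniversalPayloadSecureBootInfoGuid is declared in UefiPayloadPkg.dec, but its header was added under MdeModulePkg/Include/UniversalPayload in patch 1/6; the other universal payload HOB GUIDs whose headers live there are declared in MdeModulePkg.dec, and any module outside UefiPayloadPkg that includes the new header would otherwise have to add UefiPayloadPkg.dec to its [Packages] just to resolve the GUID. Move the declaration next to the header, or move the header into UefiPayloadPkg/Include.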
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index bca5d3f335..2f5c70ec9c 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -579,6 +579,8 @@
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER)
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
################################################################################
#
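Review bot: the PcdTpmInstanceGuid default is given as a bare 16-byte array with no comment; the value matches gEfiTpmDeviceInstanceTpm20DtpmGuid, and because BlSupportDxe only overrides this PCD when the HOB reports MeasuredBootEnabled, every build where that bit is clear or the HOB is absent runs with a DTPM 2.0 instance selected. Add a comment naming the GUID, or default to the None instance and let the HOB promote it.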
--
2.39.1.windows.1
* [PATCH v1 3/6] TCG2ACPI: Uninstall the TPM2 ACPI if present
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti, Qi Zhang, Rahul Kumar
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Bootloaders support multiple payloads, and TPM2 ACPI tables are updated
in the bootloader phase. When UEFI is used as the payload, these will be duplicates.
The tables are to be uninstalled before updating the TCG2ACPI tables
to avoid duplicates.
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c | 251 ++++++++++++++++++++++++++
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf | 3 +
2 files changed, 254 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
index e8822cbeb0..4b35796ba7 100644
--- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
+++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
@@ -39,6 +39,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/Tpm2CommandLib.h>
#include <Library/UefiLib.h>
#include <Library/MmUnblockMemoryLib.h>
+#include <IndustryStandard/Acpi.h>
+#include <Protocol/AcpiSystemDescriptionTable.h>
//
// Physical Presence Interface Version supported by Platform
@@ -867,6 +869,245 @@ PublishTpm2 (
return Status;
}
+/**
+ Uninstall TPM2 SSDT ACPI table
+
+ This performs uninstallation of TPM2 SSDT tables published by
+ bootloaders.
+
+ @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfully if found.
+ @retval Others Operation error.
+
+**/
+EFI_STATUS
+UnInstallTpm2SSDTAcpiTables (
+ )
+{
+ UINTN TableIndex;
+ UINTN TableKey;
+ EFI_ACPI_TABLE_VERSION TableVersion;
+ VOID *TableHeader;
+ EFI_STATUS Status;
+ EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
+ EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
+ CHAR8 TableIdString[8];
+ UINT64 TableIdSignature;
+
+ //
+ // Determine whether there is a TPM2 SSDT already in the ACPI table.
+ //
+ Status = EFI_SUCCESS;
+ TableIndex = 0;
+ TableKey = 0;
+ TableHeader = NULL;
+ mAcpiTableProtocol = NULL;
+ mAcpiSdtProtocol = NULL;
+
+ //
+ // Locate the EFI_ACPI_TABLE_PROTOCOL.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiAcpiTableProtocolGuid,
+ NULL,
+ (VOID **)&mAcpiTableProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table Protocol \n "
+ ));
+ return Status;
+ }
+
+ //
+ // Locate the EFI_ACPI_SDT_PROTOCOL.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiAcpiSdtProtocolGuid,
+ NULL,
+ (VOID **)&mAcpiSdtProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protocol, "
+ "\n"
+ ));
+ return Status;
+ }
+
+ while (!EFI_ERROR (Status)) {
+ Status = mAcpiSdtProtocol->GetAcpiTable (
+ TableIndex,
+ (EFI_ACPI_SDT_HEADER **)&TableHeader,
+ &TableVersion,
+ &TableKey
+ );
+
+ if (!EFI_ERROR (Status)) {
+ TableIndex++;
+
+ if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == SIGNATURE_32 ('S', 'S', 'D', 'T')) {
+ CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER *)TableHeader)->OemTableId, sizeof (TableIdString));
+
+ TableIdSignature = SIGNATURE_64 (
+ TableIdString[0],
+ TableIdString[1],
+ TableIdString[2],
+ TableIdString[3],
+ TableIdString[4],
+ TableIdString[5],
+ TableIdString[6],
+ TableIdString[7]
+ );
+
+ if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l')) {
+ DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical Presence\n"));
+ break;
+ }
+ }
+ }
+ }
+
+ if (!EFI_ERROR (Status)) {
+ //
+ // A TPM2 SSDT is already in the ACPI table.
+ //
+ DEBUG ((
+ DEBUG_INFO,
+ "A TPM2 SSDT is already exist in the ACPI Table.\n"
+ ));
+
+ //
+ // Uninstall the origin TPM2 SSDT from the ACPI table.
+ //
+ Status = mAcpiTableProtocol->UninstallAcpiTable (
+ mAcpiTableProtocol,
+ TableKey
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n "));
+
+ return Status;
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Uninstall TPM2 table
+
+ This performs uninstallation of TPM2 tables published by
+ bootloaders.
+
+ @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if its found.
+ @retval Others Operation error.
+
+**/
+EFI_STATUS
+UnInstallTpm2Tables (
+ )
+{
+ UINTN TableIndex;
+ UINTN TableKey;
+ EFI_ACPI_TABLE_VERSION TableVersion;
+ VOID *TableHeader;
+ EFI_STATUS Status;
+ EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
+ EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
+
+ //
+ // Determine whether there is a TPM2 SSDT already in the ACPI table.
+ //
+ Status = EFI_SUCCESS;
+ TableIndex = 0;
+ TableKey = 0;
+ TableHeader = NULL;
+ mAcpiTableProtocol = NULL;
+ mAcpiSdtProtocol = NULL;
+
+ //
+ // Locate the EFI_ACPI_TABLE_PROTOCOL.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiAcpiTableProtocolGuid,
+ NULL,
+ (VOID **)&mAcpiTableProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n "
+ ));
+ return Status;
+ }
+
+ //
+ // Locate the EFI_ACPI_SDT_PROTOCOL.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiAcpiSdtProtocolGuid,
+ NULL,
+ (VOID **)&mAcpiSdtProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, "
+ "\n"
+ ));
+ return Status;
+ }
+
+ while (!EFI_ERROR (Status)) {
+ Status = mAcpiSdtProtocol->GetAcpiTable (
+ TableIndex,
+ (EFI_ACPI_SDT_HEADER **)&TableHeader,
+ &TableVersion,
+ &TableKey
+ );
+
+ if (!EFI_ERROR (Status)) {
+ TableIndex++;
+
+ if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) {
+ DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n"));
+ break;
+ }
+ }
+ }
+
+ if (!EFI_ERROR (Status)) {
+ //
+ // A TPM2 SSDT is already in the ACPI table.
+ //
+ DEBUG ((
+ DEBUG_INFO,
+ "A TPM2 table is already exist in the ACPI Table.\n"
+ ));
+
+ //
+ // Uninstall the origin TPM2 SSDT from the ACPI table.
+ //
+ Status = mAcpiTableProtocol->UninstallAcpiTable (
+ mAcpiTableProtocol,
+ TableKey
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n "));
+
+ return Status;
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
/**
The driver's entry point.
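Review bot: UnInstallTpm2SSDTAcpiTables and UnInstallTpm2Tables are the same function twice with a different match test; fold them into one helper that takes the table signature and an optional OemTableId so the protocol lookups, the loop and the uninstall error handling exist once. Style points that apply to both: the empty parameter lists `( )` must be `(VOID)`; the `m` prefix on the locals mAcpiSdtProtocol and mAcpiTableProtocol is reserved for module-level globals; failures are logged at DEBUG_INFO where DEBUG_ERROR is meant; the stray space in `EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE )` and the wording `is already exist` need fixing; and `ASSERT_EFI_ERROR (Status)` immediately followed by `if (EFI_ERROR (Status))` is redundant. Logic: the loop breaks on the first match, so if the bootloader published more than one matching table only one is removed, and the SSDT match requires OemTableId `Tpm2Tabl`, which is the id edk2's own Tpm.asl uses; a bootloader that publishes its TPM2 SSDT under another OemTableId will not be matched, and the commit message should state that assumption.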
@@ -894,6 +1135,16 @@ InitializeTcgAcpi (
return EFI_UNSUPPORTED;
}
+ //
+ // Bootloader might pulish the TPM2 ACPT tables
+ // Uninstall TPM tables if it exists
+ //
+ Status = UnInstallTpm2SSDTAcpiTables ();
+ ASSERT_EFI_ERROR (Status);
+
+ Status = UnInstallTpm2Tables ();
+ ASSERT_EFI_ERROR (Status);
+
Status = PublishAcpiTable ();
ASSERT_EFI_ERROR (Status);
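Review bot: `ASSERT_EFI_ERROR (Status)` after each uninstall call will fire on any platform where gEfiAcpiSdtProtocolGuid is not installed, because both helpers return the LocateProtocol status unchanged; EFI_ACPI_SDT_PROTOCOL is only published when PcdInstallAcpiSdtProtocolEnable is TRUE, and it defaults to FALSE, so this turns an optional cleanup into a DEBUG-build assertion for every existing Tcg2Acpi user in SecurityPkg, not just UefiPayloadPkg. Treat EFI_NOT_FOUND from the helpers as success, or gate the whole uninstall behind a PCD the payload .dsc sets. Typos in the new comment: `pulish` and `ACPT`.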
diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
index f1c6ae5b1c..7e639b0522 100644
--- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
@@ -63,10 +63,13 @@
gEfiTpmDeviceInstanceTpm20DtpmGuid ## PRODUCES ## GUID # TPM device identifier
gTpmNvsMmGuid ## CONSUMES
gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES
+ gEfiAcpiTableGuid
[Protocols]
gEfiAcpiTableProtocolGuid ## CONSUMES
gEfiMmCommunicationProtocolGuid ## CONSUMES
+ gEfiAcpiSdtProtocolGuid ## CONSUMES
+
[FixedPcd]
gEfiSecurityPkgTokenSpaceGuid.PcdSmiCommandIoPort ## CONSUMES
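Review bot: `gEfiAcpiTableGuid` is added to [Guids] without a usage tag and is not referenced by the code in this patch, which locates gEfiAcpiTableProtocolGuid and gEfiAcpiSdtProtocolGuid instead; drop it, or if it is used, add `## CONSUMES` like the neighbouring entries. The `gEfiAcpiSdtProtocolGuid ## CONSUMES` line is right; the extra blank line before `[FixedPcd]` can go.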
--
2.39.1.windows.1
* [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Add the required modules for secure boot in
UefiPayloadPkg. The SECURE_BOOT_ENABLE flag is added to control
the secure boot feature. Requires SMM_SUPPORT and
flash to be SPI for secure boot to function.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 37 ++++++++++++++++++++++++++++---
UefiPayloadPkg/UefiPayloadPkg.fdf | 4 ++++
2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 2f5c70ec9c..f31e5aac16 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -45,6 +45,8 @@
DEFINE BOOTSPLASH_IMAGE = FALSE
DEFINE NVME_ENABLE = TRUE
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+
#
# NULL: NullMemoryTestDxe
# GENERIC: GenericMemoryTestDxe
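Review bot: the commit message says secure boot requires SMM_SUPPORT and SPI-backed variables, but nothing in the .dsc checks that when SECURE_BOOT_ENABLE is TRUE; add a build-time guard next to the DEFINE, e.g. `!if $(SECURE_BOOT_ENABLE) == TRUE && $(VARIABLE_SUPPORT) != "SPI"` followed by an `!error` line, so a misconfigured build fails at build time instead of producing a payload whose authenticated variables live in emulated storage.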
@@ -287,7 +289,14 @@
DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+!if $(SECURE_BOOT_ENABLE)
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
!if $(VARIABLE_SUPPORT) == "EMU"
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
!elseif $(VARIABLE_SUPPORT) == "SPI"
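Review bot: `!if $(SECURE_BOOT_ENABLE)` is tested here as a bare boolean while the .fdf hunk in this patch uses `$(SECURE_BOOT_ENABLE) == TRUE`; pick one form for the whole series. The mapping itself is right: AuthVariableLib, SecureBootVariableLib, PlatformPKProtectionLibVarPolicy and SecureBootVariableProvisionLib are what SecureBootConfigDxe and the variable driver need, with AuthVariableLibNull retained in the `!else` branch.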
@@ -353,6 +362,9 @@
!if $(PERFORMANCE_MEASUREMENT_ENABLE)
PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
!endif
+!if $(VARIABLE_SUPPORT) == "SPI"
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
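Review bot: `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf` is gated on `$(VARIABLE_SUPPORT) == "SPI"`, but the consumer that needs it in this patch is AuthVariableLib, which the previous hunk selects on SECURE_BOOT_ENABLE; a build with SECURE_BOOT_ENABLE=TRUE and another VARIABLE_SUPPORT gets AuthVariableLib without a runtime-safe BaseCryptLib, while SPI builds without secure boot link it for nothing. Key this on SECURE_BOOT_ENABLE, or on both.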
@@ -469,6 +481,12 @@
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
!endif
+!if $(SECURE_BOOT_ENABLE)
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
[PcdsPatchableInModule.X64]
!if $(NETWORK_DRIVER_ENABLE) == TRUE
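Review bot: `0x04` for the three image verification policy PCDs is DENY_EXECUTE_ON_SECURITY_VIOLATION; name the value in the comment so a reader does not have to look it up in SecurityPkg.dec, and since the comment says these override SecurityPkg defaults, state which defaults actually differ. Keeping the block under `!if $(SECURE_BOOT_ENABLE)` is the right scope, as DxeImageVerificationLib is only linked into SecurityStubDxe under the same flag later in this patch.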
@@ -629,9 +647,7 @@
#
# Components that produce the architectural protocols
#
-!if $(SECURITY_STUB_ENABLE) == TRUE
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
-!endif
+
UefiCpuPkg/CpuDxe/CpuDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
!if $(BOOTSPLASH_IMAGE)
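Review bot: removing the `SECURITY_STUB_ENABLE` block here leaves the preceding `# Components that produce the architectural protocols` header introducing only CpuDxe, plus a new empty `+` line; since the block is re-added under an identical header a few hunks below, either keep SecurityStubDxe in this position and attach the <LibraryClasses> override here, or at least drop the orphaned blank line.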
@@ -655,6 +671,17 @@
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
!if $(DISABLE_RESET_SYSTEM) == FALSE
MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
+!endif
+ #
+ # Components that produce the architectural protocols
+ #
+!if $(SECURITY_STUB_ENABLE) == TRUE
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE)
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
!endif
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
!if $(EMU_VARIABLE_ENABLE) == TRUE
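Review bot: this re-adds SecurityStubDxe after ResetSystemRuntimeDxe with a second `# Components that produce the architectural protocols` heading, so the .dsc now carries that heading twice; the relocation is not explained in the commit message and the <LibraryClasses> override could have been applied in the original position. The `!if $(SECURE_BOOT_ENABLE)` nested inside the block again lacks the `== TRUE` used elsewhere in the series.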
@@ -811,6 +838,10 @@
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
+!if $(SECURE_BOOT_ENABLE)
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Misc
#
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index ee7d718b3f..b52e6c75a5 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -172,6 +172,10 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
--
2.39.1.windows.1
* [PATCH v1 5/6] UefiPayloadPkg: Enable TPM measured boot
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC
To: devel; +Cc: Subash Lakkimsetti, Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo, Patrick Rudolph
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Update the packages to support TPM and measured
boot in the UEFI payload.
Measured boot can be controlled using the flag MEASURED_BOOT_ENABLE.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
2 files changed, 109 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
DEFINE NVME_ENABLE = TRUE
DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE MEASURED_BOOT_ENABLE = FALSE
#
# NULL: NullMemoryTestDxe
@@ -297,14 +298,27 @@
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
-!if $(VARIABLE_SUPPORT) == "EMU"
- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!elseif $(VARIABLE_SUPPORT) == "SPI"
- PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ #
+ # TPM
+ #
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+!if $(VARIABLE_SUPPORT) == "SPI"
S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf
+!endif
+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
!endif
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
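Review bot: `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` moves from the SPI-only branch to an unconditional mapping, and the Null instance performs no platform-specific physical-presence check; with SECURE_BOOT_ENABLE this is the library AuthVariableLib and SecureBootConfigDxe consult when deciding whether custom-mode changes to PK/KEK/db are allowed, so a payload platform should either supply a real instance (the bootloader HOB from patch 1/6 is a natural source) or the commit message should state the limitation. The restructured `!if` chain also drops the `!elseif` on VARIABLE_SUPPORT without saying so in the commit message; mapping Tpm2DeviceLibTcg2 as the common Tpm2DeviceLib is correct for Tcg2-protocol consumers, and the components hunk overrides it with the Router instance for Tcg2Dxe and Tcg2ConfigDxe.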
@@ -412,6 +426,10 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
+!endif
+
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform.
@@ -600,6 +618,13 @@
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+
+ # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016
+!endif
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform.
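Review bot: `0x000000016` is a nine-digit literal for both PcdTpm2HashMask and PcdTcg2HashAlgorithmBitmap; write it as `0x00000016` so it is not misread. Per the comment, 0x16 is BIT1|BIT2|BIT4 (SHA256, SHA384, SM3_256), deliberately excluding SHA1, while the Tcg2Dxe component later in this patch still links HashInstanceLibSha1; that is harmless but worth a comment. Note also that BlSupportDxe (patch 2/6) overwrites PcdTpm2HashMask from the bootloader HOB at DXE entry, so this value is only the fallback for builds where the HOB is absent.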
@@ -680,6 +705,10 @@
<LibraryClasses>
!if $(SECURE_BOOT_ENABLE)
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
!endif
}
!endif
@@ -842,6 +871,57 @@
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+ <LibraryClasses>
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+ }
+
+ SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {
+ <LibraryClasses>
+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+ }
+
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {
+ <LibraryClasses>
+ TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf
+
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+ <LibraryClasses>
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ }
+!if $(SMM_SUPPORT) == TRUE
+ SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+!endif
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+ SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+ <LibraryClasses>
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ }
+!endif #MEASURED_BOOT_ENABLE
+
#
# Misc
#
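Review bot: SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf is listed twice in [Components] with an identical <LibraryClasses> override (the second copy directly follows the first, just before `!endif #MEASURED_BOOT_ENABLE`); remove one. Smaller points in the same hunk: the TcgSmm block carries a stray blank line before its closing brace, and the TPM 1.2 drivers (TcgDxe, TcgConfigDxe, TcgSmm) are pulled in unconditionally alongside the TPM 2.0 stack under MEASURED_BOOT_ENABLE, so consider a separate knob if TPM 1.2 is really meant to be supported by this payload.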
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
+!if $(MEASURED_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
+!endif
+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(SMM_SUPPORT) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+!endif
+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!endif
+
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
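Review bot: This FV list must stay in step with the [Components] added to the .dsc in the same patch; here Tcg2PlatformDxe is included once, which is the correct count, while the .dsc hunk lists it twice, so fix the .dsc rather than this file. As in the .dsc, the TPM 1.2 modules (TcgDxe, TcgSmm, TcgConfigDxe) are added whenever MEASURED_BOOT_ENABLE is TRUE; if only TPM 2.0 is targeted they add size to the payload FV for a device class that will not be present.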
@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
UI STRING="Enter Setup"
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
+
+[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]
+ FILE DRIVER = $(NAMED_GUID) {
+ DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
+ PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
+ RAW ACPI Optional |.acpi
+ RAW ASL Optional |.aml
+ UI STRING="$(MODULE_NAME)" Optional
+ VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
+ }
--
2.39.1.windows.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v1 6/6] UefiPayloadPkg: Add secure boot definitions to ci build
2023-03-22 5:58 [PATCH v1 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
` (4 preceding siblings ...)
2023-03-22 5:58 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
@ 2023-03-22 5:58 ` Subash Lakkimsetti
5 siblings, 0 replies; 11+ messages in thread
From: Subash Lakkimsetti @ 2023-03-22 5:58 UTC (permalink / raw)
To: devel; +Cc: Subash Lakkimsetti
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Define the build flags for secure boot and measured boot
for CI builds
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
index 909379eaac..f2410a8b11 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
+++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml
@@ -91,5 +91,9 @@
"BLD_*_EMU_VARIABLE_ENABLE": "FALSE",
"BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
"BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
+ "BLD_*_SMM_SUPPORT": "TRUE",
+ "BLD_*_SECURE_BOOT_ENABLE": "TRUE",
+ "BLD_*_MEASURED_BOOT_ENABLE": "TRUE",
+ "BLD_*_VARIABLE_SUPPORT": "SPI",
}
}
--
2.39.1.windows.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present
2023-03-22 5:58 ` [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
@ 2023-03-22 13:43 ` Yao, Jiewen
2023-03-23 4:37 ` Subash Lakkimsetti
0 siblings, 1 reply; 11+ messages in thread
From: Yao, Jiewen @ 2023-03-22 13:43 UTC (permalink / raw)
To: devel@edk2.groups.io, Lakkimsetti, Subash; +Cc: Zhang, Qi1, Kumar, Rahul R
Question: Why not uninstall it in the universal payload package? or even not populate it?
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Subash
> Lakkimsetti
> Sent: Wednesday, March 22, 2023 1:59 PM
> To: devel@edk2.groups.io
> Cc: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>; Zhang, Qi1
> <qi1.zhang@intel.com>; Kumar, Rahul R <rahul.r.kumar@intel.com>
> Subject: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if
> present
>
> From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
>
> Bootloaders support multiple payloads, and TPM2 ACPI tables are updated
> at the bootloader phase. When UEFI is used as the payload these will be duplicates.
> The tables are to be uninstalled before updating the TCG2ACPI tables
> to avoid duplicates.
>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
> ---
> SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c | 251
> ++++++++++++++++++++++++++
> SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf | 3 +
> 2 files changed, 254 insertions(+)
>
> diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> index e8822cbeb0..4b35796ba7 100644
> --- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> +++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> @@ -39,6 +39,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include <Library/Tpm2CommandLib.h>
>
> #include <Library/UefiLib.h>
>
> #include <Library/MmUnblockMemoryLib.h>
>
> +#include <IndustryStandard/Acpi.h>
>
> +#include <Protocol/AcpiSystemDescriptionTable.h>
>
>
>
> //
>
> // Physical Presence Interface Version supported by Platform
>
> @@ -867,6 +869,245 @@ PublishTpm2 (
> return Status;
>
> }
>
>
>
> +/**
>
> + Uninstall TPM2 SSDT ACPI table
>
> +
>
> + This performs uninstallation of TPM2 SSDT tables published by
>
> + bootloaders.
>
> +
>
> + @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfully if
> found.
>
> + @retval Others Operation error.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +UnInstallTpm2SSDTAcpiTables (
>
> + )
>
> +{
>
> + UINTN TableIndex;
>
> + UINTN TableKey;
>
> + EFI_ACPI_TABLE_VERSION TableVersion;
>
> + VOID *TableHeader;
>
> + EFI_STATUS Status;
>
> + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
>
> + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
>
> + CHAR8 TableIdString[8];
>
> + UINT64 TableIdSignature;
>
> +
>
> + //
>
> + // Determine whether there is a TPM2 SSDT already in the ACPI table.
>
> + //
>
> + Status = EFI_SUCCESS;
>
> + TableIndex = 0;
>
> + TableKey = 0;
>
> + TableHeader = NULL;
>
> + mAcpiTableProtocol = NULL;
>
> + mAcpiSdtProtocol = NULL;
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_TABLE_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiTableProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiTableProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table
> Protocol \n "
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_SDT_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiSdtProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiSdtProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protocol,
> "
>
> + "\n"
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + while (!EFI_ERROR (Status)) {
>
> + Status = mAcpiSdtProtocol->GetAcpiTable (
>
> + TableIndex,
>
> + (EFI_ACPI_SDT_HEADER **)&TableHeader,
>
> + &TableVersion,
>
> + &TableKey
>
> + );
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + TableIndex++;
>
> +
>
> + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature ==
> SIGNATURE_32 ('S', 'S', 'D', 'T')) {
>
> + CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER
> *)TableHeader)->OemTableId, sizeof (TableIdString));
>
> +
>
> + TableIdSignature = SIGNATURE_64 (
>
> + TableIdString[0],
>
> + TableIdString[1],
>
> + TableIdString[2],
>
> + TableIdString[3],
>
> + TableIdString[4],
>
> + TableIdString[5],
>
> + TableIdString[6],
>
> + TableIdString[7]
>
> + );
>
> +
>
> + if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l')) {
>
> + DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical
> Presence\n"));
>
> + break;
>
> + }
>
> + }
>
> + }
>
> + }
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + //
>
> + // A TPM2 SSDT is already in the ACPI table.
>
> + //
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "A TPM2 SSDT is already exist in the ACPI Table.\n"
>
> + ));
>
> +
>
> + //
>
> + // Uninstall the origin TPM2 SSDT from the ACPI table.
>
> + //
>
> + Status = mAcpiTableProtocol->UninstallAcpiTable (
>
> + mAcpiTableProtocol,
>
> + TableKey
>
> + );
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n "));
>
> +
>
> + return Status;
>
> + }
>
> + }
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> +
>
> +/**
>
> + Uninstall TPM2 table
>
> +
>
> + This performs uninstallation of TPM2 tables published by
>
> + bootloaders.
>
> +
>
> + @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if its
> found.
>
> + @retval Others Operation error.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +UnInstallTpm2Tables (
>
> + )
>
> +{
>
> + UINTN TableIndex;
>
> + UINTN TableKey;
>
> + EFI_ACPI_TABLE_VERSION TableVersion;
>
> + VOID *TableHeader;
>
> + EFI_STATUS Status;
>
> + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
>
> + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
>
> +
>
> + //
>
> + // Determine whether there is a TPM2 SSDT already in the ACPI table.
>
> + //
>
> + Status = EFI_SUCCESS;
>
> + TableIndex = 0;
>
> + TableKey = 0;
>
> + TableHeader = NULL;
>
> + mAcpiTableProtocol = NULL;
>
> + mAcpiSdtProtocol = NULL;
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_TABLE_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiTableProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiTableProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n "
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_SDT_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiSdtProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiSdtProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, "
>
> + "\n"
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + while (!EFI_ERROR (Status)) {
>
> + Status = mAcpiSdtProtocol->GetAcpiTable (
>
> + TableIndex,
>
> + (EFI_ACPI_SDT_HEADER **)&TableHeader,
>
> + &TableVersion,
>
> + &TableKey
>
> + );
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + TableIndex++;
>
> +
>
> + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature ==
> EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) {
>
> + DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n"));
>
> + break;
>
> + }
>
> + }
>
> + }
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + //
>
> + // A TPM2 SSDT is already in the ACPI table.
>
> + //
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "A TPM2 table is already exist in the ACPI Table.\n"
>
> + ));
>
> +
>
> + //
>
> + // Uninstall the origin TPM2 SSDT from the ACPI table.
>
> + //
>
> + Status = mAcpiTableProtocol->UninstallAcpiTable (
>
> + mAcpiTableProtocol,
>
> + TableKey
>
> + );
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n "));
>
> +
>
> + return Status;
>
> + }
>
> + }
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> +
>
> /**
>
> The driver's entry point.
>
>
>
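Review bot: UnInstallTpm2SSDTAcpiTables and UnInstallTpm2Tables both `break` out of the GetAcpiTable loop on the first match and uninstall only that one table, so a bootloader that published more than one TPM2 table, or more than one SSDT with OemTableId `Tpm2Tabl`, leaves duplicates behind; iterate until GetAcpiTable returns EFI_NOT_FOUND and uninstall every match. The two functions are otherwise about a hundred lines of identical code differing only in the match predicate; factor one helper that takes the predicate. Smaller points: the empty parameter lists should be `VOID` per the edk2 coding style; `mAcpiSdtProtocol` and `mAcpiTableProtocol` carry the `m` prefix reserved for module-global variables although they are locals; the failure paths log at DEBUG_INFO rather than DEBUG_ERROR; the SSDT check matches OemTableId `Tpm2Tabl` only, so an SSDT a bootloader tagged differently is not found; and the comments in UnInstallTpm2Tables still read "TPM2 SSDT" (copy-paste).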
> @@ -894,6 +1135,16 @@ InitializeTcgAcpi (
> return EFI_UNSUPPORTED;
>
> }
>
>
>
> + //
>
> + // Bootloader might pulish the TPM2 ACPT tables
>
> + // Uninstall TPM tables if it exists
>
> + //
>
> + Status = UnInstallTpm2SSDTAcpiTables ();
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + Status = UnInstallTpm2Tables ();
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> Status = PublishAcpiTable ();
>
> ASSERT_EFI_ERROR (Status);
>
>
>
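Review bot: The two uninstall calls are only ASSERT_EFI_ERROR'd; on a RELEASE build a failure (for example the SDT protocol not being available yet) is ignored and PublishAcpiTable still runs, producing exactly the duplicate tables the patch sets out to avoid. Either skip publishing when the uninstall fails, or make the decision a platform policy (override versus skip when a table is already present) instead of an unconditional override in the generic driver. Also, the comment has typos: "pulish" and "ACPT".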
> diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> index f1c6ae5b1c..7e639b0522 100644
> --- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> +++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> @@ -63,10 +63,13 @@
> gEfiTpmDeviceInstanceTpm20DtpmGuid ## PRODUCES
> ## GUID # TPM device identifier
>
> gTpmNvsMmGuid ## CONSUMES
>
> gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES
>
> + gEfiAcpiTableGuid
>
>
>
> [Protocols]
>
> gEfiAcpiTableProtocolGuid ## CONSUMES
>
> gEfiMmCommunicationProtocolGuid ## CONSUMES
>
> + gEfiAcpiSdtProtocolGuid ## CONSUMES
>
> +
>
>
>
> [FixedPcd]
>
> gEfiSecurityPkgTokenSpaceGuid.PcdSmiCommandIoPort ##
> CONSUMES
>
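Review bot: `gEfiAcpiTableGuid` is added to [Guids] without a `## CONSUMES`/`## PRODUCES` usage comment, and nothing in the .c hunks references it (the new code uses gEfiAcpiTableProtocolGuid and gEfiAcpiSdtProtocolGuid); drop it or document the use. The patch also adds gEfiAcpiSdtProtocolGuid as CONSUMES but no [Depex] change appears in this diff; if the SDT protocol is not installed when Tcg2Acpi is dispatched, LocateProtocol fails and the entry point asserts on the returned status.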
> --
> 2.39.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#101580):
> https://edk2.groups.io/g/devel/message/101580
> Mute This Topic: https://groups.io/mt/97777996/1772286
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
> -=-=-=-=-=-=
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
2023-03-22 5:58 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
@ 2023-03-22 22:55 ` Guo, Gua
0 siblings, 0 replies; 11+ messages in thread
From: Guo, Gua @ 2023-03-22 22:55 UTC (permalink / raw)
To: Lakkimsetti, Subash, devel@edk2.groups.io
Cc: Dong, Guo, Ni, Ray, Rhodes, Sean, Lu, James, Rudolph, Patrick
From Uefi UPL side
Currently, SPI has a silicon dependency, so native is not supported on UniversalPayload; please use SECURITY_SUPPORT
+------------------------------+
| UefiUPL.elf |
+------------------------------+
| .upld_info |
+------------------------------+
| .upld.uefi_fv |
+------------------------------+
| .upld.bds_fv |
+------------------------------+
| .upld.security_fv |<------------ SECURITY_SUPPORT (Use this macro to decide include it or not and default value is false)
+------------------------------+
Thanks,
Gua
-----Original Message-----
From: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Sent: Wednesday, March 22, 2023 1:59 PM
To: devel@edk2.groups.io
Cc: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Rhodes, Sean <sean@starlabs.systems>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>; Rudolph, Patrick <patrick.rudolph@9elements.com>
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Update the packages to support TPM and measured boot in UEFI payload.
Measured boot can be controlled using the flag MEASURED_BOOT_ENABLE
Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
2 files changed, 109 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
DEFINE NVME_ENABLE = TRUE DEFINE SECURE_BOOT_ENABLE = FALSE+ DEFINE MEASURED_BOOT_ENABLE = FALSE # # NULL: NullMemoryTestDxe@@ -297,14 +298,27 @@
!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif-!if $(VARIABLE_SUPPORT) == "EMU"- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf-!elseif $(VARIABLE_SUPPORT) == "SPI"- PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf+ #+ # TPM+ #+!if $(MEASURED_BOOT_ENABLE) == TRUE+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf+!else+ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf+!endif+!if $(VARIABLE_SUPPORT) == "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf+!endif+!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI" MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf@@ -412,6 +426,10 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf+!endif+ ################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform.@@ -600,6 +618,13 @@
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if $(MEASURED_BOOT_ENABLE) == TRUE++ # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256)+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016+!endif+ ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform.@@ -680,6 +705,10 @@
<LibraryClasses> !if $(SECURE_BOOT_ENABLE) NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf+!endif+!if $(MEASURED_BOOT_ENABLE) == TRUE+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif } !endif@@ -842,6 +871,57 @@
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {+ <LibraryClasses>+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf+ }++ SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {+ <LibraryClasses>+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf+ }++!if $(SMM_SUPPORT) == TRUE+ SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {+ <LibraryClasses>+ TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf++ }+!endif+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {+ <LibraryClasses>+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+ }+!if $(SMM_SUPPORT) == TRUE+ SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {+ <LibraryClasses>+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+ }+!endif+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {+ <LibraryClasses>+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf+ }+ SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+ <LibraryClasses>+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+ }+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+ <LibraryClasses>+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+ 
}+!endif #MEASURED_BOOT_ENABLE+ # # Misc #diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf+!if $(SMM_SUPPORT) == TRUE+ INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf+!endif+ INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf+ INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf+!if $(SMM_SUPPORT) == TRUE+ INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf+!endif+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf+!endif+ INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC"@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
UI STRING="Enter Setup" VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) }++[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]+ FILE DRIVER = $(NAMED_GUID) {+ DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex+ PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi+ RAW ACPI Optional |.acpi+ RAW ASL Optional |.aml+ UI STRING="$(MODULE_NAME)" Optional+ VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)+ }--
2.39.1.windows.1
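Review bot: Two points in the .dsc part of this patch (the quoted copy is run together above): `gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016` and `PcdTcg2HashAlgorithmBitmap|0x000000016` use a nine-digit hex literal; if 0x16 (BIT1|BIT2|BIT4 = SHA256, SHA384, SM3_256 per the comment on the line above) is intended, write it as 0x00000016, and note that this excludes SHA1 even though Tcg2Dxe still links HashInstanceLibSha1, which deserves a comment. Second, `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf` appears twice in [Components] with the same <LibraryClasses> block; remove the duplicate.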
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present
2023-03-22 13:43 ` [edk2-devel] " Yao, Jiewen
@ 2023-03-23 4:37 ` Subash Lakkimsetti
2023-03-25 2:36 ` Yao, Jiewen
0 siblings, 1 reply; 11+ messages in thread
From: Subash Lakkimsetti @ 2023-03-23 4:37 UTC (permalink / raw)
To: Yao, Jiewen, devel@edk2.groups.io; +Cc: Zhang, Qi1, Kumar, Rahul R
Hi Jiewen,
Bootloaders such as SBL and coreboot support multiple payloads, and they would have TPM ACPI tables populated at the bootloader phase.
These tables get populated in bootloaders well before the payload gets loaded. Their population cannot be avoided due to generic implementations.
Uninstallation from the universal payload package needs a separate module to handle this.
It is dependent on gEfiAcpiTableProtocolGuid & gEfiAcpiSdtProtocolGuid, which are populated from AcpiTableDxe.
We might need to add a dependency in TCG2ACPI on this module. Otherwise TPM2 tables published from TCG2ACPI can be installed as per the dispatch order.
In order to adapt the TCG drivers for UEFI payload, TCG2ACPI has to be updated to support payload. We can follow one of these methods:
* Uninstall the TPM2 ACPI tables if they get published from the bootloader phase. The current patch addresses it.
* Another method: modify the ACPI tables updated from the bootloader as per the EDK2 requirements. This also has to be done in TCG2ACPI.
Regards,
Subash
-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, March 22, 2023 6:43 AM
To: devel@edk2.groups.io; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Cc: Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul R <rahul.r.kumar@intel.com>
Subject: RE: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present
Question: Why not uninstall it in the universal payload package? or even not populate it?
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Subash
> Lakkimsetti
> Sent: Wednesday, March 22, 2023 1:59 PM
> To: devel@edk2.groups.io
> Cc: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>; Zhang, Qi1
> <qi1.zhang@intel.com>; Kumar, Rahul R <rahul.r.kumar@intel.com>
> Subject: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI
> if present
>
> From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
>
> Bootloader supports multiple payload and TPM2 ACPI tables are updated
> at bootloader phase. When UEFI is used payload these will be duplicates.
> The tables are to be uninstalled before updating the TCG2ACPI tables
> to avoid duplicates.
>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
> ---
> SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c | 251
> ++++++++++++++++++++++++++
> SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf | 3 +
> 2 files changed, 254 insertions(+)
>
> diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> index e8822cbeb0..4b35796ba7 100644
> --- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> +++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
> @@ -39,6 +39,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include <Library/Tpm2CommandLib.h>
>
> #include <Library/UefiLib.h>
>
> #include <Library/MmUnblockMemoryLib.h>
>
> +#include <IndustryStandard/Acpi.h>
>
> +#include <Protocol/AcpiSystemDescriptionTable.h>
>
>
>
> //
>
> // Physical Presence Interface Version supported by Platform
>
> @@ -867,6 +869,245 @@ PublishTpm2 (
> return Status;
>
> }
>
>
>
> +/**
>
> + Uninstall TPM2 SSDT ACPI table
>
> +
>
> + This performs uninstallation of TPM2 SSDT tables published by
>
> + bootloaders.
>
> +
>
> + @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfully if
> found.
>
> + @retval Others Operation error.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +UnInstallTpm2SSDTAcpiTables (
>
> + )
>
> +{
>
> + UINTN TableIndex;
>
> + UINTN TableKey;
>
> + EFI_ACPI_TABLE_VERSION TableVersion;
>
> + VOID *TableHeader;
>
> + EFI_STATUS Status;
>
> + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
>
> + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
>
> + CHAR8 TableIdString[8];
>
> + UINT64 TableIdSignature;
>
> +
>
> + //
>
> + // Determine whether there is a TPM2 SSDT already in the ACPI table.
>
> + //
>
> + Status = EFI_SUCCESS;
>
> + TableIndex = 0;
>
> + TableKey = 0;
>
> + TableHeader = NULL;
>
> + mAcpiTableProtocol = NULL;
>
> + mAcpiSdtProtocol = NULL;
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_TABLE_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiTableProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiTableProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table
> Protocol \n "
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_SDT_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiSdtProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiSdtProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt
> + Protocol,
> "
>
> + "\n"
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + while (!EFI_ERROR (Status)) {
>
> + Status = mAcpiSdtProtocol->GetAcpiTable (
>
> + TableIndex,
>
> + (EFI_ACPI_SDT_HEADER
> + **)&TableHeader,
>
> + &TableVersion,
>
> + &TableKey
>
> + );
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + TableIndex++;
>
> +
>
> + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature ==
> SIGNATURE_32 ('S', 'S', 'D', 'T')) {
>
> + CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER
> *)TableHeader)->OemTableId, sizeof (TableIdString));
>
> +
>
> + TableIdSignature = SIGNATURE_64 (
>
> + TableIdString[0],
>
> + TableIdString[1],
>
> + TableIdString[2],
>
> + TableIdString[3],
>
> + TableIdString[4],
>
> + TableIdString[5],
>
> + TableIdString[6],
>
> + TableIdString[7]
>
> + );
>
> +
>
> + if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2',
> + 'T', 'a', 'b', 'l')) {
>
> + DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical
> Presence\n"));
>
> + break;
>
> + }
>
> + }
>
> + }
>
> + }
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + //
>
> + // A TPM2 SSDT is already in the ACPI table.
>
> + //
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "A TPM2 SSDT is already exist in the ACPI Table.\n"
>
> + ));
>
> +
>
> + //
>
> + // Uninstall the origin TPM2 SSDT from the ACPI table.
>
> + //
>
> + Status = mAcpiTableProtocol->UninstallAcpiTable (
>
> + mAcpiTableProtocol,
>
> + TableKey
>
> + );
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n
> + "));
>
> +
>
> + return Status;
>
> + }
>
> + }
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> +
>
> +/**
>
> + Uninstall TPM2 table
>
> +
>
> + This performs uninstallation of TPM2 tables published by
>
> + bootloaders.
>
> +
>
> + @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if its
> found.
>
> + @retval Others Operation error.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +UnInstallTpm2Tables (
>
> + )
>
> +{
>
> + UINTN TableIndex;
>
> + UINTN TableKey;
>
> + EFI_ACPI_TABLE_VERSION TableVersion;
>
> + VOID *TableHeader;
>
> + EFI_STATUS Status;
>
> + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol;
>
> + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol;
>
> +
>
> + //
>
> + // Determine whether there is a TPM2 SSDT already in the ACPI table.
>
> + //
>
> + Status = EFI_SUCCESS;
>
> + TableIndex = 0;
>
> + TableKey = 0;
>
> + TableHeader = NULL;
>
> + mAcpiTableProtocol = NULL;
>
> + mAcpiSdtProtocol = NULL;
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_TABLE_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiTableProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiTableProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n "
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + //
>
> + // Locate the EFI_ACPI_SDT_PROTOCOL.
>
> + //
>
> + Status = gBS->LocateProtocol (
>
> + &gEfiAcpiSdtProtocolGuid,
>
> + NULL,
>
> + (VOID **)&mAcpiSdtProtocol
>
> + );
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, "
>
> + "\n"
>
> + ));
>
> + return Status;
>
> + }
>
> +
>
> + while (!EFI_ERROR (Status)) {
>
> + Status = mAcpiSdtProtocol->GetAcpiTable (
>
> + TableIndex,
>
> + (EFI_ACPI_SDT_HEADER
> + **)&TableHeader,
>
> + &TableVersion,
>
> + &TableKey
>
> + );
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + TableIndex++;
>
> +
>
> + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature ==
> EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) {
>
> + DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n"));
>
> + break;
>
> + }
>
> + }
>
> + }
>
> +
>
> + if (!EFI_ERROR (Status)) {
>
> + //
>
> + // A TPM2 SSDT is already in the ACPI table.
>
> + //
>
> + DEBUG ((
>
> + DEBUG_INFO,
>
> + "A TPM2 table is already exist in the ACPI Table.\n"
>
> + ));
>
> +
>
> + //
>
> + // Uninstall the origin TPM2 SSDT from the ACPI table.
>
> + //
>
> + Status = mAcpiTableProtocol->UninstallAcpiTable (
>
> + mAcpiTableProtocol,
>
> + TableKey
>
> + );
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n "));
>
> +
>
> + return Status;
>
> + }
>
> + }
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> +
>
> /**
>
> The driver's entry point.
>
>
>
> @@ -894,6 +1135,16 @@ InitializeTcgAcpi (
> return EFI_UNSUPPORTED;
>
> }
>
>
>
> + //
>
> + // Bootloader might pulish the TPM2 ACPT tables
>
> + // Uninstall TPM tables if it exists
>
> + //
>
> + Status = UnInstallTpm2SSDTAcpiTables ();
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + Status = UnInstallTpm2Tables ();
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> Status = PublishAcpiTable ();
>
> ASSERT_EFI_ERROR (Status);
>
>
>
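Review bot: The new comment has typos ("pulish", "ACPT", "if it exists") and should read "Bootloader might publish the TPM2 ACPI tables; uninstall them if they exist". More importantly, each uninstall result is checked only with `ASSERT_EFI_ERROR (Status)`, so in a RELEASE build a failed uninstall is silently ignored and `PublishAcpiTable ()` goes on to install a second TPM2 table, which is exactly the duplicate this patch sets out to avoid; return `Status` (or at least log at DEBUG_ERROR) before publishing when either uninstall fails.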
> diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> index f1c6ae5b1c..7e639b0522 100644
> --- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> +++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
> @@ -63,10 +63,13 @@
> gEfiTpmDeviceInstanceTpm20DtpmGuid ## PRODUCES
> ## GUID # TPM device identifier
>
> gTpmNvsMmGuid ## CONSUMES
>
> gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES
>
> + gEfiAcpiTableGuid
>
>
>
> [Protocols]
>
> gEfiAcpiTableProtocolGuid ## CONSUMES
>
> gEfiMmCommunicationProtocolGuid ## CONSUMES
>
> + gEfiAcpiSdtProtocolGuid ## CONSUMES
>
> +
>
>
>
> [FixedPcd]
>
> gEfiSecurityPkgTokenSpaceGuid.PcdSmiCommandIoPort ##
> CONSUMES
>
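Review bot: `gEfiAcpiTableGuid` is added under [Guids] without the `## CONSUMES` annotation its neighbours carry, and nothing in the Tcg2Acpi.c changes references it (the code locates gEfiAcpiTableProtocolGuid and gEfiAcpiSdtProtocolGuid); drop it or annotate how it is used. The extra `+` blank line after `gEfiAcpiSdtProtocolGuid` leaves two empty lines before [FixedPcd]. This hunk shows no [Depex] change, yet the driver now calls LocateProtocol for gEfiAcpiSdtProtocolGuid at entry; without a depex on it the uninstall can fail purely by dispatch order, which is the risk the thread itself identifies, so add the protocol to [Depex].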
> --
> 2.39.1.windows.1
>
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present
2023-03-23 4:37 ` Subash Lakkimsetti
@ 2023-03-25 2:36 ` Yao, Jiewen
0 siblings, 0 replies; 11+ messages in thread
From: Yao, Jiewen @ 2023-03-25 2:36 UTC (permalink / raw)
To: Lakkimsetti, Subash, devel@edk2.groups.io; +Cc: Zhang, Qi1, Kumar, Rahul R
If there are two drivers that produce the same resource, it should be a platform policy decision which one takes precedence.
Maybe a platform wants to say: The ACPI is there, I want to skip myself instead of overriding.
I feel uncomfortable including such a policy in the TCG2 ACPI driver, enforcing the policy to override.
My suggestion is to keep SecurityPkg as is.
Yes, coreboot and slimboot will populate the ACPI tables. But it does not mean UniversalPayloadPkg must install them. I still believe that work should be done in UniversalPayloadPkg.
> -----Original Message-----
> From: Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
> Sent: Thursday, March 23, 2023 12:38 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul R
> <rahul.r.kumar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI
> if present
>
> Hi Jiewen,
>
> Bootloaders such as SBL and coreboot support multiple payloads, and they would
> have TPM ACPI tables populated at the bootloader phase.
> These tables get populated in the bootloaders well before the payload gets
> loaded. Their population cannot be avoided due to the generic implementations.
>
> Uninstallation from the universal payload package needs a separate module to
> handle this.
> It is dependent on gEfiAcpiTableProtocolGuid & gEfiAcpiSdtProtocolGuid,
> which are populated from AcpiTableDxe.
>
> We might need to add a dependency in TCG2ACPI on this module. Otherwise the
> TPM2 tables published from TCG2ACPI can be installed as per the dispatch
> order.
>
> In order to adapt the TCG drivers for the UEFI payload, TCG2ACPI has to be updated
> to support the payload. We can follow one of these methods:
> * Uninstall the TPM2 ACPI tables if they get published from the bootloader
> phase. The current patch addresses it.
> * Another method: modify the ACPI tables updated from the bootloader as
> per the EDK2 requirements. This also has to be done in TCG2ACPI.
>
> Regards,
> Subash
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, March 22, 2023 6:43 AM
> To: devel@edk2.groups.io; Lakkimsetti, Subash
> <subash.lakkimsetti@intel.com>
> Cc: Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul R
> <rahul.r.kumar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI
> if present
>
> Question: Why not uninstall it in the universal payload package? Or even not
> populate it?
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
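As an added example (not code from the patch, from EDK2, or from either participant) of what the two uninstall routines in the patch match on, here is a stand-alone C sweep over constructed ACPI table headers: it applies the same "TPM2" signature and "Tpm2Tabl" OemTableId tests, verifies each header checksum, and counts every match rather than stopping at the first. The AcpiHeader type, the SIG32 macro, MakeTable and the sample tables are constructed here; only the signature and OemTableId values come from the patch.

```c
#include <stdint.h>
#include <string.h>
/* ACPI table header (ACPI spec 5.2.6): the 36-byte layout EDK2 calls EFI_ACPI_DESCRIPTION_HEADER. */
typedef struct {
  uint32_t Signature, Length;
  uint8_t  Revision, Checksum, OemId[6], OemTableId[8];
  uint32_t OemRevision, CreatorId, CreatorRevision;
} AcpiHeader;
_Static_assert(sizeof(AcpiHeader) == 36, "ACPI header must be 36 bytes");
/* Same byte order as EDK2's SIGNATURE_32, so "TPM2" in memory compares as one word. */
#define SIG32(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

/* Whole-table checksum: all bytes over Length must sum to zero modulo 256. */
int ChecksumOk(const AcpiHeader *h) {
  const uint8_t *p = (const uint8_t *)h;
  uint8_t sum = 0;
  for (uint32_t i = 0; i < h->Length; i++) sum += p[i];
  return sum == 0;
}

/* What the patch's two functions match: a "TPM2" table, or an SSDT with OemTableId "Tpm2Tabl" (the PPI SSDT). */
int IsTpm2Artifact(const AcpiHeader *h) {
  if (h->Signature == SIG32('T', 'P', 'M', '2')) return 1;
  return h->Signature == SIG32('S', 'S', 'D', 'T') && memcmp(h->OemTableId, "Tpm2Tabl", 8) == 0;
}

/* Sweep every table (stand-in for calling GetAcpiTable until it fails); count every checksummed match, not just the first. */
size_t CountTpm2Artifacts(const AcpiHeader *tables, size_t n) {
  size_t found = 0;
  for (size_t i = 0; i < n; i++)
    if (ChecksumOk(&tables[i]) && IsTpm2Artifact(&tables[i])) found++;
  return found;
}

/* Build a header-only table with a valid checksum (constructed sample data, not a real table). */
void MakeTable(AcpiHeader *h, uint32_t sig, const char *oemTableId) {
  memset(h, 0, sizeof *h);
  h->Signature = sig;
  h->Length = sizeof *h;
  memcpy(h->OemTableId, oemTableId, 8);
  uint8_t sum = 0;
  for (size_t i = 0; i < sizeof *h; i++) sum += ((const uint8_t *)h)[i];
  h->Checksum = (uint8_t)(0x100 - sum);
}

/* Constructed scenario from the thread: bootloader TPM2 + PPI SSDT, then the payload's own pair; a full sweep reports 4. */
size_t DuplicateScenario(void) {
  AcpiHeader t[5];
  MakeTable(&t[0], SIG32('F', 'A', 'C', 'P'), "EDK2    ");
  MakeTable(&t[1], SIG32('T', 'P', 'M', '2'), "SBL     ");
  MakeTable(&t[2], SIG32('S', 'S', 'D', 'T'), "Tpm2Tabl");
  MakeTable(&t[3], SIG32('T', 'P', 'M', '2'), "EDK2    ");
  MakeTable(&t[4], SIG32('S', 'S', 'D', 'T'), "Tpm2Tabl");
  return CountTpm2Artifacts(t, 5);
}
```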
Thread overview: 11+ messages
2023-03-22 5:58 [PATCH v1 0/6] Universal payload secure boot and measured boot Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 1/6] MdeModulePkg: universal payload HOB for secure boot info Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 2/6] UefiPayloadPkg: Add secureboot information HOBs Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 3/6] TGC2ACPI: Uninstall the TPM2 ACPI if present Subash Lakkimsetti
2023-03-22 13:43 ` [edk2-devel] " Yao, Jiewen
2023-03-23 4:37 ` Subash Lakkimsetti
2023-03-25 2:36 ` Yao, Jiewen
2023-03-22 5:58 ` [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations Subash Lakkimsetti
2023-03-22 5:58 ` [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot Subash Lakkimsetti
2023-03-22 22:55 ` Guo, Gua
2023-03-22 5:58 ` [PATCH v1 6/6] UefiPayloadPkg: Add secure boot definitions to ci build Subash Lakkimsetti