From nobody Fri Apr 19 19:23:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+42123+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42123+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1560191742; cv=none; d=zoho.com; s=zohoarc; b=c820PblJnjfMJKmyHgCUL2LsrndURBWR+rhrA+wDDAl53ag1cdorKYls/cG7fIpFGICarDyPHs1TE3/d4Po8QDZ5PEospWaP+Nhq2B1onPCFPUBgzWY1rjr5sh3GM3LAHZDIBAxFkFwkBLCkI3XZSTMBb49suypQ+iSH8kB1xbE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560191742; h=Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=cV1RxRYBqpF1NW9oh7tzsZTI3rZ9haA2Y9XMMvOyz7A=; b=cr9r5+YtZDWTBgrQBlvpOxKR8HCazIfLk3wQqEG2oOheT3kQhQLNUcI8rJwfShJSBCFmC7p7yNBlLe7uujJUGGc49iGoRxgtxPh8HSKtl3ln9aw2o8xPyNvADdoxP635xHqA/3IuqCyVRSrzBBXKNd5kZstp349cseUFKZf0Kow= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42123+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1560191742104482.13070740244905; Mon, 10 Jun 2019 11:35:42 -0700 (PDT) Return-Path: X-Received: from mga18.intel.com (mga18.intel.com []) by groups.io with SMTP; Mon, 10 Jun 2019 11:35:41 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jun 2019 11:35:40 -0700 X-ExtLoop1: 1 X-Received: from shwdeopenpsi777.ccr.corp.intel.com ([10.239.158.28]) by fmsmga008.fm.intel.com with ESMTP; 10 Jun 2019 11:35:39 -0700 From: "Wang, Jian J" To: devel@edk2.groups.io Cc: Chao Zhang , Jiewen Yao Subject: [edk2-devel] [PATCH v2 1/3] SecurityPkg: add definitions for OBB verification Date: Tue, 11 Jun 2019 02:35:34 +0800 Message-Id: <20190610183536.5628-2-jian.j.wang@intel.com> In-Reply-To: <20190610183536.5628-1-jian.j.wang@intel.com> References: <20190610183536.5628-1-jian.j.wang@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jian.j.wang@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1560191741; bh=ICv4vxWae3Kdh2gvlipmvE5A8jmMKSi9NyZZsgEh9Yc=; h=Cc:Date:From:Reply-To:Subject:To; b=NB2Hp/e7lP9fabi5PO45qfYiKWWh1R+nbKKrT48Fa1dapXRGk+tgn76olPfW+mPdk4t vBtXeeblxi+MAzhIx4OhuVc3HNaX7ouS+vLlZ3yj0S6X3040O24Di5RyekH/wr9bc7xDu fSz3dZv6uHuUsAAvECU52OXLnIQRHnqO2Lc= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D1617 gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid should be installed by platform to pass FV hash information to the common FV verify/report driver, in which the hash value will be calculated again based on the information fed in and then verified. The information passed in this PPI include: - FVs location in flash and length - Hash values for different boot mode The hash value must be calculated in following way (if 3 FVs to calc): FV1 -> Hash1 FV2 -> Hash2 FV3 -> Hash3 Hash1 + Hash2 + Hash3 -> HashAll Only HashAll is stored in this PPI. The purposes for this algorithm are two: 1. To report each FV's hash to TCG driver and verify HashAll at the same time without the burden to calculate the hash twice; 2. To save hash value storage due to potential hardware limitation Different boot mode may have its own hash value so that each mode can decide which FV will be verified. For example, for the sake of performance, S3 may choose to skip some FVs verification and normal boot will verify all FVs it concerns. So in this PPI, each FV information has flag to indicate which boot mode it will be taken into hash calculation. And if multiple hash values passed in this PPI, each has a flag to indicate which boot mode it's used for. Note one hash value supports more than one boot modes if they're just the same. PcdStatusCodeFvVerificationPass and PcdStatusCodeFvVerificationFail are introduced to report status back to platform, and platform can choose how to act upon verification success and failure. Cc: Chao Zhang Cc: Jiewen Yao Signed-off-by: Jian J Wang --- .../Ppi/FirmwareVolumeInfoStoredHashFv.h | 61 +++++++++++++++++++ SecurityPkg/SecurityPkg.dec | 9 +++ 2 files changed, 70 insertions(+) create mode 100644 SecurityPkg/Include/Ppi/FirmwareVolumeInfoStoredHashFv.h diff --git a/SecurityPkg/Include/Ppi/FirmwareVolumeInfoStoredHashFv.h b/Sec= urityPkg/Include/Ppi/FirmwareVolumeInfoStoredHashFv.h new file mode 100644 index 0000000000..71d10728c5 --- /dev/null +++ b/SecurityPkg/Include/Ppi/FirmwareVolumeInfoStoredHashFv.h @@ -0,0 +1,61 @@ +/** @file +PPI to describe stored hash digest for FVs. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_H__ +#define __PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_H__ + +#include + +// {7F5E4E31-81B1-47E5-9E21-1E4B5BC2F61D} +#define EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI_GUID \ + {0x7f5e4e31, 0x81b1, 0x47e5, {0x9e, 0x21, 0x1e, 0x4b, 0x5b, 0xc2, 0xf6, = 0x1d}} + +// +// Hashed FV flags. +// +#define HASHED_FV_FLAG_REPORT_FV_INFO_PPI 0x0000000000000001 +#define HASHED_FV_FLAG_REPORT_FV_HOB 0x0000000000000002 +#define HASHED_FV_FLAG_VERIFIED_BOOT 0x0000000000000010 +#define HASHED_FV_FLAG_MEASURED_BOOT 0x0000000000000020 +#define HASHED_FV_FLAG_SKIP_ALL 0xFFFFFFFFFFFFFF00 +#define HASHED_FV_FLAG_SKIP_BOOT_MODE(Mode) LShiftU64 (0x100, (Mode)) + +#define HASHED_FV_MAX_NUMBER 10 + +#define FV_HASH_FLAG_BOOT_MODE(Mode) LShiftU64 (1, (Mode)) + +typedef struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI + EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI; + +typedef struct _HASHED_FV_INFO { + UINT32 Base; + UINT32 Length; + UINT64 Flag; +} HASHED_FV_INFO; + +typedef struct _FV_HASH_INFO { + UINT64 HashFlag; + UINT16 HashAlgoId; + UINT16 HashSize; + UINT8 Hash[64]; +} FV_HASH_INFO; + +// +// PPI used to convey FVs and hash information of a specific platform. +// +struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI { + UINTN FvNumber; + HASHED_FV_INFO FvInfo[HASHED_FV_MAX_NUMBER]; + UINTN HashNumber; + FV_HASH_INFO HashInfo[1]; +}; + +extern EFI_GUID gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid; + +#endif + diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 3314f1854b..f0c0581b17 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -187,6 +187,9 @@ =20 ## Include/Ppi/FirmwareVolumeInfoPrehashedFV.h gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid =3D { 0x3ce1e631, 0x7008, = 0x477c, { 0xad, 0xa7, 0x5d, 0xcf, 0xc7, 0xc1, 0x49, 0x4b } } +=20 + ## Include/Ppi/FirmwareVolumeInfoStoredHashFv.h + gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid =3D {0x7f5e4e31, 0x81b1, = 0x47e5, { 0x9e, 0x21, 0x1e, 0x4b, 0x5b, 0xc2, 0xf6, 0x1d } } =20 # # [Error.gEfiSecurityPkgTokenSpaceGuid] @@ -257,6 +260,12 @@ # @ValidList 0x80000003 | 0x010D0000 gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|= UINT32|0x00000007 =20 + ## Progress Code for FV verification result.

+ # (EFI_SOFTWARE_PEI_MODULE | EFI_SUBCLASS_SPECIFIC | XXX) + # @Prompt Status Code for FV verification result + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass|0x0303100A= |UINT32|0x00010030 + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail|0x0303100B= |UINT32|0x00010031 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## Image verification policy for OptionRom. Only following values are va= lid:

# NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification= and has been removed.
--=20 2.17.1.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42123): https://edk2.groups.io/g/devel/message/42123 Mute This Topic: https://groups.io/mt/32007716/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri Apr 19 19:23:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+42124+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42124+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1560191743; cv=none; d=zoho.com; s=zohoarc; b=kTiKGYHlTtsUAt6q+JacPtwMIzKu10uykzkxupBFh1FnqlRM4QMO7+gKWdJFS05fVdmTi/OO3rdMmsXWHObTMIIE7CmykEM2jplVSh06DX7j6E98yX1L7xTLHa7uIhTetBhT6+yE9KUxb+XYvCC8Jw2ihxi+N22O0phtGQpd9xg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560191743; h=Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=aunTGVmWYgbCpAKgB7Fq31RXSDFccI/i+jK3bVCJQwE=; b=nVqeRlHV1qqPgGv5fz3KuPclkYL6X2/nBq01V2JHuU0TkIDlcZ51rSeHbA3Ni6YjRPRBY2biEHnehTISZngSpKYdIMIxDIYshzFcaZg0OARvrqQUsjgLyb8tO4wZZtlwm3nPKvQklmVSqAxNMQEsIXMuIr5cNSHlhZ5umA6a4YQ= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42124+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1560191743118511.89256526483223; Mon, 10 Jun 2019 11:35:43 -0700 (PDT) Return-Path: X-Received: from mga18.intel.com (mga18.intel.com []) by groups.io with SMTP; Mon, 10 Jun 2019 11:35:42 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jun 2019 11:35:41 -0700 X-ExtLoop1: 1 X-Received: from shwdeopenpsi777.ccr.corp.intel.com ([10.239.158.28]) by fmsmga008.fm.intel.com with ESMTP; 10 Jun 2019 11:35:40 -0700 From: "Wang, Jian J" To: devel@edk2.groups.io Cc: Chao Zhang , Jiewen Yao Subject: [edk2-devel] [PATCH v2 2/3] SecurityPkg/FvReportPei: implement a common FV verifier and reporter Date: Tue, 11 Jun 2019 02:35:35 +0800 Message-Id: <20190610183536.5628-3-jian.j.wang@intel.com> In-Reply-To: <20190610183536.5628-1-jian.j.wang@intel.com> References: <20190610183536.5628-1-jian.j.wang@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jian.j.wang@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1560191742; bh=imZncf/x51YQ9MjC+1iIB0gLc/gT6KPICCUczjH/Aco=; h=Cc:Date:From:Reply-To:Subject:To; b=DVE46nDuUgdRbHDGgNAoLcoMOOPclXhVvbogQ9We67Bi+1Alq4/x15LNGoc+vmHnebl GLae16gIT5pfQe9BrqKudynV7Geg1vbjc50hQ73DETMLo+WxV4XvtU8lzxAL1ZckcoxeL E26Z0dAGCk8oLVO8LECV9M4M8v0JQPzA8Vc= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" >v2: correct parameter and return value description for GetHashInfo() https://bugzilla.tianocore.org/show_bug.cgi?id=3D1617 This driver implements a common checker, verifier and reporter which is independent of hardware based root-of-trust. Usually the hardware based root-of-trust will not verify all BIOS but part of it. For example, Boot Guard will only verify IBB segment. The IBB needs to verify other part of BIOS, i.e. other FVs to transfer control to from IBB. This driver plays the role in IBB to verify FVs not covered by hardware root-of-trust to make sure integrity of the chain of trust. To be hardware/platform independent, PPI gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid is introduced for platform to pass digest information to this driver. This PPI should include all information needed to verify required FVs in required boot mode. struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI { UINTN FvNumber; HASHED_FV_INFO FvInfo[HASHED_FV_MAX_NUMBER]; UINTN HashNumber; FV_HASH_INFO HashInfo[1]; }; To avoid TOCTOU issue, all FVs to be verified will be copied to memory before hash calculation. That also means this driver has to be run after permanent memory has been discovered. For a measured boot, this driver will install gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid to report digest of each FV to TCG driver. For a verified boot, this driver will verify the final hash value (calculated from the concatenation of each FV's hash) for indicated FVs against the hash got from platform/hardware. If pass, it will build EFI_HOB_TYPE_FV (consumed by DXE core) and/or install gEfiPeiFirmwareVolumeInfoPpiGuid (consumed by PEI core), and then report status code PcdStatusCodeFvVerificationPass. If fail, it just report status code PcdStatusCodeFvVerificationFail and go to dead loop if status report returns. The platform can register customized handler to process pass and fail cases differently. Currently, this driver only supports hash (sha256/384/512) verification for the performance consideration. Cc: Chao Zhang Cc: Jiewen Yao Signed-off-by: Jian J Wang --- SecurityPkg/FvReportPei/FvReportPei.c | 418 ++++++++++++++++++ SecurityPkg/FvReportPei/FvReportPei.h | 121 +++++ SecurityPkg/FvReportPei/FvReportPei.inf | 57 +++ SecurityPkg/FvReportPei/FvReportPei.uni | 14 + .../FvReportPei/FvReportPeiPeiExtra.uni | 12 + 5 files changed, 622 insertions(+) create mode 100644 SecurityPkg/FvReportPei/FvReportPei.c create mode 100644 SecurityPkg/FvReportPei/FvReportPei.h create mode 100644 SecurityPkg/FvReportPei/FvReportPei.inf create mode 100644 SecurityPkg/FvReportPei/FvReportPei.uni create mode 100644 SecurityPkg/FvReportPei/FvReportPeiPeiExtra.uni diff --git a/SecurityPkg/FvReportPei/FvReportPei.c b/SecurityPkg/FvReportPe= i/FvReportPei.c new file mode 100644 index 0000000000..07855774b4 --- /dev/null +++ b/SecurityPkg/FvReportPei/FvReportPei.c @@ -0,0 +1,418 @@ +/** @file + This driver verifies and reports OBB FVs. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "FvReportPei.h" + +STATIC CONST HASH_ALG_INFO mHashAlgInfo[] =3D { + {0, NULL, NULL, NULL, NULL}, // 0000 TPM_ALG_ERROR + {0, NULL, NULL, NULL, NULL}, // 0001 TPM_ALG_FIRST + {0, NULL, NULL, NULL, NULL}, // 0002 + {0, NULL, NULL, NULL, NULL}, // 0003 + {0, NULL, NULL, NULL, NULL}, // 0004 TPM_ALG_SHA1 + {0, NULL, NULL, NULL, NULL}, // 0005 + {0, NULL, NULL, NULL, NULL}, // 0006 TPM_ALG_AES + {0, NULL, NULL, NULL, NULL}, // 0007 + {0, NULL, NULL, NULL, NULL}, // 0008 TPM_ALG_KEYEDHASH + {0, NULL, NULL, NULL, NULL}, // 0009 + {0, NULL, NULL, NULL, NULL}, // 000A + {SHA256_DIGEST_SIZE, Sha256Init, Sha256Update, Sha256Final, Sha256HashAl= l}, // 000B TPM_ALG_SHA256 + {SHA384_DIGEST_SIZE, Sha384Init, Sha384Update, Sha384Final, Sha384HashAl= l}, // 000C TPM_ALG_SHA384 + {SHA512_DIGEST_SIZE, Sha512Init, Sha512Update, Sha512Final, Sha512HashAl= l}, // 000D TPM_ALG_SHA512 + {0, NULL, NULL, NULL, NULL}, // 000E + {0, NULL, NULL, NULL, NULL}, // 000F + {0, NULL, NULL, NULL, NULL}, // 0010 TPM_ALG_NULL +//{0, NULL, NULL, NULL, NULL}, // 0011 +//{0, NULL, NULL, NULL, NULL}, // 0012 TPM_ALG_SM3_256 +}; + +/** + Install a EDKII_PEI_FIRMWARE_VOLUME_INFO_PREHASHED_FV_PPI instance so th= at + TCG driver may use to extend PCRs. + + @param[in] FvBuffer Buffer containing the whole FV. + @param[in] FvLength Length of the FV. + @param[in] HashAlgoId Hash algorithm type id. + @param[in] HashSize Hash size. + @param[in] HashValue Hash value buffer. +**/ +STATIC +VOID +InstallPreHashFvPpi ( + IN VOID *FvBuffer, + IN UINTN FvLength, + IN UINT16 HashAlgoId, + IN UINT16 HashSize, + IN UINT8 *HashValue + ) +{ + EFI_STATUS Status; + EFI_PEI_PPI_DESCRIPTOR *FvInfoPpiDescriptor; + EDKII_PEI_FIRMWARE_VOLUME_INFO_PREHASHED_FV_PPI *PreHashedFvPpi; + UINTN PpiSize; + HASH_INFO *HashInfo; + + PpiSize =3D sizeof (EDKII_PEI_FIRMWARE_VOLUME_INFO_PREHASHED_FV_PPI) + + sizeof (sizeof (HASH_INFO)) + + HashSize; + + PreHashedFvPpi =3D AllocatePool (PpiSize); + ASSERT (PreHashedFvPpi !=3D NULL); + + PreHashedFvPpi->FvBase =3D (UINT32)(UINTN)FvBuffer; + PreHashedFvPpi->FvLength =3D (UINT32)FvLength; + PreHashedFvPpi->Count =3D 1; + + HashInfo =3D HASH_INFO_PTR (PreHashedFvPpi); + HashInfo->HashAlgoId =3D HashAlgoId; + HashInfo->HashSize =3D HashSize; + CopyMem (HASH_VALUE_PTR (HashInfo), HashValue, HashSize); + + FvInfoPpiDescriptor =3D AllocatePool (sizeof (EFI_PEI_PPI_DESCRIPTOR)); + ASSERT (FvInfoPpiDescriptor !=3D NULL); + + FvInfoPpiDescriptor->Guid =3D &gEdkiiPeiFirmwareVolumeInfoPrehashedFvPp= iGuid; + FvInfoPpiDescriptor->Flags =3D EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_= DESCRIPTOR_TERMINATE_LIST; + FvInfoPpiDescriptor->Ppi =3D (VOID *) PreHashedFvPpi; + + Status =3D PeiServicesInstallPpi (FvInfoPpiDescriptor); + ASSERT_EFI_ERROR (Status); +} + +/** + Calculate and verify hash value for given FV. + + @param[in] HashInfo Hash information of the FV. + @param[in] FvInfo Information of FV used for verification. + @param[in] FvNumber Length of the FV. + @param[in] BootMode Length of the FV. + + @retval EFI_SUCCESS The given FV is integrate. + @retval EFI_VOLUME_CORRUPTED The given FV is corrupted (hash mismatch). + @retval EFI_UNSUPPORTED The hash algorithm is not supported. + @retval EFI_INVALID_PARAMETER FvInfo is NULL or FvNumber is zero. +**/ +STATIC +EFI_STATUS +VerifyHashedFv ( + IN FV_HASH_INFO *HashInfo, + IN HASHED_FV_INFO *FvInfo, + IN UINTN FvNumber, + IN EFI_BOOT_MODE BootMode + ) +{ + UINTN FvIndex; + CONST HASH_ALG_INFO *AlgInfo; + UINT8 *HashValue; + UINT8 *FvHashValue; + VOID *FvBuffer; + EFI_STATUS Status; + + if (HashInfo =3D=3D NULL || + HashInfo->HashSize =3D=3D 0 || + HashInfo->HashAlgoId =3D=3D TPM_ALG_NULL) { + DEBUG ((DEBUG_INFO, "Bypass FV hash verification\r\n")); + return EFI_SUCCESS; + } + + if (FvInfo =3D=3D NULL || FvNumber =3D=3D 0 ) { + return EFI_INVALID_PARAMETER; + } + + if (HashInfo->HashAlgoId >=3D ARRAY_SIZE (mHashAlgInfo) || + mHashAlgInfo[HashInfo->HashAlgoId].HashSize !=3D HashInfo->HashSize)= { + DEBUG ((DEBUG_ERROR, "Unsupported or wrong hash algorithm: %04X (size= =3D%d)\r\n", + HashInfo->HashAlgoId, HashInfo->HashSize)); + return EFI_UNSUPPORTED; + } + + AlgInfo =3D &mHashAlgInfo[HashInfo->HashAlgoId]; + + // + // We need a hash value for each FV as well as one for all FVs. + // + HashValue =3D AllocateZeroPool (AlgInfo->HashSize * (FvNumber + 1)); + ASSERT (HashValue !=3D NULL); + + // + // Calcuate hash value for each FV first. + // + FvHashValue =3D HashValue; + for (FvIndex =3D 0; FvIndex < FvNumber; ++FvIndex) { + // + // Skip any FV not meant for verified boot and measured boot. + // + if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) =3D=3D 0 && + (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) =3D=3D 0) { + continue; + } + + // + // Skip any FV not meant for current boot mode. + // + if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_SKIP_BOOT_MODE (BootMode)) = !=3D 0) { + continue; + } + + DEBUG (( + DEBUG_INFO, + "Pre-hashed[alg=3D%04X,size=3D%d,flag=3D%016lX] FV: 0x%08X (%X) (Fla= g=3D%016lX)\r\n", + HashInfo->HashAlgoId, + HashInfo->HashSize, + HashInfo->HashFlag, + FvInfo[FvIndex].Base, + FvInfo[FvIndex].Length, + FvInfo[FvIndex].Flag + )); + + // + // Copy FV to permanent memory to avoid potential TOC/TOU. + // + FvBuffer =3D AllocatePages (EFI_SIZE_TO_PAGES(FvInfo[FvIndex].Length)); + ASSERT (FvBuffer !=3D NULL); + CopyMem (FvBuffer, (CONST VOID *)(UINTN)FvInfo[FvIndex].Base, FvInfo[F= vIndex].Length); + + if (AlgInfo->HashAll (FvBuffer, FvInfo[FvIndex].Length, FvHashValue) = =3D=3D FALSE) { + Status =3D EFI_ABORTED; + goto Done; + } + + // + // Report the FV measurement. + // + if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) !=3D 0) { + InstallPreHashFvPpi ( + FvBuffer, + FvInfo[FvIndex].Length, + HashInfo->HashAlgoId, + HashInfo->HashSize, + FvHashValue + ); + } + + // + // Don't keep the hash value of current FV if we don't need to verify = it. + // + if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) !=3D 0) { + FvHashValue +=3D AlgInfo->HashSize; + } + + // + // Use memory copy of the FV from now on. + // + FvInfo[FvIndex].Base =3D (UINT32)(UINTN)FvBuffer; + } + + // + // Check final hash for all FVs. + // + if (FvHashValue =3D=3D HashValue || + (AlgInfo->HashAll (HashValue, FvHashValue - HashValue, FvHashValue) = && + CompareMem (HashInfo->Hash, FvHashValue, AlgInfo->HashSize) =3D=3D = 0)) { + Status =3D EFI_SUCCESS; + } else { + Status =3D EFI_VOLUME_CORRUPTED; + } + +Done: + FreePool (HashValue); + return Status; +} + +/** + Report FV to PEI and/or DXE core for dispatch. + + @param[in] FvInfo Information of a FV. + +**/ +STATIC +VOID +ReportHashedFv ( + IN HASHED_FV_INFO *FvInfo + ) +{ + CONST EFI_GUID *FvFormat; + + if ((FvInfo->Flag & HASHED_FV_FLAG_REPORT_FV_HOB) !=3D 0) { + // + // Require DXE core to process this FV. + // + BuildFvHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN)FvInfo->Base, + (UINT64)FvInfo->Length + ); + DEBUG ((DEBUG_INFO, "Reported FV HOB: %08X (%X)\r\n", FvInfo->Base, Fv= Info->Length)); + } + + if ((FvInfo->Flag & HASHED_FV_FLAG_REPORT_FV_INFO_PPI) !=3D 0) { + // + // Require PEI core to process this FV. + // + FvFormat =3D &((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvInfo->Base)->Fil= eSystemGuid; + PeiServicesInstallFvInfoPpi ( + FvFormat, + (VOID *)(UINTN)FvInfo->Base, + FvInfo->Length, + NULL, + NULL + ); + DEBUG ((DEBUG_INFO, "Reported FV PPI: %08X (%X)\r\n", FvInfo->Base, Fv= Info->Length)); + } +} + +/** + Verify and report pre-hashed FVs. + + Doing this must be at post-memory to make sure there's enough memory to = hold + all FVs to be verified. This is necessary for mitigating TOCTOU issue. + + This function will never return if the verification is failed. + + @param[in] StoredHashFvPpi Pointer to PPI containing hash information. + @param[in] BootMode Current boot mode. + + @retval Pointer to structure containning valid hash information for curr= ent boot mode. + @retval NULL if there's no hash associated with current boot mode. +**/ +STATIC +FV_HASH_INFO * +GetHashInfo ( + IN EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI *StoredHashFvPpi, + IN EFI_BOOT_MODE BootMode + ) +{ + FV_HASH_INFO *HashInfo; + UINTN HashIndex; + + for (HashIndex =3D 0, HashInfo =3D NULL; + HashIndex < StoredHashFvPpi->HashNumber && HashInfo =3D=3D NULL; + ++HashIndex) { + + if ((StoredHashFvPpi->HashInfo[HashIndex].HashFlag + & FV_HASH_FLAG_BOOT_MODE (BootMode)) !=3D 0) { + HashInfo =3D &StoredHashFvPpi->HashInfo[HashIndex]; + break; + } + + } + + return HashInfo; +} + +/** + Verify and report pre-hashed FVs. + + Doing this must be at post-memory to make sure there's enough memory to = hold + all FVs to be verified. This is necessary for mitigating TOCTOU issue. + + This function will never return if the verification is failed. + + @param[in] PeiServices General purpose services available to every = PEIM. + @param[in] BootMode Current boot mode. + + @retval EFI_SUCCESS The function completed successfully. +**/ +STATIC +EFI_STATUS +CheckStoredHashFv ( + IN CONST EFI_PEI_SERVICES **PeiServices, + IN EFI_BOOT_MODE BootMode + ) +{ + EFI_STATUS Status; + UINT32 Instance; + EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI *StoredHashFvPpi; + FV_HASH_INFO *HashInfo; + UINTN FvIndex; + + // + // Check pre-hashed FV list + // + Instance =3D 0; + StoredHashFvPpi =3D NULL; + do { + Status =3D PeiServicesLocatePpi ( + &gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid, + Instance, + NULL, + (VOID**)&StoredHashFvPpi + ); + if (!EFI_ERROR(Status) && StoredHashFvPpi !=3D NULL && StoredHashFvPpi= ->FvNumber > 0) { + + HashInfo =3D GetHashInfo(StoredHashFvPpi, BootMode); + Status =3D VerifyHashedFv (HashInfo, StoredHashFvPpi->FvInfo, + StoredHashFvPpi->FvNumber, BootMode); + if (!EFI_ERROR (Status)) { + // + // Report the FVs to PEI core and/or DXE core. + // + for (FvIndex =3D 0; FvIndex < StoredHashFvPpi->FvNumber; ++FvIndex= ) { + if ((StoredHashFvPpi->FvInfo[FvIndex].Flag + & HASHED_FV_FLAG_SKIP_BOOT_MODE (BootMode)) =3D=3D 0) { + ReportHashedFv (&StoredHashFvPpi->FvInfo[FvIndex]); + } + } + + } else { + + DEBUG ((DEBUG_ERROR, "ERROR: Failed to verify OBB FVs (%r)\r\n", S= tatus)); + + REPORT_STATUS_CODE_EX ( + EFI_PROGRESS_CODE, + PcdGet32 (PcdStatusCodeFvVerificationFail), + Instance, + NULL, + &gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid, + StoredHashFvPpi, + sizeof (*StoredHashFvPpi) + ); + + ASSERT (FALSE); + CpuDeadLoop (); + + } + } + + Instance++; + + } while (!EFI_ERROR(Status)); + + REPORT_STATUS_CODE ( + EFI_PROGRESS_CODE, + PcdGet32 (PcdStatusCodeFvVerificationPass) + ); + + return EFI_SUCCESS; +} + +/** + Main entry for FvReport PEIM. + + @param[in] FileHandle Handle of the file being invoked. + @param[in] PeiServices Pointer to PEI Services table. + + @retval EFI_SUCCESS If all FVs reported by StoredHashFvPpi are verified. + +**/ +EFI_STATUS +EFIAPI +FvReportEntryPoint ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + EFI_STATUS Status; + EFI_BOOT_MODE BootMode; + + Status =3D PeiServicesGetBootMode (&BootMode); + ASSERT_EFI_ERROR (Status); + + Status =3D CheckStoredHashFv (PeiServices, BootMode); + ASSERT_EFI_ERROR (Status); + + return Status; +} diff --git a/SecurityPkg/FvReportPei/FvReportPei.h b/SecurityPkg/FvReportPe= i/FvReportPei.h new file mode 100644 index 0000000000..fb7d205f73 --- /dev/null +++ b/SecurityPkg/FvReportPei/FvReportPei.h @@ -0,0 +1,121 @@ +/** @file + Definitions for OBB FVs verification. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __FV_REPORT_PEI_H__ +#define __FV_REPORT_PEI_H__ + +#include + +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#define HASH_INFO_PTR(PreHashedFvPpi) \ + (HASH_INFO *)((UINT8 *)(PreHashedFvPpi) + sizeof (EDKII_PEI_FIRMWARE_VOL= UME_INFO_PREHASHED_FV_PPI)) + +#define HASH_VALUE_PTR(HashInfo) \ + (VOID *)((UINT8 *)(HashInfo) + sizeof (HASH_INFO)) + +/** + Computes the message digest of a input data buffer. + + This function performs message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be= hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives digest value. + + @retval TRUE The digest computation succeeded. + @retval FALSE The digest computation failed. + +**/ +typedef +BOOLEAN +(EFIAPI *HASH_ALL_METHOD) ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ); + +/** + Initializes user-supplied memory as hash context for subsequent use. + + @param[out] HashContext Pointer to hash context being initialized. + + @retval TRUE Hash context initialization succeeded. + @retval FALSE Hash context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *HASH_INIT_METHOD) ( + OUT VOID *HashContext + ); + +/** + Digests the input data and updates hash context. + + @param[in, out] HashContext Pointer to the hash context. + @param[in] Data Pointer to the buffer containing the data = to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE Hash data digest succeeded. + @retval FALSE Hash data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *HASH_UPDATE_METHOD) ( + IN OUT VOID *HashContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the hash digest value. + + @param[in, out] HashContext Pointer to the hash context. + @param[out] HashValue Pointer to a buffer that receives the hash= digest + value. + + @retval TRUE Hash digest computation succeeded. + @retval FALSE Hash digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *HASH_FINAL_METHOD) ( + IN OUT VOID *HashContext, + OUT UINT8 *HashValue + ); + +typedef struct { + UINTN HashSize; + HASH_INIT_METHOD HashInit; + HASH_UPDATE_METHOD HashUpdate; + HASH_FINAL_METHOD HashFinal; + HASH_ALL_METHOD HashAll; +} HASH_ALG_INFO; + +#endif //__FV_REPORT_PEI_H__ + diff --git a/SecurityPkg/FvReportPei/FvReportPei.inf b/SecurityPkg/FvReport= Pei/FvReportPei.inf new file mode 100644 index 0000000000..2f1188509b --- /dev/null +++ b/SecurityPkg/FvReportPei/FvReportPei.inf @@ -0,0 +1,57 @@ +## @file +# FV Report/Verify PEI Driver. +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D FvReportPei + MODULE_UNI_FILE =3D FvReportPei.uni + FILE_GUID =3D 72405B40-38DA-4ABA-9283-CA8321C23E63 + MODULE_TYPE =3D PEIM + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D FvReportEntryPoint + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + FvReportPei.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + CryptoPkg/CryptoPkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + PeimEntryPoint + PeiServicesLib + BaseLib + DebugLib + BaseMemoryLib + PcdLib + HobLib + MemoryAllocationLib + BaseCryptLib + ReportStatusCodeLib + +[Ppis] + gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid ## PRODUCES + gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid ## CONSUMES + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail + +[Depex] + gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid AND gEfiPeiMemoryDiscover= edPpiGuid + +[UserExtensions.TianoCore."ExtraFiles"] + FvReportPeiPeiExtra.uni diff --git a/SecurityPkg/FvReportPei/FvReportPei.uni b/SecurityPkg/FvReport= Pei/FvReportPei.uni new file mode 100644 index 0000000000..bad43403c4 --- /dev/null +++ b/SecurityPkg/FvReportPei/FvReportPei.uni @@ -0,0 +1,14 @@ +// /** @file +// FV Verify/Report PEI Driver. +// +// Copyright (c) 2019, Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "This module verif= ies and reports FVs." + +#string STR_MODULE_DESCRIPTION #language en-US "This module verif= ies FVs' digest passed through gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGu= id, " + "and installs gEdk= iiPeiFirmwareVolumeInfoPrehashedFvPpiGuid, gEfiPeiFirmwareVolumeInfoPpiGuid= and/or FV HOB if passed." + diff --git a/SecurityPkg/FvReportPei/FvReportPeiPeiExtra.uni b/SecurityPkg/= FvReportPei/FvReportPeiPeiExtra.uni new file mode 100644 index 0000000000..6214bbdaa9 --- /dev/null +++ b/SecurityPkg/FvReportPei/FvReportPeiPeiExtra.uni @@ -0,0 +1,12 @@ +// /** @file +// FV Verify/Report PEI Driver. +// +// Copyright (c) 2019, Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_PROPERTIES_MODULE_NAME +#language en-US "FV Verify/Report PEI Driver" + + --=20 2.17.1.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42124): https://edk2.groups.io/g/devel/message/42124 Mute This Topic: https://groups.io/mt/32007717/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri Apr 19 19:23:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+42125+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42125+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1560191743; cv=none; d=zoho.com; s=zohoarc; b=llWTlmZ4tf0H1QOJt97r1AFyHoQ9GCEqgQkIHPPbRbFyZ1TCfYaD20EwVRMh4BDpz2F4WRqfxcEWdM0EmLffhi21/n7t1woTepM+v31GXOZsI3isaUV/9X3p55YyXBoEHryq2QyPFtqntkf3BxOM4ekcufeXd8gYzsrkZFzEcNA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560191743; h=Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=tH+j7KSspQ2OETPN9ATm4DA/VYW1wl4kGIybqagViaU=; b=W9Q++ImDPp5qYr2T/uTjBT9t19/mJIZhzjpwqU0XoQxlVxVeye3iRQLnaLAkV+wf4KcfdNUoiV3u28ujY3q6YYZMhwXfMEg7wAN7QKj+gGRnmpX/ZswHJQg7AiQRTmCgeugYM4PLJk9OPCqB6hH46i09mUmZqodkX4B5jQ9QG7Y= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42125+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1560191743754922.550503012165; Mon, 10 Jun 2019 11:35:43 -0700 (PDT) Return-Path: X-Received: from mga18.intel.com (mga18.intel.com []) by groups.io with SMTP; Mon, 10 Jun 2019 11:35:42 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jun 2019 11:35:42 -0700 X-ExtLoop1: 1 X-Received: from shwdeopenpsi777.ccr.corp.intel.com ([10.239.158.28]) by fmsmga008.fm.intel.com with ESMTP; 10 Jun 2019 11:35:41 -0700 From: "Wang, Jian J" To: devel@edk2.groups.io Cc: Chao Zhang , Jiewen Yao Subject: [edk2-devel] [PATCH v2 3/3] SecurityPkg: add FvReportPei.inf in dsc for build validation Date: Tue, 11 Jun 2019 02:35:36 +0800 Message-Id: <20190610183536.5628-4-jian.j.wang@intel.com> In-Reply-To: <20190610183536.5628-1-jian.j.wang@intel.com> References: <20190610183536.5628-1-jian.j.wang@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jian.j.wang@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1560191743; bh=9zlLdiKwrKOMCIHgrulzzySx9WG0pZH8vR5+c7z+byc=; h=Cc:Date:From:Reply-To:Subject:To; b=MgPkOhsCdWDufyYxRqFKCC8c2KN/TvAHpcP7xfohWazIFwrE4ypBS5ZFZ5LnrrTpZLN o2BErHUNP7swJCDb1jMYGcMVZ65ffAPVYqMwQDLxK6d+YRkC9h5hyZ+wcQpH+KbI5UxpU 07HVy3EZ0GIIFrmOQmRkXkH0XMQsydHdOaU= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D1617 Cc: Chao Zhang Cc: Jiewen Yao Signed-off-by: Jian J Wang --- SecurityPkg/SecurityPkg.dsc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2ee0528f0..4451bd1271 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -287,6 +287,11 @@ SecurityPkg/HddPassword/HddPasswordDxe.inf SecurityPkg/HddPassword/HddPasswordPei.inf =20 + # + # Common FV checker/verifier/reporter + # + SecurityPkg/FvReportPei/FvReportPei.inf + [BuildOptions] MSFT:*_*_IA32_DLINK_FLAGS =3D /ALIGN:256 INTEL:*_*_IA32_DLINK_FLAGS =3D /ALIGN:256 --=20 2.17.1.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42125): https://edk2.groups.io/g/devel/message/42125 Mute This Topic: https://groups.io/mt/32007718/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-