From nobody Tue Feb 10 10:19:19 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+75545+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+75545+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=arm.com ARC-Seal: i=1; a=rsa-sha256; t=1621889470; cv=none; d=zohomail.com; s=zohoarc; b=HUaAPDTlXzQ48ZGt2YhxoFxikbwJC4rxqKwTNQ1f6GesL/CPyxr2A6OA8UP+CchhWi9VFS44d32oB8NLxB3kR3ypd8RmGjfZAg2uF1Yip8zgY3CBPYwWBiz4WN+tOY+lgvuKOLLGo1yxZhfdtSAguruVaS1Bmc0UDryL6zyGyNQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1621889470; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=3Z2pt7DgggcxQV0l5RK6DObSgbpK4JwNyJmlGDdxm5g=; b=bUj8B3QzsQUxaQNm0WQBSF/BNW3wUoQftj1NYLvgDogO1rIypuFNlS2PJT8H0BwaQKk3rSJyeQx2P7XQjvGH3GLqBC+p8vCFlKosczLlb22CMiwGAAeZwzu3Sy3BY4MS1bDGiEncYFis68Gq58+3D8KioQFb2goRejgTklQ7vN4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+75545+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1621889470407646.1888923600884; Mon, 24 May 2021 13:51:10 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id hOqjYY1788612xBp9tBS5WX0; Mon, 24 May 2021 13:51:10 -0700 X-Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.26735.1621876998609826722 for ; Mon, 24 May 2021 10:23:18 -0700 X-Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4386D6D; Mon, 24 May 2021 10:23:18 -0700 (PDT) X-Received: from usa.arm.com (a077432.blr.arm.com [10.162.4.31]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 144BF3F73B; Mon, 24 May 2021 10:23:16 -0700 (PDT) From: "Sayanta Pattanayak" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Sami Mujawar Subject: [edk2-devel] [edk2-platforms][PATCH V1 3/3] Platform/Sgi: enable support for UEFI secure boot Date: Mon, 24 May 2021 22:53:00 +0530 Message-Id: <20210524172300.28754-4-sayanta.pattanayak@arm.com> In-Reply-To: <20210524172300.28754-1-sayanta.pattanayak@arm.com> References: <20210524172300.28754-1-sayanta.pattanayak@arm.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,sayanta.pattanayak@arm.com X-Gm-Message-State: k7RjTzSTgzOpZ3YG5ZbyR3Vdx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1621889470; bh=SK8D9BbL3nucVBChZnoMQlpdOJKYtJCzIUaO7g/kuBQ=; h=Cc:Date:From:Reply-To:Subject:To; b=gvdRDdsNGpKtgATuRrl7166dVG9HrCvyKHratHlmiWhbiCWwKRKkI+2Q6eN82L5WQJE CytWJttZgiQvH3OUxgkXNy7sO3APb6FB1dNN1lYGMyHQ546zmT/xUB0n0IX4KkfN5lOhB 1hGR1NpBIE4nq3X1aDDQhhMo6s/AToOQS5I= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Enable the use of UEFI secure boot for Arm's Neoverse reference design platforms. The UEFI authenticated variable store uses NOR flash 2 which is accessible from Standalone MM context residing in a secure partition. Signed-off-by: Sayanta Pattanayak Reviewed-by: Sami Mujawar --- Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 31 +++++++++++++++++++ Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 32 ++++++++++++++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 15 +++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++ Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ Platform/ARM/SgiPkg/SgiPlatform.fdf | 9 +++++- 6 files changed, 106 insertions(+), 1 deletion(-) diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/= SgiPlatform.dsc.inc index 091de0c99c74..e4aee7a09acf 100644 --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc @@ -6,6 +6,14 @@ =20 !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc =20 +[Defines] + # To allow the use of secure storage, set this to TRUE. + DEFINE SECURE_STORAGE_ENABLE =3D FALSE + + # To allow the use of UEFI secure boot, set this to TRUE. + # Secure boot requires secure storage to be enabled as well. + DEFINE SECURE_BOOT_ENABLE =3D FALSE + [BuildOptions] *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES =20 @@ -22,6 +30,9 @@ NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.= inf HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf +!endif =20 # Virtio Support VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf @@ -84,6 +95,7 @@ [PcdsFeatureFlag.common] gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE =20 [PcdsFixedAtBuild.common] gArmTokenSpaceGuid.PcdVFPEnabled|1 @@ -230,7 +242,15 @@ MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntim= eDxe.inf +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!endif OvmfPkg/VirtioBlkDxe/VirtioBlk.inf =20 MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf @@ -238,6 +258,9 @@ MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf MdeModulePkg/Universal/SerialDxe/SerialDxe.inf +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +!else MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf @@ -245,6 +268,7 @@ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf } MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +!endif =20 # # ACPI Support @@ -314,4 +338,11 @@ # MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf =20 +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf { + + NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependen= cy.inf + } +!else ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf +!endif diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/SgiPk= g/SgiPlatformMm.dsc.inc index 3389ff676a91..6839ec35da8a 100644 --- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc +++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc @@ -59,6 +59,19 @@ HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Standalon= eMmServicesTableLib.inf MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocation= Lib/StandaloneMmMemoryAllocationLib.inf +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMm= NorFlashLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf + SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchroniza= tionLib.inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplat= e.inf + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf +!endif =20 ##########################################################################= ###### # @@ -75,6 +88,12 @@ =20 gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 =20 +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif + ##########################################################################= ######################### # # Components Section - list of the modules and components that will be pro= cessed by compilation @@ -101,6 +120,19 @@ =20 [Components.AARCH64] StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf + MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandalon= eMm.inf + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf { + + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandal= oneMm.inf + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePol= icyLib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib= /VariablePolicyHelperLib.inf + } +!endif =20 ##########################################################################= ######################### # diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/Sg= iPkg/PlatformStandaloneMm.dsc index cdf8aaa88f03..2cb4895cfcff 100644 --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc @@ -39,3 +39,18 @@ [PcdsFixedAtBuild] ## PL011 - Serial Terminal gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000 + +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + ##Secure NOR Flash 2 + gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000 + gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000 + gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000 + + ##Secure Variable Storage in NOR Flash 2 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000 +!endif diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/S= giPkg/PlatformStandaloneMm2.dsc index bb359a15cc0d..46c2ae3529d1 100644 --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc @@ -38,3 +38,18 @@ [PcdsFixedAtBuild] ## PL011 - Serial Terminal gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000 + +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + ##Secure NOR Flash 2 + gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000 + gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000 + gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000 + + ##Secure Variable Storage in NOR Flash 2 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000= 000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x10541= 00000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200= 000 + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000 +!endif diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/Sg= iPkg/PlatformStandaloneMm.fdf index 5a0772cd8522..474c9c0ce764 100644 --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf @@ -49,6 +49,11 @@ READ_LOCK_CAP =3D TRUE READ_LOCK_STATUS =3D TRUE =20 INF StandaloneMmPkg/Core/StandaloneMmCore.inf +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStand= aloneMm.inf + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +!endif INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf =20 ##########################################################################= ###### diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiP= latform.fdf index e11d943d6efc..d94e4633e36c 100644 --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf @@ -90,10 +90,17 @@ READ_LOCK_STATUS =3D TRUE INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf - INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.i= nf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRu= ntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf +!endif +!if $(SECURE_STORAGE_ENABLE) =3D=3D TRUE + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +!else + INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.i= nf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif =20 # # ACPI Support --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75545): https://edk2.groups.io/g/devel/message/75545 Mute This Topic: https://groups.io/mt/83062022/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-