From nobody Sat Dec 21 13:28:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+104994+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104994+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1684367812; cv=none; d=zohomail.com; s=zohoarc; b=lL0iaY7SNp0Nkaf9Bk751urNXN5B17zeB85En+CJan0Zn9guvCG40QZj+mftnlhY/lW0SJPB96o2xbVGiw9+MQZFxHfDuQEp8oLofwQp2MsRcKf66dGM4+9VhflavFRU1E1k9yNOT0LngeP2eQGufvNXRkadyIxalLs3fN5IaeA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1684367812; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=MUC6zmerFZKu5o9qzkMxAx6BWMBSRhY+UvhuyGdqw7Y=; b=YPhpVHYR23IAHNU1qG6Z7kG4Ajjz05zf0Q2nyR2CwETwcGE4ltrU7SMCWZi6+L3Fc0hlD7INncXoIUraX5Q+BP1aCc+2Gy7QWH2j2SUiNWvDH2j3D+1+L1hl/zxrjRSZO29u4xWhkroxCJfDI1zfYvc6K5ZcRMh0f4Ex01qu1Fo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+104994+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1684367812434916.8530890962942; Wed, 17 May 2023 16:56:52 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id lOoZYY1788612xqYyXnwOqsj; Wed, 17 May 2023 16:56:52 -0700 X-Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.3155.1684367809597397300 for ; Wed, 17 May 2023 16:56:51 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="332276041" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="332276041" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10713"; a="876208962" X-IronPort-AV: E=Sophos;i="5.99,283,1677571200"; d="scan'208";a="876208962" X-Received: from slakkim-mobl.amr.corp.intel.com ([10.212.56.110]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 May 2023 16:56:42 -0700 From: "Subash Lakkimsetti" To: devel@edk2.groups.io Cc: Subash Lakkimsetti , Guo Dong , Ray Ni , Sean Rhodes , James Lu , Gua Guo Subject: [edk2-devel] [PATCH v2 5/6] Uefipayloadpkg Enable TPM measured boot Date: Wed, 17 May 2023 16:55:33 -0700 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,subash.lakkimsetti@intel.com X-Gm-Message-State: L2p0hxMZC6cNXcTFJxtOidBox1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1684367812; bh=mgpK3nunSpet5xh7DSSmlcIC/c1pWxFSK4niB3s5zGw=; h=Cc:Date:From:Reply-To:Subject:To; b=SehlqyayPlTKMTh5vB35PxmCa5WRW8G+fEU/wac/XonM98OgTib2BXJQenSRYW4fhiB 3cOhu7v9sMkxcZ+J8SEAMLtc5sXxv2pPG6NF29RTfJdZKuwgkbEJMYDk7jDStxUTEBxMx NTwuwojCwL1V9DCChN4bsIKTa9Ohpi7JiHI= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1684367812789100007 Content-Type: text/plain; charset="utf-8" From: Subash Lakkimsetti Update the packages to support TPM and measured boot in uefi payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE. Cc: Guo Dong Cc: Ray Ni Cc: Sean Rhodes Cc: James Lu Cc: Gua Guo Signed-off-by: Subash Lakkimsetti --- UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++-- UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++-- 2 files changed, 139 insertions(+), 10 deletions(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayload= Pkg.dsc index df078a1b28..0c4c0297ca 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -137,6 +137,7 @@ # Security # DEFINE SECURE_BOOT_ENABLE =3D FALSE + DEFINE MEASURED_BOOT_ENABLE =3D FALSE =20 [BuildOptions] *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTERFACES @@ -309,14 +310,29 @@ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif =20 -!if $(VARIABLE_SUPPORT) =3D=3D "EMU" - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf -!elseif $(VARIABLE_SUPPORT) =3D=3D "SPI" - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf +!if $(VARIABLE_SUPPORT) =3D=3D "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptL= ibNull.inf - MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf !endif + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE || $(MEASURED_BOOT_ENABLE) =3D=3D TR= UE || $(VARIABLE_SUPPORT) =3D=3D "SPI" + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLib= Null.inf +!endif + + # + # TPM + # +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/D= xeTcg2PhysicalPresenceLib.inf +!else + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf +!endif + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf @@ -424,6 +440,11 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE && $(SMM_SUPPORT) =3D=3D TRUE + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/Sm= mTcg2PhysicalPresenceLib.inf +!endif + + [LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Libr= aryClasses.common.UEFI_APPLICATION] !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -625,6 +646,14 @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28= , 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_= 256) + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016 +!endif + + ##########################################################################= ###### # # Components Section - list of all EDK II Modules needed by this Platform. @@ -677,6 +706,10 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf + !endif !endif } !endif @@ -685,6 +718,57 @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLib= DTpm.inf + } + + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf { + + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + } + +!if $(SMM_SUPPORT) =3D=3D TRUE + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf { + + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNu= ll.inf + + } +!endif + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf { + + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + } +!if $(SMM_SUPPORT) =3D=3D TRUE + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg= 2.inf + } +!endif + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibR= outerDxe.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256= .inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf + } + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarc= hyLib/PeiDxeTpmPlatformHierarchyLib.inf + } +!endif #MEASURED_BOOT_ENABLE + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayload= Pkg.fdf index d1f76b1e56..6629ec8993 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -60,6 +60,7 @@ FILE FV_IMAGE =3D 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 { SECTION FV_IMAGE =3D DXEFV } =20 + !if $(NETWORK_DRIVER_ENABLE) =3D=3D TRUE ##########################################################################= ###### [FV.NETWORKFV] @@ -201,10 +202,6 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRea= lTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif =20 -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf -!endif - INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) =3D=3D "GENERIC" @@ -307,6 +304,7 @@ INF MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPl= atformDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphics= ResourceTableDxe.inf !endif =20 + !if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf # @@ -328,6 +326,29 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamic= Command.inf INF ShellPkg/Application/Shell/Shell.inf !endif =20 +!if $(UNIVERSAL_PAYLOAD) =3D=3D FALSE + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf +!endif + +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE + +!endif + [FV.SECFV] FvNameGuid =3D 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C BlockSize =3D $(FD_BLOCK_SIZE) @@ -353,6 +374,20 @@ READ_LOCK_STATUS =3D TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf !endif =20 +!if $(MEASURED_BOOT_ENABLE) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride =3D DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.= inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) =3D=3D TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE =20 ##########################################################################= ###### # @@ -472,3 +507,13 @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfig= Dxe/SecureBootConfigDxe.in UI STRING=3D"Enter Setup" VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R) } + +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE] + FILE DRIVER =3D $(NAMED_GUID) { + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi + RAW ACPI Optional |.acpi + RAW ASL Optional |.aml + UI STRING=3D"$(MODULE_NAME)" Optional + VERSION STRING=3D"$(INF_VERSION)" Optional BUILD_NUM=3D$(BUILD_NUMBE= R) + } --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104994): https://edk2.groups.io/g/devel/message/104994 Mute This Topic: https://groups.io/mt/98982075/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-