From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Support added in universal payload to enable secure boot and measured boot.

Hob structure header for universal payload for secure boot and measured boot information from bootloaders as per the universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html

TCG2ACPI: uninstall TPM2 ACPI if updated from Bootloaders and create new ACPI tables.

Secure boot configuration and flags are added to UefiPayloadPkg.
Measured boot and TPM configurations are added for UefiPayloadPkg.

Subash Lakkimsetti (6):
  MdeModulePkg: universal payload HOB for secure boot info
  UefiPayloadPkg: Add secureboot information HOBs
  TCG2ACPI: Uninstall the TPM2 ACPI if present
  UefiPayloadPkg: Add secure boot configurations
  Uefipayloadpkg Enable TPM measured boot
  UefiPayloadPkg: Add secure boot definitions to ci build

 .../UniversalPayload/SecureBootInfoGuid.h    |  37 +++
 SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c          | 251 ++++++++++++++++++
 SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf        |   3 +
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c   |  77 +++++-
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf |  13 +-
 UefiPayloadPkg/UefiPayloadPkg.ci.yaml        |   4 +
 UefiPayloadPkg/UefiPayloadPkg.dec            |   4 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc            | 127 ++++++++-
 UefiPayloadPkg/UefiPayloadPkg.fdf            |  29 ++
 9 files changed, 534 insertions(+), 11 deletions(-)
 create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h

-- 
2.39.1.windows.1

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101577): https://edk2.groups.io/g/devel/message/101577
Mute This Topic: https://groups.io/mt/97777993/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Add the hob structure header for universal payload for secure boot and measured boot information from bootloaders. Universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html

Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 .../UniversalPayload/SecureBootInfoGuid.h | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h

diff --git a/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h @@ -XXX,XX +XXX,XX @@ +/** @file + This file defines the hob structure for the Secure boot information. + + Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SECUREBOOT_INFO_GUID_H_ +#define SECUREBOOT_INFO_GUID_H_ + +#include <UniversalPayload/UniversalPayload.h> + +/** + Secure Boot info Hob GUID +**/ +extern EFI_GUID gUniversalPayloadSecureBootInfoGuid; + +#define PAYLOAD_SECUREBOOT_INFO_HOB_REVISION 0x1 + +#define NO_TPM 0x0 +#define TPM_TYPE_12 0x1 +#define TPM_TYPE_20 0x2 + +#pragma pack(1) +typedef struct { + UNIVERSAL_PAYLOAD_GENERIC_HEADER Header; + UINT8 VerifiedBootEnabled; + UINT8 MeasuredBootEnabled; + UINT8 FirmwareDebuggerInitialized; + UINT8 TpmType; + UINT8 Reserved[3]; + UINT32 TpmPcrActivePcrBanks; +} UNIVERSAL_SECURE_BOOT_INFO; +#pragma pack() + +#endif // SECUREBOOT_INFO_GUID_H_ -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101578): https://edk2.groups.io/g/devel/message/101578 Mute This Topic: https://groups.io/mt/97777994/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
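Review bot: The `NO_TPM`, `TPM_TYPE_12` and `TPM_TYPE_20` macros in SecureBootInfoGuid.h are unprefixed and live in a public MdeModulePkg include, so they can collide with platform or other package definitions; a namespaced form such as `UNIVERSAL_PAYLOAD_TPM_TYPE_20` (or whatever names the Universal Payload spec uses for this field) would be safer. The `UNIVERSAL_SECURE_BOOT_INFO` fields also carry no doc comments: state that `VerifiedBootEnabled`, `MeasuredBootEnabled` and `FirmwareDebuggerInitialized` are 0/1 flags, which bit layout `TpmPcrActivePcrBanks` uses, and that `Reserved` must be zero, because a payload consumer will act on these bootloader-supplied values with no other description of them.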
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

This patch adds the HOB for secure and measured boot information. This is populated by the bootloader phase and UefiPayloadPkg uses this info to sync the TPM info PCDs.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c   | 77 +++++++++++++++++++-
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
 UefiPayloadPkg/UefiPayloadPkg.dec            |  4 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc            |  2 +
 4 files changed, 92 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index XXXXXXX..XXXXXXX 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c @@ -XXX,XX +XXX,XX @@ This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi tables from bootloader. - Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "BlSupportDxe.h" +#include <Library/DebugLib.h> +#include <Library/PcdLib.h> +#include <Include/UniversalPayload/SecureBootInfoGuid.h> /** Reserve MMIO/IO resource in GCD @@ -XXX,XX +XXX,XX @@ ReserveResourceInGcd ( return Status; } +/** +Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader. +**/ +EFI_STATUS +BlSupportSecurityPcdSync ( + VOID + ) +{ + EFI_STATUS Status; + EFI_HOB_GUID_TYPE *GuidHob; + UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob; + UINTN Size; + + GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid); + if (GuidHob == NULL) { + DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n")); + return EFI_UNSUPPORTED; + } + + SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob); + + // Sync the Hash mask for TPM 2.0 as per active PCR banks. + // Make sure that the current PCR allocations, the TPM supported PCRs, + // and the PcdTpm2HashMask are all in agreement. 
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks)); + + // Set the Firmware debugger PCD + Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized)); + + // Set the TPM Type instance GUID + if (SecurebootInfoHob->MeasuredBootEnabled) { + if (SecurebootInfoHob->TpmType == TPM_TYPE_20) { + DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __FUNCTION__)); + Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm20DtpmGuid + ); + } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) { + DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __FUNCTION__)); + Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm12Guid + ); + } else { + DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __FUNCTION__)); + Size = sizeof (gEfiTpmDeviceInstanceNoneGuid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceNoneGuid + ); + } + + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** Main entry for the bootloader support DXE module. @@ -XXX,XX +XXX,XX @@ BlDxeEntryPoint ( ASSERT_EFI_ERROR (Status); } + // + // Sync Bootloader info for TPM + // + BlSupportSecurityPcdSync (); + return EFI_SUCCESS; } diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf 
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf @@ -XXX,XX +XXX,XX @@ # # Report some MMIO/IO resources to dxe core, extract smbios and acpi tables # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -XXX,XX +XXX,XX @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec UefiPayloadPkg/UefiPayloadPkg.dec [LibraryClasses] @@ -XXX,XX +XXX,XX @@ [Guids] gUefiAcpiBoardInfoGuid gEfiGraphicsInfoHobGuid + gUniversalPayloadSecureBootInfoGuid + gEfiTpmDeviceInstanceTpm20DtpmGuid + gEfiTpmDeviceInstanceTpm12Guid + gEfiTpmDeviceInstanceNoneGuid [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution @@ -XXX,XX +XXX,XX @@ gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize - + ## SOMETIMES_CONSUMES + ## SOMETIMES_PRODUCES + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid [Depex] TRUE diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dec 
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec @@ -XXX,XX +XXX,XX @@ # # Provides drivers and definitions to create uefi payload for bootloaders. # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -XXX,XX +XXX,XX @@ gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } } gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } } gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } } + gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } } + [Ppis] gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER) gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER) + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} ################################################################################ # -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101579): https://edk2.groups.io/g/devel/message/101579 Mute This Topic: https://groups.io/mt/97777995/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
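Review bot: In `BlSupportSecurityPcdSync` (BlSupportDxe.c), `PcdTpmInstanceGuid` is only written inside `if (SecurebootInfoHob->MeasuredBootEnabled)`, so when the bootloader reports measured boot disabled, or when the HOB is absent and the function returns `EFI_UNSUPPORTED`, the PCD keeps the static default set in the UefiPayloadPkg.dsc hunk of this patch rather than `gEfiTpmDeviceInstanceNoneGuid`, and the TCG drivers will still try to drive a TPM. Either select `gEfiTpmDeviceInstanceNoneGuid` in the disabled case too, or document that the dsc default is the intended fallback. Likewise `PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks)` runs unconditionally, so a HOB with `TpmType == NO_TPM` and zero active banks sets the hash mask to 0; move it under the measured-boot check.

Review bot: `BlDxeEntryPoint` ignores the return value of `BlSupportSecurityPcdSync ()`, while the function logs a missing HOB at `DEBUG_ERROR`; pick one: if a bootloader without this HOB is a supported configuration, log at `DEBUG_INFO` and return `EFI_SUCCESS`, otherwise propagate the error. `#include <Include/UniversalPayload/SecureBootInfoGuid.h>` should be `<UniversalPayload/SecureBootInfoGuid.h>`, matching `#include <UniversalPayload/UniversalPayload.h>` in the header itself and the package include-path convention. Also confirm that the section the dsc hunk adds `PcdFirmwareDebuggerInitialized` and `PcdTpmInstanceGuid` to is a dynamic one: `PcdSet32S`, `PcdSetBoolS` and `PcdSetPtrS` need `PcdsDynamicDefault`/`PcdsDynamicExDefault` entries, and the hunk context (`PcdRtcIndexRegister`) does not show which section this is.

Review bot: The BlSupportDxe.inf hunk keeps `[Depex] TRUE`, so nothing orders this module ahead of the TCG drivers that consume `PcdTpmInstanceGuid` and `PcdTpm2HashMask`; if Tcg2Dxe is dispatched first it reads the static defaults and the HOB values are ignored. The series should say how that ordering is guaranteed (for example a GUID or protocol installed here that the consumers depend on). The `## SOMETIMES_CONSUMES` / `## SOMETIMES_PRODUCES` comments also replaced the blank line before the PCD list and now sit above it rather than beside the entries they describe.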
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Bootloader supports multiple payloads and TPM2 ACPI tables are updated at the bootloader phase. When UEFI is used as payload these will be duplicates. The tables are to be uninstalled before updating the TCG2ACPI tables to avoid duplicates.

Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c   | 251 ++++++++++++++++++++++++++
 SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf |   3 +
 2 files changed, 254 insertions(+)

diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
index XXXXXXX..XXXXXXX 100644
--- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c
+++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.c @@ -XXX,XX +XXX,XX @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/Tpm2CommandLib.h> #include <Library/UefiLib.h> #include <Library/MmUnblockMemoryLib.h> +#include <IndustryStandard/Acpi.h> +#include <Protocol/AcpiSystemDescriptionTable.h> // // Physical Presence Interface Version supported by Platform @@ -XXX,XX +XXX,XX @@ PublishTpm2 ( return Status; } +/** + Uninstall TPM2 SSDT ACPI table + + This performs uninstallation of TPM2 SSDT tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfully if found. + @retval Others Operation error. + +**/ +EFI_STATUS +UnInstallTpm2SSDTAcpiTables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + CHAR8 TableIdString[8]; + UINT64 TableIdSignature; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status = EFI_SUCCESS; + TableIndex = 0; + TableKey = 0; + TableHeader = NULL; + mAcpiTableProtocol = NULL; + mAcpiSdtProtocol = NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table Protocol \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. 
+ // + Status = gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protocol, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status = mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == SIGNATURE_32 ('S', 'S', 'D', 'T')) { + CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER *)TableHeader)->OemTableId, sizeof (TableIdString)); + + TableIdSignature = SIGNATURE_64 ( + TableIdString[0], + TableIdString[1], + TableIdString[2], + TableIdString[3], + TableIdString[4], + TableIdString[5], + TableIdString[6], + TableIdString[7] + ); + + if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l')) { + DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical Presence\n")); + break; + } + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 SSDT is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. + // + Status = mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + +/** + Uninstall TPM2 table + + This performs uninstallation of TPM2 tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if its found. + @retval Others Operation error. 
+ +**/ +EFI_STATUS +UnInstallTpm2Tables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status = EFI_SUCCESS; + TableIndex = 0; + TableKey = 0; + TableHeader = NULL; + mAcpiTableProtocol = NULL; + mAcpiSdtProtocol = NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status = mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) { + DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n")); + break; + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 table is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. 
+ // + Status = mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + /** The driver's entry point. @@ -XXX,XX +XXX,XX @@ InitializeTcgAcpi ( return EFI_UNSUPPORTED; } + // + // Bootloader might pulish the TPM2 ACPT tables + // Uninstall TPM tables if it exists + // + Status = UnInstallTpm2SSDTAcpiTables (); + ASSERT_EFI_ERROR (Status); + + Status = UnInstallTpm2Tables (); + ASSERT_EFI_ERROR (Status); + Status = PublishAcpiTable (); ASSERT_EFI_ERROR (Status); diff --git a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf index XXXXXXX..XXXXXXX 100644 --- a/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf +++ b/SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf @@ -XXX,XX +XXX,XX @@ gEfiTpmDeviceInstanceTpm20DtpmGuid ## PRODUCES ## GUID # TPM device identifier gTpmNvsMmGuid ## CONSUMES gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES + gEfiAcpiTableGuid [Protocols] gEfiAcpiTableProtocolGuid ## CONSUMES gEfiMmCommunicationProtocolGuid ## CONSUMES + gEfiAcpiSdtProtocolGuid ## CONSUMES + [FixedPcd] gEfiSecurityPkgTokenSpaceGuid.PcdSmiCommandIoPort ## CONSUMES -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101580): https://edk2.groups.io/g/devel/message/101580 Mute This Topic: https://groups.io/mt/97777996/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
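Review bot: `UnInstallTpm2SSDTAcpiTables ( )` and `UnInstallTpm2Tables ( )` in Tcg2Acpi.c are declared with an empty parameter list; edk2 style requires `VOID`, and both should be `STATIC` since they are only called from `InitializeTcgAcpi`. The locals `mAcpiSdtProtocol` and `mAcpiTableProtocol` use the module-global `m` prefix for automatic variables. The two functions are identical apart from the match condition, so one helper taking the table signature and an optional OemTableId would replace most of the 251 added lines.

Review bot: Both scan loops `break` on the first match, so if the bootloader published more than one TPM2 table or "Tpm2Tabl" SSDT (the commit message mentions multiple payloads) only the first is uninstalled and the duplicate the patch sets out to avoid remains; keep scanning after each `UninstallAcpiTable`. `ASSERT_EFI_ERROR (Status)` immediately followed by `if (EFI_ERROR (Status))` is redundant: the assert halts DEBUG builds before the logging branch, which is then only reachable in RELEASE builds.

Review bot: This changes the generic SecurityPkg Tcg2Acpi driver for every platform, not just the payload; silently removing a pre-existing TPM2 table or SSDT can surprise platforms that publish them on purpose. Gate the uninstall behind a PCD or keep it in a payload-specific driver (the later cover letter in this thread lists a `UefiPayloadPkg/TcgSupportDxe`) so SecurityPkg behaviour is unchanged. In Tcg2Acpi.inf, `gEfiAcpiTableGuid` is added to `[Guids]` but nothing in the .c hunk references it, and the comment "Bootloader might pulish the TPM2 ACPT tables" should read "publish" and "ACPI".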
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Add the required modules for secure boot in UefiPayloadPkg. SECURE_BOOT_ENABLE flag added to control the secure boot feature. Requires SMM_SUPPORT and flash to be SPI for the secure boot to function.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 37 ++++++++++++++++++++++++++++---
 UefiPayloadPkg/UefiPayloadPkg.fdf |  4 ++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index XXXXXXX..XXXXXXX 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ DEFINE BOOTSPLASH_IMAGE = FALSE DEFINE NVME_ENABLE = TRUE + DEFINE SECURE_BOOT_ENABLE = FALSE + # # NULL: NullMemoryTestDxe # GENERIC: GenericMemoryTestDxe @@ -XXX,XX +XXX,XX @@ DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf +!if $(SECURE_BOOT_ENABLE) + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif !if $(VARIABLE_SUPPORT) == "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf !elseif $(VARIABLE_SUPPORT) == "SPI" @@ -XXX,XX +XXX,XX @@ !if $(PERFORMANCE_MEASUREMENT_ENABLE) PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf !endif +!if $(VARIABLE_SUPPORT) == "SPI" + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -XXX,XX +XXX,XX @@ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif +!if $(SECURE_BOOT_ENABLE) + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + 
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif [PcdsPatchableInModule.X64] !if $(NETWORK_DRIVER_ENABLE) == TRUE @@ -XXX,XX +XXX,XX @@ # # Components that produce the architectural protocols # -!if $(SECURITY_STUB_ENABLE) == TRUE - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf -!endif + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) @@ -XXX,XX +XXX,XX @@ MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf !if $(DISABLE_RESET_SYSTEM) == FALSE MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf +!endif + # + # Components that produce the architectural protocols + # +!if $(SECURITY_STUB_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } !endif PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf !if $(EMU_VARIABLE_ENABLE) == TRUE @@ -XXX,XX +XXX,XX @@ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif +!if $(SECURE_BOOT_ENABLE) + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Misc # diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf 
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -XXX,XX +XXX,XX @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC" -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101581): https://edk2.groups.io/g/devel/message/101581 Mute This Topic: https://groups.io/mt/97777997/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
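Review bot: The commit message says secure boot "Requires SMM_SUPPORT and flash to be SPI", but the UefiPayloadPkg.dsc hunks do not enforce it: with `SECURE_BOOT_ENABLE` set and `VARIABLE_SUPPORT` left at "EMU" the real `AuthVariableLib` is selected while PK/KEK/db live in emulated, unprotected variable storage. Add an `!error` guard when `SECURE_BOOT_ENABLE` is TRUE without `SMM_SUPPORT == TRUE` and `VARIABLE_SUPPORT == "SPI"`. The conditions are also spelled inconsistently, `!if $(SECURE_BOOT_ENABLE)` in the .dsc versus `!if $(SECURE_BOOT_ENABLE) == TRUE` in the .fdf.

Review bot: Moving the `SecurityStubDxe` block below `ResetSystemRuntimeDxe` leaves the original "Components that produce the architectural protocols" heading above `CpuDxe` and adds a second copy of the same heading at the new location; keep one. More importantly, `PlatformSecureLib` remains mapped to `PlatformSecureLibNull`, whose `UserPhysicalPresent` always returns TRUE, so `SecureBootConfigDxe` will let PK/KEK/db be changed or cleared from setup with no physical-presence check; a platform shipping with `SECURE_BOOT_ENABLE` needs a real `PlatformSecureLib` instance, and this should be stated in the commit message or next to the mapping.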
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Update the packages to support TPM and measured boot in UEFI payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--
 UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
 2 files changed, 109 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index XXXXXXX..XXXXXXX 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ DEFINE NVME_ENABLE = TRUE DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE MEASURED_BOOT_ENABLE = FALSE # # NULL: NullMemoryTestDxe @@ -XXX,XX +XXX,XX @@ !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif -!if $(VARIABLE_SUPPORT) == "EMU" - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf -!elseif $(VARIABLE_SUPPORT) == "SPI" - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + # + # TPM + # +!if $(MEASURED_BOOT_ENABLE) == TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +!else + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +!endif +!if $(VARIABLE_SUPPORT) == "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf +!endif +!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI" MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf @@ -XXX,XX +XXX,XX @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf 
!endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf +!endif + ################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform. @@ -XXX,XX +XXX,XX @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if $(MEASURED_BOOT_ENABLE) == TRUE + + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256) + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016 +!endif + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. @@ -XXX,XX +XXX,XX @@ <LibraryClasses> !if $(SECURE_BOOT_ENABLE) NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif } !endif @@ -XXX,XX +XXX,XX @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + <LibraryClasses> + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf + } + + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf { + <LibraryClasses> + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + } + +!if $(SMM_SUPPORT) == TRUE + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf { + <LibraryClasses> + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf + + } +!endif + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf { + <LibraryClasses> + 
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + } +!if $(SMM_SUPPORT) == TRUE + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf { + <LibraryClasses> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + } +!endif + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + <LibraryClasses> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + <LibraryClasses> + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + } + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + <LibraryClasses> + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + } +!endif #MEASURED_BOOT_ENABLE + # # Misc # diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf 
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -XXX,XX +XXX,XX @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC" @@ -XXX,XX +XXX,XX @@ INF ShellPkg/Application/Shell/Shell.inf UI STRING="Enter Setup" VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) } + +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE] + FILE DRIVER = $(NAMED_GUID) { + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi + RAW ACPI Optional |.acpi + RAW ASL Optional |.aml + UI STRING="$(MODULE_NAME)" Optional + VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) + } -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101582): https://edk2.groups.io/g/devel/message/101582 Mute This Topic: https://groups.io/mt/97777998/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
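Review bot: `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf` appears twice in a row with identical `<LibraryClasses>` blocks in the UefiPayloadPkg.dsc components hunk; drop the duplicate.

Review bot: `PcdTpm2HashMask|0x000000016` and `PcdTcg2HashAlgorithmBitmap|0x000000016`: 0x16 is BIT1|BIT2|BIT4, i.e. SHA256, SHA384 and SM3_256 per the comment above it, yet `Tcg2Dxe` links `HashInstanceLibSha1` (masked out) and no `HashInstanceLibSha512` (BIT3 in the comment); say which set is intended and write the constant as `0x16`, since nine hex digits read like a typo. Note also that `BlSupportDxe` from the earlier patch overwrites `PcdTpm2HashMask` at runtime with the bootloader's active banks, so this value only applies when no HOB is found; a comment saying so would help the next reader.

Review bot: `Tcg2Dxe` and `Tcg2ConfigDxe` consume `PcdTpmInstanceGuid` and `PcdTpm2HashMask`, which `BlSupportDxe` (Depex `TRUE`) sets at runtime, and neither the .dsc nor the .fdf hunk orders `BlSupportDxe` before them. Separately, `TcgDxe`, `TcgSmm` and `TcgConfigDxe` add TPM 1.2 (SHA-1 only) support; the commit message should say whether TPM 1.2 platforms are a target for the payload, since otherwise this is unused code with its own attack surface.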
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Define the build flags for secure boot and measured boot for CI builds Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml +++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml @@ -XXX,XX +XXX,XX @@ "BLD_*_EMU_VARIABLE_ENABLE": "FALSE", "BLD_*_DISABLE_RESET_SYSTEM": "TRUE", "BLD_*_SERIAL_DRIVER_ENABLE": "FALSE", + "BLD_*_SMM_SUPPORT": "TRUE", + "BLD_*_SECURE_BOOT_ENABLE": "TRUE", + "BLD_*_MEASURED_BOOT_ENABLE": "TRUE", + "BLD_*_VARIABLE_SUPPORT": "SPI", } } -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101583): https://edk2.groups.io/g/devel/message/101583 Mute This Topic: https://groups.io/mt/97777999/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
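Review bot: the commit message names only the secure boot and measured boot flags, yet the hunk also flips BLD_*_SMM_SUPPORT to TRUE and BLD_*_VARIABLE_SUPPORT to SPI for the CI build; say why those two are required (presumably the measured-boot configuration depends on the SMM and SPI-variable paths) or split them into their own change so the CI configuration change matches its description.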
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Support added in universal payload to enable secure boot and measured boot Hob structure header for universal payload for secure boot and measured boot information from bootloaders as per the universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html TCG2ACPI: uninstall TPM2 ACPI if updated from Bootloaders and create new ACPI tables. Secure boot configuration and flags are added to UefiPayloadPkg Measured boot and TPM configurations are added for UefiPayloadPkg edk2 pull request: https://github.com/tianocore/edk2/pull/3872 Subash Lakkimsetti (6): MdeModulePkg: universal payload HOB for secure boot info UefiPayloadPkg: Add secureboot information HOBs UefiPayloadPkg: Uninstall the TPM2 ACPI if present UefiPayloadPkg: Add secure boot configurations Uefipayloadpkg Enable TPM measured boot UefiPayloadPkg: Add secure boot definitions to ci build .../UniversalPayload/SecureBootInfoGuid.h | 37 +++ UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 ++++- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +- UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c | 282 ++++++++++++++++++ UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h | 28 ++ .../TcgSupportDxe/TcgSupportDxe.inf | 54 ++++ UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 2 + UefiPayloadPkg/UefiPayloadPkg.dec | 4 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 148 ++++++++- UefiPayloadPkg/UefiPayloadPkg.fdf | 74 +++++ UefiPayloadPkg/UniversalPayloadBuild.py | 1 + 11 files changed, 709 insertions(+), 11 deletions(-) create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#104990): https://edk2.groups.io/g/devel/message/104990 Mute This Topic: https://groups.io/mt/98982068/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Add the hob structure header for universal payload for secure boot and measured boot information from bootloaders. Universal payload spec defined at https://universalscalablefirmware.github.io/documentation/2_universal_payload.html Cc: Zhiguang Liu <zhiguang.liu@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- .../UniversalPayload/SecureBootInfoGuid.h | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h diff --git a/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null 
+++ b/MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h @@ -XXX,XX +XXX,XX @@ +/** @file + This file defines the hob structure for the Secure boot information. + + Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SECUREBOOT_INFO_GUID_H_ +#define SECUREBOOT_INFO_GUID_H_ + +#include <UniversalPayload/UniversalPayload.h> + +/** + Secure Boot info Hob GUID +**/ +extern EFI_GUID gUniversalPayloadSecureBootInfoGuid; + +#define PAYLOAD_SECUREBOOT_INFO_HOB_REVISION 0x1 + +#define NO_TPM 0x0 +#define TPM_TYPE_12 0x1 +#define TPM_TYPE_20 0x2 + +#pragma pack(1) +typedef struct { + UNIVERSAL_PAYLOAD_GENERIC_HEADER Header; + UINT8 VerifiedBootEnabled; + UINT8 MeasuredBootEnabled; + UINT8 FirmwareDebuggerInitialized; + UINT8 TpmType; + UINT8 Reserved[3]; + UINT32 TpmPcrActivePcrBanks; +} UNIVERSAL_SECURE_BOOT_INFO; +#pragma pack() + +#endif // SECUREBOOT_INFO_GUID_H_ -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104991): https://edk2.groups.io/g/devel/message/104991 Mute This Topic: https://groups.io/mt/98982069/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
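Review bot: in the packed UNIVERSAL_SECURE_BOOT_INFO layout, `UINT8 Reserved[3]` after the four UINT8 flags places `UINT32 TpmPcrActivePcrBanks` at byte offset 11 (4-byte generic header + 4 flags + 3 reserved), so the only 32-bit field is unaligned and the structure is 15 bytes long; a 4-byte reserved field would keep it naturally aligned, but whatever layout the universal payload spec fixes must be matched byte for byte, so cite the spec revision in the header comment rather than leaving the reader to check. The TpmType values (NO_TPM, TPM_TYPE_12, TPM_TYPE_20) and the bit encoding of TpmPcrActivePcrBanks also deserve a one-line comment each, since the payload copies that mask straight into PcdTpm2HashMask and a bootloader that uses a different bit assignment would silently select the wrong PCR banks.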
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> This patch adds the HOB for secure and measured boot information. This is populated in the bootloader phase, and UefiPayloadPkg uses this info to sync the TPM info PCDs. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++- UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++- UefiPayloadPkg/UefiPayloadPkg.dec | 4 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 + 4 files changed, 92 insertions(+), 4 deletions(-) diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c 
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c @@ -XXX,XX +XXX,XX @@ This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi tables from bootloader. - Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "BlSupportDxe.h" +#include <Library/DebugLib.h> +#include <Library/PcdLib.h> +#include <Include/UniversalPayload/SecureBootInfoGuid.h> /** Reserve MMIO/IO resource in GCD @@ -XXX,XX +XXX,XX @@ ReserveResourceInGcd ( return Status; } +/** +Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader. +**/ +EFI_STATUS +BlSupportSecurityPcdSync ( + VOID + ) +{ + EFI_STATUS Status; + EFI_HOB_GUID_TYPE *GuidHob; + UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob; + UINTN Size; + + GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid); + if (GuidHob == NULL) { + DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n")); + return EFI_UNSUPPORTED; + } + + SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob); + + // Sync the Hash mask for TPM 2.0 as per active PCR banks. + // Make sure that the current PCR allocations, the TPM supported PCRs, + // and the PcdTpm2HashMask are all in agreement. 
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks)); + + // Set the Firmware debugger PCD + Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized); + ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized)); + + // Set the TPM Type instance GUID + if (SecurebootInfoHob->MeasuredBootEnabled) { + if (SecurebootInfoHob->TpmType == TPM_TYPE_20) { + DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__)); + Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm20DtpmGuid + ); + } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) { + DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__)); + Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm12Guid + ); + } else { + DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__)); + Size = sizeof (gEfiTpmDeviceInstanceNoneGuid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceNoneGuid + ); + } + + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** Main entry for the bootloader support DXE module. @@ -XXX,XX +XXX,XX @@ BlDxeEntryPoint ( ASSERT_EFI_ERROR (Status); } + // + // Sync Bootloader info for TPM + // + BlSupportSecurityPcdSync (); + return EFI_SUCCESS; } diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf 
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf @@ -XXX,XX +XXX,XX @@ # # Report some MMIO/IO resources to dxe core, extract smbios and acpi tables # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -XXX,XX +XXX,XX @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec UefiPayloadPkg/UefiPayloadPkg.dec [LibraryClasses] @@ -XXX,XX +XXX,XX @@ [Guids] gUefiAcpiBoardInfoGuid gEfiGraphicsInfoHobGuid + gUniversalPayloadSecureBootInfoGuid + gEfiTpmDeviceInstanceTpm20DtpmGuid + gEfiTpmDeviceInstanceTpm12Guid + gEfiTpmDeviceInstanceNoneGuid [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution @@ -XXX,XX +XXX,XX @@ gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize - + ## SOMETIMES_CONSUMES + ## SOMETIMES_PRODUCES + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid [Depex] TRUE diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dec 
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec @@ -XXX,XX +XXX,XX @@ # # Provides drivers and definitions to create uefi payload for bootloaders. # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -XXX,XX +XXX,XX @@ gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } } gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } } gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } } + gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } } + [Ppis] gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER) gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER) + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} ################################################################################ # -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104992): https://edk2.groups.io/g/devel/message/104992 Mute This Topic: https://groups.io/mt/98982073/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
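Review bot: in the BlSupportDxe.c include hunk, `#include <Include/UniversalPayload/SecureBootInfoGuid.h>` spells out the package Include directory; the header itself pulls in `<UniversalPayload/UniversalPayload.h>` through MdeModulePkg's include path, so the consistent form is `#include <UniversalPayload/SecureBootInfoGuid.h>`.

Review bot: BlSupportSecurityPcdSync writes PcdTpm2HashMask and PcdFirmwareDebuggerInitialized from the HOB before it looks at MeasuredBootEnabled, so a HOB that reports measured boot off or TpmType == NO_TPM still overwrites the hash mask with whatever TpmPcrActivePcrBanks holds (possibly zero); move the hash-mask write under the MeasuredBootEnabled branch, or skip it when TpmType is NO_TPM. The missing-HOB path logs at DEBUG_ERROR and returns EFI_UNSUPPORTED while the entry-point hunk discards the return value with a bare `BlSupportSecurityPcdSync ();`: if the HOB is optional for bootloaders that do not produce it, DEBUG_INFO is the right level; if it is mandatory, the caller should act on the status.

Review bot: in the BlSupportDxe.inf [Pcd] hunk the `## SOMETIMES_CONSUMES` and `## SOMETIMES_PRODUCES` lines stand alone above the three new PCDs, where the usage annotation belongs on each PCD's own line (`gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## SOMETIMES_PRODUCES`); as placed they annotate nothing. The driver now calls GetFirstGuidHob and GET_GUID_HOB_DATA, so confirm HobLib is in [LibraryClasses].

Review bot: gUniversalPayloadSecureBootInfoGuid is added to UefiPayloadPkg.dec, but its `extern EFI_GUID` lives in MdeModulePkg/Include/UniversalPayload/SecureBootInfoGuid.h; a consumer outside UefiPayloadPkg that includes the header, which is the reason for putting it under MdeModulePkg, cannot resolve the symbol, so declare the GUID in MdeModulePkg.dec next to the other UniversalPayload GUIDs. In the dsc hunk the PcdTpmInstanceGuid byte array appears to be gEfiTpmDeviceInstanceNoneGuid written out by hand; a trailing comment naming it would help, and since BlSupportDxe writes PcdTpmInstanceGuid, PcdFirmwareDebuggerInitialized and PcdTpm2HashMask with PcdSetPtrS/PcdSetBoolS/PcdSet32S, the section these defaults land in (the context shows only PcdRtcIndexRegister, not the section header) must be a dynamic PCD section, and PcdTpm2HashMask has no default in this patch at all.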
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> The bootloader supports multiple payloads, and the TPM2 ACPI tables are updated in the bootloader phase. When UEFI is used as the payload, these will be duplicates. The tables are to be uninstalled before updating the TCG2ACPI tables to avoid duplicates. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c | 282 ++++++++++++++++++ UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h | 28 ++ .../TcgSupportDxe/TcgSupportDxe.inf | 54 ++++ 3 files changed, 364 insertions(+) create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h create mode 100644 UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c index XXXXXXX..XXXXXXX 100644 --- /dev/null 
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.c @@ -XXX,XX +XXX,XX @@ +/** @file + This module will provide bootloader support TCG configurations. + + Copyright (c) 22023, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include "TcgSupportDxe.h" + +/** + Uninstall TPM2 SSDT ACPI table + + This performs uninstallation of TPM2 SSDT tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 ACPI table is uninstalled successfully if found. + @retval Others Operation error. + +**/ +EFI_STATUS +UnInstallTpm2SSDTAcpiTables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + CHAR8 TableIdString[8]; + UINT64 TableIdSignature; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status = EFI_SUCCESS; + TableIndex = 0; + TableKey = 0; + TableHeader = NULL; + mAcpiTableProtocol = NULL; + mAcpiSdtProtocol = NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Table Protocol \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. 
+ // + Status = gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2SSDTAcpiTables: Cannot locate the EFI ACPI Sdt Protocol, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status = mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == SIGNATURE_32 ('S', 'S', 'D', 'T')) { + CopyMem ((VOID *)TableIdString, (VOID *)((EFI_ACPI_SDT_HEADER *)TableHeader)->OemTableId, sizeof (TableIdString)); + + TableIdSignature = SIGNATURE_64 ( + TableIdString[0], + TableIdString[1], + TableIdString[2], + TableIdString[3], + TableIdString[4], + TableIdString[5], + TableIdString[6], + TableIdString[7] + ); + + if (TableIdSignature == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l')) { + DEBUG ((DEBUG_INFO, "Found Tpm2 SSDT Table for Physical Presence\n")); + break; + } + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 SSDT is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. + // + Status = mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2SSDTAcpiTables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + +/** + Uninstall TPM2 table + + This performs uninstallation of TPM2 tables published by + bootloaders. + + @retval EFI_SUCCESS The TPM2 table is uninstalled successfully if its found. + @retval Others Operation error. 
+ +**/ +EFI_STATUS +UnInstallTpm2Tables ( + ) +{ + UINTN TableIndex; + UINTN TableKey; + EFI_ACPI_TABLE_VERSION TableVersion; + VOID *TableHeader; + EFI_STATUS Status; + EFI_ACPI_SDT_PROTOCOL *mAcpiSdtProtocol; + EFI_ACPI_TABLE_PROTOCOL *mAcpiTableProtocol; + + // + // Determine whether there is a TPM2 SSDT already in the ACPI table. + // + Status = EFI_SUCCESS; + TableIndex = 0; + TableKey = 0; + TableHeader = NULL; + mAcpiTableProtocol = NULL; + mAcpiSdtProtocol = NULL; + + // + // Locate the EFI_ACPI_TABLE_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiTableProtocolGuid, + NULL, + (VOID **)&mAcpiTableProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Table Protocol \n " + )); + return Status; + } + + // + // Locate the EFI_ACPI_SDT_PROTOCOL. + // + Status = gBS->LocateProtocol ( + &gEfiAcpiSdtProtocolGuid, + NULL, + (VOID **)&mAcpiSdtProtocol + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_INFO, + "UnInstallTpm2Tables: Cannot locate the EFI ACPI Sdt Protocol, " + "\n" + )); + return Status; + } + + while (!EFI_ERROR (Status)) { + Status = mAcpiSdtProtocol->GetAcpiTable ( + TableIndex, + (EFI_ACPI_SDT_HEADER **)&TableHeader, + &TableVersion, + &TableKey + ); + + if (!EFI_ERROR (Status)) { + TableIndex++; + + if (((EFI_ACPI_SDT_HEADER *)TableHeader)->Signature == EFI_ACPI_5_0_TRUSTED_COMPUTING_PLATFORM_2_TABLE_SIGNATURE ) { + DEBUG ((DEBUG_INFO, "Found Tpm2 Table ..\n")); + break; + } + } + } + + if (!EFI_ERROR (Status)) { + // + // A TPM2 SSDT is already in the ACPI table. + // + DEBUG (( + DEBUG_INFO, + "A TPM2 table is already exist in the ACPI Table.\n" + )); + + // + // Uninstall the origin TPM2 SSDT from the ACPI table. 
+ // + Status = mAcpiTableProtocol->UninstallAcpiTable ( + mAcpiTableProtocol, + TableKey + ); + ASSERT_EFI_ERROR (Status); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "UnInstall Tpm2Tables failed \n ")); + + return Status; + } + } + + return EFI_SUCCESS; +} + +/** + The driver's entry point. + + It patches and installs ACPI tables used for handling TPM physical presence + and Memory Clear requests through ACPI method. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @retval Others Some error occurs when executing this entry point. + +**/ +EFI_STATUS +EFIAPI +TcgSupportEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + // + // Bootloader might pulish the TPM2 ACPT tables + // Uninstall TPM tables if it exists + // + Status = UnInstallTpm2SSDTAcpiTables (); + ASSERT_EFI_ERROR (Status); + + Status = UnInstallTpm2Tables (); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null 
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.h @@ -XXX,XX +XXX,XX @@ +/** @file + The header file of bootloader support TCG configurations. + +Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef DXE_BOOTLOADER_SUPPORT_H_ +#define DXE_BOOTLOADER_SUPPORT_H_ + +#include <PiDxe.h> + +#include <IndustryStandard/Tpm2Acpi.h> +#include <Protocol/AcpiTable.h> +#include <Library/BaseLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/DxeServicesLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/DebugLib.h> +#include <Library/PcdLib.h> +#include <Library/PrintLib.h> +#include <Library/UefiLib.h> +#include <Library/MmUnblockMemoryLib.h> +#include <IndustryStandard/Acpi.h> +#include <Protocol/AcpiSystemDescriptionTable.h> + +#endif diff --git a/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null 
+++ b/UefiPayloadPkg/TcgSupportDxe/TcgSupportDxe.inf @@ -XXX,XX +XXX,XX @@ +## @file +# Bootloader Support DXE Module +# +# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables +# +# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TcgSupportDxe + FILE_GUID = E0E7E6A4-DD57-11ED-B5EA-0242AC120002 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = TcgSupportEntryPoint + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 EBC +# + +[Sources] + TcgSupportDxe.c + TcgSupportDxe.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + UefiPayloadPkg/UefiPayloadPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + UefiBootServicesTableLib + DebugLib + BaseMemoryLib + UefiLib + IoLib + HobLib + +[Protocols] + gEfiAcpiTableProtocolGuid ## CONSUMES + gEfiMmCommunicationProtocolGuid ## CONSUMES + gEfiAcpiSdtProtocolGuid ## CONSUMES + +[Guids] + gEfiAcpiTableGuid + +[Depex] + gEfiAcpiTableProtocolGuid -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104993): https://edk2.groups.io/g/devel/message/104993 Mute This Topic: https://groups.io/mt/98982074/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
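Review bot: in TcgSupportDxe.c, UnInstallTpm2SSDTAcpiTables and UnInstallTpm2Tables are the same locate/iterate/uninstall routine differing only in the match test (SSDT with OemTableId 'Tpm2Tabl' versus the TPM2 table signature); fold them into one helper that takes the signature and an optional OEM table ID so the protocol lookups, loop and error handling exist once. Both helpers return the LocateProtocol failure and the entry point ASSERTs on it, yet gEfiAcpiSdtProtocolGuid is only produced when the ACPI table driver is built with PcdInstallAcpiSdtProtocol set, so on a payload without it the driver asserts in DEBUG builds; add the protocol to the depex and set the PCD, or treat a missing SDT protocol as a no-op. The SSDT match is keyed on the 'Tpm2Tabl' OEM table ID that edk2's own Tcg2Acpi emits; if the bootloader publishes its TPM2 SSDT under a different ID it is never removed, so either document that expectation or match on the table contents. Smaller points: the empty parameter lists should read `VOID`, the `m`-prefixed locals (mAcpiSdtProtocol, mAcpiTableProtocol) use the module-global prefix for stack variables, the copyright year reads 22023, the entry-point doc comment ("patches and installs ACPI tables used for handling TPM physical presence and Memory Clear") describes Tcg2Acpi rather than this driver, and "pulish"/"ACPT" are typos.

Review bot: in TcgSupportDxe.h the include guard DXE_BOOTLOADER_SUPPORT_H_ and most of the include list (PrintLib, UefiLib, PcdLib, DxeServicesLib, MmUnblockMemoryLib) look carried over from another module; the .c needs the ACPI table and SDT protocol headers, BaseMemoryLib, DebugLib and UefiBootServicesTableLib, so trim the rest and give the guard a name tied to this file (for example TCG_SUPPORT_DXE_H_).

Review bot: the TcgSupportDxe.inf file header ("Bootloader Support DXE Module / Report some MMIO/IO resources to dxe core, extract smbios and acpi tables") describes BlSupportDxe, not this driver; replace it with a line about uninstalling bootloader-published TPM2 ACPI tables. IoLib, HobLib, gEfiMmCommunicationProtocolGuid and gEfiAcpiTableGuid are declared but nothing in TcgSupportDxe.c uses them, so drop them, and [Depex] lists only gEfiAcpiTableProtocolGuid although the entry point asserts if gEfiAcpiSdtProtocolGuid cannot be located; add it to the depex.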
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Add the required modules for secure boot in UefiPayloadPkg. SECURE_BOOT_ENABLE flag added to control the secure boot feature. Security modules are added as a separate FV. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/UefiPayloadPkg.dsc | 50 ++++++++++++++++++++++++- UefiPayloadPkg/UefiPayloadPkg.fdf | 29 ++++++++++++++ UefiPayloadPkg/UniversalPayloadBuild.py | 1 + 3 files changed, 79 insertions(+), 1 deletion(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc 
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE + # + # Security + # + DEFINE SECURE_BOOT_ENABLE = FALSE + [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES !if $(USE_CBMEM_FOR_CONSOLE) == FALSE @@ -XXX,XX +XXX,XX @@ DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + !if $(VARIABLE_SUPPORT) == "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf !elseif $(VARIABLE_SUPPORT) == "SPI" @@ -XXX,XX +XXX,XX @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + 
################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform. @@ -XXX,XX +XXX,XX @@ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE + + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [PcdsPatchableInModule.X64] !if $(NETWORK_DRIVER_ENABLE) == TRUE gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE @@ -XXX,XX +XXX,XX @@ # Components that produce the architectural protocols # !if $(SECURITY_STUB_ENABLE) == TRUE - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf !endif + } +!endif + +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf 
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -XXX,XX +XXX,XX @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC" @@ -XXX,XX +XXX,XX @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf INF ShellPkg/Application/Shell/Shell.inf !endif +[FV.SECFV] +FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C +BlockSize = $(FD_BLOCK_SIZE) +FvForceRebase = FALSE +FvAlignment = 16 +ERASE_POLARITY = 1 +MEMORY_MAPPED = TRUE +STICKY_WRITE = TRUE +LOCK_CAP = TRUE +LOCK_STATUS = TRUE +WRITE_DISABLED_CAP = TRUE +WRITE_ENABLED_CAP = TRUE +WRITE_STATUS = TRUE +WRITE_LOCK_CAP = TRUE +WRITE_LOCK_STATUS = TRUE +READ_DISABLED_CAP = TRUE +READ_ENABLED_CAP = TRUE +READ_STATUS = TRUE +READ_LOCK_CAP = TRUE +READ_LOCK_STATUS = TRUE + +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + ################################################################################ # diff --git a/UefiPayloadPkg/UniversalPayloadBuild.py b/UefiPayloadPkg/UniversalPayloadBuild.py index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UniversalPayloadBuild.py 
+++ b/UefiPayloadPkg/UniversalPayloadBuild.py @@ -XXX,XX +XXX,XX @@ def BuildUniversalPayload(Args): ['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ], ['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ], ['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv")) ], + ['security_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ], ] AddSectionName = '.upld_info' ReplaceFv (EntryOutputDir, UpldInfoFile, AddSectionName, Alignment = 4) -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#104995): https://edk2.groups.io/g/devel/message/104995 Mute This Topic: https://groups.io/mt/98982076/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
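Review bot: the dsc library hunk binds PlatformSecureLib to PlatformSecureLibNull and the PCD hunk sets PcdUserPhysicalPresence to TRUE; PlatformSecureLibNull's UserPhysicalPresent() always reports the user as present, so with this pair the Secure Boot Config UI can enroll or clear PK, KEK and db on every boot without an authenticated variable write. That may be the only workable default for a payload that cannot know the platform's presence mechanism, but the commit message should say so, and the `!if $(SECURE_BOOT_ENABLE) == TRUE` block is the place for a comment telling integrators to substitute a real PlatformSecureLib instance for production images.

Review bot: SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf is added to the fdf twice under the same `!if $(SECURE_BOOT_ENABLE) == TRUE` guard, once in the existing DXE FV (first fdf hunk, just above CpuIo2Dxe) and again as the only entry of the new [FV.SECFV]; since the commit message says security modules move to a separate FV, drop the DXE FV copy so the same driver is not built into two firmware volumes. The security_fv entry added to UniversalPayloadBuild.py is unconditional, so SECFV.Fv is packed even when secure boot is off and the FV is empty; that mirrors network_fv, but a comment saying so would help.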
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Update the packages to support TPM and measured boot in uefi payload. Measured boot can be controlled using flag MEASURED_BOOT_ENABLE. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/UefiPayloadPkg.dsc | 96 +++++++++++++++++++++++++++++-- UefiPayloadPkg/UefiPayloadPkg.fdf | 53 +++++++++++++++-- 2 files changed, 139 insertions(+), 10 deletions(-) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc 
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -XXX,XX +XXX,XX @@ # Security # DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE MEASURED_BOOT_ENABLE = FALSE [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES @@ -XXX,XX +XXX,XX @@ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !endif -!if $(VARIABLE_SUPPORT) == "EMU" - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf -!elseif $(VARIABLE_SUPPORT) == "SPI" - PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +!if $(VARIABLE_SUPPORT) == "SPI" S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf - MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif + +!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI" + MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf +!endif + + # + # TPM + # +!if $(MEASURED_BOOT_ENABLE) == TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf +!else + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +!endif + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf 
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf @@ -XXX,XX +XXX,XX @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE && $(SMM_SUPPORT) == TRUE + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf +!endif + + [LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] !if $(SECURE_BOOT_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -XXX,XX +XXX,XX @@ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if $(MEASURED_BOOT_ENABLE) == TRUE + + # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - SHA384, BIT3 - SHA512, BIT4 - SM3_256) + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016 +!endif + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. 
@@ -XXX,XX +XXX,XX @@ <LibraryClasses> !if $(SECURE_BOOT_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!if $(MEASURED_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf + !endif !endif } !endif @@ -XXX,XX +XXX,XX @@ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + <LibraryClasses> + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf + } + + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf { + <LibraryClasses> + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + } + +!if $(SMM_SUPPORT) == TRUE + SecurityPkg/Tcg/TcgSmm/TcgSmm.inf { + <LibraryClasses> + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf + + } +!endif + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf { + <LibraryClasses> + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + } +!if $(SMM_SUPPORT) == TRUE + SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf { + <LibraryClasses> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + } +!endif + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + <LibraryClasses> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + 
NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + <LibraryClasses> + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + } + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + <LibraryClasses> + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + } +!endif #MEASURED_BOOT_ENABLE + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf 
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -XXX,XX +XXX,XX @@ FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 { SECTION FV_IMAGE = DXEFV } + !if $(NETWORK_DRIVER_ENABLE) == TRUE ################################################################################ [FV.NETWORKFV] @@ -XXX,XX +XXX,XX @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif -!if $(SECURE_BOOT_ENABLE) == TRUE - INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf -!endif - INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC" @@ -XXX,XX +XXX,XX @@ INF MdeModulePkg/Universal/Acpi/AcpiPlatformDxe/AcpiPlatformDxe.inf INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf !endif + !if $(UNIVERSAL_PAYLOAD) == FALSE INF MdeModulePkg/Universal/BdsDxe/BdsDxe.inf # @@ -XXX,XX +XXX,XX @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf INF ShellPkg/Application/Shell/Shell.inf !endif +!if $(UNIVERSAL_PAYLOAD) == FALSE + +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + +!if $(MEASURED_BOOT_ENABLE) == TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE + +!endif + [FV.SECFV] FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C BlockSize = $(FD_BLOCK_SIZE) @@ -XXX,XX +XXX,XX @@ READ_LOCK_STATUS = TRUE INF 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif +!if $(MEASURED_BOOT_ENABLE) == TRUE + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/TcgSmm/TcgSmm.inf +!endif + INF SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!if $(SMM_SUPPORT) == TRUE + INF SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf +!endif + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +!endif #MEASURED_BOOT_ENABLE ################################################################################ # @@ -XXX,XX +XXX,XX @@ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.in UI STRING="Enter Setup" VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) } + +[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE] + FILE DRIVER = $(NAMED_GUID) { + DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex + PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi + RAW ACPI Optional |.acpi + RAW ASL Optional |.aml + UI STRING="$(MODULE_NAME)" Optional + VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) + } -- 2.39.1.windows.1
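Review bot: `DEFINE MEASURED_BOOT_ENABLE = FALSE` in the first dsc hunk is added under the `# Security` header with no description of what it switches on. Since the flag now pulls in the TCG DXE/SMM drivers, Tcg2Acpi and the measure-boot libraries further down in this patch, a one-line comment next to the define (and a matching sentence in the package README, if there is one) would save readers of the dsc from having to grep for every `!if $(MEASURED_BOOT_ENABLE)`.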
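Review bot: The LibraryClasses hunk that replaces the `!if $(VARIABLE_SUPPORT) == "EMU"` / `"SPI"` block removes `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` for the SPI case without adding a replacement anywhere in the hunk. The SecurityPkg AuthVariableLib that secure-boot builds link depends on PlatformSecureLib, so please confirm the class is still resolved elsewhere in the dsc for `VARIABLE_SUPPORT == "SPI"` builds, otherwise those builds fail with an unresolved library class. The new guard `!if $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || $(VARIABLE_SUPPORT) == "SPI"` around `MmUnblockMemoryLibNull` also deserves a short comment stating which consumer in each of the three cases needs it, since the previous version tied it to SPI only.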
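Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016` and `PcdTcg2HashAlgorithmBitmap|0x000000016` in the PCD hunk are written with nine hex digits; a UINT32 PCD is normally written as `0x00000016`, and the odd width reads like a typo for a different value, so please spell the intended value out. As written, 0x16 is BIT1 | BIT2 | BIT4, which per the comment above it selects SHA256, SHA384 and SM3_256 and leaves SHA1 out. That is a reasonable default, but then `HashInstanceLibSha1` linked into Tcg2Dxe in the Components hunk is never used and could be dropped, and the comment's `BIT0 - SHA1.` should use a comma like the other entries.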
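Review bot: In the Components hunk that adds `NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf` and `DxeTpmMeasureBootLib.inf`, the new `!if $(MEASURED_BOOT_ENABLE) == TRUE` sits inside the existing `!if $(SECURE_BOOT_ENABLE) == TRUE` block (between the `DxeImageVerificationLib.inf` line and the original `!endif`). A build with MEASURED_BOOT_ENABLE=TRUE and SECURE_BOOT_ENABLE=FALSE therefore gets the TCG drivers and the TPM2 ACPI table but no measure-boot library in the module whose `<LibraryClasses>` override is shown, so loaded images are never measured into the TPM even though the flag says measured boot is on. Either hoist the measured-boot `!if` to the same level as the secure-boot one or document in the define that measured boot requires secure boot. The `+ !endif` line also carries a leading space that the neighbouring `!endif` lines do not.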
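Review bot: `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf` is listed twice with an identical `TpmPlatformHierarchyLib` override in the second Components hunk; drop the second copy. The `TcgSmm.inf` block in the same hunk has a stray blank line before its closing brace. Separately, the TPM 1.2 modules (TcgDxe, TcgConfigDxe, TcgSmm) are added alongside the Tcg2 ones under the single MEASURED_BOOT_ENABLE define; if the payload is only expected to meet TPM 2.0 devices, a separate define for the 1.2 set, or leaving it out, would keep the amount of TPM 1.2-specific code carried in the image down.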
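Review bot: The measured-boot `INF` list (TcgDxe through Tcg2PlatformDxe, with its two `!if $(SMM_SUPPORT) == TRUE` sub-blocks) is duplicated verbatim across the two fdf hunks, once under the new `!if $(UNIVERSAL_PAYLOAD) == FALSE` block and once after the `SecureBootConfigDxe.inf !endif` context; both copies have to be kept in sync whenever a module is added or removed. Consider a single `!include`d fragment or one shared block. In the first of those hunks the new `INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf` lacks the two-space indentation the surrounding INF lines use, and the very first fdf hunk (after `SECTION FV_IMAGE = DXEFV }`) is a whitespace-only change that could be dropped from the patch. The `RuleOverride = DRIVER_ACPITABLE` on Tcg2Acpi.inf matches the new `[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]` rule at the end, so the `.acpi`/`.aml` sections are packed into the FFS file; that part looks right.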
From: Subash Lakkimsetti <subash.lakkimsetti@intel.com> Define the build flags for secure boot and measured boot for ci builds Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com> --- UefiPayloadPkg/UefiPayloadPkg.ci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml index XXXXXXX..XXXXXXX 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml +++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml @@ -XXX,XX +XXX,XX @@ "BLD_*_EMU_VARIABLE_ENABLE": "FALSE", "BLD_*_DISABLE_RESET_SYSTEM": "TRUE", "BLD_*_SERIAL_DRIVER_ENABLE": "FALSE", + "BLD_*_SECURE_BOOT_ENABLE": "TRUE", + "BLD_*_MEASURED_BOOT_ENABLE": "TRUE", } } -- 2.39.1.windows.1
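Review bot: Turning on both `BLD_*_SECURE_BOOT_ENABLE` and `BLD_*_MEASURED_BOOT_ENABLE` in the CI build is the right call for catching link errors in the new TCG component list, but it exercises only the combined configuration. Given that the dsc in the previous patch nests the measure-boot libraries inside the `SECURE_BOOT_ENABLE` block, the variant most likely to break is measured boot on with secure boot off; if the CI matrix allows a second configuration, add it, otherwise state in the commit message which combination is covered. The commit message could also say that these values affect CI builds only and that the dsc defaults (both defines remain FALSE there) are unchanged.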