.../PlatformSecureDefaultsLib.c | 952 --------------------- .../PlatformSecureDefaultsLib.inf | 69 -- .../Common/PlatformSettings/PlatformDxe/Platform.c | 17 +- .../PlatformSettings/PlatformDxe/PlatformDxe.inf | 3 +- .../PlatformSetupDxe/PlatformSetupDxe.c | 39 +- .../PlatformSetupDxe/PlatformSetupDxe.inf | 3 +- .../PlatformSettings/PlatformSetupDxe/Security.vfi | 37 +- .../PlatformSetupDxe/SetupInfoRecords.c | 89 +- .../PlatformSetupDxe/VfrStrings.uni | Bin 315770 -> 311660 bytes .../BroxtonPlatformPkg/PlatformDsc/Components.dsc | 18 +- .../PlatformDsc/LibraryClasses.dsc | 2 - Platform/BroxtonPlatformPkg/PlatformPkg.fdf | 11 +- 12 files changed, 69 insertions(+), 1171 deletions(-) delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: lushifex <shifeix.a.lu@intel.com>
---
.../PlatformSecureDefaultsLib.c | 952 ---------------------
.../PlatformSecureDefaultsLib.inf | 69 --
.../Common/PlatformSettings/PlatformDxe/Platform.c | 17 +-
.../PlatformSettings/PlatformDxe/PlatformDxe.inf | 3 +-
.../PlatformSetupDxe/PlatformSetupDxe.c | 39 +-
.../PlatformSetupDxe/PlatformSetupDxe.inf | 3 +-
.../PlatformSettings/PlatformSetupDxe/Security.vfi | 37 +-
.../PlatformSetupDxe/SetupInfoRecords.c | 89 +-
.../PlatformSetupDxe/VfrStrings.uni | Bin 315770 -> 311660 bytes
.../BroxtonPlatformPkg/PlatformDsc/Components.dsc | 18 +-
.../PlatformDsc/LibraryClasses.dsc | 2 -
Platform/BroxtonPlatformPkg/PlatformPkg.fdf | 11 +-
12 files changed, 69 insertions(+), 1171 deletions(-)
delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
deleted file mode 100644
index 2cdd01d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
+++ /dev/null
@@ -1,952 +0,0 @@
-/** @file
- IPC based PlatformFvbLib library instance.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- This program and the accompanying materials
- are licensed and made available under the terms and conditions of the BSD License
- which accompanies this distribution. The full text of the license may be found at
- http://opensource.org/licenses/bsd-license.php.
-
- THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
- WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Library/PlatformSecureDefaultsLib.h"
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/SetupVariable.h>
-
-EFI_GUID mUefiImageSecurityDBGuid = EFI_IMAGE_SECURITY_DATABASE_GUID;
-EFI_GUID mUefiCertTypeRsa2048Guid = EFI_CERT_RSA2048_GUID;
-
-#define WIN_CERT_UEFI_RSA2048_SIZE 256
-#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable"
-
-extern EFI_GUID mUefiCertTypeRsa2048Guid;
-extern EFI_GUID gEfiSecureBootEnableDisableGuid;
-
-EFI_GUID gOwnerSignatureGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};
-static EFI_GUID gDbxUpdateImageGuid = {0xa3d48bb3, 0x350f, 0x4bcd, 0xa4, 0xad, 0x44, 0x5b, 0x93, 0x9f, 0x6d, 0x9c };
-
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-
-/**
- Generate the PK signature list from the X509 Certificate storing file (.cer)
-
- @param[in] X509Data FileHandle of X509 Certificate storing file.
- @param[in] X509DataSize The size of fileHandle of X509 Certificate storing file.
- @param[out] PkCert Point to the data buffer to store the signature list.
-
- @retval EFI_UNSUPPORTED Unsupported Key Length.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.
-
-**/
-EFI_STATUS
-CreatePkX509SignatureList (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize,
- OUT EFI_SIGNATURE_LIST **PkCert
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *PkCertData;
-
- PkCertData = NULL;
- Status = EFI_SUCCESS;
- ASSERT (X509Data != NULL);
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- *PkCert = (EFI_SIGNATURE_LIST *) AllocateZeroPool (
- sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (*PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- (*PkCert)->SignatureListSize = (UINT32) (sizeof (EFI_SIGNATURE_LIST)
- + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- (*PkCert)->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- (*PkCert)->SignatureHeaderSize = 0;
- CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA *) ((UINTN) (*PkCert)
- + sizeof (EFI_SIGNATURE_LIST)
- + (*PkCert)->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
-ON_EXIT:
-
- if (EFI_ERROR(Status) && *PkCert != NULL) {
- FreePool (*PkCert);
- *PkCert = NULL;
- }
-
- return Status;
-}
-
-
-EFI_STATUS
-EnrollPlatformKey (
- IN VOID *Buf,
- IN UINTN BufSize
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
-
- PkCert = NULL;
-
- //
- // Prase the selected PK file and generature PK certificate list.
- //
- Status = CreatePkX509SignatureList (
- Buf,
- BufSize,
- &PkCert
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (PkCert != NULL);
-
- //
- // Set Platform Key variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- DataSize = PkCert->SignatureListSize;
- Status = CreateTimeBasedPayload (&DataSize, (UINT8 **) &PkCert);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- if (Status == EFI_OUT_OF_RESOURCES) {
- DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n"));
- }
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool (PkCert);
- }
-
- return Status;
-}
-
-
-/**
- Enroll a new KEK item from X509 certificate file.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509ToKek (
- VOID *X509Data,
- UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- ASSERT (X509Data != NULL);
-
- KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32) KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, &gOwnerSignatureGUID);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-
-/**
- Enroll new KEK into the System without PK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successful.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll KEK data.
-
-**/
-EFI_STATUS
-EnrollKeyExchangeKey (
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509ToKek (DataBuf, BufSize);
-}
-
-
-EFI_STATUS
-EnrollX509toForbSigDB (
- IN CHAR16 *VariableName,
- IN VOID *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- VOID *Data;
- UINTN SigDBSize;
- UINT32 Attr;
- UINTN DataSize;
-
- SigDBSize = 0;
- DataSize = 0;
- Data = NULL;
-
- ASSERT (X509Data != NULL);
-
- SigDBSize = X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- CopyMem ((UINT8 *) Data, X509Data, X509DataSize);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-
-/**
- Enroll X509 certificate into Forbidden Database (DBX) without
- KEK's authentication.
-
- @param[in] VariableName Variable name of signature database, must be
- @param[in] *DataBuf Pointer to Data Buffer
- @param[in] BufSize Data Buffer size
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollKeyForbiddenSignatureDatabase (
- IN CHAR16 *VariableName,
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509toForbSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
- Enroll a new X509 certificate into Signature Database (DB or DBX) without
- KEK's authentication.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509toSigDB (
- IN CHAR16 *VariableName,
- IN VOID *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- SigDBSize = 0;
- DataSize = 0;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- ASSERT (X509Data != NULL);
-
- SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST *) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, &gOwnerSignatureGUID);
- CopyMem ((UINT8 *) (SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-
-EFI_STATUS
-EnrollSignatureDatabase (
- IN CHAR16 *VariableName,
- IN VOID *DataBuf,
- IN UINTN BufSize
- )
-{
- return EnrollX509toSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
- Function to Load Secure Keys given the binary GUID
-
- @param[in] VendorGuid GUID of the Variable.
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Set the variable successfully.
- @retval Others Set variable failed.
-
-**/
-EFI_STATUS
-SetSecureVariabeKeys (
- IN EFI_GUID *ImageGuid,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv;
- UINTN FvProtocolCount;
- EFI_HANDLE *FvHandles;
- UINTN Index1;
- UINT32 AuthenticationStatus;
- UINT8 *Buffer=NULL;
- UINTN BufferSize=0;
- UINT32 Attr;
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- FvHandles = NULL;
-
- Status = gBS->LocateHandleBuffer (
- ByProtocol,
- &gEfiFirmwareVolume2ProtocolGuid,
- NULL,
- &FvProtocolCount,
- &FvHandles
- );
-
- if (!EFI_ERROR (Status)) {
- for (Index1 = 0; Index1 < FvProtocolCount; Index1++) {
- Status = gBS->HandleProtocol (
- FvHandles[Index1],
- &gEfiFirmwareVolume2ProtocolGuid,
- (VOID **) &Fv
- );
- BufferSize= 0;
-
- Status = Fv->ReadSection (
- Fv,
- ImageGuid,
- EFI_SECTION_RAW,
- 0,
- (VOID **) &Buffer,
- &BufferSize,
- &AuthenticationStatus
- );
-
- if (!EFI_ERROR (Status)) {
- Status = EFI_SUCCESS;
- break;
- }
- }
- }
-
- if (Buffer == NULL)
- return EFI_UNSUPPORTED;
- if (StrCmp (VariableName, L"PK") == 0){
- Status = EnrollPlatformKey (Buffer, BufferSize);
- } else if (StrCmp (VariableName, L"KEK") == 0) {
- Status = EnrollKeyExchangeKey (Buffer, BufferSize);
- } else if (CompareGuid (ImageGuid, &gDbxUpdateImageGuid)) {
- Status = EnrollKeyForbiddenSignatureDatabase (VariableName,Buffer, BufferSize);
- } else {
- Status = EnrollSignatureDatabase (VariableName, Buffer, BufferSize);
- }
- return Status;
-}
-
-
-/**
- Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Updated to Setup Mode successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateSetupModetoUserMode (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 SetupMode;
- UINT8 SecureBootEnable;
-
- SetupMode = 0;
- SecureBootEnable = 1;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- 1,
- &SetupMode
- );
-
- if (!EFI_ERROR (Status)) {
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootEnable
- );
- }
- return Status;
-}
-
-
-/**
- Enrolls PK, KEK, Db and Dbx.
-
- Note: Setup variable uses UEFI Runtime Services.
- Do not call this function from PEI.
-
-**/
-VOID
-EnrollKeys (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT8 SecureBootCstMde;
- UINTN DataSize;
- SYSTEM_CONFIGURATION SystemConfiguration;
- UINTN VarSize;
-
- EFI_GUID KekImageGuid = { 0x5d354a1f, 0x98d7, 0x4938, 0x8f, 0x18, 0xf8, 0x4e, 0x1c, 0x89, 0xb2, 0xed };
- EFI_GUID Db1ImageGuid = { 0x4de09060, 0x5864, 0x471a, 0xb3, 0x52, 0xd4, 0x50, 0x6e, 0xd7, 0xbb, 0xb0 };
- EFI_GUID DbxImageGuid = { 0x96b44e98, 0x6c49, 0x4c03, 0xa8, 0xa4, 0x77, 0x93, 0xef, 0x41, 0x68, 0x5a };
- EFI_GUID PkImageGuid = { 0xc43024ad, 0x8cb8, 0x4393, 0x8a, 0xe1, 0xf3, 0x5c, 0xbf, 0xc7, 0xcd, 0x56 };
- EFI_GUID Db2ImageGuid = { 0x0f97c7a2, 0xba0c, 0x4e8a, 0x90, 0xf9, 0xb1, 0xcc, 0x40, 0x57, 0x01, 0xf8 };
- EFI_GUID Db3ImageGuid = { 0x774491b2, 0x85ff, 0x47b0, 0x89, 0xa4, 0xcc, 0xd8, 0xb3, 0x99, 0xaa, 0xd4 };
- EFI_GUID Kek2ImageGuid = { 0xE989363D, 0x449F, 0x4b32, 0x96, 0xB0, 0xB2, 0x71, 0x73, 0x44, 0xD0, 0xEE };
- EFI_GUID Db4ImageGuid = { 0xB69B054C, 0x7EA4, 0x4f13, 0xB7, 0xFF, 0x72, 0xC6, 0x32, 0x3B, 0xC8, 0x5A };
- EFI_GUID Db5ImageGuid = { 0xB8FA2839, 0xE0C1, 0x4368, 0xA5, 0x1B, 0x5F, 0x4A, 0x21, 0x74, 0x61, 0x29 };
- EFI_GUID Db6ImageGuid = { 0x758FBB84, 0xEF4C, 0x4acf, 0xB1, 0xA6, 0xE8, 0x44, 0xD5, 0xFF, 0x6B, 0xA6 };
-
- VarSize = sizeof (SYSTEM_CONFIGURATION);
- Status = gRT->GetVariable (
- L"Setup",
- &gEfiSetupVariableGuid,
- NULL,
- &VarSize,
- &SystemConfiguration
- );
-
- ASSERT_EFI_ERROR (Status);
-
- //
- // Enroll Key Exchange Key
- //
- SetSecureVariabeKeys (&KekImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- if (!(SystemConfiguration.UseProductKey)) {
- SetSecureVariabeKeys (&Kek2ImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- //
- // Enroll Authenticated database.
- //
- SetSecureVariabeKeys (&Db1ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db4ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db5ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db6ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- //
- // Enroll Platform Key - 219_Microsoft_UEFI_Logo_Test_KEK.cer for WOS and common_PK.x509.cer for AOS
- //
- SetSecureVariabeKeys (&PkImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
- } else {
- //
- // Enroll Platform Key - KEK_MSFTproductionKekCA.cer
- //
- SetSecureVariabeKeys (&KekImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
- }
- SetSecureVariabeKeys (&Db2ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&Db3ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- //
- //Enroll Forbidden Database
- //
- SetSecureVariabeKeys (&DbxImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
- SetSecureVariabeKeys (&gDbxUpdateImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-
- //
- // If secure boot mode in custom mode, change to standard mode.
- //
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &SecureBootCstMde
- );
-
- if (SecureBootCstMde) {
- SecureBootCstMde = !SecureBootCstMde;
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootCstMde
- );
- }
-}
-
-
-/**
- Internal function to delete a Variable given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-
-/**
- Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Updated to Setup Mode successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateUserModetoSetupMode (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 SetupMode;
- UINT8 SecureBootDisable;
-
- SetupMode = 1;
- SecureBootDisable = 0;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- 1,
- &SetupMode
- );
-
- if (!EFI_ERROR (Status)) {
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, NULL);
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootDisable
- );
- }
- return Status;
-}
-
-
-/**
- Deletes PK, KEK, Db and Dbx.
-
-**/
-VOID
-DeleteKeys (
- )
-{
- //
- // 1. Clear PK.
- //
- DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
-
- //
- // 2. Update "SetupMode" variable to SETUP_MODE.
- //
- UpdateUserModetoSetupMode (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid);
-
- //
- // 3. Clear KEK, DB and DBX.
- //
- DeleteVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
- DeleteVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
- DeleteVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-}
-
-
-/**
- Enable Custom Mode.
-
-**/
- VOID
- EnableCustomMode (
- )
-{
- UINT8 CustomMode;
- EFI_STATUS Status;
-
- CustomMode = 1;
-
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &CustomMode
- );
-
-}
-
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
deleted file mode 100644
index 72a001d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
+++ /dev/null
@@ -1,69 +0,0 @@
-## @file
-# NULL PlatformFvbLib library instance.
-# This library handles hooks for the EMU Variable FVB driver.
-#
-# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
-#
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php.
-#
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = PlatformSecureDefaultsLib
- FILE_GUID = 402B0508-781A-4016-A1D7-9740FFE001A0
- MODULE_TYPE = BASE
- VERSION_STRING = 1.0
- LIBRARY_CLASS = PlatformSecureDefaultsLib | DXE_DRIVER DXE_RUNTIME_DRIVER
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF EBC
-#
-
-[Sources]
- PlatformSecureDefaultsLib.c
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- IntelFrameworkPkg/IntelFrameworkPkg.dec
- IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- BroxtonPlatformPkg/PlatformPkg.dec
- BroxtonSiPkg/BroxtonSiPkg.dec
-
-[LibraryClasses]
- DebugLib
- DxeServicesTableLib
- UefiBootServicesTableLib
- DevicePathLib
- BaseMemoryLib
- BaseLib
- IoLib
- TimerLib
- MemoryAllocationLib
- PcdLib
-
-[Protocols]
- gEfiFirmwareVolume2ProtocolGuid
-
-[Guids]
- gEfiGlobalVariableGuid ## PRODUCES ## Variable Guid
- gEfiSetupVariableGuid
- gEfiVariableGuid
- gEfiImageSecurityDatabaseGuid
- gEfiCertX509Guid
- gEfiCertPkcs7Guid
- gEfiCustomModeEnableGuid
-
-[Depex]
- TRUE
-
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
index 02dcc27..187eb21 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
@@ -1,7 +1,7 @@
/** @file
Platform Initialization Driver.
- Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -641,7 +641,7 @@ InitPlatformResolution (
PcdSet32S (PcdVideoVerticalResolution, PanelResolution[mSystemConfiguration.IgdFlatPanel].VerticalResolution);
}
-VOID
+VOID
OverrideSdCardPresence (
VOID
)
@@ -670,7 +670,7 @@ OverrideSdCardPresence (
} else {
P2sbMmioBar &= B_P2SB_BAR_BA;
}
-
+
Gpio177PadConfigDW0RegAdd = P2SB_MMIO_ADDR (P2sbMmioBar, SOUTHWEST, 0x5D0);
Gpio177RxState = MmioRead32(Gpio177PadConfigDW0RegAdd) & BIT1;
DEBUG ((DEBUG_INFO, "Gpio177PadConfigDW0RegAdd: 0x%X\n", Gpio177PadConfigDW0RegAdd));
@@ -868,11 +868,6 @@ InitializePlatform (
FdoEnabledGuidHob = GetFirstGuidHob (&gFdoModeEnabledHobGuid);
if (FdoEnabledGuidHob != NULL) {
- //
- // Secure boot must be disabled in Flash Descriptor Override (FDO) boot
- //
- EnableCustomMode ();
- DeleteKeys ();
}
#if (ENBDT_PF_ENABLE == 1) //BXTP
@@ -916,9 +911,9 @@ InitializePlatform (
&EfiExitBootServicesEvent
);
-
- OverrideSdCardPresence();
-
+
+ OverrideSdCardPresence();
+
return EFI_SUCCESS;
}
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
index c2714a6..cf8ca08 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
@@ -1,7 +1,7 @@
## @file
# Component description file for platform DXE driver
#
-# Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -50,7 +50,6 @@
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiRuntimeServicesTableLib
- PlatformSecureDefaultsLib
DxeServicesTableLib
DebugLib
HiiLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
index 02b03ff..5cbe136 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
@@ -13,7 +13,7 @@
4. It save all the mapping info in NV variables which will be consumed
by platform override protocol driver to publish the platform override protocol.
- Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -508,43 +508,6 @@ SystemConfigCallback (
if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {
}
- } else if (KeyValue == 0x1237 /*KEY_CLEAR_KEK_AND_PK*/ ) {
- //
- //Delete PK, KEK, DB, DBx
- //
- EnableCustomMode ();
- DeleteKeys ();
- StrCpyS (StringBuffer1, 200, L"Clear Keys Completed");
- StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
- //
- // Popup a menu to notice user
- //
- do {
- CreatePopUp (EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
- } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
- gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
- } else if (KeyValue == 0x1238 /*KEY_LOAD_DEFAULTS_KEYS*/ ) {
- //
- // Enroll PK, KEK, DB and DBx
- //
- EnrollKeys ();
- StrCpyS (StringBuffer1, 200, L"Restore Keys Completed");
- StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
- //
- // Popup a notification menu
- //
- do {
- CreatePopUp(EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
- } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
- //
- // Reset the system
- //
- gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
-
} else if (KeyValue == 0x1239) {
//
// Popup a notification menu
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
index 09a16c8..0cbcb71 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
@@ -16,7 +16,7 @@
# 4. It save all the mapping info in NV variables for the following boot,
# which will be consumed by GetDriver API of the produced the platform override protocol.
#
-# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -92,7 +92,6 @@
BiosIdLib
CpuIA32Lib
IoLib
- PlatformSecureDefaultsLib
BaseIpcLib
HeciMsgLib
SteppingLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
index f79e81b..9d0855e 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
@@ -107,39 +107,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
endif;
endif;
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
-
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
- oneof varid = Setup.SecureBootCustomMode,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
- option text = STRING_TOKEN(STR_SB_STANDARD_MODE), value=0x00, flags = DEFAULT | MANUFACTURING;
- option text = STRING_TOKEN(STR_SB_CUSTOM_MODE), value=0x01, flags = 0;
- endoneof;
- oneof varid = Setup.UseProductKey,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_HELP),
- option text = STRING_TOKEN(STR_DEV_KEY), value=0x00, flags = DEFAULT | RESET_REQUIRED;
- option text = STRING_TOKEN(STR_PRO_KEY), value=0x01, flags = RESET_REQUIRED;
- endoneof;
- text
- help = STRING_TOKEN(STR_CLEAR_ALL_KEYS_HELP),
- text = STRING_TOKEN(STR_CLEAR_ALL_KEYS),
- text = STRING_TOKEN(STR_NULL_STRING),
- flags = INTERACTIVE,
- key = 0x1237; //KEY_CLEAR_KEK_AND_PK;
-
- text
- help = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS_HELP),
- text = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS),
- text = STRING_TOKEN(STR_NULL_STRING),
- flags = INTERACTIVE,
- key = 0x1238; //KEY_LOAD_DEFAULTS_KEYS;
-
- subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
//
//TPM related
//
@@ -154,7 +121,7 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
option text = STRING_TOKEN(STR_TPM_DTPM_2_0), value = 0x03, flags = RESET_REQUIRED;
endoneof;
- suppressif NOT ideqval Setup.TPM == 1;
+ suppressif NOT ideqval Setup.TPM == 1;
oneof varid = Setup.TPMSupportedBanks,
prompt = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_PROMPT),
help = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_HELP),
@@ -164,6 +131,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
option text = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_BOTH), value = TPM2_SUPPORTED_BANK_BOTH, flags = RESET_REQUIRED;
endoneof;
endif;
-
+
endform;
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
index 8f7a534..d504995 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
@@ -1,7 +1,7 @@
/** @file
To retrieve various platform info data for Setup menu.
- Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -47,8 +47,6 @@
#include "ScAccess.h"
#include "SetupMode.h"
-#define EFI_CUSTOM_MODE_NAME L"CustomMode"
-extern EFI_GUID gEfiCustomModeEnableGuid;
#define LEFT_JUSTIFY 0x01
#define PREFIX_SIGN 0x02
@@ -65,7 +63,6 @@ EFI_GUID mProcessorProducerGuid;
EFI_HII_HANDLE mHiiHandle;
SYSTEM_CONFIGURATION mSystemConfiguration;
EFI_PLATFORM_INFO_HOB *mPlatformInfo;
-UINT8 mUseProductKey = 0;
#define memset SetMem
@@ -1720,14 +1717,30 @@ SetupInfo (
VOID
CheckSystemConfigLoad (
- SYSTEM_CONFIGURATION *SystemConfigPtr
+ SYSTEM_CONFIGURATION *SystemConfigPtr
)
{
EFI_STATUS Status;
SEC_OPERATION_PROTOCOL *SeCOp;
SEC_INFOMATION SeCInfo;
+ UINT8 SecureBoot;
+ UINTN DataSize;
+
+ DataSize = sizeof (SecureBoot);
+ Status = gRT->GetVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ NULL,
+ &DataSize,
+ &SecureBoot
+ );
+
+ if (EFI_ERROR (Status)) {
+ SystemConfigPtr->SecureBoot = 0;
+ } else {
+ SystemConfigPtr->SecureBoot = SecureBoot;
+ }
- mUseProductKey = SystemConfigPtr->UseProductKey;
Status = gBS->LocateProtocol (
&gEfiSeCOperationProtocolGuid,
NULL,
@@ -1787,7 +1800,7 @@ CheckTPMActivePcrBanks (
VOID
CheckSystemConfigSave (
- SYSTEM_CONFIGURATION *SystemConfigPtr
+ SYSTEM_CONFIGURATION *SystemConfigPtr
)
{
EFI_STATUS Status;
@@ -1795,51 +1808,7 @@ CheckSystemConfigSave (
SEC_INFOMATION SeCInfo;
UINT8 SecureBootCfg;
UINTN DataSize;
- UINT8 CustomMode;
-
- if (mUseProductKey != SystemConfigPtr->UseProductKey) {
- EnableCustomMode ();
- DeleteKeys ();
- EnrollKeys ();
- }
- DataSize = sizeof (CustomMode);
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &CustomMode
- );
-
- if (EFI_ERROR (Status)) {
- DeleteKeys ();
- EnrollKeys ();
- DataSize = sizeof (CustomMode);
- Status = gRT->GetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- NULL,
- &DataSize,
- &CustomMode
- );
- }
-
- if (CustomMode != SystemConfigPtr->SecureBootCustomMode) {
- if (CustomMode == 1) {
- DeleteKeys ();
- EnrollKeys ();
- CustomMode = 0;
- } else {
- CustomMode = 1;
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &CustomMode
- );
- }
- }
+ BOOLEAN SecureBootNotFound;
Status = gBS->LocateProtocol (
&gEfiSeCOperationProtocolGuid,
@@ -1861,6 +1830,8 @@ CheckSystemConfigSave (
//
// Secure Boot configuration changes
//
+ DataSize = sizeof (SecureBootCfg);
+ SecureBootNotFound = FALSE;
Status = gRT->GetVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
@@ -1870,12 +1841,22 @@ CheckSystemConfigSave (
);
if (EFI_ERROR (Status)) {
- SecureBootCfg = 0;
+ SecureBootNotFound = TRUE;
+ }
+
+ if (SecureBootNotFound) {
+ Status = gRT->GetVariable (
+ EFI_SECURE_BOOT_ENABLE_NAME,
+ &gEfiSecureBootEnableDisableGuid,
+ NULL,
+ &DataSize,
+ &SecureBootCfg
+ );
+ ASSERT_EFI_ERROR (Status);
}
if ((SecureBootCfg) != SystemConfigPtr->SecureBoot) {
SecureBootCfg = !SecureBootCfg;
-
Status = gRT->SetVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni
index 47b84ee6a0ac53bef15b322024a47c9935285ffb..9ff9a80ba62edb19ac8982991e2dcc364d1df52a 100644
GIT binary patch
delta 42
zcmV+_0M-Bcq7&?b6Oh6MHvlXEAd}HFBZ2CL>H&r70=4P`rpuSC=K&74tlR_6^p{B#
AVgLXD
delta 1706
zcmbtUOHUI~6h1T45<nXv1hhfJOe-ZpMG^3|k?F(4P%Po$V_|9oMVcV3v{f`wf(h(2
zCbPIZ1s80HuZ3X?Y%xUt0d6#DG=}KPmEW16wnGXM&CT4o_uTXN?m6dvUmw-{dQtOq
z#d(U3l4^Wx_fF-ebJBE9ewS0`S4Gts`G8U7FWWajy%eG-`6+_YFJg7_S&_Q$Xg1!=
zsAA}WTqV})EM1pPSA1Jl0-`e_`NXR|j>?dqk{B6MsT=<xieq&QUx2cdhCE5Pu=C;T
z!!AZ+(23DFW&ngN&bG$u8EvxI1KaUwKk0Odf|z?TtMHYNk%SM9GGJ;&5WR59o-;H;
z2_R5u5G#&*)5K=U;xvpA#~CA!VV#-8mR+W?y@PcN*18FIQ(^Ob9RD=FjClbL!&fc<
zyNj@+7%IH6Ru=y;?EZEor-xirDO#U9BI3rP+%8gSd2h&LrfAUg!g2m7-9qn{yj=Dz
zrPN!cLMh8#dEcdgxNJa-hKEh=0EN*)T$w25Fh-QRAh{;ANx9KbbLX@G@(?%6%{jEP
z(gn#qWUy3}dJihPjfpYWsqGN+(|7s0u|DEBoj2#w_W%$#1H-abL1d7za2u*<DL+k=
zMAA`=WY?}l^%IBpkPg35d?C7k#0(%Y{ivcXIkQ(zUJRp`V<rrK1*J+HgnSq}S>z;R
z_HrJ02(S~7l}cj3gNXm>TErG)Z$kv|ce=`yE_aB|dHHag6|Rscd%`ESq`VaB;|0{a
zaw9f=C|YeF3K-qW6XJH0W6)(I53#%=Yt@!^5ofTbE@l@bU&SA(SUxCe{8$=nyoVY_
z(NDc#%gss}8{s}?ODFeNT<BTZYkbhk-9@x&H!-xPHfGLdvG!6aXVZjfisz802d+4i
z&nOC*0;$B&sLW8-qfsGcit544JeW24D}gl=jHScv9<VW<DHlmu+Fw6psxprxOp_v#
z7J5WEQW2ud*7bz`SUGQ`8c(>l1ti`EapR?{4yT!ryhV#x`mB`ImP9A!zDVxHXYZA@
GpT7a+n_%An
diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
index eb47ea0..d3be2da 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
@@ -234,6 +234,16 @@
!endif
#
+ # Secure Boot
+ #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf {
+ <LibraryClasses>
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ }
+!endif
+
+ #
# SMM
#
MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
@@ -367,10 +377,10 @@
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcHostDxe/MmcHostDxe.inf
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcMediaDeviceDxe/MmcMediaDeviceDxe.inf
-
+
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
$(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-
+
!if $(ACPI50_ENABLE) == TRUE
MdeModulePkg/Universal/SmmCommunicationBufferDxe/SmmCommunicationBufferDxe.inf
@@ -474,12 +484,12 @@
PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf
$(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
-
+
#
# USB TypeC
#
$(PLATFORM_PACKAGE_COMMON)/Acpi/UsbTypeCDxe/UsbTypeCDxe.inf
-
+
#
# Application
#
diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
index c2424f0..971dc4a 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
@@ -237,8 +237,6 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
!endif
-
- PlatformSecureDefaultsLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf
BasePlatformCmosLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformCmosLib/PlatformCmosLib.inf
diff --git a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
index a5a3555..2476407 100644
--- a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
+++ b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
@@ -450,7 +450,7 @@ APRIORI DXE {
INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-
+
INF IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
#
@@ -575,6 +575,13 @@ APRIORI DXE {
INF $(PLATFORM_PACKAGE_COMMON)/PnpDxe/PnpDxe.inf
#
+ # Secure Boot
+ #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
+ #
# SMM
#
INF MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
@@ -710,7 +717,7 @@ APRIORI DXE {
SECTION PE32 = ShellBinPkg/UefiShell/$(IA32_X64_LC)/Shell.efi
}
- INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
+ INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
#
# USB TypeC
--
2.7.0.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: zwei4 <david.wei@intel.com> Thanks, David Wei -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of lushifex Sent: Wednesday, February 22, 2017 2:35 PM To: edk2-devel@lists.01.org Cc: Wei, David <david.wei@intel.com> Subject: [edk2] [Patch][edk2-platforms/devel-MinnowBoard3] Enable Secure Boot. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: lushifex <shifeix.a.lu@intel.com> --- .../PlatformSecureDefaultsLib.c | 952 --------------------- .../PlatformSecureDefaultsLib.inf | 69 -- .../Common/PlatformSettings/PlatformDxe/Platform.c | 17 +- .../PlatformSettings/PlatformDxe/PlatformDxe.inf | 3 +- .../PlatformSetupDxe/PlatformSetupDxe.c | 39 +- .../PlatformSetupDxe/PlatformSetupDxe.inf | 3 +- .../PlatformSettings/PlatformSetupDxe/Security.vfi | 37 +- .../PlatformSetupDxe/SetupInfoRecords.c | 89 +- .../PlatformSetupDxe/VfrStrings.uni | Bin 315770 -> 311660 bytes .../BroxtonPlatformPkg/PlatformDsc/Components.dsc | 18 +- .../PlatformDsc/LibraryClasses.dsc | 2 - Platform/BroxtonPlatformPkg/PlatformPkg.fdf | 11 +- 12 files changed, 69 insertions(+), 1171 deletions(-) delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c deleted file mode 100644 index 2cdd01d..0000000 --- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c +++ /dev/null @@ -1,952 +0,0 @@ -/** @file - IPC based PlatformFvbLib library instance. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> - - This program and the accompanying materials - are licensed and made available under the terms and conditions of the BSD License - which accompanies this distribution. The full text of the license may be found at - http://opensource.org/licenses/bsd-license.php. - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "Library/PlatformSecureDefaultsLib.h" -#include <Guid/AuthenticatedVariableFormat.h> -#include <Guid/SetupVariable.h> - -EFI_GUID mUefiImageSecurityDBGuid = EFI_IMAGE_SECURITY_DATABASE_GUID; -EFI_GUID mUefiCertTypeRsa2048Guid = EFI_CERT_RSA2048_GUID; - -#define WIN_CERT_UEFI_RSA2048_SIZE 256 -#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable" - -extern EFI_GUID mUefiCertTypeRsa2048Guid; -extern EFI_GUID gEfiSecureBootEnableDisableGuid; - -EFI_GUID gOwnerSignatureGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}; -static EFI_GUID gDbxUpdateImageGuid = {0xa3d48bb3, 0x350f, 0x4bcd, 0xa4, 0xad, 0x44, 0x5b, 0x93, 0x9f, 0x6d, 0x9c }; - -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 - descriptor with the input data. NO authentication is required in this function. - - @param[in, out] DataSize On input, the size of Data buffer in bytes. - On output, the size of data returned in Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be wrapped or - pointer to NULL to wrap an empty payload. - On output, Pointer to the new payload date buffer allocated from pool, - it's caller's responsibility to free the memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed but the - // parameters to the SetVariable() call still need to be prepared as authenticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate - // data in it. - // - Payload = *Data; - PayloadSize = *DataSize; - - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload != NULL) && (PayloadSize != 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status = gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 = 0; - Time.Nanosecond = 0; - Time.TimeZone = 0; - Time.Daylight = 0; - Time.Pad2 = 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload != NULL) { - FreePool(Payload); - } - - *DataSize = DescriptorSize + PayloadSize; - *Data = NewData; - return EFI_SUCCESS; -} - - -/** - Generate the PK signature list from the X509 Certificate storing file (.cer) - - @param[in] X509Data FileHandle of X509 Certificate storing file. - @param[in] X509DataSize The size of fileHandle of X509 Certificate storing file. - @param[out] PkCert Point to the data buffer to store the signature list. - - @retval EFI_UNSUPPORTED Unsupported Key Length. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list. - -**/ -EFI_STATUS -CreatePkX509SignatureList ( - IN UINT8 *X509Data, - IN UINTN X509DataSize, - OUT EFI_SIGNATURE_LIST **PkCert - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_DATA *PkCertData; - - PkCertData = NULL; - Status = EFI_SUCCESS; - ASSERT (X509Data != NULL); - - // - // Allocate space for PK certificate list and initialize it. - // Create PK database entry with SignatureHeaderSize equals 0. - // - *PkCert = (EFI_SIGNATURE_LIST *) AllocateZeroPool ( - sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 - + X509DataSize - ); - if (*PkCert == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - (*PkCert)->SignatureListSize = (UINT32) (sizeof (EFI_SIGNATURE_LIST) - + sizeof (EFI_SIGNATURE_DATA) - 1 - + X509DataSize); - (*PkCert)->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize); - (*PkCert)->SignatureHeaderSize = 0; - CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid); - PkCertData = (EFI_SIGNATURE_DATA *) ((UINTN) (*PkCert) - + sizeof (EFI_SIGNATURE_LIST) - + (*PkCert)->SignatureHeaderSize); - CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid); - // - // Fill the PK database with PKpub data from X509 certificate file. - // - CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize); - -ON_EXIT: - - if (EFI_ERROR(Status) && *PkCert != NULL) { - FreePool (*PkCert); - *PkCert = NULL; - } - - return Status; -} - - -EFI_STATUS -EnrollPlatformKey ( - IN VOID *Buf, - IN UINTN BufSize - ) -{ - EFI_STATUS Status; - UINT32 Attr; - UINTN DataSize; - EFI_SIGNATURE_LIST *PkCert; - - PkCert = NULL; - - // - // Prase the selected PK file and generature PK certificate list. - // - Status = CreatePkX509SignatureList ( - Buf, - BufSize, - &PkCert - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (PkCert != NULL); - - // - // Set Platform Key variable. - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - DataSize = PkCert->SignatureListSize; - Status = CreateTimeBasedPayload (&DataSize, (UINT8 **) &PkCert); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->SetVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - DataSize, - PkCert - ); - if (EFI_ERROR (Status)) { - if (Status == EFI_OUT_OF_RESOURCES) { - DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n")); - } - goto ON_EXIT; - } - -ON_EXIT: - - if (PkCert != NULL) { - FreePool (PkCert); - } - - return Status; -} - - -/** - Enroll a new KEK item from X509 certificate file. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported command. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. - -**/ -EFI_STATUS -EnrollX509ToKek ( - VOID *X509Data, - UINTN X509DataSize - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_DATA *KEKSigData; - EFI_SIGNATURE_LIST *KekSigList; - UINTN DataSize; - UINTN KekSigListSize; - UINT32 Attr; - - KekSigList = NULL; - KekSigListSize = 0; - DataSize = 0; - KEKSigData = NULL; - - ASSERT (X509Data != NULL); - - KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize; - KekSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (KekSigListSize); - if (KekSigList == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. - // - KekSigList->SignatureListSize = (UINT32) KekSigListSize; - KekSigList->SignatureHeaderSize = 0; - KekSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize); - CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); - - KEKSigData = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekSigList + sizeof (EFI_SIGNATURE_LIST)); - CopyGuid (&KEKSigData->SignatureOwner, &gOwnerSignatureGUID); - CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize); - - // - // Check if KEK been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new kek to original variable - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **) &KekSigList); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->GetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status = gRT->SetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - KekSigListSize, - KekSigList - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (KekSigList != NULL) { - FreePool (KekSigList); - } - - return Status; -} - - -/** - Enroll new KEK into the System without PK's authentication. - The SignatureOwner GUID will be Private->SignatureGUID. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New KEK enrolled successful. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval others Fail to enroll KEK data. - -**/ -EFI_STATUS -EnrollKeyExchangeKey ( - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509ToKek (DataBuf, BufSize); -} - - -EFI_STATUS -EnrollX509toForbSigDB ( - IN CHAR16 *VariableName, - IN VOID *X509Data, - IN UINTN X509DataSize - ) -{ - EFI_STATUS Status; - VOID *Data; - UINTN SigDBSize; - UINT32 Attr; - UINTN DataSize; - - SigDBSize = 0; - DataSize = 0; - Data = NULL; - - ASSERT (X509Data != NULL); - - SigDBSize = X509DataSize; - - Data = AllocateZeroPool (SigDBSize); - if (Data == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - CopyMem ((UINT8 *) Data, X509Data, X509DataSize); - - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - // - // Check if signature database entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - Status = gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status = gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (Data != NULL) { - FreePool (Data); - } - - return Status; -} - - -/** - Enroll X509 certificate into Forbidden Database (DBX) without - KEK's authentication. - - @param[in] VariableName Variable name of signature database, must be - @param[in] *DataBuf Pointer to Data Buffer - @param[in] BufSize Data Buffer size - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. - -**/ -EFI_STATUS -EnrollKeyForbiddenSignatureDatabase ( - IN CHAR16 *VariableName, - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509toForbSigDB (VariableName, DataBuf, BufSize); -} - - -/** - Enroll a new X509 certificate into Signature Database (DB or DBX) without - KEK's authentication. - - @param[in] PrivateData The module's private data. - @param[in] VariableName Variable name of signature database, must be - EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. - -**/ -EFI_STATUS -EnrollX509toSigDB ( - IN CHAR16 *VariableName, - IN VOID *X509Data, - IN UINTN X509DataSize - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_LIST *SigDBCert; - EFI_SIGNATURE_DATA *SigDBCertData; - VOID *Data; - UINTN DataSize; - UINTN SigDBSize; - UINT32 Attr; - - SigDBSize = 0; - DataSize = 0; - SigDBCert = NULL; - SigDBCertData = NULL; - Data = NULL; - - ASSERT (X509Data != NULL); - - SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize; - - Data = AllocateZeroPool (SigDBSize); - if (Data == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. - // - SigDBCert = (EFI_SIGNATURE_LIST *) Data; - SigDBCert->SignatureListSize = (UINT32) SigDBSize; - SigDBCert->SignatureHeaderSize = 0; - SigDBCert->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize); - CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid); - - SigDBCertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigDBCert + sizeof (EFI_SIGNATURE_LIST)); - CopyGuid (&SigDBCertData->SignatureOwner, &gOwnerSignatureGUID); - CopyMem ((UINT8 *) (SigDBCertData->SignatureData), X509Data, X509DataSize); - - // - // Check if signature database entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **) &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status = gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - if (Data != NULL) { - FreePool (Data); - } - - return Status; -} - - -EFI_STATUS -EnrollSignatureDatabase ( - IN CHAR16 *VariableName, - IN VOID *DataBuf, - IN UINTN BufSize - ) -{ - return EnrollX509toSigDB (VariableName, DataBuf, BufSize); -} - - -/** - Function to Load Secure Keys given the binary GUID - - @param[in] VendorGuid GUID of the Variable. - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Set the variable successfully. - @retval Others Set variable failed. - -**/ -EFI_STATUS -SetSecureVariabeKeys ( - IN EFI_GUID *ImageGuid, - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv; - UINTN FvProtocolCount; - EFI_HANDLE *FvHandles; - UINTN Index1; - UINT32 AuthenticationStatus; - UINT8 *Buffer=NULL; - UINTN BufferSize=0; - UINT32 Attr; - - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; - - FvHandles = NULL; - - Status = gBS->LocateHandleBuffer ( - ByProtocol, - &gEfiFirmwareVolume2ProtocolGuid, - NULL, - &FvProtocolCount, - &FvHandles - ); - - if (!EFI_ERROR (Status)) { - for (Index1 = 0; Index1 < FvProtocolCount; Index1++) { - Status = gBS->HandleProtocol ( - FvHandles[Index1], - &gEfiFirmwareVolume2ProtocolGuid, - (VOID **) &Fv - ); - BufferSize= 0; - - Status = Fv->ReadSection ( - Fv, - ImageGuid, - EFI_SECTION_RAW, - 0, - (VOID **) &Buffer, - &BufferSize, - &AuthenticationStatus - ); - - if (!EFI_ERROR (Status)) { - Status = EFI_SUCCESS; - break; - } - } - } - - if (Buffer == NULL) - return EFI_UNSUPPORTED; - if (StrCmp (VariableName, L"PK") == 0){ - Status = EnrollPlatformKey (Buffer, BufferSize); - } else if (StrCmp (VariableName, L"KEK") == 0) { - Status = EnrollKeyExchangeKey (Buffer, BufferSize); - } else if (CompareGuid (ImageGuid, &gDbxUpdateImageGuid)) { - Status = EnrollKeyForbiddenSignatureDatabase (VariableName,Buffer, BufferSize); - } else { - Status = EnrollSignatureDatabase (VariableName, Buffer, BufferSize); - } - return Status; -} - - -/** - Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Updated to Setup Mode successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -UpdateSetupModetoUserMode ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 SetupMode; - UINT8 SecureBootEnable; - - SetupMode = 0; - SecureBootEnable = 1; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, - &SetupMode - ); - - if (!EFI_ERROR (Status)) { - Status = gRT->SetVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootEnable - ); - } - return Status; -} - - -/** - Enrolls PK, KEK, Db and Dbx. - - Note: Setup variable uses UEFI Runtime Services. - Do not call this function from PEI. - -**/ -VOID -EnrollKeys ( - VOID - ) -{ - EFI_STATUS Status; - UINT8 SecureBootCstMde; - UINTN DataSize; - SYSTEM_CONFIGURATION SystemConfiguration; - UINTN VarSize; - - EFI_GUID KekImageGuid = { 0x5d354a1f, 0x98d7, 0x4938, 0x8f, 0x18, 0xf8, 0x4e, 0x1c, 0x89, 0xb2, 0xed }; - EFI_GUID Db1ImageGuid = { 0x4de09060, 0x5864, 0x471a, 0xb3, 0x52, 0xd4, 0x50, 0x6e, 0xd7, 0xbb, 0xb0 }; - EFI_GUID DbxImageGuid = { 0x96b44e98, 0x6c49, 0x4c03, 0xa8, 0xa4, 0x77, 0x93, 0xef, 0x41, 0x68, 0x5a }; - EFI_GUID PkImageGuid = { 0xc43024ad, 0x8cb8, 0x4393, 0x8a, 0xe1, 0xf3, 0x5c, 0xbf, 0xc7, 0xcd, 0x56 }; - EFI_GUID Db2ImageGuid = { 0x0f97c7a2, 0xba0c, 0x4e8a, 0x90, 0xf9, 0xb1, 0xcc, 0x40, 0x57, 0x01, 0xf8 }; - EFI_GUID Db3ImageGuid = { 0x774491b2, 0x85ff, 0x47b0, 0x89, 0xa4, 0xcc, 0xd8, 0xb3, 0x99, 0xaa, 0xd4 }; - EFI_GUID Kek2ImageGuid = { 0xE989363D, 0x449F, 0x4b32, 0x96, 0xB0, 0xB2, 0x71, 0x73, 0x44, 0xD0, 0xEE }; - EFI_GUID Db4ImageGuid = { 0xB69B054C, 0x7EA4, 0x4f13, 0xB7, 0xFF, 0x72, 0xC6, 0x32, 0x3B, 0xC8, 0x5A }; - EFI_GUID Db5ImageGuid = { 0xB8FA2839, 0xE0C1, 0x4368, 0xA5, 0x1B, 0x5F, 0x4A, 0x21, 0x74, 0x61, 0x29 }; - EFI_GUID Db6ImageGuid = { 0x758FBB84, 0xEF4C, 0x4acf, 0xB1, 0xA6, 0xE8, 0x44, 0xD5, 0xFF, 0x6B, 0xA6 }; - - VarSize = sizeof (SYSTEM_CONFIGURATION); - Status = gRT->GetVariable ( - L"Setup", - &gEfiSetupVariableGuid, - NULL, - &VarSize, - &SystemConfiguration - ); - - ASSERT_EFI_ERROR (Status); - - // - // Enroll Key Exchange Key - // - SetSecureVariabeKeys (&KekImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid); - if (!(SystemConfiguration.UseProductKey)) { - SetSecureVariabeKeys (&Kek2ImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid); - // - // Enroll Authenticated database. - // - SetSecureVariabeKeys (&Db1ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db4ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db5ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db6ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - // - // Enroll Platform Key - 219_Microsoft_UEFI_Logo_Test_KEK.cer for WOS and common_PK.x509.cer for AOS - // - SetSecureVariabeKeys (&PkImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid); - } else { - // - // Enroll Platform Key - KEK_MSFTproductionKekCA.cer - // - SetSecureVariabeKeys (&KekImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid); - } - SetSecureVariabeKeys (&Db2ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&Db3ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - // - //Enroll Forbidden Database - // - SetSecureVariabeKeys (&DbxImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid); - SetSecureVariabeKeys (&gDbxUpdateImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid); - - // - // If secure boot mode in custom mode, change to standard mode. - // - Status = gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &SecureBootCstMde - ); - - if (SecureBootCstMde) { - SecureBootCstMde = !SecureBootCstMde; - Status = gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootCstMde - ); - } -} - - -/** - Internal function to delete a Variable given its name and GUID, no authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - - Data = NULL; - DataSize = 0; - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status = CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data != NULL) { - FreePool (Data); - } - return Status; -} - - -/** - Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Updated to Setup Mode successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -UpdateUserModetoSetupMode ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 SetupMode; - UINT8 SecureBootDisable; - - SetupMode = 1; - SecureBootDisable = 0; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, - &SetupMode - ); - - if (!EFI_ERROR (Status)) { - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, NULL); - Status = gRT->SetVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootDisable - ); - } - return Status; -} - - -/** - Deletes PK, KEK, Db and Dbx. - -**/ -VOID -DeleteKeys ( - ) -{ - // - // 1. Clear PK. - // - DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid); - - // - // 2. Update "SetupMode" variable to SETUP_MODE. - // - UpdateUserModetoSetupMode (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid); - - // - // 3. Clear KEK, DB and DBX. - // - DeleteVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid); - DeleteVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid); - DeleteVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid); -} - - -/** - Enable Custom Mode. - -**/ - VOID - EnableCustomMode ( - ) -{ - UINT8 CustomMode; - EFI_STATUS Status; - - CustomMode = 1; - - Status = gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &CustomMode - ); - -} - diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf deleted file mode 100644 index 72a001d..0000000 --- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf +++ /dev/null @@ -1,69 +0,0 @@ -## @file -# NULL PlatformFvbLib library instance. -# This library handles hooks for the EMU Variable FVB driver. -# -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR> -# -# This program and the accompanying materials -# are licensed and made available under the terms and conditions of the BSD License -# which accompanies this distribution. The full text of the license may be found at -# http://opensource.org/licenses/bsd-license.php. -# -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. -# -## - -[Defines] - INF_VERSION = 0x00010005 - BASE_NAME = PlatformSecureDefaultsLib - FILE_GUID = 402B0508-781A-4016-A1D7-9740FFE001A0 - MODULE_TYPE = BASE - VERSION_STRING = 1.0 - LIBRARY_CLASS = PlatformSecureDefaultsLib | DXE_DRIVER DXE_RUNTIME_DRIVER - -# -# The following information is for reference only and not required by the build tools. -# -# VALID_ARCHITECTURES = IA32 X64 IPF EBC -# - -[Sources] - PlatformSecureDefaultsLib.c - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - IntelFrameworkPkg/IntelFrameworkPkg.dec - IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec - SecurityPkg/SecurityPkg.dec - BroxtonPlatformPkg/PlatformPkg.dec - BroxtonSiPkg/BroxtonSiPkg.dec - -[LibraryClasses] - DebugLib - DxeServicesTableLib - UefiBootServicesTableLib - DevicePathLib - BaseMemoryLib - BaseLib - IoLib - TimerLib - MemoryAllocationLib - PcdLib - -[Protocols] - gEfiFirmwareVolume2ProtocolGuid - -[Guids] - gEfiGlobalVariableGuid ## PRODUCES ## Variable Guid - gEfiSetupVariableGuid - gEfiVariableGuid - gEfiImageSecurityDatabaseGuid - gEfiCertX509Guid - gEfiCertPkcs7Guid - gEfiCustomModeEnableGuid - -[Depex] - TRUE - diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c index 02dcc27..187eb21 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c @@ -1,7 +1,7 @@ /** @file Platform Initialization Driver. - Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -641,7 +641,7 @@ InitPlatformResolution ( PcdSet32S (PcdVideoVerticalResolution, PanelResolution[mSystemConfiguration.IgdFlatPanel].VerticalResolution); } -VOID +VOID OverrideSdCardPresence ( VOID ) @@ -670,7 +670,7 @@ OverrideSdCardPresence ( } else { P2sbMmioBar &= B_P2SB_BAR_BA; } - + Gpio177PadConfigDW0RegAdd = P2SB_MMIO_ADDR (P2sbMmioBar, SOUTHWEST, 0x5D0); Gpio177RxState = MmioRead32(Gpio177PadConfigDW0RegAdd) & BIT1; DEBUG ((DEBUG_INFO, "Gpio177PadConfigDW0RegAdd: 0x%X\n", Gpio177PadConfigDW0RegAdd)); @@ -868,11 +868,6 @@ InitializePlatform ( FdoEnabledGuidHob = GetFirstGuidHob (&gFdoModeEnabledHobGuid); if (FdoEnabledGuidHob != NULL) { - // - // Secure boot must be disabled in Flash Descriptor Override (FDO) boot - // - EnableCustomMode (); - DeleteKeys (); } #if (ENBDT_PF_ENABLE == 1) //BXTP @@ -916,9 +911,9 @@ InitializePlatform ( &EfiExitBootServicesEvent ); - - OverrideSdCardPresence(); - + + OverrideSdCardPresence(); + return EFI_SUCCESS; } diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf index c2714a6..cf8ca08 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf @@ -1,7 +1,7 @@ ## @file # Component description file for platform DXE driver # -# Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR> # # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -50,7 +50,6 @@ UefiBootServicesTableLib UefiDriverEntryPoint UefiRuntimeServicesTableLib - PlatformSecureDefaultsLib DxeServicesTableLib DebugLib HiiLib diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c index 02b03ff..5cbe136 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c @@ -13,7 +13,7 @@ 4. It save all the mapping info in NV variables which will be consumed by platform override protocol driver to publish the platform override protocol. - Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -508,43 +508,6 @@ SystemConfigCallback ( if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) { } - } else if (KeyValue == 0x1237 /*KEY_CLEAR_KEK_AND_PK*/ ) { - // - //Delete PK, KEK, DB, DBx - // - EnableCustomMode (); - DeleteKeys (); - StrCpyS (StringBuffer1, 200, L"Clear Keys Completed"); - StrCpyS (StringBuffer2, 200, L"Please Restart System"); - - // - // Popup a menu to notice user - // - do { - CreatePopUp (EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL); - } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN)); - - gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); - } else if (KeyValue == 0x1238 /*KEY_LOAD_DEFAULTS_KEYS*/ ) { - // - // Enroll PK, KEK, DB and DBx - // - EnrollKeys (); - StrCpyS (StringBuffer1, 200, L"Restore Keys Completed"); - StrCpyS (StringBuffer2, 200, L"Please Restart System"); - - // - // Popup a notification menu - // - do { - CreatePopUp(EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL); - } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN)); - - // - // Reset the system - // - gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); - } else if (KeyValue == 0x1239) { // // Popup a notification menu diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf index 09a16c8..0cbcb71 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf @@ -16,7 +16,7 @@ # 4. It save all the mapping info in NV variables for the following boot, # which will be consumed by GetDriver API of the produced the platform override protocol. # -# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR> # # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -92,7 +92,6 @@ BiosIdLib CpuIA32Lib IoLib - PlatformSecureDefaultsLib BaseIpcLib HeciMsgLib SteppingLib diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi index f79e81b..9d0855e 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi @@ -107,39 +107,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID, endif; endif; - subtitle text = STRING_TOKEN(STR_NULL_STRING); - - - subtitle text = STRING_TOKEN(STR_NULL_STRING); - - oneof varid = Setup.SecureBootCustomMode, - prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), - help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), - option text = STRING_TOKEN(STR_SB_STANDARD_MODE), value=0x00, flags = DEFAULT | MANUFACTURING; - option text = STRING_TOKEN(STR_SB_CUSTOM_MODE), value=0x01, flags = 0; - endoneof; - oneof varid = Setup.UseProductKey, - prompt = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_PROMPT), - help = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_HELP), - option text = STRING_TOKEN(STR_DEV_KEY), value=0x00, flags = DEFAULT | RESET_REQUIRED; - option text = STRING_TOKEN(STR_PRO_KEY), value=0x01, flags = RESET_REQUIRED; - endoneof; - text - help = STRING_TOKEN(STR_CLEAR_ALL_KEYS_HELP), - text = STRING_TOKEN(STR_CLEAR_ALL_KEYS), - text = STRING_TOKEN(STR_NULL_STRING), - flags = INTERACTIVE, - key = 0x1237; //KEY_CLEAR_KEK_AND_PK; - - text - help = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS_HELP), - text = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS), - text = STRING_TOKEN(STR_NULL_STRING), - flags = INTERACTIVE, - key = 0x1238; //KEY_LOAD_DEFAULTS_KEYS; - - subtitle text = STRING_TOKEN(STR_NULL_STRING); - // //TPM related // @@ -154,7 +121,7 @@ form formid = SECURITY_CONFIGURATION_FORM_ID, option text = STRING_TOKEN(STR_TPM_DTPM_2_0), value = 0x03, flags = RESET_REQUIRED; endoneof; - suppressif NOT ideqval Setup.TPM == 1; + suppressif NOT ideqval Setup.TPM == 1; oneof varid = Setup.TPMSupportedBanks, prompt = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_PROMPT), help = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_HELP), @@ -164,6 +131,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID, option text = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_BOTH), value = TPM2_SUPPORTED_BANK_BOTH, flags = RESET_REQUIRED; endoneof; endif; - + endform; diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c index 8f7a534..d504995 100644 --- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c +++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c @@ -1,7 +1,7 @@ /** @file To retrieve various platform info data for Setup menu. - Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR> + Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -47,8 +47,6 @@ #include "ScAccess.h" #include "SetupMode.h" -#define EFI_CUSTOM_MODE_NAME L"CustomMode" -extern EFI_GUID gEfiCustomModeEnableGuid; #define LEFT_JUSTIFY 0x01 #define PREFIX_SIGN 0x02 @@ -65,7 +63,6 @@ EFI_GUID mProcessorProducerGuid; EFI_HII_HANDLE mHiiHandle; SYSTEM_CONFIGURATION mSystemConfiguration; EFI_PLATFORM_INFO_HOB *mPlatformInfo; -UINT8 mUseProductKey = 0; #define memset SetMem @@ -1720,14 +1717,30 @@ SetupInfo ( VOID CheckSystemConfigLoad ( - SYSTEM_CONFIGURATION *SystemConfigPtr + SYSTEM_CONFIGURATION *SystemConfigPtr ) { EFI_STATUS Status; SEC_OPERATION_PROTOCOL *SeCOp; SEC_INFOMATION SeCInfo; + UINT8 SecureBoot; + UINTN DataSize; + + DataSize = sizeof (SecureBoot); + Status = gRT->GetVariable ( + EFI_SECURE_BOOT_MODE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + &SecureBoot + ); + + if (EFI_ERROR (Status)) { + SystemConfigPtr->SecureBoot = 0; + } else { + SystemConfigPtr->SecureBoot = SecureBoot; + } - mUseProductKey = SystemConfigPtr->UseProductKey; Status = gBS->LocateProtocol ( &gEfiSeCOperationProtocolGuid, NULL, @@ -1787,7 +1800,7 @@ CheckTPMActivePcrBanks ( VOID CheckSystemConfigSave ( - SYSTEM_CONFIGURATION *SystemConfigPtr + SYSTEM_CONFIGURATION *SystemConfigPtr ) { EFI_STATUS Status; @@ -1795,51 +1808,7 @@ CheckSystemConfigSave ( SEC_INFOMATION SeCInfo; UINT8 SecureBootCfg; UINTN DataSize; - UINT8 CustomMode; - - if (mUseProductKey != SystemConfigPtr->UseProductKey) { - EnableCustomMode (); - DeleteKeys (); - EnrollKeys (); - } - DataSize = sizeof (CustomMode); - Status = gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &CustomMode - ); - - if (EFI_ERROR (Status)) { - DeleteKeys (); - EnrollKeys (); - DataSize = sizeof (CustomMode); - Status = gRT->GetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - NULL, - &DataSize, - &CustomMode - ); - } - - if (CustomMode != SystemConfigPtr->SecureBootCustomMode) { - if (CustomMode == 1) { - DeleteKeys (); - EnrollKeys (); - CustomMode = 0; - } else { - CustomMode = 1; - Status = gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &CustomMode - ); - } - } + BOOLEAN SecureBootNotFound; Status = gBS->LocateProtocol ( &gEfiSeCOperationProtocolGuid, @@ -1861,6 +1830,8 @@ CheckSystemConfigSave ( // // Secure Boot configuration changes // + DataSize = sizeof (SecureBootCfg); + SecureBootNotFound = FALSE; Status = gRT->GetVariable ( EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, @@ -1870,12 +1841,22 @@ CheckSystemConfigSave ( ); if (EFI_ERROR (Status)) { - SecureBootCfg = 0; + SecureBootNotFound = TRUE; + } + + if (SecureBootNotFound) { + Status = gRT->GetVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + NULL, + &DataSize, + &SecureBootCfg + ); + ASSERT_EFI_ERROR (Status); } if ((SecureBootCfg) != SystemConfigPtr->SecureBoot) { SecureBootCfg = !SecureBootCfg; - Status = gRT->SetVariable ( EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni index 47b84ee6a0ac53bef15b322024a47c9935285ffb..9ff9a80ba62edb19ac8982991e2dcc364d1df52a 100644 GIT binary patch delta 42 zcmV+_0M-Bcq7&?b6Oh6MHvlXEAd}HFBZ2CL>H&r70=4P`rpuSC=K&74tlR_6^p{B# AVgLXD delta 1706 zcmbtUOHUI~6h1T45<nXv1hhfJOe-ZpMG^3|k?F(4P%Po$V_|9oMVcV3v{f`wf(h(2 zCbPIZ1s80HuZ3X?Y%xUt0d6#DG=}KPmEW16wnGXM&CT4o_uTXN?m6dvUmw-{dQtOq z#d(U3l4^Wx_fF-ebJBE9ewS0`S4Gts`G8U7FWWajy%eG-`6+_YFJg7_S&_Q$Xg1!= zsAA}WTqV})EM1pPSA1Jl0-`e_`NXR|j>?dqk{B6MsT=<xieq&QUx2cdhCE5Pu=C;T z!!AZ+(23DFW&ngN&bG$u8EvxI1KaUwKk0Odf|z?TtMHYNk%SM9GGJ;&5WR59o-;H; z2_R5u5G#&*)5K=U;xvpA#~CA!VV#-8mR+W?y@PcN*18FIQ(^Ob9RD=FjClbL!&fc< zyNj@+7%IH6Ru=y;?EZEor-xirDO#U9BI3rP+%8gSd2h&LrfAUg!g2m7-9qn{yj=Dz zrPN!cLMh8#dEcdgxNJa-hKEh=0EN*)T$w25Fh-QRAh{;ANx9KbbLX@G@(?%6%{jEP z(gn#qWUy3}dJihPjfpYWsqGN+(|7s0u|DEBoj2#w_W%$#1H-abL1d7za2u*<DL+k= zMAA`=WY?}l^%IBpkPg35d?C7k#0(%Y{ivcXIkQ(zUJRp`V<rrK1*J+HgnSq}S>z;R z_HrJ02(S~7l}cj3gNXm>TErG)Z$kv|ce=`yE_aB|dHHag6|Rscd%`ESq`VaB;|0{a zaw9f=C|YeF3K-qW6XJH0W6)(I53#%=Yt@!^5ofTbE@l@bU&SA(SUxCe{8$=nyoVY_ z(NDc#%gss}8{s}?ODFeNT<BTZYkbhk-9@x&H!-xPHfGLdvG!6aXVZjfisz802d+4i z&nOC*0;$B&sLW8-qfsGcit544JeW24D}gl=jHScv9<VW<DHlmu+Fw6psxprxOp_v# z7J5WEQW2ud*7bz`SUGQ`8c(>l1ti`EapR?{4yT!ryhV#x`mB`ImP9A!zDVxHXYZA@ GpT7a+n_%An diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc index eb47ea0..d3be2da 100644 --- a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc +++ b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc @@ -234,6 +234,16 @@ !endif # + # Secure Boot + # +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf { + <LibraryClasses> + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + } +!endif + + # # SMM # MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf @@ -367,10 +377,10 @@ $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcHostDxe/MmcHostDxe.inf $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcMediaDeviceDxe/MmcMediaDeviceDxe.inf - + $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf - + !if $(ACPI50_ENABLE) == TRUE MdeModulePkg/Universal/SmmCommunicationBufferDxe/SmmCommunicationBufferDxe.inf @@ -474,12 +484,12 @@ PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf - + # # USB TypeC # $(PLATFORM_PACKAGE_COMMON)/Acpi/UsbTypeCDxe/UsbTypeCDxe.inf - + # # Application # diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc index c2424f0..971dc4a 100644 --- a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc +++ b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc @@ -237,8 +237,6 @@ !if $(SECURE_BOOT_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf !endif - - PlatformSecureDefaultsLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf BasePlatformCmosLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformCmosLib/PlatformCmosLib.inf diff --git a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf index a5a3555..2476407 100644 --- a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf +++ b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf @@ -450,7 +450,7 @@ APRIORI DXE { INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf - + INF IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf # @@ -575,6 +575,13 @@ APRIORI DXE { INF $(PLATFORM_PACKAGE_COMMON)/PnpDxe/PnpDxe.inf # + # Secure Boot + # +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + + # # SMM # INF MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf @@ -710,7 +717,7 @@ APRIORI DXE { SECTION PE32 = ShellBinPkg/UefiShell/$(IA32_X64_LC)/Shell.efi } - INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf + INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf # # USB TypeC -- 2.7.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.