Hi Sayanta,
Thank you for this patch.
Please find my response inline marked [SAMI].
Regards,
Sami Mujawar
On 24/05/2021 06:23 PM, Sayanta Pattanayak wrote:
Enable the use of UEFI secure boot for Arm's Neoverse reference design
platforms. The UEFI authenticated variable store uses NOR flash 2 which
is accessible from Standalone MM context residing in a secure partition.
Signed-off-by: Sayanta Pattanayak <sayanta.pattana...@arm.com>
---
Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 31 +++++++++++++++++++
Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 32 ++++++++++++++++++++
Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 15 +++++++++
Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
Platform/ARM/SgiPkg/SgiPlatform.fdf | 9 +++++-
6 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
index 091de0c99c74..e4aee7a09acf 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
@@ -6,6 +6,14 @@
!include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+[Defines]
+ # To allow the use of secure storage, set this to TRUE.
+ DEFINE SECURE_STORAGE_ENABLE = FALSE
+
+ # To allow the use of UEFI secure boot, set this to TRUE.
+ # Secure boot requires secure storage to be enabled as well.
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+
[BuildOptions]
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
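Review bot: Nothing enforces the dependency the comment on the new SECURE_BOOT_ENABLE define describes: a build with SECURE_BOOT_ENABLE = TRUE and SECURE_STORAGE_ENABLE = FALSE is accepted, and the later hunks (`@@ -238,6 +258,9 @@` in this file and the SgiPlatform.fdf hunk) would then pair SecureBootConfigDxe with the plain VariableRuntimeDxe, so PK/KEK/db would live in a variable store that is not backed by the authenticated service in the secure partition. I would fail the build rather than rely on the comment, e.g. `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURE_STORAGE_ENABLE) == FALSE` / `  !error "SECURE_BOOT_ENABLE requires SECURE_STORAGE_ENABLE"` / `!endif` placed right after the two DEFINEs. Whether `!error` is accepted inside this .dsc.inc depends on the BaseTools revision in use, so that is worth a quick check.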
@@ -22,6 +30,9 @@
NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.inf
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
# Virtio Support
VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
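Review bot: The MmUnblockMemoryLib mapping is gated on SECURE_BOOT_ENABLE, but the DXE-side consumer of that library class in this series appears to be VariableSmmRuntimeDxe, which the `@@ -238,6 +258,9 @@` hunk includes under SECURE_STORAGE_ENABLE. If that is the only consumer, a build with SECURE_STORAGE_ENABLE = TRUE and SECURE_BOOT_ENABLE = FALSE would fail to resolve the class; I would change the guard to `!if $(SECURE_STORAGE_ENABLE) == TRUE`. Mapping to the Null instance is only safe if the communication buffers are already reachable by the secure partition without any unblocking step, which this patch does not show; a one-line comment stating why Null is sufficient on these platforms would help the next reader.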
@@ -84,6 +95,7 @@
[PcdsFeatureFlag.common]
gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE
gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
[PcdsFixedAtBuild.common]
gArmTokenSpaceGuid.PcdVFPEnabled|1
@@ -230,7 +242,15 @@
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+ }
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!endif
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
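Review bot: The image verification policy that DxeImageVerificationLib will enforce is not visible from this hunk: the SECURE_BOOT_ENABLE branch links the library into SecurityStubDxe but sets none of its policy PCDs, so the SecurityPkg.dec defaults for option ROMs, removable media and fixed media silently decide what happens on a signature failure. I would either set gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy, PcdRemovableMediaImageVerificationPolicy and PcdFixedMediaImageVerificationPolicy explicitly in the platform's [PcdsFixedAtBuild] section, or add a comment above the `!if` such as `# Image verification policy comes from the SecurityPkg.dec defaults; override the *ImageVerificationPolicy PCDs to change it.` after confirming what those defaults are in the edk2 revision being built against.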
@@ -238,6 +258,9 @@
MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
@@ -245,6 +268,7 @@
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
}
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
#
# ACPI Support
@@ -314,4 +338,11 @@
#
MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+ <LibraryClasses>
+
NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
+ }
+!else
ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+!endif
diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
index 3389ff676a91..6839ec35da8a 100644
--- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
@@ -59,6 +59,19 @@
HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+
NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
[SAMI] There is a recent patch series that adds ARMv8.5 FEAT_RNG support
to BaseRngLib
see
https://github.com/tianocore/edk2/commit/9301e5644cef5a5234f71b178373dd508cabb9ee.
Can this be used instead of BaseRngLibTimerLib? BaseRngLibTimerLib is
for non-production use so it would be good to avoid.
However, this would require the Sgi platforms to be ARMv8.5 or above. If
they are not, could we conditionally use BaseRngLibTimerLib only for platforms
that do not support FEAT_RNG?
[/SAMI]
+
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
+ TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+ VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+!endif
################################################################################
#
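Review bot: PlatformSecureLib is resolved to PlatformSecureLibNull for the secure-partition variable service, and the `@@ -75,6 +88,12 @@` hunk additionally sets PcdUserPhysicalPresence to TRUE, so AuthVariableLib will treat the user as physically present on every boot. As I read AuthVariableLib, physical presence is the condition under which custom secure boot mode can be entered and PK/KEK can then be changed without a signed update, which weakens the protection of the secure boot keys against unauthorized pre-boot code. That is reasonable for bring-up, but a production Neoverse reference build should resolve PlatformSecureLib to an instance that derives physical presence from the platform, and the mapping deserves a comment to that effect, e.g. `# PlatformSecureLibNull reports physical presence unconditionally; replace for production.`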
@@ -75,6 +88,12 @@
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+ gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
+
###################################################################################################
#
# Components Section - list of the modules and components that will be
processed by compilation
@@ -101,6 +120,19 @@
[Components.AARCH64]
StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
+ <LibraryClasses>
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+ NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
+
NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
+
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+ }
+!endif
###################################################################################################
#
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
index cdf8aaa88f03..2cb4895cfcff 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -39,3 +39,18 @@
[PcdsFixedAtBuild]
## PL011 - Serial Terminal
gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ ##Secure NOR Flash 2
+ gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000
+
+ ##Secure Variable Storage in NOR Flash 2
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
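Review bot: The variable-store addresses in the new [PcdsFixedAtBuild] block restate the NOR flash 2 base by value: PcdFlashNvStorageVariableBase is 0x10000000, the same literal as PcdSmcCs2Base, and the FTW working/spare bases are that value plus the preceding region sizes. A single DEFINE for the flash base with the region bases derived from it (or at least a comment stating that the three 1 MiB regions are laid out back-to-back from PcdSmcCs2Base) would keep the layout from drifting when one value is edited; the same applies to the PlatformStandaloneMm2.dsc hunk, which repeats the pattern at 0x1054000000 with the *Base64 PCDs. For that second file it is also worth confirming that PcdSmcCs2Base is declared with a 64-bit datum type in SgiPlatform.dec, since it is assigned a value above 4 GiB there. A minor style point: the `##Secure NOR Flash 2` and `##Secure Variable Storage in NOR Flash 2` comments lack the space after `##` that the existing `## PL011 - Serial Terminal` comment uses.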
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
index bb359a15cc0d..46c2ae3529d1 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
@@ -38,3 +38,18 @@
[PcdsFixedAtBuild]
## PL011 - Serial Terminal
gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ ##Secure NOR Flash 2
+ gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000
+ gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000
+
+ ##Secure Variable Storage in NOR Flash 2
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x1054100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
index 5a0772cd8522..474c9c0ce764 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
@@ -49,6 +49,11 @@ READ_LOCK_CAP = TRUE
READ_LOCK_STATUS = TRUE
INF StandaloneMmPkg/Core/StandaloneMmCore.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+ INF
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+!endif
INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
################################################################################
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf
b/Platform/ARM/SgiPkg/SgiPlatform.fdf
index e11d943d6efc..d94e4633e36c 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
+++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
@@ -90,10 +90,17 @@ READ_LOCK_STATUS = TRUE
INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
- INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
+ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
#
# ACPI Support