On Tue, Sep 01, 2015 at 11:58:24AM +0200, Ard Biesheuvel wrote: > This allows the FVP target to be built with UEFI Secure Boot enabled, > by passing -D SECURE_BOOT_ENABLE to the build command line. Note that > you will need to disable the ARM BDS (-D USE_ARM_BDS=FALSE) or you will
I guess this message could also do with being reworded now? > not be able to enroll certificates, since the ARM BDS does not provide > a GUI to do so. > > The FVP Base model is recommended in this case, since the certificate > store is kept in NOR flash. > > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org> > Reviewed-by: Ryan Harkin <ryan.har...@linaro.org> > --- > ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc | 12 ++++++++++ > ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf | 7 ++++++ > ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc | 25 > ++++++++++++++++++++ > 3 files changed, 44 insertions(+) > > diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc > b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc > index 159194c8c731..ec29e65e3de5 100644 > --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc > +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc > @@ -251,7 +251,15 @@ [Components.common] > # > ArmPkg/Drivers/CpuDxe/CpuDxe.inf > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > + <LibraryClasses> > + > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > + } > + > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!else > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > +!endif > MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { > <LibraryClasses> 
> @@ -272,7 +280,11 @@ [Components.common] > MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > > ArmPkg/Drivers/ArmGic/ArmGicDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf > +!else > ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > +!endif > ArmPkg/Drivers/TimerDxe/TimerDxe.inf > ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf > ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf > diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf > b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf > index 2ab99e98c238..9b54e3967466 100644 > --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf > +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf > @@ -139,6 +139,9 @@ [FV.FvMain] > INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!endif > INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > INF > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > @@ -159,7 +162,11 @@ [FV.FvMain] > > INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf > INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf > +!else > INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf > +!endif > INF > ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf > INF ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf 
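Review bot: Switching between NorFlashDxe and NorFlashAuthenticatedDxe on SECURE_BOOT_ENABLE changes which driver owns the NOR variable store, and nothing in the hunk records what that implies for an existing flash image; if, as the name suggests, the authenticated variant formats the variable region with a different store header, a model booted with a NOR image written by the non-secure build will presumably fail to find (or will reinitialize) the store, silently dropping any PK/KEK/db previously enrolled. A one-line comment above the `!if`, e.g. `# NorFlashAuthenticatedDxe uses the authenticated variable store layout; flipping SECURE_BOOT_ENABLE on an existing NOR image means re-initializing the variable region`, would save the next person a confusing boot. The same caveat applies to the matching `!if` in the .fdf hunk below, which must stay in step with this one.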
> > diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc > b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc > index 03f8c2cd2160..19af996f8eda 100644 > --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc > +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc > @@ -14,6 +14,7 @@ > > [Defines] > USE_ARM_BDS = FALSE > + SECURE_BOOT_ENABLE = FALSE > > [BuildOptions.AARCH64.EDKII.DXE_RUNTIME_DRIVER] > GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 > @@ -131,8 +132,22 @@ [LibraryClasses.common] > FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf > SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf > > + # > + # Secure Boot dependencies > + # > +!if $(SECURE_BOOT_ENABLE) == TRUE > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + > + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree > + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > +!else > > TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf > > AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf > +!endif > VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > > !if $(USE_ARM_BDS) == FALSE 
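Review bot: The OvmfPkg PlatformSecureLib pulled in under `SECURE_BOOT_ENABLE` is described only as a "dummy implementation", which understates the trust consequence: that library, as far as I recall from the OVMF tree, makes `UserPhysicalPresent()` return TRUE unconditionally, and AuthVariableLib uses that answer to permit unauthenticated PK/KEK/db/dbx writes while Custom Mode is set, so any pre-OS application on this platform can rewrite the Secure Boot key store without a signed variable update. That is acceptable for a model but must not be copied to a silicon platform, and the comment should say so, e.g. `# OVMF's PlatformSecureLib reports physical presence unconditionally, so Custom Mode lets any UEFI app rewrite PK/KEK/db unauthenticated; FVP model only -- a real platform needs a PlatformSecureLib backed by a hardware presence signal`. It is also worth a comment that `TpmMeasurementLib` is switched to the real DxeTpmMeasurementLib although no TPM/TCG driver is added in this series; presumably it no-ops when no TCG protocol is installed, but that should be confirmed and stated next to the line.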
> @@ -236,6 +251,9 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] > > ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf > CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf > > ArmPlatformSysConfigLib|ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSysConfigRuntimeLib/ArmVExpressSysConfigRuntimeLib.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > +!endif > > [LibraryClasses.AARCH64.DXE_RUNTIME_DRIVER] > # > @@ -413,6 +431,13 @@ [PcdsFixedAtBuild.common] > gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, 0x04, > 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1 } > !endif > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + # override the default values from SecurityPkg to ensure images from all > sources are verified in secure boot > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 > + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 > + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 > +!endif > + > [Components.common] > MdeModulePkg/Universal/PCD/Dxe/Pcd.inf > > -- > 1.9.1 Reviewed-by: Leif Lindholm <leif.lindh...@linaro.org> (I could say tested-by, but I've only verified I could enroll keys if I wanted to, not actually tried to do it.) _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
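Review bot: The comment on the three `*ImageVerificationPolicy` overrides says only that images "from all sources are verified"; it should name the policy the value 0x04 selects, DENY_EXECUTE_ON_SECURITY_VIOLATION in SecurityPkg.dec, i.e. an unsigned or untrusted image is refused rather than deferred (0x03) or left to a user prompt (0x05), so a reader does not have to look up the magic number. Note also that these PCDs govern option ROM, fixed-media and removable-media images only; images loaded from the firmware volume are, as far as I recall, exempt in DxeImageVerificationLib, so the secure-boot guarantee still rests on the NOR flash contents being trusted, and the commit message itself says the certificate store lives in that same NOR flash. A suggested replacement comment: `# 0x04 = DENY_EXECUTE_ON_SECURITY_VIOLATION: refuse unsigned/untrusted images from option ROMs and fixed/removable media rather than deferring or prompting. FV-resident images are not subject to these policies.`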