On Tue, Sep 01, 2015 at 11:58:24AM +0200, Ard Biesheuvel wrote:
> This allows the FVP target to be built with UEFI Secure Boot enabled,
> by passing -D SECURE_BOOT_ENABLE to the build command line. Note that
> you will need to disable the ARM BDS (-D USE_ARM_BDS=FALSE) or you will

I guess this message could also do with being reworded now?

> not be able to enroll certificates, since the ARM BDS does not provide
> a GUI to do so.
> 
> The FVP Base model is recommended in this case, since the certificate
> store is kept in NOR flash.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> Reviewed-by: Ryan Harkin <ryan.har...@linaro.org>
> ---
>  ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc | 12 ++++++++++
>  ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf |  7 ++++++
>  ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc         | 25 
> ++++++++++++++++++++
>  3 files changed, 44 insertions(+)
> 
> diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc 
> b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc
> index 159194c8c731..ec29e65e3de5 100644
> --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc
> +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc
> @@ -251,7 +251,15 @@ [Components.common]
>    #
>    ArmPkg/Drivers/CpuDxe/CpuDxe.inf
>    MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> +    <LibraryClasses>
> +      
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +  }
> +  
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +!else
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> +!endif
>    MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>    MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
>      <LibraryClasses>
> @@ -272,7 +280,11 @@ [Components.common]
>    MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
>  
>    ArmPkg/Drivers/ArmGic/ArmGicDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf
> +!else
>    ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
> +!endif
>    ArmPkg/Drivers/TimerDxe/TimerDxe.inf
>    ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf
>    ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf
> diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf 
> b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf
> index 2ab99e98c238..9b54e3967466 100644
> --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf
> +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf
> @@ -139,6 +139,9 @@ [FV.FvMain]
>    INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
>    INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>    INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  INF 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +!endif
>    INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
>    INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>    INF 
> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
> @@ -159,7 +162,11 @@ [FV.FvMain]
>  
>    INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf
>    INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf
> +!else
>    INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
> +!endif
>    INF 
> ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf
>    INF ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf
>  
> diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc 
> b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc
> index 03f8c2cd2160..19af996f8eda 100644
> --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc
> +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc
> @@ -14,6 +14,7 @@
>  
>  [Defines]
>    USE_ARM_BDS         = FALSE
> +  SECURE_BOOT_ENABLE  = FALSE
>  
>  [BuildOptions.AARCH64.EDKII.DXE_RUNTIME_DRIVER]
>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
> @@ -131,8 +132,22 @@ [LibraryClasses.common]
>    FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>    SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
>  
> +  #
> +  # Secure Boot dependencies
> +  #
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +  
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> +  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +
> +  # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
> +  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> +!else
>    
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>    
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> +!endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>  
>  !if $(USE_ARM_BDS) == FALSE
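Review bot: The PlatformSecureLib mapping at the end of the `!if $(SECURE_BOOT_ENABLE)` block changes the physical-presence model, and the one-line comment above it does not say so. OvmfPkg's PlatformSecureLib is, as far as I recall, a stub whose UserPhysicalPresent() returns TRUE unconditionally, so the PK/KEK/db/dbx updates that SecureBootConfigDxe gates on physical presence are effectively gated on nothing on this platform; that is reasonable for a model like FVP, but the comment should record the consequence so the mapping is not copied to a real board. Suggested replacement for the comment: `# PlatformSecureLib from OvmfPkg is a stub: UserPhysicalPresent() always reports TRUE, so key enrollment via SecureBootConfigDxe is not gated on real physical presence. Acceptable for FVP; do not reuse on production hardware.` The same line also introduces a cross-package dependency: a SECURE_BOOT_ENABLE=TRUE build now needs OvmfPkg in the workspace in addition to SecurityPkg and CryptoPkg, which the commit message does not mention.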
> @@ -236,6 +251,9 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    
> ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf
>    CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
>    
> ArmPlatformSysConfigLib|ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSysConfigRuntimeLib/ArmVExpressSysConfigRuntimeLib.inf
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +!endif
>  
>  [LibraryClasses.AARCH64.DXE_RUNTIME_DRIVER]
>    #
> @@ -413,6 +431,13 @@ [PcdsFixedAtBuild.common]
>    gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, 0x04, 
> 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1 }
>  !endif
>  
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  # override the default values from SecurityPkg to ensure images from all 
> sources are verified in secure boot
> +  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
> +  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
> +  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
> +!endif
> +
>  [Components.common]
>    MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
>  
> -- 
> 1.9.1

Reviewed-by: Leif Lindholm <leif.lindh...@linaro.org>
(I could say tested-by, but I've only verified I could enroll keys if
I wanted to, not actually tried to do it.)
 