Re: [edk2] [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
On Fri, Mar 15, 2019 at 6:12 PM Ard Biesheuvel wrote: > > On Fri, 15 Mar 2019 at 13:30, Thomas Abraham wrote: > > > > On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel > > wrote: > > > > > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja > > > wrote: > > > > > > > > This implements support for UEFI secure boot on SGI platforms using > > > > the standalone MM framework. This moves all of the software handling > > > > of the UEFI authenticated variable store into the standalone MM > > > > context residing in a secure partition. > > > > > > > > Contributed-under: TianoCore Contribution Agreement 1.1 > > > > Signed-off-by: Jagadeesh Ujja > > > > --- > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++- > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ > > > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++- > > > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++- > > > > 4 files changed, 61 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > index 49fc919..b6aa90b 100644 > > > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc 
> > > > @@ -26,6 +26,7 @@ > > > >SKUID_IDENTIFIER = DEFAULT > > > >FLASH_DEFINITION = > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > > > >DEFINE DEBUG_MESSAGE = TRUE > > > > + DEFINE SECURE_BOOT_ENABLE = FALSE > > > > > > > > > > Maybe I wasn't clear before, but I don't see the point of building the > > > MM component without secure boot enabled. So can we drop this from > > > this side? > > > > Hi Ard, > > > > On the SGI platforms, the MM component is used for platform RAS error > > handling as well and secure boot is not mandatory in such a build. So > > the build of MM component is being kept independent of secure boot. > > > > Hi Thomas, > > When building the MM side of the platform without secure boot, the > only MM modules that are included are > > > > >INF StandaloneMmPkg/Core/StandaloneMmCore.inf > > > >INF > > > > StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > neither of which implement RAS handling. So are you saying this is > functionality that runs in MM context, but it has not been upstreamed > yet? Hi Ard, Yes, this functionality is yet to be upstreamed and there is work happening in that direction. So the MM build is being kept independent of the secure boot feature. Thanks, Thomas. > > > > > > > > > > > For the non-secure side, it is a different matter, obviously. > > > > > > ># LzmaF86 > > > >DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889 
> > > > @@ -83,7 +84,17 @@ > > > > > > > > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > > > > > > > > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > > > > > > > > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > > > > - > > > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > > > + > > > > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > > > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > > > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > > > + > > > > NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf > > > > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > > > + > > > > PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > > > > + > > > > SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > > > > + > > > > TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > > > > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > > > > +!endif > > > > > > > > > > > > # > > > > # Pcd Section - list of all EDK II PCD Entries defined by this Platform 
> > > > @@ -100,6 +111,21 @@ > > > > > > > >gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > > > > > > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > > > + #Secure Storage > > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > > > > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > > > > + > > > > + ## NV Storage - 1MB*3 in NOR2 Flash > > > > + > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x1040 > > > > + > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010 > > > > + > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x1050 > > > > + > > > >
Re: [edk2] [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
On Fri, 15 Mar 2019 at 13:47, Thomas Abraham wrote: > > On Fri, Mar 15, 2019 at 6:12 PM Ard Biesheuvel > wrote: > > > > On Fri, 15 Mar 2019 at 13:30, Thomas Abraham wrote: > > > > > > On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel > > > wrote: > > > > > > > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja > > > > wrote: > > > > > > > > > > This implements support for UEFI secure boot on SGI platforms using > > > > > the standalone MM framework. This moves all of the software handling > > > > > of the UEFI authenticated variable store into the standalone MM > > > > > context residing in a secure partition. > > > > > > > > > > Contributed-under: TianoCore Contribution Agreement 1.1 > > > > > Signed-off-by: Jagadeesh Ujja > > > > > --- > > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 > > > > > +++- > > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ > > > > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++- > > > > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++- > > > > > 4 files changed, 61 insertions(+), 3 deletions(-) > > > > > > > > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > > index 49fc919..b6aa90b 100644 > > > > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc 
> > > > > @@ -26,6 +26,7 @@ > > > > >SKUID_IDENTIFIER = DEFAULT > > > > >FLASH_DEFINITION = > > > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > > > > >DEFINE DEBUG_MESSAGE = TRUE > > > > > + DEFINE SECURE_BOOT_ENABLE = FALSE > > > > > > > > > > > > > Maybe I wasn't clear before, but I don't see the point of building the > > > > MM component without secure boot enabled. So can we drop this from > > > > this side? > > > > > > Hi Ard, > > > > > > On the SGI platforms, the MM component is used for platform RAS error > > > handling as well and secure boot is not mandatory in such a build. So > > > the build of MM component is being kept independent of secure boot. > > > > > > > Hi Thomas, > > > > When building the MM side of the platform without secure boot, the > > only MM modules that are included are > > > > > > >INF StandaloneMmPkg/Core/StandaloneMmCore.inf > > > > >INF > > > > > StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > > > neither of which implement RAS handling. So are you saying this is > > functionality that runs in MM context, but it has not been upstreamed > > yet? > > Hi Ard, > > Yes, this functionality is yet to be upstreamed and there is work > happening in that direction. So the MM build is being kept independent > of secure boot feature. > OK, fair enough. I will look in more detail once the NorFlashDxe changes are reviewed and merged. ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
On Fri, 15 Mar 2019 at 13:30, Thomas Abraham wrote: > > On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel > wrote: > > > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja wrote: > > > > > > This implements support for UEFI secure boot on SGI platforms using > > > the standalone MM framework. This moves all of the software handling > > > of the UEFI authenticated variable store into the standalone MM > > > context residing in a secure partition. > > > > > > Contributed-under: TianoCore Contribution Agreement 1.1 > > > Signed-off-by: Jagadeesh Ujja > > > --- > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++- > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ > > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++- > > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++- > > > 4 files changed, 61 insertions(+), 3 deletions(-) > > > > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > index 49fc919..b6aa90b 100644 > > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc 
> > > @@ -26,6 +26,7 @@ > > >SKUID_IDENTIFIER = DEFAULT > > >FLASH_DEFINITION = > > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > > >DEFINE DEBUG_MESSAGE = TRUE > > > + DEFINE SECURE_BOOT_ENABLE = FALSE > > > > > > > Maybe I wasn't clear before, but I don't see the point of building the > > MM component without secure boot enabled. So can we drop this from > > this side? > > Hi Ard, > > On the SGI platforms, the MM component is used for platform RAS error > handling as well and secure boot is not mandatory in such a build. So > the build of MM component is being kept independent of secure boot. > Hi Thomas, When building the MM side of the platform without secure boot, the only MM modules that are included are > > >INF StandaloneMmPkg/Core/StandaloneMmCore.inf > > >INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf neither of which implement RAS handling. So are you saying this is functionality that runs in MM context, but it has not been upstreamed yet? > > > > > For the non-secure side, it is a different matter, obviously. > > > > ># LzmaF86 > > >DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889 
> > > @@ -83,7 +84,17 @@ > > > > > > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > > > > > > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > > > > > > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > > > - > > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > > + > > > NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf > > > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > > + > > > PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > > > + > > > SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > > > + > > > TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > > > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > > > +!endif > > > > > > > > > # > > > # Pcd Section - list of all EDK II PCD Entries defined by this Platform 
> > > @@ -100,6 +111,21 @@ > > > > > >gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > > > > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > > + #Secure Storage > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > > > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > > > + > > > + ## NV Storage - 1MB*3 in NOR2 Flash > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x1040 > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010 > > > + > > > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x1050 > > > + > > > gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x0010 > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x1060 > > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x0010 > > > +!endif > > > + > > > > > > ### > > > # > > > # Components Section - list of the modules and components that will be > > > processed by compilation > > > @@ -125,6 +151,12 @@ > > >
Re: [edk2] [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
On Fri, Mar 15, 2019 at 5:51 PM Ard Biesheuvel wrote: > > On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja wrote: > > > > This implements support for UEFI secure boot on SGI platforms using > > the standalone MM framework. This moves all of the software handling > > of the UEFI authenticated variable store into the standalone MM > > context residing in a secure partition. > > > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Jagadeesh Ujja > > --- > > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++- > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ > > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++- > > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++- > > 4 files changed, 61 insertions(+), 3 deletions(-) > > > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > index 49fc919..b6aa90b 100644 > > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > > @@ -26,6 +26,7 @@ > >SKUID_IDENTIFIER = DEFAULT > >FLASH_DEFINITION = > > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > >DEFINE DEBUG_MESSAGE = TRUE > > + DEFINE SECURE_BOOT_ENABLE = FALSE > > > > Maybe I wasn't clear before, but I don't see the point of building the > MM component without secure boot enabled. So can we drop this from > this side? Hi Ard, On the SGI platforms, the MM component is used for platform RAS error handling as well and secure boot is not mandatory in such a build. So the build of the MM component is being kept independent of secure boot. Thanks, Thomas. > > For the non-secure side, it is a different matter, obviously. > > ># LzmaF86 > >DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889 
> > @@ -83,7 +84,17 @@ > >HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > > > > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > > > > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > > - > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > + > > NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf > > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > + > > PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > > + > > SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > > + > > TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > > +!endif > > > > > > # > > # Pcd Section - list of all EDK II PCD Entries defined by this Platform 
> > @@ -100,6 +111,21 @@ > > > >gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > + #Secure Storage > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > > + > > + ## NV Storage - 1MB*3 in NOR2 Flash > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x1040 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x1050 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x0010 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x1060 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x0010 > > +!endif > > + > > > > ### > > # > > # Components Section - list of the modules and components that will be > > processed by compilation > > @@ -125,6 +151,12 @@ > >StandaloneMmPkg/Core/StandaloneMmCore.inf > > > > [Components.AARCH64] > > +!if $(SECURE_BOOT_ENABLE) == TRUE > > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > > + > > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf > > +!endif > > + > >StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > > > > > ### > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > >
Re: [edk2] [PATCH edk2-platforms v2 3/3] Platform/ARM/SgiPkg: add MM based UEFI secure boot support
On Tue, 12 Mar 2019 at 17:06, Jagadeesh Ujja wrote: > > This implements support for UEFI secure boot on SGI platforms using > the standalone MM framework. This moves all of the software handling > of the UEFI authenticated variable store into the standalone MM > context residing in a secure partition. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Jagadeesh Ujja > --- > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 34 +++- > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++ > Platform/ARM/SgiPkg/SgiPlatform.dsc | 18 ++- > Platform/ARM/SgiPkg/SgiPlatform.fdf | 7 +++- > 4 files changed, 61 insertions(+), 3 deletions(-) > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > index 49fc919..b6aa90b 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > @@ -26,6 +26,7 @@ >SKUID_IDENTIFIER = DEFAULT >FLASH_DEFINITION = > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf >DEFINE DEBUG_MESSAGE = TRUE > + DEFINE SECURE_BOOT_ENABLE = FALSE > Maybe I wasn't clear before, but I don't see the point of building the MM component without secure boot enabled. So can we drop this from this side? For the non-secure side, it is a different matter, obviously. ># LzmaF86 >DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889 
> @@ -83,7 +84,17 @@ >HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf > > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf > > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf > - > +!if $(SECURE_BOOT_ENABLE) == TRUE > + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + > NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + > PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf > + > SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf > + > TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > +!endif > > > # > # Pcd Section - list of all EDK II PCD Entries defined by this Platform 
> @@ -100,6 +111,21 @@ > >gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2 > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + #Secure Storage > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 > + > + ## NV Storage - 1MB*3 in NOR2 Flash > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x1040 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x0010 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x1050 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x0010 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x1060 > + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x0010 > +!endif > + > > ### > # > # Components Section - list of the modules and components that will be > processed by compilation > @@ -125,6 +151,12 @@ >StandaloneMmPkg/Core/StandaloneMmCore.inf > > [Components.AARCH64] > +!if $(SECURE_BOOT_ENABLE) == TRUE > + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf > +!endif > + >StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf > > > ### > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > index 810460c..8c05a03 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf > @@ -55,6 +55,11 @@ READ_LOCK_CAP = TRUE > READ_LOCK_STATUS = TRUE > >INF StandaloneMmPkg/Core/StandaloneMmCore.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf > + INF > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf > + INF
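Review bot: the new `DEFINE SECURE_BOOT_ENABLE = FALSE` in the `@@ -26,6 +26,7 @@` hunk of PlatformStandaloneMm.dsc gates the entire authenticated-variable stack of the MM image, yet nothing in the dsc says why a secure-boot knob defaults to off; since the reason given in this thread is that the same MM image is also built for RAS handling that is not upstream yet, please put that in a one-line comment next to the DEFINE and in the commit message, so a reader of the dsc knows what a FALSE build still provides and that FALSE is not meant for a production secure-boot image.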
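Review bot: in the `@@ -83,7 +84,17 @@` hunk `PlatformSecureLib` resolves to `SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf`, and the `@@ -100,6 +111,21 @@` hunk pairs it with `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE`, so the MM variable service will report user physical presence unconditionally; that is acceptable for bring-up, but it removes the physical-presence gate the authenticated variable store relies on for key-database maintenance, so either mark the pair as a development default in a comment or plan a platform PlatformSecureLib that reads a real presence indication. Also, `TimerLib` maps to `BaseTimerLibNullTemplate` while the `@@ -125,6 +151,12 @@` hunk adds `NorFlashStandaloneMm.inf`; if that driver waits with MicroSecondDelay while polling flash status, the null template turns those waits into no-ops, so please confirm it does not depend on them.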
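Review bot: in the `@@ -100,6 +111,21 @@` hunk the comment `## NV Storage - 1MB*3 in NOR2 Flash` does not match the values quoted beneath it: the three `*Size` PCDs read `0x0010` and the `*Base` PCDs `0x1040`, `0x1050` and `0x1060`, which are neither 1MB regions nor 1MB apart. If the mail client truncated the hex literals no change is needed, but please check the committed values, and either way state in the comment what the base values are relative to (absolute address or offset into NOR2), since the FTW working and spare regions must not overlap the variable region or each other.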