[edk2,edk2-platforms,7/7] Platform/DeveloperBox: add MM based UEFI secure boot support

Message ID 20190104144336.8941-8-ard.biesheuvel@linaro.org
Series
  • Silicon/SynQuacer: implement SMM based secure boot

Commit Message

Ard Biesheuvel Jan. 4, 2019, 2:43 p.m.
This implements support for UEFI secure boot on DeveloperBox using
the standalone MM framework. This moves all of the software handling
of the UEFI authenticated variable store into the standalone MM
context residing in a secure partition.

Note that SynQuacer as configured today is not a truly secure
platform, since the NOR flash registers are accessible to the
non-secure world. However, from a software point of view, all
of the required pieces are in place. (In particular, it is no
longer possible for the OS to stub out authentication checks
in the validation code residing in RuntimeServicesCode regions)

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

---
 Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 23 +++++++++++++++++++-
 Platform/Socionext/DeveloperBox/DeveloperBox.fdf | 13 +++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

-- 
2.17.1


Patch

diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
index 666bd2716336..d244048c5a6b 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
@@ -28,6 +28,8 @@  [Defines]
   FLASH_DEFINITION               = Platform/Socionext/DeveloperBox/DeveloperBox.fdf
   BUILD_NUMBER                   = 1
 
+  DEFINE SECURE_BOOT_ENABLE      = FALSE
+
 !include Platform/Socionext/DeveloperBox/DeveloperBox.dsc.inc
 
 [BuildOptions.common.EDKII.DXE_CORE,BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
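Review bot: The new `SECURE_BOOT_ENABLE` define is undocumented at the point where it is introduced, and since it silently defaults to FALSE a reader of the DSC has no hint that the switch also selects a different FIP binary and a different variable-services stack further down. A short comment above the define would help, e.g. `# Set to TRUE (-D SECURE_BOOT_ENABLE=TRUE) to move authenticated variable handling into the StandaloneMm secure partition; requires the MM-enabled FIP referenced in the FDF.` The `[Defines]` section continues outside this hunk.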
@@ -165,6 +167,13 @@  [PcdsFixedAtBuild]
   g96BoardsTokenSpaceGuid.PcdGpioPinK|24
   g96BoardsTokenSpaceGuid.PcdGpioPinL|25
 
+  gArmTokenSpaceGuid.PcdMmBufferBase|0xFFC00000
+  gArmTokenSpaceGuid.PcdMmBufferSize|0x00200000
+
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+
 [PcdsDynamicExDefault.common.DEFAULT]
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareImageDescriptor|{0x0}|VOID*|0x100
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid|{0xf7, 0x89, 0x9b, 0xe9, 0x20, 0xc1, 0x25, 0x4b, 0x4d, 0xb1, 0x83, 0x94, 0xed, 0xb0, 0xb4, 0xf5}
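Review bot: `PcdMmBufferBase`/`PcdMmBufferSize` hard-code the shared MM communication buffer at 0xFFC00000/2 MiB, but nothing in this patch ties that range to what the secure side expects; if the secure partition manifest (not visible here) is ever changed, the mismatch will only surface at runtime. A comment such as `# Must match the non-secure shared buffer region declared for the StandaloneMm secure partition in the TF-A/MM FIP` would make the coupling explicit. The three image verification policy PCDs are set unconditionally rather than under `SECURE_BOOT_ENABLE`; that is harmless because they are only consumed by `DxeImageVerificationLib`, which is linked only when the flag is TRUE, but a comment stating that, and that 0x04 means deny-execute on a security violation per SecurityPkg.dec as I read it, would save the next reader a lookup. The `[PcdsFixedAtBuild]` section starts outside this hunk.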
@@ -223,7 +232,13 @@  [Components.common]
   }
   MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+!if $(SECURE_BOOT_ENABLE) == TRUE
+    <LibraryClasses>
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   ArmPkg/Drivers/TimerDxe/TimerDxe.inf
   ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.inf
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
@@ -251,6 +266,7 @@  [Components.common]
   # Variable services
   #
   Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
+!if $(SECURE_BOOT_ENABLE) == FALSE
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
@@ -260,6 +276,11 @@  [Components.common]
       TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
       VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   }
+!else
+  ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
 
   #
   # UEFI application (Shell Embedded Boot Loader)
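Review bot: In the `!else` branch the non-secure side now only gets `MmCommunication`, `VariableSmmRuntimeDxe` and `SecureBootConfigDxe`, while `Fip006Dxe` on the line just before this hunk remains in the component list unconditionally, so the non-secure world still carries a driver for the NOR flash that backs the variable store. The commit message acknowledges that the NOR registers are reachable from the non-secure world, but the DSC itself does not say where the authenticated-variable logic, VarCheck and TpmMeasurement choices went once they left this file. A comment in the `!else` branch along the lines of `# Authenticated variable store, auth checks and VarCheck now live in the StandaloneMm secure partition (see the MM FIP); only the NS-side proxies are built here` would document that. The enclosing `[Components.common]` section starts outside this hunk.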
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
index 4a234a36525e..7be40380efb4 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.fdf
@@ -51,7 +51,11 @@  [FD.SPI_NOR_IMAGE]
 ################################################################################
 
 0x00000000|0x00078000
+!if $(SECURE_BOOT_ENABLE) == FALSE
 FILE = Platform/Socionext/DeveloperBox/fip_all_arm_tf.bin
+!else
+FILE = Platform/Socionext/DeveloperBox/fip_all_arm_tf_mm.bin
+!endif
 
 0x00078000|0x00008000
 FILE = $(OUTPUT_DIRECTORY)/$(TARGET)_$(TOOL_CHAIN_TAG)/$(ARCH)/Silicon/Socionext/SynQuacer/Stage2Tables/Stage2Tables/OUTPUT/Stage2Tables.bin
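Review bot: The `!else` branch references `Platform/Socionext/DeveloperBox/fip_all_arm_tf_mm.bin`, but the diffstat lists only the DSC and FDF, so a build with `SECURE_BOOT_ENABLE=TRUE` will fail until that binary is provided out of tree or in a follow-up. Since the whole security argument rests on that FIP carrying the MM secure partition, it would help to say where it comes from and whether it is covered by the TF-A trusted-boot chain, which I cannot tell from this patch; a comment such as `# FIP with the StandaloneMm secure partition; must be produced from the matching TF-A build` would at least record the dependency. The `[FD.SPI_NOR_IMAGE]` region continues outside this hunk.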
@@ -122,9 +126,15 @@  [FV.FvMain]
   #
   # Variable services
   #
+!if $(SECURE_BOOT_ENABLE) == FALSE
   INF Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!else
+  INF ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
 
   #
   # UEFI applications
@@ -328,6 +338,9 @@  [FV.CapsuleDispatchFv]
 READ_LOCK_CAP      = TRUE
 READ_LOCK_STATUS   = TRUE
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF  Silicon/Socionext/SynQuacer/Drivers/Fip006Dxe/Fip006Dxe.inf
+!endif
   INF  SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.inf
 
 [FV.SystemFirmwareUpdateCargo]
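Review bot: Moving `Fip006Dxe` into `FV.CapsuleDispatchFv` for the secure-boot build means the non-secure world drives the NOR flash controller during capsule dispatch, and if the secure partition also accesses that controller for the variable store (which seems to be the intent, though the MM side is not visible here) nothing in this patch serialises the two. Whether that is safe depends on the capsule path running with MM variable access quiesced, so the reason for placing the driver here deserves a comment, e.g. `# NS flash driver is only dispatched for capsule update; with SECURE_BOOT_ENABLE the variable store is driven from the secure side instead`. The `[FV.CapsuleDispatchFv]` section starts outside this hunk.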