From patchwork Thu Apr 23 12:52:05 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 47457 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-wi0-f198.google.com (mail-wi0-f198.google.com [209.85.212.198]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 87F482121F for ; Thu, 23 Apr 2015 12:52:51 +0000 (UTC) Received: by wixv7 with SMTP id v7sf19195658wix.0 for ; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to :references:subject:precedence:reply-to:list-id:list-unsubscribe :list-archive:list-post:list-help:list-subscribe:mime-version :content-type:content-transfer-encoding:errors-to:x-original-sender :x-original-authentication-results:mailing-list; bh=RBV0L/dAUMDp2OVAikBMFNvKWHywBZp9MGYTluc3wz0=; b=hy1bJNsFqdZj5kgpIt/a3Gd9P/7ARCVREobl6OHwQWWoEqhy4sd2IpEA9pKUrEvb4C LWLIrH8lP9LfOVaEVKD7+eWj+Olo6mITMOIDb9hVHAS9mOg5WUsVl7VFvnOMHeuLjL97 ERzO2ck9PVpkki32G8zTHcN7BF6xxoLMp7txES5x1yynxOI2wzKzXq3bqdIdugxo1ANb 5qkKyrPA1T8RWbAKHRxRkx9XAcKcQFRYBUtPka927hd15vk7EFYkVV0RNEqdpkoJYJWB cLlmVYP21e5PRaMELBFWwYsjc/QNNzNzJwUPpr2dXJvCHNxVZILKBgeB0A7KG/yoaIKE SuPA== X-Gm-Message-State: ALoCoQkICl969g19xViWS3OmC1M/g1fd1PRDS+3wWHkhCYwui2s2uomkU6/jTpUe0YsIdepEYMKw X-Received: by 10.194.241.200 with SMTP id wk8mr1333039wjc.7.1429793570875; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.29.169 with SMTP id l9ls343967lah.52.gmail; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) X-Received: by 10.112.135.131 with SMTP id ps3mr2343601lbb.84.1429793570708; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) Received: from mail-la0-f42.google.com (mail-la0-f42.google.com. [209.85.215.42]) by mx.google.com with ESMTPS id as7si5923388lbc.107.2015.04.23.05.52.50 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Apr 2015 05:52:50 -0700 (PDT) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.42 as permitted sender) client-ip=209.85.215.42; Received: by layy10 with SMTP id y10so11894814lay.0 for ; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) X-Received: by 10.112.199.133 with SMTP id jk5mr2438993lbc.32.1429793570271; Thu, 23 Apr 2015 05:52:50 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.67.65 with SMTP id l1csp552530lbt; Thu, 23 Apr 2015 05:52:49 -0700 (PDT) X-Received: by 10.50.80.19 with SMTP id n19mr325433igx.30.1429793567764; Thu, 23 Apr 2015 05:52:47 -0700 (PDT) Received: from lists.sourceforge.net (lists.sourceforge.net. [216.34.181.88]) by mx.google.com with ESMTPS id fk1si15903328igb.51.2015.04.23.05.52.46 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 23 Apr 2015 05:52:47 -0700 (PDT) Received-SPF: pass (google.com: domain of edk2-devel-bounces@lists.sourceforge.net designates 216.34.181.88 as permitted sender) client-ip=216.34.181.88; Received: from localhost ([127.0.0.1] helo=sfs-ml-2.v29.ch3.sourceforge.com) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YlGcQ-0007mO-VV; Thu, 23 Apr 2015 12:52:38 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YlGcP-0007m8-IG for edk2-devel@lists.sourceforge.net; Thu, 23 Apr 2015 12:52:37 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of linaro.org designates 74.125.82.43 as permitted sender) client-ip=74.125.82.43; envelope-from=ard.biesheuvel@linaro.org; helo=mail-wg0-f43.google.com; Received: from mail-wg0-f43.google.com ([74.125.82.43]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YlGcO-00037S-CR for edk2-devel@lists.sourceforge.net; Thu, 23 Apr 2015 12:52:37 +0000 Received: by wgyo15 with SMTP id o15so17224484wgy.2 for ; Thu, 23 Apr 2015 05:52:30 -0700 (PDT) X-Received: by 10.194.184.10 with SMTP id eq10mr5188580wjc.147.1429793550060; Thu, 23 Apr 2015 05:52:30 -0700 (PDT) Received: from ards-macbook-pro.local ([84.78.25.77]) by mx.google.com with ESMTPSA id z12sm12018090wjw.39.2015.04.23.05.52.28 (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 23 Apr 2015 05:52:29 -0700 (PDT) From: Ard Biesheuvel To: edk2-devel@lists.sourceforge.net, lersek@redhat.com, olivier.martin@arm.com Date: Thu, 23 Apr 2015 14:52:05 +0200 Message-Id: <1429793525-28290-4-git-send-email-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 1.8.3.2 In-Reply-To: <1429793525-28290-1-git-send-email-ard.biesheuvel@linaro.org> References: <1429793525-28290-1-git-send-email-ard.biesheuvel@linaro.org> X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1YlGcO-00037S-CR Subject: [edk2] [PATCH 3/3] ArmVirtualizationPkg: enable secure boot for ArmVirtualizationQemu X-BeenThere: edk2-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: edk2-devel@lists.sourceforge.net List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , MIME-Version: 1.0 Errors-To: edk2-devel-bounces@lists.sourceforge.net X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: ard.biesheuvel@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.42 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 Signed-off-by: Ard Biesheuvel --- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc | 27 ++++++++++++++++++ ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 29 +++++++++++++++++++- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf | 9 ++++++ 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc index 59a08640aec8..2c06470f6ee1 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc @@ -113,6 +113,19 @@ XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf + # + # Secure Boot dependencies + # +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf @@ -198,6 +211,10 @@ ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.ARM] # # It is not possible to prevent the ARM compiler for generic intrinsic functions. @@ -324,6 +341,16 @@ # gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 + + # use the authenticated variable GUID + gArmPlatformTokenSpaceGuid.PcdVarStoreVariableGuid|{ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } +!endif + [Components.common] # # Networking stack diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index 310c31b0883c..c00406540a00 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc @@ -28,6 +28,12 @@ SKUID_IDENTIFIER = DEFAULT FLASH_DEFINITION = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf + # + # Defines for default states. These can be changed on the command line. + # -D FLAG=VALUE + # + DEFINE SECURE_BOOT_ENABLE = FALSE + !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc [LibraryClasses.AARCH64] @@ -233,7 +239,15 @@ ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + } +!else MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf @@ -253,9 +267,22 @@ # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + } + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf - MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf index 91c51ea31c4d..3594f3736f2f 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf @@ -118,7 +118,12 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf @@ -257,7 +262,11 @@ READ_LOCK_STATUS = TRUE INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf INF ArmPkg/Drivers/CpuPei/CpuPei.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {