Reviewed-by: Olivier Martin <olivier.mar...@arm.com> On 04/05/15 10:14, Ard Biesheuvel wrote: > This adds all the required modules and library dependencies so that > the ArmVirtualizationQemu platform can be built with support for > UEFI Secure Boot. This support consists of the OpenSSL crypto > library (whose source needs to be downloaded separately), the > authenticated variable store, and authentication of executables > before launching them. > > Contributed-under: TianoCore Contribution Agreement 1.0 > Reviewed-by: Laszlo Ersek <ler...@redhat.com> > Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org> > --- > ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc | 27 > +++++++++++++++++++++++++++ > ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 29 > ++++++++++++++++++++++++++++- > ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf | 9 +++++++++ > 3 files changed, 64 insertions(+), 1 deletion(-) > > diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc > b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc > index 59a08640aec8..2c06470f6ee1 100644 > --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc > +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc 
> @@ -113,6 +113,19 @@ > > XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf > > + # > + # Secure Boot dependencies > + # > +!if $(SECURE_BOOT_ENABLE) == TRUE > + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + > + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree > + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > +!endif > + > [LibraryClasses.common.SEC] > PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf > > ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf > @@ -198,6 +211,10 @@ > > ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf > CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > +!endif > + > [LibraryClasses.ARM] > # > # It is not possible to prevent the ARM compiler for generic intrinsic > functions. 
> @@ -324,6 +341,16 @@ > # > gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000 > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + # override the default values from SecurityPkg to ensure images from all > sources are verified in secure boot > + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 > + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 > + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 > + > + # use the authenticated variable GUID > + gArmPlatformTokenSpaceGuid.PcdVarStoreVariableGuid|{ 0x78, 0x2c, 0xf3, > 0xaa, 0x7b, 0x94, 0x9a, 0x43, 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } > +!endif > + > [Components.common] > # > # Networking stack > diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc > b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc > index 310c31b0883c..c00406540a00 100644 > --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc > +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc > @@ -28,6 +28,12 @@ > SKUID_IDENTIFIER = DEFAULT > FLASH_DEFINITION = > ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf > > + # > + # Defines for default states. These can be changed on the command line. > + # -D FLAG=VALUE > + # > + DEFINE SECURE_BOOT_ENABLE = FALSE > + > !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc > > [LibraryClasses.AARCH64] > @@ -233,7 +239,15 @@ > ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > ArmPkg/Drivers/CpuPei/CpuPei.inf > > +!if $(SECURE_BOOT_ENABLE) == TRUE > + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf { > + <LibraryClasses> > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > + } > +!else > MdeModulePkg/Universal/Variable/Pei/VariablePei.inf > +!endif > + > MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { > <LibraryClasses> > > NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf 
> @@ -253,9 +267,22 @@ > # > ArmPkg/Drivers/CpuDxe/CpuDxe.inf > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > + <LibraryClasses> > + > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > + } > + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { > + <LibraryClasses> > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > + } > + > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!else > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > - MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > +!endif > + MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf > diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf > b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf > index 91c51ea31c4d..3594f3736f2f 100644 > --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf > +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf 
> @@ -118,7 +118,12 @@ READ_LOCK_STATUS = TRUE > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf > INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf > + INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +!else > INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > +!endif > INF > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf > INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf > @@ -257,7 +262,11 @@ READ_LOCK_STATUS = TRUE > INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf > INF ArmPkg/Drivers/CpuPei/CpuPei.inf > INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf > +!if $(SECURE_BOOT_ENABLE) == TRUE > + INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf > +!else > INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf > +!endif > INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf > > FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
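Review bot: the "dummy implementation" comment on the PlatformSecureLib line in the first ArmVirtualization.dsc.inc hunk should spell out the security consequence rather than just the provenance: a UserPhysicalPresent() that always reports presence means the physical-presence-gated operations in SecureBootConfigDxe (enrolling or clearing PK, KEK and db) succeed for anyone with access to the setup UI, so on this platform the console, not a physical switch, is the Secure Boot trust root. That is an acceptable trade-off for a virtual machine, but it belongs in the comment or the commit message so platform integrators do not assume a real presence check is in place.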
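Review bot: the 16-byte array assigned to gArmPlatformTokenSpaceGuid.PcdVarStoreVariableGuid in the third ArmVirtualization.dsc.inc hunk is not self-describing; add a comment giving the GUID it encodes, gEfiAuthenticatedVariableGuid (aaf32c78-947b-439a-a180-2e144ec37792), so a reader can check the little-endian byte order against the MdePkg definition. Because the variable driver checks this GUID in the variable store header, a varstore flash image created by a build with SECURE_BOOT_ENABLE=FALSE will not be accepted by a firmware built with it TRUE (and vice versa); the commit message should say so, since users who flip the flag on an existing VM will lose their variables. The three image-verification policy PCDs set to 0x04 (deny execution of unverified images) are the right values for a Secure Boot build; the comment could name that meaning alongside the number.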
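Review bot: DEFINE SECURE_BOOT_ENABLE = FALSE is added to ArmVirtualizationQemu.dsc only, while the !if $(SECURE_BOOT_ENABLE) tests live in the shared ArmVirtualization.dsc.inc. Any other .dsc that includes that file (the XenIoMmioLib mapping in the first hunk suggests a Xen platform shares it) should carry the same DEFINE, or the .dsc.inc should supply a default, so the macro is never referenced undefined.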
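Review bot: in the DXE-components hunk of ArmVirtualizationQemu.dsc, the component-scoped BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf and OpensslLib overrides under VariableRuntimeDxe.inf duplicate mappings already added to ArmVirtualization.dsc.inc (OpensslLib in the first hunk; BaseCryptLib|RuntimeCryptLib.inf in the second hunk, assuming that section is [LibraryClasses.common.DXE_RUNTIME_DRIVER], whose header is outside the hunk). Either drop them or add a comment stating they are intentional pins, so the next reader does not wonder which mapping wins. Moving CapsuleRuntimeDxe.inf out of the !if/!else so it is listed once is the right call.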
edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel