2011-09-02 09:49:32 +02:00
## @file SecurityPkg.dec
# This package includes the security drivers, defintions(including PPIs/PROTOCOLs/GUIDs
# and library classes) and libraries instances.
#
2014-01-10 02:24:51 +01:00
# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
2011-09-02 09:49:32 +02:00
# This program and the accompanying materials are licensed and made available under
# the terms and conditions of the BSD License which accompanies this distribution.
# The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
DEC_SPECIFICATION = 0x00010005
PACKAGE_NAME = SecurityPkg
PACKAGE_GUID = 24369CAC-6AA6-4fb8-88DB-90BF061668AD
2014-01-10 02:24:51 +01:00
PACKAGE_VERSION = 0.93
2011-09-02 09:49:32 +02:00
[Includes]
Include
[LibraryClasses]
2014-01-28 08:00:06 +01:00
## @libraryclass Provides hash interfaces from different implementations.
#
2013-10-09 04:52:51 +02:00
HashLib|Include/Library/HashLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides a platform specific interface to detect physically present user.
#
2013-10-09 04:52:51 +02:00
PlatformSecureLib|Include/Library/PlatformSecureLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces to handle TPM 1.2 request.
#
2013-10-09 04:52:51 +02:00
TcgPhysicalPresenceLib|Include/Library/TcgPhysicalPresenceLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces for other modules to send TPM 2.0 command.
#
2013-09-18 07:31:18 +02:00
Tpm2CommandLib|Include/Library/Tpm2CommandLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces on how to access TPM 2.0 hardware device.
#
2013-09-18 07:31:18 +02:00
Tpm2DeviceLib|Include/Library/Tpm2DeviceLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces for other modules to send TPM 1.2 command.
#
2013-10-09 04:52:51 +02:00
Tpm12CommandLib|Include/Library/Tpm12CommandLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces on how to access TPM 1.2 hardware device.
#
2013-10-09 04:52:51 +02:00
Tpm12DeviceLib|Include/Library/Tpm12DeviceLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides TPM Interface Specification (TIS) interfaces for TPM command.
#
2013-10-09 04:52:51 +02:00
TpmCommLib|Include/Library/TpmCommLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides common interfaces about TPM measurement for other modules.
#
2013-09-18 07:31:18 +02:00
TpmMeasurementLib|Include/Library/TpmMeasurementLib.h
2014-01-28 08:00:06 +01:00
## @libraryclass Provides interfaces to handle TPM 2.0 request.
#
2013-10-09 04:52:51 +02:00
TrEEPhysicalPresenceLib|Include/Library/TrEEPhysicalPresenceLib.h
2011-09-02 09:49:32 +02:00
[Guids]
## Security package token space guid
# Include/Guid/SecurityPkgTokenSpace.h
2012-03-31 06:42:20 +02:00
gEfiSecurityPkgTokenSpaceGuid = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
2014-01-28 08:00:06 +01:00
2011-09-02 09:49:32 +02:00
## Guid acted as the authenticated variable store header's signature, and to specify the variable list entries put in the EFI system table.
# Include/Guid/AuthenticatedVariableFormat.h
2012-03-31 06:42:20 +02:00
gEfiAuthenticatedVariableGuid = { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } }
2011-09-02 09:49:32 +02:00
2014-01-28 08:00:06 +01:00
## GUID used to "SecureBootEnable" variable for the Secure Boot feature enable/disable.
# This variable is used for allowing a physically present user to disable Secure Boot via firmware setup without the possession of PKpriv.
2011-10-28 05:46:20 +02:00
# Include/Guid/AuthenticatedVariableFormat.h
2012-03-31 06:42:20 +02:00
gEfiSecureBootEnableDisableGuid = { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } }
2012-03-27 10:17:23 +02:00
2014-01-28 08:00:06 +01:00
## GUID used to "CustomMode" variable for two Secure Boot modes feature: "Custom" and "Standard".
# Standard Secure Boot mode is the default mode as UEFI Spec's description.
# Custom Secure Boot mode allows for more flexibility as specified in the following:
# Can enroll or delete PK without existing PK's private key.
# Can enroll or delete KEK without existing PK's private key.
# Can enroll or delete signature from DB/DBX without KEK's private key.
2012-03-27 10:17:23 +02:00
# Include/Guid/AuthenticatedVariableFormat.h
gEfiCustomModeEnableGuid = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }
2012-03-31 06:42:20 +02:00
2014-01-28 08:00:06 +01:00
## GUID used to "VendorKeysNv" variable to record the out of band secure boot keys modification.
# This variable is a read-only NV varaible that indicates whether someone other than the platform vendor has used a
# mechanism not defined by the UEFI Specification to transition the system to setup mode or to update secure boot keys.
2013-09-12 07:23:28 +02:00
# Include/Guid/AuthenticatedVariableFormat.h
gEfiVendorKeysNvGuid = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }
2014-01-28 08:00:06 +01:00
## GUID used to "certdb" variable to store the signer's certificates for common variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute.
2012-03-31 06:42:20 +02:00
# Include/Guid/AuthenticatedVariableFormat.h
gEfiCertDbGuid = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }
2011-10-28 05:46:20 +02:00
2014-01-28 08:00:06 +01:00
## Hob GUID used to pass a TCG_PCR_EVENT from a TPM PEIM to a TPM DXE Driver.
# Include/Guid/TcgEventHob.h
2013-08-09 07:23:22 +02:00
gTcgEventEntryHobGuid = { 0x2b9ffb52, 0x1b13, 0x416f, { 0xa8, 0x7b, 0xbc, 0x93, 0xd, 0xef, 0x92, 0xa8 }}
2011-09-02 09:49:32 +02:00
2014-01-28 08:00:06 +01:00
## HOB GUID used to pass all PEI measured FV info to DXE Driver.
# Include/Guid/MeasuredFvHob.h
2012-09-28 02:57:02 +02:00
gMeasuredFvHobGuid = { 0xb2360b42, 0x7173, 0x420a, { 0x86, 0x96, 0x46, 0xca, 0x6b, 0xab, 0x10, 0x60 }}
2012-09-11 04:26:50 +02:00
2014-01-28 08:00:06 +01:00
## GUID used to "PhysicalPresence" variable and "PhysicalPresenceFlags" variable for TPM request and response.
# Include/Guid/PhysicalPresenceData.h
2011-09-02 09:49:32 +02:00
gEfiPhysicalPresenceGuid = { 0xf6499b1, 0xe9ad, 0x493d, { 0xb9, 0xc2, 0x2f, 0x90, 0x81, 0x5c, 0x6c, 0xbc }}
2011-09-18 14:25:27 +02:00
2014-01-28 08:00:06 +01:00
## GUID used for form browser, password credential and provider identifier.
# Include/Guid/PwdCredentialProviderHii.h
2011-09-18 14:25:27 +02:00
gPwdCredentialProviderGuid = { 0x78b9ec8b, 0xc000, 0x46c5, { 0xac, 0x93, 0x24, 0xa0, 0xc1, 0xbb, 0x0, 0xce }}
2014-01-28 08:00:06 +01:00
## GUID used for form browser, USB credential and provider identifier.
# Include/Guid/UsbCredentialProviderHii.h
2011-09-18 14:25:27 +02:00
gUsbCredentialProviderGuid = { 0xd0849ed1, 0xa88c, 0x4ba6, { 0xb1, 0xd6, 0xab, 0x50, 0xe2, 0x80, 0xb7, 0xa9 }}
2014-01-28 08:00:06 +01:00
## GUID used for FormSet guid and user profile variable.
# Include/Guid/UserIdentifyManagerHii.h
2011-09-18 14:25:27 +02:00
gUserIdentifyManagerGuid = { 0x3ccd3dd8, 0x8d45, 0x4fed, { 0x96, 0x2d, 0x2b, 0x38, 0xcd, 0x82, 0xb3, 0xc4 }}
2014-01-28 08:00:06 +01:00
## GUID used for FormSet.
# Include/Guid/UserProfileManagerHii.h
2011-09-18 14:25:27 +02:00
gUserProfileManagerGuid = { 0xc35f272c, 0x97c2, 0x465a, { 0xa2, 0x16, 0x69, 0x6b, 0x66, 0x8a, 0x8c, 0xfe }}
2014-01-28 08:00:06 +01:00
## GUID used for FormSet.
# Include/Guid/TcgConfigHii.h
2011-09-18 14:25:27 +02:00
gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }}
2011-10-28 05:46:20 +02:00
2014-01-28 08:00:06 +01:00
## GUID used for FormSet.
# Include/Guid/SecureBootConfigHii.h
2011-10-28 05:46:20 +02:00
gSecureBootConfigFormSetGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}}
2014-01-28 08:00:06 +01:00
## GUID used to "TrEEPhysicalPresence" variable and "TrEEPhysicalPresenceFlags" variable for TPM2 request and response.
# Include/Guid/TrEEPhysicalPresenceData.h
2013-09-18 07:31:18 +02:00
gEfiTrEEPhysicalPresenceGuid = { 0xf24643c2, 0xc622, 0x494e, { 0x8a, 0xd, 0x46, 0x32, 0x57, 0x9c, 0x2d, 0x5b }}
2014-01-28 08:00:06 +01:00
## GUID value used for PcdTpmInstanceGuid to indicate TPM is disabled.
# Include/Guid/TpmInstance.h
2013-09-18 07:31:18 +02:00
gEfiTpmDeviceInstanceNoneGuid = { 0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }
2014-01-28 08:00:06 +01:00
## GUID value used for PcdTpmInstanceGuid to indicate TPM 1.2 device is selected to support.
# Include/Guid/TpmInstance.h
2013-09-18 07:31:18 +02:00
gEfiTpmDeviceInstanceTpm12Guid = { 0x8b01e5b6, 0x4f19, 0x46e8, { 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc } }
2014-01-28 08:00:06 +01:00
## GUID value used for PcdTpmInstanceGuid to indicate discrete TPM 2.0 device is selected to support.
# Include/Guid/TpmInstance.h
2013-09-18 07:31:18 +02:00
gEfiTpmDeviceInstanceTpm20DtpmGuid = { 0x286bf25a, 0xc2c3, 0x408c, { 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17 } }
2014-01-28 08:00:06 +01:00
## GUID used to select supported TPM instance from UI.
# Include/Guid/TpmInstance.h
2013-09-18 07:31:18 +02:00
gEfiTpmDeviceSelectedGuid = { 0x7f4158d3, 0x74d, 0x456d, { 0x8c, 0xb2, 0x1, 0xf9, 0xc8, 0xf7, 0x9d, 0xaa } }
2014-01-28 08:00:06 +01:00
## GUID used for FormSet and config variable.
# Include/Guid/TrEEConfigHii.h
2013-09-18 07:31:18 +02:00
gTrEEConfigFormSetGuid = {0xc54b425f, 0xaa79, 0x48b4, { 0x98, 0x1f, 0x99, 0x8b, 0x3c, 0x4b, 0x64, 0x1c }}
2011-09-02 09:49:32 +02:00
[Ppis]
## Include/Ppi/LockPhysicalPresence.h
gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } }
## Include/Ppi/TpmInitialized.h
gPeiTpmInitializedPpiGuid = { 0xe9db0d58, 0xd48d, 0x47f6, { 0x9c, 0x6e, 0x6f, 0x40, 0xe8, 0x6c, 0x7b, 0x41 }}
2013-09-18 07:31:18 +02:00
## Include/Ppi/FirmwareVolumeInfoMeasurementExcluded.h
gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid = { 0x6e056ff9, 0xc695, 0x4364, { 0x9e, 0x2c, 0x61, 0x26, 0xf5, 0xce, 0xea, 0xae } }
2011-09-02 09:49:32 +02:00
[PcdsFixedAtBuild]
## Pcd for OptionRom.
# Image verification policy settings:
# ALWAYS_EXECUTE 0x00000000
# NEVER_EXECUTE 0x00000001
# ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
2013-12-02 08:52:35 +01:00
# NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since
# it violates the UEFI specification and has been removed.
2013-08-28 11:06:40 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
2011-09-02 09:49:32 +02:00
## Pcd for removable media.
# Removable media include CD-ROM, Floppy, USB and network.
# Image verification policy settings:
# ALWAYS_EXECUTE 0x00000000
# NEVER_EXECUTE 0x00000001
# ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
2013-12-02 08:52:35 +01:00
# NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since
# it violates the UEFI specification and has been removed.
2013-08-28 11:06:40 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002
2011-09-02 09:49:32 +02:00
## Pcd for fixed media.
# Fixed media include hard disk.
# Image verification policy settings:
# ALWAYS_EXECUTE 0x00000000
# NEVER_EXECUTE 0x00000001
# ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
2013-12-02 08:52:35 +01:00
# NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since
# it violates the UEFI specification and has been removed.
2013-08-28 11:06:40 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003
2011-09-02 09:49:32 +02:00
## Defer Image Load policy settings.
# The policy is bitwise.
# If bit is set, the image from corresponding device will be trust when loading.
#
# IMAGE_UNKNOWN 0x00000001
# IMAGE_FROM_FV 0x00000002
# IMAGE_FROM_OPTION_ROM 0x00000004
# IMAGE_FROM_REMOVABLE_MEDIA 0x00000008
# IMAGE_FROM_FIXED_MEDIA 0x00000010
gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy|0x0000001F|UINT32|0x0000004
## The token file name used to save credential in USB credential provider driver.
# The specified file should be saved at the root directory of USB storage disk.
gEfiSecurityPkgTokenSpaceGuid.PcdFixedUsbCredentialProviderTokenFileName|L"Token.bin"|VOID*|0x00000005
## The size of Append variable buffer. This buffer is reserved for runtime use, OS can append data into one existing variable.
gEfiSecurityPkgTokenSpaceGuid.PcdMaxAppendVariableSize|0x2000|UINT32|0x30000005
## This PCD specifies the type of TCG platform that contains TPM chip.
# This PCD is only avaiable when PcdTpmPhysicalPresence is TRUE.
# If 0, TCG platform type is PC client.
# If 1, TCG platform type is server.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmPlatformClass|0|UINT8|0x00000006
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD indicates the presence or absence of the platform operator.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001
2012-07-26 07:11:47 +02:00
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD indicates whether to set TPM physicalPresenceLifetimeLock bit.
2014-01-23 04:19:38 +01:00
# Once this bit is set, it can not be cleared (It is locked for TPM life time).
2012-07-26 07:11:47 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock|FALSE|BOOLEAN|0x00010003
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD is used to specify the default value for physicalPresenceCMDEnable bit when setting physicalPresenceLifetimeLock bit.
2014-01-23 04:19:38 +01:00
# If PcdPhysicalPresenceCmdEnable is set to TRUE, physicalPresenceCMDEnable bit will be set, else this bit will be cleared.
2012-07-26 07:11:47 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable|TRUE|BOOLEAN|0x00010004
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD is used to specify the default value for physicalPresenceHWEnable bit when setting physicalPresenceLifetimeLock bit.
2014-01-23 04:19:38 +01:00
# If PcdPhysicalPresenceHwEnable is set to TRUE, physicalPresenceHWEnable bit will be set, else this bit will be cleared.
2012-07-26 07:11:47 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable|TRUE|BOOLEAN|0x00010005
2013-09-18 07:31:18 +02:00
[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
## This PCD indicates if debugger exists.
gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE|BOOLEAN|0x00010009
2014-01-13 14:42:42 +01:00
## This PCD indicates the TPM2 initialization policy.
2014-01-23 04:19:38 +01:00
# 0: No initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.
# 1: Initialization needed.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1|UINT8|0x0001000A
2014-01-13 14:42:42 +01:00
## This PCD indicates the TPM initialization policy.
2014-01-23 04:19:38 +01:00
# 0: No initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.
# 1: Initialization needed.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1|UINT8|0x0001000B
## This PCD indicates the TPM2 SelfTest policy.
2014-01-23 04:19:38 +01:00
# 0: No SelfTest needed - most likely used for fTPM, because it might already be tested.
# 1: SelfTest needed.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1|UINT8|0x0001000C
## This PCD indicates the TPM2 SCRTM policy.
2014-01-23 04:19:38 +01:00
# 0: No SCRTM needed - In this case, it is already done.
# 1: SCRTM done by BIOS.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1|UINT8|0x0001000D
## This PCD indicates the TPM SCRTM policy.
2014-01-23 04:19:38 +01:00
# 0: No SCRTM needed - In this case, it is already done.
# 1: SCRTM done by BIOS.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|UINT8|0x0001000E
## Guid name to identify TPM instance
2014-01-23 04:19:38 +01:00
# TPM_DEVICE_INTERFACE_NONE means disable
# TPM_DEVICE_INTERFACE_TPM12 means TPM1.2 DTPM
# TPM_DEVICE_INTERFACE_DTPM2 means TPM2 DTPM
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid |{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x0001000F
## This PCD indicates the TPM2 Hash mask.
2014-01-23 04:19:38 +01:00
# BIT0: SHA1
# BIT1: SHA256
# BIT2: SHA384
# BIT3: SHA512
# If this bit is set, that means this algorithm is needed to extend to PCR.
# If this bit is clear, that means this algorithm is NOT needed to extend to PCR.
# 0xFFFFFFFF means extend all.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0xFFFFFFFF|UINT32|0x00010010
## This PCD indicates if BIOS auto detect TPM1.2 or dTPM2.0.
2014-01-23 04:19:38 +01:00
# 0: No auto detection.
# 1: Auto detection.
2013-09-18 07:31:18 +02:00
gEfiSecurityPkgTokenSpaceGuid.PcdTpmAutoDetection|TRUE|BOOLEAN|0x00010011
## This PCD indicates TPM base address.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0xFED40000|UINT64|0x00010012
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>
Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED Encapsulation Section. The primary use case of this feature is in support of signing and verification of encapsulated FVs for Recovery and Capsule Update, but can potentially be used for signing and verification of any content that can be stored in a PI conformant FFS file. Signing operations are performed from python scripts that wrap OpenSsl command line utilities. Verification operations are performed using the OpenSsl libraries in the CryptoPkg.
The guided encapsulation sections uses the UEFI 2.4 Specification defined GUID called EFI_CERT_TYPE_RSA2048_SHA256_GUID. The data layout for the encapsulation section starts with the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed immediately by the data. The signing tool included in these patches performs encode/decode operations using this data layout. HashType is set to the UEFI 2.4 Specification defined GUID called EFI_HASH_ALGORITHM_SHA256_GUID.
MdePkg/Include/Guid/WinCertificate.h
=================================
//
// WIN_CERTIFICATE_UEFI_GUID.CertType
//
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
{0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
///
/// WIN_CERTIFICATE_UEFI_GUID.CertData
///
typedef struct {
EFI_GUID HashType;
UINT8 PublicKey[256];
UINT8 Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;
MdePkg/Include/Protocol/Hash.h
=================================
#define EFI_HASH_ALGORITHM_SHA256_GUID \
{ \
0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
}
The verification operations require the use of public key(s). A new PCD called gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg that supports one or more SHA 256 hashes of the public keys. A SHA 256 hash is performed to minimize the FLASH overhead of storing the public keys. When a verification operation is performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a check is made to see if that hash matches any of the hashes in the new PCD. It is recommended that this PCD always be configured in the DSC file as storage type of [PcdsDynamixExVpd], so the public keys are stored in a protected read-only region.
While working on this feature, I noticed that the CRC32 signing and verification feature was incomplete. It only supported CRC32 based verification in the DXE Phase, so the attached patches also provide support for CRC32 based verification in the PEI Phase.
I also noticed that the most common method for incorporating guided section extraction libraries was to directly link them to the DXE Core, which is not very flexible. The attached patches also add a generic section extraction PEIM and a generic section extraction DXE driver that can each be linked against one or more section extraction libraries. This provides a platform developer with the option of providing section extraction services with the DXE Core or providing section extraction services with these generic PEIM/DXE Drivers.
Patch Summary
==============
1) BaseTools - Rsa2049Sha256Sign python script that can perform test signing or custom signing of PI FFS file GUIDed sections
a. Wrapper for a set of OpenSsl command line utility operations
b. OpenSsl command line tool must be installed in location that is in standard OS path or in path specified by OS environment variable called OPENSSL_PATH
c. Provides standard EDK II command line arguments for a tool that encodes/decodes guided encapsulation section
Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256Sign -e|-d [options] <input_file>
positional arguments:
input_file specify the input filename
optional arguments:
-e encode file
-d decode file
-o filename, --output filename
specify the output filename
--private-key PRIVATEKEYFILE
specify the private key filename. If not specified, a
test signing key is used.
-v, --verbose increase output messages
-q, --quiet reduce output messages
--debug [0-9] set debug level
--version display the program version and exit
-h, --help display this help text
2) BaseTools - Rsa2049Sha256GenerateKeys python script that can generate new private/public key and PCD value that is SHA 256 hash of public key using OpenSsl command line utilities.
a. Wrapper for a set of OpenSsl command line utility operations
b. OpenSsl command line tool must be installed in location that is in standard path or in path specified by OS environment variable called OPENSSL_PATH
Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256GenerateKeys [options]
optional arguments:
-o [filename [filename ...]], --output [filename [filename ...]]
specify the output private key filename in PEM format
-i [filename [filename ...]], --input [filename [filename ...]]
specify the input private key filename in PEM format
--public-key-hash PUBLICKEYHASHFILE
specify the public key hash filename that is SHA 256
hash of 2048 bit RSA public key in binary format
--public-key-hash-c PUBLICKEYHASHCFILE
specify the public key hash filename that is SHA 256
hash of 2048 bit RSA public key in C structure format
-v, --verbose increase output messages
-q, --quiet reduce output messages
--debug [0-9] set debug level
--version display the program version and exit
-h, --help display this help text
3) BaseTools\Conf\tools_def.template
a. Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to use alternate private/public key
b. GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID
c. Tool is Rsa2049Sha256Sign
4) MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib
a. Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform basic integrity checks of PEI and DXE components
5) MdeModulePkg\Universal\SectionExtractionPei
a. Generic PEIM that can link against one or more NULL section extraction library instances to provided one or more GUIDED Section Extraction PPIs
6) MdeModulePkg\Universal\SectionExtractionDxe
a. Generic DXE Driver that can link against one or more NULL section extraction library instances to provide one or more GUIDED Section Extraction Protocols.
7) SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib
a. NULL library instances that performs PEI phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
b. Based on algorithms from SecurityPkg Authenticated Variable services
c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
8) SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib
a. NULL library instances that performs DXE phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
b. Based on algorithms from SecurityPkg Authenticated Variable services
c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15801 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-14 08:31:34 +02:00
## Provides one or more SHA 256 Hashes of the RSA 2048 public keys used to verify Recovery and Capsule Update images
#
# @Prompt One or more SHA 256 Hashes of RSA 2048 bit public keys used to verify Recovery and Capsule Update images
#
gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}|VOID*|0x00010013