From 465be78e4d7c2ac2c21e5a673afa323d097a4a7b Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 1 Sep 2015 17:29:23 +0000 Subject: [PATCH] ArmPlatformPkg/ArmVExpress-FVP: enable UEFI Secure Boot This allows the FVP target to be built with UEFI Secure Boot enabled, by passing -D SECURE_BOOT_ENABLE to the build command line. Note that this requires the Intel BDS, or you will not be able to enroll certificates, since the ARM BDS does not provide a GUI to do so. The FVP Base model is recommended in this case, since the certificate store is kept in NOR flash. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel Reviewed-by: Ryan Harkin Reviewed-by: Leif Lindholm git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18379 6f19259b-4bc3-4df7-8a09-765794883524 --- .../ArmVExpress-FVP-AArch64.dsc | 12 +++++++++ .../ArmVExpress-FVP-AArch64.fdf | 7 ++++++ .../ArmVExpressPkg/ArmVExpress.dsc.inc | 25 +++++++++++++++++++ 3 files changed, 44 insertions(+) diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc index 159194c8c7..ec29e65e3d 100644 --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.dsc @@ -251,7 +251,15 @@ # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!endif MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { @@ -272,7 +280,11 @@ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf ArmPkg/Drivers/ArmGic/ArmGicDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif ArmPkg/Drivers/TimerDxe/TimerDxe.inf ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf index 2ab99e98c2..9b54e39674 100644 --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress-FVP-AArch64.fdf @@ -139,6 +139,9 @@ FvNameGuid = 87940482-fc81-41c3-87e6-399cf85ac8a0 INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf @@ -159,7 +162,11 @@ FvNameGuid = 87940482-fc81-41c3-87e6-399cf85ac8a0 INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif INF ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf INF ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf diff --git a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc index 03f8c2cd21..19af996f8e 100644 --- a/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc +++ b/ArmPlatformPkg/ArmVExpressPkg/ArmVExpress.dsc.inc @@ -14,6 +14,7 @@ [Defines] USE_ARM_BDS = FALSE + SECURE_BOOT_ENABLE = FALSE [BuildOptions.AARCH64.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 @@ -131,8 +132,22 @@ FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf + # + # Secure Boot dependencies + # +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf !if $(USE_ARM_BDS) == FALSE @@ -236,6 +251,9 @@ ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf ArmPlatformSysConfigLib|ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSysConfigRuntimeLib/ArmVExpressSysConfigRuntimeLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.AARCH64.DXE_RUNTIME_DRIVER] # @@ -413,6 +431,13 @@ gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1 } !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [Components.common] MdeModulePkg/Universal/PCD/Dxe/Pcd.inf