mirror of https://github.com/acidanthera/audk.git
ArmPlatformPkg/ArmVExpress-FVP: enable UEFI Secure Boot
This allows the FVP target to be built with UEFI Secure Boot enabled, by passing -D SECURE_BOOT_ENABLE to the build command line. Note that this requires the Intel BDS, or you will not be able to enroll certificates, since the ARM BDS does not provide a GUI to do so. The FVP Base model is recommended in this case, since the certificate store is kept in NOR flash. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18379 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Ard Biesheuvel
abiesheuvel
parent
f46ac5fb69
commit
465be78e4d
|
|
@ -251,7 +251,15 @@
|
|||
#
|
||||
ArmPkg/Drivers/CpuDxe/CpuDxe.inf
|
||||
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
|
||||
<LibraryClasses>
|
||||
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
|
||||
}
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
!else
|
||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
|
||||
!endif
|
||||
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
|
||||
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
|
||||
<LibraryClasses>
|
||||
|
|
@ -272,7 +280,11 @@
|
|||
MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
|
||||
|
||||
ArmPkg/Drivers/ArmGic/ArmGicDxe.inf
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf
|
||||
!else
|
||||
ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
|
||||
!endif
|
||||
ArmPkg/Drivers/TimerDxe/TimerDxe.inf
|
||||
ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf
|
||||
ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf
|
||||
|
|
|
|||
|
|
@ -139,6 +139,9 @@ FvNameGuid = 87940482-fc81-41c3-87e6-399cf85ac8a0
|
|||
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
|
||||
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
|
||||
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
!endif
|
||||
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
|
||||
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
|
||||
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
|
||||
|
|
@ -159,7 +162,11 @@ FvNameGuid = 87940482-fc81-41c3-87e6-399cf85ac8a0
|
|||
|
||||
INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf
|
||||
INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf
|
||||
!else
|
||||
INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
|
||||
!endif
|
||||
INF ArmPlatformPkg/Drivers/LcdGraphicsOutputDxe/PL111LcdGraphicsOutputDxe.inf
|
||||
INF ArmPlatformPkg/Drivers/SP805WatchdogDxe/SP805WatchdogDxe.inf
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
[Defines]
|
||||
USE_ARM_BDS = FALSE
|
||||
SECURE_BOOT_ENABLE = FALSE
|
||||
|
||||
[BuildOptions.AARCH64.EDKII.DXE_RUNTIME_DRIVER]
|
||||
GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
|
||||
|
|
@ -131,8 +132,22 @@
|
|||
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
|
||||
SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
|
||||
|
||||
#
|
||||
# Secure Boot dependencies
|
||||
#
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
|
||||
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
|
||||
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
|
||||
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
|
||||
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
|
||||
|
||||
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
|
||||
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
|
||||
!else
|
||||
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
|
||||
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
|
||||
!endif
|
||||
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
|
||||
|
||||
!if $(USE_ARM_BDS) == FALSE
|
||||
|
|
@ -236,6 +251,9 @@
|
|||
ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf
|
||||
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
|
||||
ArmPlatformSysConfigLib|ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSysConfigRuntimeLib/ArmVExpressSysConfigRuntimeLib.inf
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
|
||||
!endif
|
||||
|
||||
[LibraryClasses.AARCH64.DXE_RUNTIME_DRIVER]
|
||||
#
|
||||
|
|
@ -413,6 +431,13 @@
|
|||
gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1 }
|
||||
!endif
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
# override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
|
||||
!endif
|
||||
|
||||
[Components.common]
|
||||
MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue