UefiPayloadPkg: Add Secure Boot support
Introduce Secure Boot functionality within UefiPayloadPkg by adding the necessary modules and configuration. A new build flag, `SECURE_BOOT_ENABLE`, controls whether Secure Boot is built in. This patch also overrides PCD values from SecurityPkg so that images from all sources are verified. A new FV (`SECURITY_FV`) for security modules is added, and the firmware volume sizes are increased to accommodate the additional Secure Boot components. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Sean Rhodes <sean@starlabs.systems>
This commit is contained in:
parent
7bac0a940e
commit
da1c6dd62a
@ -96,5 +96,6 @@
|
||||
"BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
|
||||
"BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
|
||||
"BLD_*_BUILD_ARCH": "",
|
||||
"BLD_*_SECURE_BOOT_ENABLE": "TRUE",
|
||||
}
|
||||
}
|
||||
|
@ -154,6 +154,11 @@
|
||||
|
||||
DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE
|
||||
|
||||
#
|
||||
# Security
|
||||
#
|
||||
DEFINE SECURE_BOOT_ENABLE = FALSE
|
||||
|
||||
[BuildOptions]
|
||||
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
|
||||
!if $(USE_CBMEM_FOR_CONSOLE) == FALSE
|
||||
@ -305,7 +310,17 @@
|
||||
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
|
||||
!endif
|
||||
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
|
||||
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
|
||||
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
|
||||
PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
|
||||
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
|
||||
!else
|
||||
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
|
||||
!endif
|
||||
|
||||
!if $(VARIABLE_SUPPORT) == "EMU"
|
||||
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
|
||||
!elseif $(VARIABLE_SUPPORT) == "SPI"
|
||||
@ -396,6 +411,9 @@
|
||||
!endif
|
||||
|
||||
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
|
||||
!endif
|
||||
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
|
||||
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
|
||||
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf
|
||||
@ -527,6 +545,13 @@
|
||||
!endif
|
||||
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
# Override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
|
||||
!endif
|
||||
|
||||
[PcdsPatchableInModule.X64]
|
||||
!if $(NETWORK_DRIVER_ENABLE) == TRUE
|
||||
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
|
||||
@ -716,8 +741,18 @@
|
||||
# Components that produce the architectural protocols
|
||||
#
|
||||
!if $(SECURITY_STUB_ENABLE) == TRUE
|
||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
|
||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
|
||||
<LibraryClasses>
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
|
||||
!endif
|
||||
}
|
||||
!endif
|
||||
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
!endif
|
||||
|
||||
UefiCpuPkg/CpuDxe/CpuDxe.inf
|
||||
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
|
||||
!if $(BOOTSPLASH_IMAGE)
|
||||
|
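Review bot: The only part of this change that actually verifies images, `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf`, is nested inside the existing `!if $(SECURITY_STUB_ENABLE) == TRUE` block in the components hunk, so a build with `SECURE_BOOT_ENABLE = TRUE` but the security stub disabled still links AuthVariableLib and SecureBootConfigDxe and lets the user enrol keys, yet no loaded image is ever checked; the DSC should reject that combination next to the new `DEFINE SECURE_BOOT_ENABLE = FALSE`, e.g. `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURITY_STUB_ENABLE) == FALSE` / `!error "SECURE_BOOT_ENABLE requires SECURITY_STUB_ENABLE"` / `!endif`. The `PlatformSecureLibNull` instance chosen for `PlatformSecureLib` is, as far as I recall, the one whose `UserPhysicalPresent()` returns TRUE unconditionally, which leaves the physical-presence gate on custom-mode key enrolment in AuthVariableLib and SecureBootConfigDxe open to anyone with console access at boot; acceptable for a generic payload, but it deserves a comment such as `# PlatformSecureLibNull reports physical presence unconditionally; platforms with a real PP signal should override this instance`. The three `PcdXxxImageVerificationPolicy|0x04` overrides (DENY_EXECUTE_ON_SECURITY_VIOLATION) appear to match SecurityPkg.dec's defaults, so the comment above them should say they pin intent rather than change behaviour. With the emulated variable store (`VARIABLE_SUPPORT == "EMU"`, visible in the library hunk) any enrolled PK/KEK/db is volatile and the platform would come up in Setup Mode on every boot, so that combination with `SECURE_BOOT_ENABLE` should at least be documented, if not rejected the same way.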
@ -17,8 +17,8 @@ DEFINE FD_SIZE = 0x00850000
|
||||
DEFINE NUM_BLOCKS = 0x850
|
||||
!else
|
||||
|
||||
DEFINE FD_SIZE = 0x00590000
|
||||
DEFINE NUM_BLOCKS = 0x590
|
||||
DEFINE FD_SIZE = 0x00700000
|
||||
DEFINE NUM_BLOCKS = 0x700
|
||||
!endif
|
||||
|
||||
################################################################################
|
||||
@ -208,6 +208,12 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
|
||||
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
|
||||
!endif
|
||||
|
||||
!if $(UNIVERSAL_PAYLOAD) == FALSE
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
!endif
|
||||
!endif
|
||||
|
||||
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
|
||||
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
|
||||
!if $(MEMORY_TEST) == "GENERIC"
|
||||
@ -333,6 +339,35 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
|
||||
INF ShellPkg/Application/Shell/Shell.inf
|
||||
!endif
|
||||
|
||||
!if $(UNIVERSAL_PAYLOAD) == TRUE
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
|
||||
[FV.SECFV]
|
||||
FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
|
||||
BlockSize = $(FD_BLOCK_SIZE)
|
||||
FvForceRebase = FALSE
|
||||
FvAlignment = 16
|
||||
ERASE_POLARITY = 1
|
||||
MEMORY_MAPPED = TRUE
|
||||
STICKY_WRITE = TRUE
|
||||
LOCK_CAP = TRUE
|
||||
LOCK_STATUS = TRUE
|
||||
WRITE_DISABLED_CAP = TRUE
|
||||
WRITE_ENABLED_CAP = TRUE
|
||||
WRITE_STATUS = TRUE
|
||||
WRITE_LOCK_CAP = TRUE
|
||||
WRITE_LOCK_STATUS = TRUE
|
||||
READ_DISABLED_CAP = TRUE
|
||||
READ_ENABLED_CAP = TRUE
|
||||
READ_STATUS = TRUE
|
||||
READ_LOCK_CAP = TRUE
|
||||
READ_LOCK_STATUS = TRUE
|
||||
|
||||
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
|
||||
!endif
|
||||
!endif
|
||||
|
||||
|
||||
################################################################################
|
||||
#
|
||||
|
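Review bot: The new volume is declared as `[FV.SECFV]` while the commit message calls it `SECURITY_FV`, and `SECFV` is the name most EDK2 platform FDFs use for the SEC-phase volume, so a reader will assume it holds SEC code rather than SecureBootConfigDxe; a name like `SECUREBOOTFV` (with the matching `sec_fv`/`SecfvPath` identifiers in the Python build script renamed alongside) would avoid the collision. The FV header also deserves a caveat that the image verification enabled by this commit applies to images loaded through LoadImage from option ROMs and media, not to drivers dispatched from this or any other FV, so the integrity of `SECFV` and of the variable store holding PK/KEK/db rests on the host bootloader verifying the whole payload, e.g. `# Contents are dispatched without signature checks; payload integrity must be assured by the platform's verified boot`. The `FvNameGuid` must be unique among the payload's FVs, which I cannot confirm from this hunk. In the `!else` branch of the FD size selection (whose condition is outside the hunk) the FD grows from 0x590000 to 0x700000 unconditionally, i.e. also when `SECURE_BOOT_ENABLE` is FALSE; if that is intentional a one-line comment saying why would help.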
@ -144,6 +144,7 @@ def BuildUniversalPayload(Args):
|
||||
EntryModuleInf = os.path.normpath("UefiPayloadPkg/UefiPayloadEntry/{}.inf".format (UpldEntryFile))
|
||||
DxeFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv"))
|
||||
BdsFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv"))
|
||||
SecFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv"))
|
||||
NetworkFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))
|
||||
PayloadReportPath = os.path.join(BuildDir, "UefiUniversalPayload.txt")
|
||||
ModuleReportPath = os.path.join(BuildDir, "UefiUniversalPayloadEntry.txt")
|
||||
@ -212,6 +213,7 @@ def BuildUniversalPayload(Args):
|
||||
MultiFvList = [
|
||||
['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ],
|
||||
['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ],
|
||||
['sec_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ],
|
||||
['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))],
|
||||
]
|
||||
|
||||
@ -234,6 +236,7 @@ def BuildUniversalPayload(Args):
|
||||
fit_image_info_header.TargetPath = os.path.join(BuildDir, 'UniversalPayload.fit')
|
||||
fit_image_info_header.UefifvPath = DxeFvOutputDir
|
||||
fit_image_info_header.BdsfvPath = BdsFvOutputDir
|
||||
fit_image_info_header.SecfvPath = SecFvOutputDir
|
||||
fit_image_info_header.NetworkfvPath = NetworkFvOutputDir
|
||||
fit_image_info_header.DataOffset = 0x1000
|
||||
fit_image_info_header.LoadAddr = Args.LoadAddress
|
||||
|
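Review bot: The new `['sec_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ]` entry in `MultiFvList` rebuilds the exact path that `SecFvOutputDir` already holds a few lines earlier (the existing dxe/bds/network entries do the same), so `['sec_fv', SecFvOutputDir]` would keep the two in lockstep if the FV name changes. SECFV.Fv is only produced when the FDF's `SECURE_BOOT_ENABLE` is TRUE, while this entry and `fit_image_info_header.SecfvPath = SecFvOutputDir` are set unconditionally; the code that consumes `MultiFvList` is outside the hunk, so I cannot tell whether a missing file is skipped or fails the build — the `network_fv` entry is conditional in the same way, so presumably it is skipped, but that is worth confirming and stating with a comment like `# FVs for disabled features are not built and are expected to be absent`. `BuildUniversalPayload` starts and ends outside the hunk.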