UefiPayloadPkg: Add Secure Boot support

Introduce Secure Boot functionality within UefiPayloadPkg by adding
necessary modules and configurations. A new build flag,
`SECURE_BOOT_ENABLE`, is introduced to control the activation of
Secure Boot.

This patch also overrides values in SecurityPkg to enforce image
verification from all sources.

A new FV (`SECURITY_FV`) for security modules is added for components
and the firmware volume sizes to accommodate additional Secure Boot
components.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
This commit is contained in:
Sean Rhodes 2024-09-19 20:36:50 +01:00 committed by mergify[bot]
parent 7bac0a940e
commit da1c6dd62a
4 changed files with 77 additions and 3 deletions

View File

@ -96,5 +96,6 @@
"BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
"BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
"BLD_*_BUILD_ARCH": "",
"BLD_*_SECURE_BOOT_ENABLE": "TRUE",
}
}

View File

@ -154,6 +154,11 @@
DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE
#
# Security
#
DEFINE SECURE_BOOT_ENABLE = FALSE
[BuildOptions]
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
!if $(USE_CBMEM_FOR_CONSOLE) == FALSE
@ -305,7 +310,17 @@
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
!endif
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
!if $(VARIABLE_SUPPORT) == "EMU"
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
!elseif $(VARIABLE_SUPPORT) == "SPI"
@ -396,6 +411,9 @@
!endif
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
!if $(SECURE_BOOT_ENABLE) == TRUE
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
!endif
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf
@ -527,6 +545,13 @@
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
# Override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
[PcdsPatchableInModule.X64]
!if $(NETWORK_DRIVER_ENABLE) == TRUE
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
@ -716,8 +741,18 @@
# Components that produce the architectural protocols
#
!if $(SECURITY_STUB_ENABLE) == TRUE
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
!if $(SECURE_BOOT_ENABLE) == TRUE
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
!endif
}
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
UefiCpuPkg/CpuDxe/CpuDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
!if $(BOOTSPLASH_IMAGE)

View File

@ -17,8 +17,8 @@ DEFINE FD_SIZE = 0x00850000
DEFINE NUM_BLOCKS = 0x850
!else
DEFINE FD_SIZE = 0x00590000
DEFINE NUM_BLOCKS = 0x590
DEFINE FD_SIZE = 0x00700000
DEFINE NUM_BLOCKS = 0x700
!endif
################################################################################
@ -208,6 +208,12 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
!if $(UNIVERSAL_PAYLOAD) == FALSE
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
!endif
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
@ -333,6 +339,35 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
INF ShellPkg/Application/Shell/Shell.inf
!endif
!if $(UNIVERSAL_PAYLOAD) == TRUE
!if $(SECURE_BOOT_ENABLE) == TRUE
[FV.SECFV]
FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
BlockSize = $(FD_BLOCK_SIZE)
FvForceRebase = FALSE
FvAlignment = 16
ERASE_POLARITY = 1
MEMORY_MAPPED = TRUE
STICKY_WRITE = TRUE
LOCK_CAP = TRUE
LOCK_STATUS = TRUE
WRITE_DISABLED_CAP = TRUE
WRITE_ENABLED_CAP = TRUE
WRITE_STATUS = TRUE
WRITE_LOCK_CAP = TRUE
WRITE_LOCK_STATUS = TRUE
READ_DISABLED_CAP = TRUE
READ_ENABLED_CAP = TRUE
READ_STATUS = TRUE
READ_LOCK_CAP = TRUE
READ_LOCK_STATUS = TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
!endif
################################################################################
#

View File

@ -144,6 +144,7 @@ def BuildUniversalPayload(Args):
EntryModuleInf = os.path.normpath("UefiPayloadPkg/UefiPayloadEntry/{}.inf".format (UpldEntryFile))
DxeFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv"))
BdsFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv"))
SecFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv"))
NetworkFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))
PayloadReportPath = os.path.join(BuildDir, "UefiUniversalPayload.txt")
ModuleReportPath = os.path.join(BuildDir, "UefiUniversalPayloadEntry.txt")
@ -212,6 +213,7 @@ def BuildUniversalPayload(Args):
MultiFvList = [
['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ],
['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ],
['sec_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ],
['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))],
]
@ -234,6 +236,7 @@ def BuildUniversalPayload(Args):
fit_image_info_header.TargetPath = os.path.join(BuildDir, 'UniversalPayload.fit')
fit_image_info_header.UefifvPath = DxeFvOutputDir
fit_image_info_header.BdsfvPath = BdsFvOutputDir
fit_image_info_header.SecfvPath = SecFvOutputDir
fit_image_info_header.NetworkfvPath = NetworkFvOutputDir
fit_image_info_header.DataOffset = 0x1000
fit_image_info_header.LoadAddr = Args.LoadAddress