UefiPayloadPkg: Add Secure Boot support
Introduce Secure Boot functionality within UefiPayloadPkg by adding the necessary modules and configurations. A new build flag, `SECURE_BOOT_ENABLE`, is introduced to control the activation of Secure Boot. This patch also overrides values in SecurityPkg to enforce image verification for images from all sources. A new FV (`SECURITY_FV`) is added for the security-related components, and the firmware volume sizes are adjusted to accommodate the additional Secure Boot components. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Sean Rhodes <sean@starlabs.systems>
This commit is contained in:
parent
7bac0a940e
commit
da1c6dd62a
@ -96,5 +96,6 @@
|
|||||||
"BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
|
"BLD_*_DISABLE_RESET_SYSTEM": "TRUE",
|
||||||
"BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
|
"BLD_*_SERIAL_DRIVER_ENABLE": "FALSE",
|
||||||
"BLD_*_BUILD_ARCH": "",
|
"BLD_*_BUILD_ARCH": "",
|
||||||
|
"BLD_*_SECURE_BOOT_ENABLE": "TRUE",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -154,6 +154,11 @@
|
|||||||
|
|
||||||
DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE
|
DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE
|
||||||
|
|
||||||
|
#
|
||||||
|
# Security
|
||||||
|
#
|
||||||
|
DEFINE SECURE_BOOT_ENABLE = FALSE
|
||||||
|
|
||||||
[BuildOptions]
|
[BuildOptions]
|
||||||
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
|
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
|
||||||
!if $(USE_CBMEM_FOR_CONSOLE) == FALSE
|
!if $(USE_CBMEM_FOR_CONSOLE) == FALSE
|
||||||
@ -305,7 +310,17 @@
|
|||||||
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
|
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
|
||||||
!endif
|
!endif
|
||||||
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
|
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
|
||||||
|
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
|
||||||
|
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
|
||||||
|
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
|
||||||
|
PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
|
||||||
|
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
|
||||||
|
!else
|
||||||
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
|
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
|
||||||
|
!endif
|
||||||
|
|
||||||
!if $(VARIABLE_SUPPORT) == "EMU"
|
!if $(VARIABLE_SUPPORT) == "EMU"
|
||||||
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
|
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
|
||||||
!elseif $(VARIABLE_SUPPORT) == "SPI"
|
!elseif $(VARIABLE_SUPPORT) == "SPI"
|
||||||
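Review bot: Binding `PlatformSecureLib` to `SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` under `!if $(SECURE_BOOT_ENABLE) == TRUE` deserves a comment, because that Null instance reports the user as physically present unconditionally, so the presence check that SecureBootConfigDxe and AuthVariableLib apply before key enrollment, PK clearing or Custom Mode no longer distinguishes a local operator from any other caller in the pre-OS environment. If that is the accepted trade-off for a payload with no platform presence detection, record it next to the binding, e.g. `# PlatformSecureLibNull always reports physical presence; a platform instance is needed before Secure Boot key protection can be relied on`. A related gap in the components hunk further down (`@ -716,8 +741,18 @@`): `DxeImageVerificationLib` is linked only as a NULL library into SecurityStubDxe inside `!if $(SECURITY_STUB_ENABLE) == TRUE`, so a build with `SECURE_BOOT_ENABLE = TRUE` and `SECURITY_STUB_ENABLE = FALSE` gets the Secure Boot variables and setup UI but no image verification at all. Making that combination fail at build time, for instance with an `!error` directive when the two defines disagree, would be safer than silently producing an unverified image loader.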
@ -396,6 +411,9 @@
|
|||||||
!endif
|
!endif
|
||||||
|
|
||||||
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
|
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
|
||||||
|
!endif
|
||||||
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
|
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
|
||||||
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
|
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
|
||||||
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf
|
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf
|
||||||
@ -527,6 +545,13 @@
|
|||||||
!endif
|
!endif
|
||||||
|
|
||||||
|
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
# Override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
|
||||||
|
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
|
||||||
|
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
|
||||||
|
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
|
||||||
|
!endif
|
||||||
|
|
||||||
[PcdsPatchableInModule.X64]
|
[PcdsPatchableInModule.X64]
|
||||||
!if $(NETWORK_DRIVER_ENABLE) == TRUE
|
!if $(NETWORK_DRIVER_ENABLE) == TRUE
|
||||||
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
|
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
|
||||||
@ -716,8 +741,18 @@
|
|||||||
# Components that produce the architectural protocols
|
# Components that produce the architectural protocols
|
||||||
#
|
#
|
||||||
!if $(SECURITY_STUB_ENABLE) == TRUE
|
!if $(SECURITY_STUB_ENABLE) == TRUE
|
||||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
|
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
|
||||||
|
<LibraryClasses>
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
|
||||||
!endif
|
!endif
|
||||||
|
}
|
||||||
|
!endif
|
||||||
|
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||||
|
!endif
|
||||||
|
|
||||||
UefiCpuPkg/CpuDxe/CpuDxe.inf
|
UefiCpuPkg/CpuDxe/CpuDxe.inf
|
||||||
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
|
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
|
||||||
!if $(BOOTSPLASH_IMAGE)
|
!if $(BOOTSPLASH_IMAGE)
|
||||||
|
@ -17,8 +17,8 @@ DEFINE FD_SIZE = 0x00850000
|
|||||||
DEFINE NUM_BLOCKS = 0x850
|
DEFINE NUM_BLOCKS = 0x850
|
||||||
!else
|
!else
|
||||||
|
|
||||||
DEFINE FD_SIZE = 0x00590000
|
DEFINE FD_SIZE = 0x00700000
|
||||||
DEFINE NUM_BLOCKS = 0x590
|
DEFINE NUM_BLOCKS = 0x700
|
||||||
!endif
|
!endif
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
@ -208,6 +208,12 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
|
|||||||
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
|
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
|
||||||
!endif
|
!endif
|
||||||
|
|
||||||
|
!if $(UNIVERSAL_PAYLOAD) == FALSE
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||||
|
!endif
|
||||||
|
!endif
|
||||||
|
|
||||||
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
|
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
|
||||||
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
|
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
|
||||||
!if $(MEMORY_TEST) == "GENERIC"
|
!if $(MEMORY_TEST) == "GENERIC"
|
||||||
@ -333,6 +339,35 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf
|
|||||||
INF ShellPkg/Application/Shell/Shell.inf
|
INF ShellPkg/Application/Shell/Shell.inf
|
||||||
!endif
|
!endif
|
||||||
|
|
||||||
|
!if $(UNIVERSAL_PAYLOAD) == TRUE
|
||||||
|
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||||
|
|
||||||
|
[FV.SECFV]
|
||||||
|
FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C
|
||||||
|
BlockSize = $(FD_BLOCK_SIZE)
|
||||||
|
FvForceRebase = FALSE
|
||||||
|
FvAlignment = 16
|
||||||
|
ERASE_POLARITY = 1
|
||||||
|
MEMORY_MAPPED = TRUE
|
||||||
|
STICKY_WRITE = TRUE
|
||||||
|
LOCK_CAP = TRUE
|
||||||
|
LOCK_STATUS = TRUE
|
||||||
|
WRITE_DISABLED_CAP = TRUE
|
||||||
|
WRITE_ENABLED_CAP = TRUE
|
||||||
|
WRITE_STATUS = TRUE
|
||||||
|
WRITE_LOCK_CAP = TRUE
|
||||||
|
WRITE_LOCK_STATUS = TRUE
|
||||||
|
READ_DISABLED_CAP = TRUE
|
||||||
|
READ_ENABLED_CAP = TRUE
|
||||||
|
READ_STATUS = TRUE
|
||||||
|
READ_LOCK_CAP = TRUE
|
||||||
|
READ_LOCK_STATUS = TRUE
|
||||||
|
|
||||||
|
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||||
|
|
||||||
|
!endif
|
||||||
|
!endif
|
||||||
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
|
@ -144,6 +144,7 @@ def BuildUniversalPayload(Args):
|
|||||||
EntryModuleInf = os.path.normpath("UefiPayloadPkg/UefiPayloadEntry/{}.inf".format (UpldEntryFile))
|
EntryModuleInf = os.path.normpath("UefiPayloadPkg/UefiPayloadEntry/{}.inf".format (UpldEntryFile))
|
||||||
DxeFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv"))
|
DxeFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv"))
|
||||||
BdsFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv"))
|
BdsFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv"))
|
||||||
|
SecFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv"))
|
||||||
NetworkFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))
|
NetworkFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))
|
||||||
PayloadReportPath = os.path.join(BuildDir, "UefiUniversalPayload.txt")
|
PayloadReportPath = os.path.join(BuildDir, "UefiUniversalPayload.txt")
|
||||||
ModuleReportPath = os.path.join(BuildDir, "UefiUniversalPayloadEntry.txt")
|
ModuleReportPath = os.path.join(BuildDir, "UefiUniversalPayloadEntry.txt")
|
||||||
@ -212,6 +213,7 @@ def BuildUniversalPayload(Args):
|
|||||||
MultiFvList = [
|
MultiFvList = [
|
||||||
['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ],
|
['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ],
|
||||||
['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ],
|
['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ],
|
||||||
|
['sec_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ],
|
||||||
['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))],
|
['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))],
|
||||||
]
|
]
|
||||||
|
|
||||||
@ -234,6 +236,7 @@ def BuildUniversalPayload(Args):
|
|||||||
fit_image_info_header.TargetPath = os.path.join(BuildDir, 'UniversalPayload.fit')
|
fit_image_info_header.TargetPath = os.path.join(BuildDir, 'UniversalPayload.fit')
|
||||||
fit_image_info_header.UefifvPath = DxeFvOutputDir
|
fit_image_info_header.UefifvPath = DxeFvOutputDir
|
||||||
fit_image_info_header.BdsfvPath = BdsFvOutputDir
|
fit_image_info_header.BdsfvPath = BdsFvOutputDir
|
||||||
|
fit_image_info_header.SecfvPath = SecFvOutputDir
|
||||||
fit_image_info_header.NetworkfvPath = NetworkFvOutputDir
|
fit_image_info_header.NetworkfvPath = NetworkFvOutputDir
|
||||||
fit_image_info_header.DataOffset = 0x1000
|
fit_image_info_header.DataOffset = 0x1000
|
||||||
fit_image_info_header.LoadAddr = Args.LoadAddress
|
fit_image_info_header.LoadAddr = Args.LoadAddress
|
||||||
|
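Review bot: `SecFvOutputDir`, the `['sec_fv', ...]` entry in `MultiFvList` and `fit_image_info_header.SecfvPath` are added unconditionally, while the FDF hunks in this same commit only emit `[FV.SECFV]` inside `!if $(UNIVERSAL_PAYLOAD) == TRUE` / `!if $(SECURE_BOOT_ENABLE) == TRUE`, so for a build with the flag off `FV/SECFV.Fv` will not exist; whether that breaks the FIT packaging depends on how `MultiFvList` and `SecfvPath` are consumed, which is outside these hunks. Either gate the new entries on the same flag that drives the FDF, or make the consumer skip a missing FV file explicitly rather than by accident. On style, the path is already computed two hunks earlier, so the list entry can be `['sec_fv', SecFvOutputDir ],` instead of repeating the `os.path.join(...)` expression (the neighbouring entries could be simplified the same way). `BuildUniversalPayload` starts and ends outside the hunks.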