From patchwork Mon May 4 09:14:08 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 47998 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-wg0-f70.google.com (mail-wg0-f70.google.com [74.125.82.70]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 4E04E2121F for ; Mon, 4 May 2015 09:14:52 +0000 (UTC) Received: by wghm4 with SMTP id m4sf42928290wgh.2 for ; Mon, 04 May 2015 02:14:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to :references:subject:precedence:reply-to:list-id:list-unsubscribe :list-archive:list-post:list-help:list-subscribe:mime-version :content-type:content-transfer-encoding:errors-to:x-original-sender :x-original-authentication-results:mailing-list; bh=BMJ7MDWCm+lyZDj0lcZyxPQQjdTgkerKbf+7DD58nNU=; b=HQ32Kh42xo+9b+ypPveuqC1wbGKOfJ3/jOcQASbsgQsnfNqnydnHdxgbsThpDFFFSx 1Vg7cDC1aImN77rEnygTNZ6mFgy/eyLNKZ0BVdsSJwomxGbD+DJjixN8XDXdB0p2HyLV M1PNffOkMnrmrEGoWPx4veRaZhLgcVIoFWc+fjnfxMELN8HteaKF9Z6f5g8JWltHpx6X FF++ShlCLBwUwyYLazk097Oj2Q+MxWUvXhfO0huDUEgNuQLNOeFwff9UoRVbkL0WpHCo vAM3RzhJm7osD3RP7YUCCkVueN7dvWe8U5lw5zdUEVbLr7zp4wKGjw1LlZJiB3HX4urM d4Sg== X-Gm-Message-State: ALoCoQk9PwmRYdpuqlizfvxzw7QRWbUrw2zE7NCqwAVJsaCY/LAe4Z7zuORTodFeEtoQSc0eeaNt X-Received: by 10.112.166.137 with SMTP id zg9mr17922936lbb.11.1430730891201; Mon, 04 May 2015 02:14:51 -0700 (PDT) X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.2.9 with SMTP id 9ls822978laq.89.gmail; Mon, 04 May 2015 02:14:51 -0700 (PDT) X-Received: by 10.112.17.68 with SMTP id m4mr18975138lbd.10.1430730891053; Mon, 04 May 2015 02:14:51 -0700 (PDT) Received: from mail-la0-f47.google.com (mail-la0-f47.google.com. [209.85.215.47]) by mx.google.com with ESMTPS id ca5si9695253lad.28.2015.05.04.02.14.50 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 May 2015 02:14:50 -0700 (PDT) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.47 as permitted sender) client-ip=209.85.215.47; Received: by lagv1 with SMTP id v1so99746804lag.3 for ; Mon, 04 May 2015 02:14:50 -0700 (PDT) X-Received: by 10.112.13.6 with SMTP id d6mr17249598lbc.117.1430730890567; Mon, 04 May 2015 02:14:50 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.67.65 with SMTP id l1csp1548214lbt; Mon, 4 May 2015 02:14:49 -0700 (PDT) X-Received: by 10.43.17.74 with SMTP id qb10mr23172587icb.94.1430730884348; Mon, 04 May 2015 02:14:44 -0700 (PDT) Received: from lists.sourceforge.net (lists.sourceforge.net. [216.34.181.88]) by mx.google.com with ESMTPS id qb3si4617710igb.3.2015.05.04.02.14.43 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 04 May 2015 02:14:44 -0700 (PDT) Received-SPF: pass (google.com: domain of edk2-devel-bounces@lists.sourceforge.net designates 216.34.181.88 as permitted sender) client-ip=216.34.181.88; Received: from localhost ([127.0.0.1] helo=sfs-ml-1.v29.ch3.sourceforge.com) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YpCSR-0001CU-MX; Mon, 04 May 2015 09:14:35 +0000 Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YpCSQ-0001CL-I9 for edk2-devel@lists.sourceforge.net; Mon, 04 May 2015 09:14:34 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of linaro.org designates 209.85.212.172 as permitted sender) client-ip=209.85.212.172; envelope-from=ard.biesheuvel@linaro.org; helo=mail-wi0-f172.google.com; Received: from mail-wi0-f172.google.com ([209.85.212.172]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YpCSP-0006Dm-BG for edk2-devel@lists.sourceforge.net; Mon, 04 May 2015 09:14:34 +0000 Received: by widdi4 with SMTP id di4so103174769wid.0 for ; Mon, 04 May 2015 02:14:27 -0700 (PDT) X-Received: by 10.194.142.168 with SMTP id rx8mr40411919wjb.43.1430730866933; Mon, 04 May 2015 02:14:26 -0700 (PDT) Received: from localhost.localdomain (cag06-7-83-153-85-71.fbx.proxad.net. [83.153.85.71]) by mx.google.com with ESMTPSA id z12sm19621767wjw.39.2015.05.04.02.14.25 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 04 May 2015 02:14:26 -0700 (PDT) From: Ard Biesheuvel To: olivier.martin@arm.com, lersek@redhat.com, edk2-devel@lists.sourceforge.net Date: Mon, 4 May 2015 11:14:08 +0200 Message-Id: <1430730848-5099-4-git-send-email-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1430730848-5099-1-git-send-email-ard.biesheuvel@linaro.org> References: <1430730848-5099-1-git-send-email-ard.biesheuvel@linaro.org> X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1YpCSP-0006Dm-BG Subject: [edk2] [PATCH v2 3/3] ArmVirtualizationPkg: enable secure boot for ArmVirtualizationQemu X-BeenThere: edk2-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: edk2-devel@lists.sourceforge.net List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , MIME-Version: 1.0 Errors-To: edk2-devel-bounces@lists.sourceforge.net X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: ard.biesheuvel@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.47 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 This adds all the required modules and library dependencies so that the ArmVirtualizationQemu platform can be built with support for UEFI Secure Boot. This support consists of the OpenSSL crypto library (whose source needs to be downloaded separately), the authenticated variable store, and authentication of executables before launching them. Contributed-under: TianoCore Contribution Agreement 1.0 Reviewed-by: Laszlo Ersek Signed-off-by: Ard Biesheuvel --- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc | 27 +++++++++++++++++++++++++++ ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 29 ++++++++++++++++++++++++++++- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf | 9 +++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc index 59a08640aec8..2c06470f6ee1 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc @@ -113,6 +113,19 @@ XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf + # + # Secure Boot dependencies + # +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf @@ -198,6 +211,10 @@ ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.ARM] # # It is not possible to prevent the ARM compiler for generic intrinsic functions. @@ -324,6 +341,16 @@ # gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 + + # use the authenticated variable GUID + gArmPlatformTokenSpaceGuid.PcdVarStoreVariableGuid|{ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } +!endif + [Components.common] # # Networking stack diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index 310c31b0883c..c00406540a00 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc @@ -28,6 +28,12 @@ SKUID_IDENTIFIER = DEFAULT FLASH_DEFINITION = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf + # + # Defines for default states. These can be changed on the command line. + # -D FLAG=VALUE + # + DEFINE SECURE_BOOT_ENABLE = FALSE + !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc [LibraryClasses.AARCH64] @@ -233,7 +239,15 @@ ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + } +!else MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf @@ -253,9 +267,22 @@ # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + } + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf - MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf index 91c51ea31c4d..3594f3736f2f 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf @@ -118,7 +118,12 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf @@ -257,7 +262,11 @@ READ_LOCK_STATUS = TRUE INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf INF ArmPkg/Drivers/CpuPei/CpuPei.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {