From patchwork Mon May  4 09:14:08 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 47998
Return-Path: <patchwork-forward+bncBDYNJBOFRECBBC7RTSVAKGQEA4COB7A@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-wg0-f70.google.com (mail-wg0-f70.google.com [74.125.82.70])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 4E04E2121F
 for <linaro@patches.linaro.org>; Mon,  4 May 2015 09:14:52 +0000 (UTC)
Received: by wghm4 with SMTP id m4sf42928290wgh.2
 for <linaro@patches.linaro.org>; Mon, 04 May 2015 02:14:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to
 :references:subject:precedence:reply-to:list-id:list-unsubscribe
 :list-archive:list-post:list-help:list-subscribe:mime-version
 :content-type:content-transfer-encoding:errors-to:x-original-sender
 :x-original-authentication-results:mailing-list;
 bh=BMJ7MDWCm+lyZDj0lcZyxPQQjdTgkerKbf+7DD58nNU=;
 b=HQ32Kh42xo+9b+ypPveuqC1wbGKOfJ3/jOcQASbsgQsnfNqnydnHdxgbsThpDFFFSx
 1Vg7cDC1aImN77rEnygTNZ6mFgy/eyLNKZ0BVdsSJwomxGbD+DJjixN8XDXdB0p2HyLV
 M1PNffOkMnrmrEGoWPx4veRaZhLgcVIoFWc+fjnfxMELN8HteaKF9Z6f5g8JWltHpx6X
 FF++ShlCLBwUwyYLazk097Oj2Q+MxWUvXhfO0huDUEgNuQLNOeFwff9UoRVbkL0WpHCo
 vAM3RzhJm7osD3RP7YUCCkVueN7dvWe8U5lw5zdUEVbLr7zp4wKGjw1LlZJiB3HX4urM
 d4Sg==
X-Gm-Message-State: ALoCoQk9PwmRYdpuqlizfvxzw7QRWbUrw2zE7NCqwAVJsaCY/LAe4Z7zuORTodFeEtoQSc0eeaNt
X-Received: by 10.112.166.137 with SMTP id zg9mr17922936lbb.11.1430730891201; 
 Mon, 04 May 2015 02:14:51 -0700 (PDT)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.2.9 with SMTP id 9ls822978laq.89.gmail; Mon, 04 May 2015
 02:14:51 -0700 (PDT)
X-Received: by 10.112.17.68 with SMTP id m4mr18975138lbd.10.1430730891053;
 Mon, 04 May 2015 02:14:51 -0700 (PDT)
Received: from mail-la0-f47.google.com (mail-la0-f47.google.com.
 [209.85.215.47]) by mx.google.com with ESMTPS id
 ca5si9695253lad.28.2015.05.04.02.14.50
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 04 May 2015 02:14:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.47 as permitted sender) client-ip=209.85.215.47; 
Received: by lagv1 with SMTP id v1so99746804lag.3
 for <patchwork-forward@linaro.org>;
 Mon, 04 May 2015 02:14:50 -0700 (PDT)
X-Received: by 10.112.13.6 with SMTP id d6mr17249598lbc.117.1430730890567;
 Mon, 04 May 2015 02:14:50 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.67.65 with SMTP id l1csp1548214lbt;
 Mon, 4 May 2015 02:14:49 -0700 (PDT)
X-Received: by 10.43.17.74 with SMTP id qb10mr23172587icb.94.1430730884348; 
 Mon, 04 May 2015 02:14:44 -0700 (PDT)
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.34.181.88])
 by mx.google.com with ESMTPS id qb3si4617710igb.3.2015.05.04.02.14.43
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Mon, 04 May 2015 02:14:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 edk2-devel-bounces@lists.sourceforge.net designates
 216.34.181.88 as permitted sender) client-ip=216.34.181.88; 
Received: from localhost ([127.0.0.1] helo=sfs-ml-1.v29.ch3.sourceforge.com)
 by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
 (envelope-from <edk2-devel-bounces@lists.sourceforge.net>)
 id 1YpCSR-0001CU-MX; Mon, 04 May 2015 09:14:35 +0000
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
 helo=mx.sourceforge.net)
 by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
 (envelope-from <ard.biesheuvel@linaro.org>) id 1YpCSQ-0001CL-I9
 for edk2-devel@lists.sourceforge.net; Mon, 04 May 2015 09:14:34 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of linaro.org
 designates 209.85.212.172 as permitted sender)
 client-ip=209.85.212.172;
 envelope-from=ard.biesheuvel@linaro.org;
 helo=mail-wi0-f172.google.com;
Received: from mail-wi0-f172.google.com ([209.85.212.172])
 by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
 (Exim 4.76) id 1YpCSP-0006Dm-BG
 for edk2-devel@lists.sourceforge.net; Mon, 04 May 2015 09:14:34 +0000
Received: by widdi4 with SMTP id di4so103174769wid.0
 for <edk2-devel@lists.sourceforge.net>;
 Mon, 04 May 2015 02:14:27 -0700 (PDT)
X-Received: by 10.194.142.168 with SMTP id rx8mr40411919wjb.43.1430730866933; 
 Mon, 04 May 2015 02:14:26 -0700 (PDT)
Received: from localhost.localdomain (cag06-7-83-153-85-71.fbx.proxad.net.
 [83.153.85.71]) by mx.google.com with ESMTPSA id
 z12sm19621767wjw.39.2015.05.04.02.14.25
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Mon, 04 May 2015 02:14:26 -0700 (PDT)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: olivier.martin@arm.com, lersek@redhat.com, edk2-devel@lists.sourceforge.net
Date: Mon,  4 May 2015 11:14:08 +0200
Message-Id: <1430730848-5099-4-git-send-email-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1430730848-5099-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1430730848-5099-1-git-send-email-ard.biesheuvel@linaro.org>
X-Spam-Score: -1.5 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
 sender-domain
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 AWL AWL: Adjusted score from AWL reputation of From: address
X-Headers-End: 1YpCSP-0006Dm-BG
Subject: [edk2] [PATCH v2 3/3] ArmVirtualizationPkg: enable secure boot for
 ArmVirtualizationQemu
X-BeenThere: edk2-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: edk2-devel@lists.sourceforge.net
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.sourceforge.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: edk2-devel-bounces@lists.sourceforge.net
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: ard.biesheuvel@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.47 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

This adds all the required modules and library dependencies so that
the ArmVirtualizationQemu platform can be built with support for
UEFI Secure Boot. This support consists of the OpenSSL crypto
library (whose source needs to be downloaded separately), the
authenticated variable store, and authentication of executables
before launching them.

Contributed-under: TianoCore Contribution Agreement 1.0
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc | 27 +++++++++++++++++++++++++++
 ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 29 ++++++++++++++++++++++++++++-
 ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf |  9 +++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc
index 59a08640aec8..2c06470f6ee1 100644
--- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc
+++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc
@@ -113,6 +113,19 @@
 
   XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf
 
+  #
+  # Secure Boot dependencies
+  #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+
+  # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+!endif
+
 [LibraryClasses.common.SEC]
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
   ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf
@@ -198,6 +211,10 @@
   ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
 [LibraryClasses.ARM]
   #
   # It is not possible to prevent the ARM compiler for generic intrinsic functions.
@@ -324,6 +341,16 @@
   #
   gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+
+  # use the authenticated variable GUID
+  gArmPlatformTokenSpaceGuid.PcdVarStoreVariableGuid|{ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }
+!endif
+
 [Components.common]
   #
   # Networking stack
diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
index 310c31b0883c..c00406540a00 100644
--- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
+++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
@@ -28,6 +28,12 @@
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf
 
+  #
+  # Defines for default states.  These can be changed on the command line.
+  # -D FLAG=VALUE
+  #
+  DEFINE SECURE_BOOT_ENABLE      = FALSE
+
 !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc
 
 [LibraryClasses.AARCH64]
@@ -233,7 +239,15 @@
   ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf
   ArmPkg/Drivers/CpuPei/CpuPei.inf
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf {
+    <LibraryClasses>
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  }
+!else
   MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+!endif
+
   MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
     <LibraryClasses>
       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
@@ -253,9 +267,22 @@
   #
   ArmPkg/Drivers/CpuDxe/CpuDxe.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+  }
+  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf {
+    <LibraryClasses>
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  }
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
-  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
+  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf
index 91c51ea31c4d..3594f3736f2f 100644
--- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf
+++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf
@@ -118,7 +118,12 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
   INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
   INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf
@@ -257,7 +262,11 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf
   INF ArmPkg/Drivers/CpuPei/CpuPei.inf
   INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf
+!else
   INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+!endif
   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
   FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {