From patchwork Thu May 7 06:16:40 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 48076 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-wg0-f69.google.com (mail-wg0-f69.google.com [74.125.82.69]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id C1A0E20553 for ; Thu, 7 May 2015 06:17:26 +0000 (UTC) Received: by wghm4 with SMTP id m4sf9572027wgh.2 for ; Wed, 06 May 2015 23:17:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to :references:subject:precedence:reply-to:list-id:list-unsubscribe :list-archive:list-post:list-help:list-subscribe:mime-version :content-type:content-transfer-encoding:errors-to:x-original-sender :x-original-authentication-results:mailing-list; bh=UxYS5hMkCY/rmg451zy1c9BwtWp1BlQOb72Y41Z9mr0=; b=RQtNM25WDBJvwpPGJnNPPJdrvV5poCVX56fxTG1PUjbFN+S7Pe+8lmP3l6C7P61wyJ RIOV8TQuqWxRxUGLhv39h21ZL8LPGG8iwEJ9L2S5+rItOuoKzCQAjeoZenfiPJtsSuFf /Rn5Katy8kUmyCdPa4U1r92SnWmwgITv9jORIf6kOgOhDTYXzv1CzHxDx+TsbdaVKz+W ckbKmmh1b4VZZyQeMx/0UmVKAWNt8W4OvlG7k9n2UxRpXiTd4wORst7Q9j+hWOODGFF+ iemfiXT2wMp4d9nYUxAs7GCDPcOrA1mLhos/nsW7sDaoxYbZTvtPUJ7kdOKx9fOeotA1 YTjA== X-Gm-Message-State: ALoCoQnh75+quADqueCAGe++wHjm2UiZsWR0/oaHjn8tBXZO8s5xnrPczKMSLX1P7XgUDFjnCuVz X-Received: by 10.112.53.102 with SMTP id a6mr1349031lbp.16.1430979446031; Wed, 06 May 2015 23:17:26 -0700 (PDT) X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.4.162 with SMTP id l2ls151788lal.93.gmail; Wed, 06 May 2015 23:17:25 -0700 (PDT) X-Received: by 10.112.150.100 with SMTP id uh4mr1744088lbb.112.1430979445837; Wed, 06 May 2015 23:17:25 -0700 (PDT) Received: from mail-lb0-f173.google.com (mail-lb0-f173.google.com. [209.85.217.173]) by mx.google.com with ESMTPS id xa2si629324lbb.156.2015.05.06.23.17.25 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 May 2015 23:17:25 -0700 (PDT) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.217.173 as permitted sender) client-ip=209.85.217.173; Received: by lbbuc2 with SMTP id uc2so23466561lbb.2 for ; Wed, 06 May 2015 23:17:25 -0700 (PDT) X-Received: by 10.112.204.104 with SMTP id kx8mr1752332lbc.72.1430979445386; Wed, 06 May 2015 23:17:25 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.67.65 with SMTP id l1csp3252190lbt; Wed, 6 May 2015 23:17:24 -0700 (PDT) X-Received: by 10.42.238.14 with SMTP id kq14mr2022423icb.23.1430979441970; Wed, 06 May 2015 23:17:21 -0700 (PDT) Received: from lists.sourceforge.net (lists.sourceforge.net. [216.34.181.88]) by mx.google.com with ESMTPS id lq5si1053473igb.63.2015.05.06.23.17.21 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 06 May 2015 23:17:21 -0700 (PDT) Received-SPF: pass (google.com: domain of edk2-devel-bounces@lists.sourceforge.net designates 216.34.181.88 as permitted sender) client-ip=216.34.181.88; Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YqF7M-0000XM-4c; Thu, 07 May 2015 06:17:08 +0000 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YqF7K-0000XG-Oy for edk2-devel@lists.sourceforge.net; Thu, 07 May 2015 06:17:06 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of linaro.org designates 74.125.82.47 as permitted sender) client-ip=74.125.82.47; envelope-from=ard.biesheuvel@linaro.org; helo=mail-wg0-f47.google.com; Received: from mail-wg0-f47.google.com ([74.125.82.47]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YqF7H-0008Uk-3E for edk2-devel@lists.sourceforge.net; Thu, 07 May 2015 06:17:06 +0000 Received: by wgic8 with SMTP id c8so6300329wgi.1 for ; Wed, 06 May 2015 23:16:57 -0700 (PDT) X-Received: by 10.180.74.104 with SMTP id s8mr3660185wiv.40.1430979417042; Wed, 06 May 2015 23:16:57 -0700 (PDT) Received: from localhost.localdomain (cag06-7-83-153-85-71.fbx.proxad.net. [83.153.85.71]) by mx.google.com with ESMTPSA id vy5sm1626296wjc.33.2015.05.06.23.16.54 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 06 May 2015 23:16:56 -0700 (PDT) From: Ard Biesheuvel To: edk2-devel@lists.sourceforge.net, olivier.martin@arm.com Date: Thu, 7 May 2015 08:16:40 +0200 Message-Id: <1430979400-24189-4-git-send-email-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1430979400-24189-1-git-send-email-ard.biesheuvel@linaro.org> References: <1430979400-24189-1-git-send-email-ard.biesheuvel@linaro.org> X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1YqF7H-0008Uk-3E Subject: [edk2] [PATCH v3 3/3] ArmVirtualizationPkg: enable secure boot for ArmVirtualizationQemu X-BeenThere: edk2-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: edk2-devel@lists.sourceforge.net List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , MIME-Version: 1.0 Errors-To: edk2-devel-bounces@lists.sourceforge.net X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: ard.biesheuvel@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.217.173 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 This adds all the required modules and library dependencies so that the ArmVirtualizationQemu platform can be built with support for UEFI Secure Boot. This support consists of the OpenSSL crypto library (whose source needs to be downloaded separately), the authenticated variable store, and authentication of executables before launching them. Contributed-under: TianoCore Contribution Agreement 1.0 Reviewed-by: Laszlo Ersek Reviewed-by: Olivier Martin Signed-off-by: Ard Biesheuvel --- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc | 24 ++++++++++++ ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 39 +++++++++++++++++--- ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf | 13 +++++++ 3 files changed, 71 insertions(+), 5 deletions(-) diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc index 59a08640aec8..2fa0aeba19df 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc @@ -113,6 +113,19 @@ XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf + # + # Secure Boot dependencies + # +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf @@ -198,6 +211,10 @@ ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.ARM] # # It is not possible to prevent the ARM compiler for generic intrinsic functions. @@ -324,6 +341,13 @@ # gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [Components.common] # # Networking stack diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index 310c31b0883c..5f53d91958a6 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc @@ -28,6 +28,12 @@ SKUID_IDENTIFIER = DEFAULT FLASH_DEFINITION = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf + # + # Defines for default states. These can be changed on the command line. + # -D FLAG=VALUE + # + DEFINE SECURE_BOOT_ENABLE = FALSE + !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc [LibraryClasses.AARCH64] @@ -48,6 +54,7 @@ ArmPlatformSysConfigLib|ArmPlatformPkg/Library/ArmPlatformSysConfigLibNull/ArmPlatformSysConfigLibNull.inf TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf + NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf !ifdef INTEL_BDS CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf @@ -233,7 +240,15 @@ ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + } +!else MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf @@ -253,9 +268,22 @@ # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + } + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf - MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf @@ -272,10 +300,11 @@ ArmPkg/Drivers/ArmGic/ArmGicDxe.inf ArmPkg/Drivers/TimerDxe/TimerDxe.inf - ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf { - - NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf - } +!if $(SECURE_BOOT_ENABLE) == TRUE + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf # diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf index e0ec44bf3f4f..33cb49522253 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf @@ -116,7 +116,12 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf @@ -134,7 +139,11 @@ READ_LOCK_STATUS = TRUE INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf # @@ -255,7 +264,11 @@ READ_LOCK_STATUS = TRUE INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf INF ArmPkg/Drivers/CpuPei/CpuPei.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {