--- /dev/null
+/** @file\r
+ Provides a platform-specific method to enable Secure Boot Custom Mode setup.\r
+\r
+ Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>\r
+ This program and the accompanying materials\r
+ are licensed and made available under the terms and conditions of the BSD License\r
+ which accompanies this distribution. The full text of the license may be found at\r
+ http://opensource.org/licenses/bsd-license.php\r
+\r
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+#include <Library/PcdLib.h>\r
+\r
+\r
+/**\r
+\r
+ This function provides a platform-specific method to detect whether the platform\r
+ is operating by a physically present user. \r
+\r
+ Programmatic changing of platform security policy (such as disable Secure Boot,\r
+ or switch between Standard/Custom Secure Boot mode) MUST NOT be possible during\r
+ Boot Services or after exiting EFI Boot Services. Only a physically present user\r
+ is allowed to perform these operations.\r
+\r
+ NOTE THAT: This function cannot depend on any EFI Variable Service since they are\r
+ not available when this function is called in AuthenticateVariable driver.\r
+ \r
+ @retval TRUE The platform is operated by a physically present user.\r
+ @retval FALSE The platform is NOT operated by a physically present user.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+UserPhysicalPresent (\r
+ VOID\r
+ )\r
+{\r
+ return TRUE;\r
+}\r
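Review bot: `UserPhysicalPresent` returns TRUE unconditionally, which contradicts the contract stated in its own header comment (a physically present user "MUST" be required for Secure Boot policy changes during or after Boot Services): every caller of the authenticated-variable driver is treated as physically present, so disabling Secure Boot or switching Standard/Custom mode becomes possible programmatically, including at runtime. For a host-emulated platform such as Nt32 that is presumably intentional, but nothing in the file says so, and this stub is exactly the kind of code that gets copied to a real board; add a comment above the return, e.g. `// Nt32 runs under a host OS and has no physical-presence signal, so every caller is treated as present. NOT suitable for real hardware.`. The `#include <Library/PcdLib.h>` is not used by the body and the accompanying INF declares no PcdLib dependency, so it can be dropped.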
--- /dev/null
+## @file\r
+# Provides a platform-specific method to enable Secure Boot Custom Mode setup.\r
+#\r
+# Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>\r
+#\r
+# This program and the accompanying materials\r
+# are licensed and made available under the terms and conditions of the BSD License\r
+# which accompanies this distribution. The full text of the license may be found at\r
+# http://opensource.org/licenses/bsd-license.php\r
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+#\r
+##\r
+\r
+[Defines]\r
+ INF_VERSION = 0x00010005\r
+ BASE_NAME = PlatformSecureLib\r
+ FILE_GUID = F263EC2A-F0DB-4640-8B12-4ED22A506FB1\r
+ MODULE_TYPE = DXE_DRIVER\r
+ VERSION_STRING = 1.0\r
+ LIBRARY_CLASS = PlatformSecureLib|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER DXE_DRIVER\r
+\r
+#\r
+# The following information is for reference only and not required by the build tools.\r
+#\r
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC\r
+#\r
+\r
+[Sources]\r
+ PlatformSecureLib.c\r
+\r
+[Packages]\r
+ MdePkg/MdePkg.dec\r
SKUID_IDENTIFIER = DEFAULT\r
FLASH_DEFINITION = Nt32Pkg/Nt32Pkg.fdf\r
\r
+ #\r
+ # Defines for default states. These can be changed on the command line.\r
+ # -D FLAG=VALUE\r
+ #\r
+ DEFINE SECURE_BOOT_ENABLE = FALSE\r
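Review bot: `DEFINE SECURE_BOOT_ENABLE = FALSE` makes an unmodified build ship with no image verification and the plain (non-authenticated) variable services, but the comment only says the value can be changed on the command line. State what the flag actually controls so a reader does not assume the default image is a Secure Boot build, e.g. `# TRUE pulls in SecurityPkg authenticated variable services, DxeImageVerificationLib in SecurityStubDxe, SecureBootConfigDxe and CryptoPkg/OpenSSL; FALSE (default) leaves image loading unverified.`. The `[Defines]` section this sits in starts outside the hunk.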
\r
################################################################################\r
#\r
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf\r
DebugAgentLib|MdeModulePkg/Library/DebugAgentLibNull/DebugAgentLibNull.inf\r
CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf\r
+ \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+!endif\r
\r
[LibraryClasses.common.USER_DEFINED]\r
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf\r
[LibraryClasses.common.PEIM]\r
PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf\r
OemHookStatusCodeLib|Nt32Pkg/Library/PeiNt32OemHookStatusCodeLib/PeiNt32OemHookStatusCodeLib.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE \r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf\r
+!endif\r
\r
[LibraryClasses.common]\r
#\r
PeCoffExtraActionLib|Nt32Pkg/Library/DxeNt32PeCoffExtraActionLib/DxeNt32PeCoffExtraActionLib.inf\r
ExtractGuidedSectionLib|MdePkg/Library/DxeExtractGuidedSectionLib/DxeExtractGuidedSectionLib.inf\r
WinNtLib|Nt32Pkg/Library/DxeWinNtLib/DxeWinNtLib.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+!endif\r
\r
[LibraryClasses.common.DXE_CORE]\r
HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf\r
[LibraryClasses.common.UEFI_APPLICATION]\r
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf\r
PrintLib|MdeModulePkg/Library/DxePrintLibPrint2Protocol/DxePrintLibPrint2Protocol.inf\r
+ \r
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]\r
+ #\r
+ # Runtime\r
+ #\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
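Review bot: The `[LibraryClasses.common.DXE_RUNTIME_DRIVER]` mapping `BaseCryptLib|.../RuntimeCryptLib.inf` is added unconditionally, while every other CryptoPkg mapping in this change (IntrinsicLib, OpensslLib, the PEIM and common BaseCryptLib) sits under `!if $(SECURE_BOOT_ENABLE) == TRUE`. With the flag FALSE the mapping is presumably never consumed, but if any runtime driver did link BaseCryptLib it would fail to resolve IntrinsicLib/OpensslLib, which are only mapped under the guard. Wrap it in the same `!if $(SECURE_BOOT_ENABLE) == TRUE` / `!endif` pair for consistency, and replace the bare `# Runtime` comment with one that says why runtime drivers need a separate crypto instance.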
\r
################################################################################\r
#\r
gEfiNt32PkgTokenSpaceGuid.PcdWinNtFirmwareBlockSize|0x10000\r
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f\r
gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000\r
+!endif\r
+\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+!endif\r
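Review bot: The three image-verification policy PCDs are set to `0x05` under a comment saying this ensures "images from all sources are verified", but the value alone does not say what happens on a failed verification; as far as I recall SecurityPkg.dec documents 0x05 as "query user on security violation" and 0x04 as "deny execution on security violation" (I cannot see the DEC here, so confirm). If the intent is that untrusted images must never run, 0x04 is the unambiguous choice for a headless/emulated platform; whichever value is kept, name the policy in the comment, e.g. `# 0x04 = deny execution on security violation (see Pcd*ImageVerificationPolicy in SecurityPkg.dec)`. Also note that these PCDs only take effect when DxeImageVerificationLib is linked, which this change makes conditional on the same flag.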
\r
################################################################################\r
#\r
Nt32Pkg/BootModePei/BootModePei.inf\r
Nt32Pkg/StallPei/StallPei.inf\r
Nt32Pkg/WinNtFlashMapPei/WinNtFlashMapPei.inf\r
+ \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf\r
+!else\r
MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
+\r
Nt32Pkg/WinNtAutoScanPei/WinNtAutoScanPei.inf\r
Nt32Pkg/WinNtFirmwareVolumePei/WinNtFirmwareVolumePei.inf\r
Nt32Pkg/WinNtThunkPPIToProtocolPei/WinNtThunkPPIToProtocolPei.inf\r
Nt32Pkg/ResetRuntimeDxe/ResetRuntimeDxe.inf\r
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf\r
Nt32Pkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf\r
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {\r
+ <LibraryClasses>\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf\r
+!endif \r
+ }\r
MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf\r
MdeModulePkg/Universal/EbcDxe/EbcDxe.inf\r
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf\r
MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf\r
MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf\r
Nt32Pkg/WinNtOemHookStatusCodeHandlerDxe/WinNtOemHookStatusCodeHandlerDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf \r
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
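Review bot: The `!endif ` closing the SecurityStubDxe `<LibraryClasses>` override and the added `SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf ` line both carry trailing whitespace; the DSC parser is presumably tolerant, but it produces spurious diffs later and is easy to misread on a directive line. Strip the trailing spaces. Since the override block is empty in the default build, a one-line comment above it, `# Image signature checking is linked into SecurityStubDxe only when SECURE_BOOT_ENABLE is TRUE`, would make that visible without reading the `!if`.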
#Blockmap[1]: End\r
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r
## This is the VARIABLE_STORE_HEADER\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ #Signature: gEfiAuthenticatedVariableGuid =\r
+ # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}\r
+ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,\r
+ 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,\r
+!else\r
#Signature: gEfiVariableGuid =\r
# { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}\r
0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,\r
0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,\r
+!endif\r
#Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8\r
# This can speed up the Variable Dispatch a bit.\r
0xB8, 0xBF, 0x00, 0x00,\r
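Review bot: The variable-store header signature now depends on the build flag (`gEfiAuthenticatedVariableGuid` vs `gEfiVariableGuid`), so a flash image or persisted NV-storage file produced with one setting carries a header the other build's variable driver will not recognise, and nothing in the hunk warns that toggling `SECURE_BOOT_ENABLE` requires regenerating the store (Nt32 presumably persists it on the host, which I cannot confirm from here). Add a comment above the `!if`, e.g. `# NOTE: the store signature differs between secure-boot and plain builds; an NV storage image written by one is not readable by the other - regenerate/clear it when toggling SECURE_BOOT_ENABLE.`. The header bytes themselves match the GUIDs quoted in the comments.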
INF Nt32Pkg/WinNtFlashMapPei/WinNtFlashMapPei.inf\r
INF Nt32Pkg/WinNtAutoScanPei/WinNtAutoScanPei.inf\r
INF Nt32Pkg/WinNtFirmwareVolumePei/WinNtFirmwareVolumePei.inf\r
+\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf\r
+!else\r
INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
+\r
INF Nt32Pkg/WinNtThunkPPIToProtocolPei/WinNtThunkPPIToProtocolPei.inf\r
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf\r
\r
INF MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf\r
INF MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf\r
INF Nt32Pkg/WinNtOemHookStatusCodeHandlerDxe/WinNtOemHookStatusCodeHandlerDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf\r
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r