EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
* Secure Boot Menu in "Device Manager" for enrolling keys
* Storage space for Authenticated Variables
* Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a62717353b12692b722acf1c73e3eeaf7893de..c6e25c745e7fb78e0857ed97d317c6236f9648e4 100644 (file)
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE\r
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE\r
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE\r
+  DEFINE SECURE_BOOT_ENABLE       = FALSE\r
 \r
 [SkuIds]\r
   0|DEFAULT\r
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf\r
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf\r
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf\r
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf\r
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf\r
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf\r
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf\r
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf\r
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf\r
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf\r
+!else\r
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf\r
+!endif\r
+\r
 [LibraryClasses.common.SEC]\r
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf\r
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf\r
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf\r
   EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf\r
 \r
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+!endif\r
+\r
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+!endif\r
+\r
 [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]\r
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf\r
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf\r
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000\r
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000\r
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE\r
+!endif\r
 \r
   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"\r
 \r
@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf\r
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf\r
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf\r
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
+\r
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {\r
+    <LibraryClasses>\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf\r
+!endif\r
+  }\r
+\r
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf\r
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf\r
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf\r
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf\r
   EmulatorPkg/TimerDxe/Timer.inf\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!endif\r
 \r
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {\r
     <LibraryClasses>\r

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8ab8ee38c9fa8f37628b93492fad798..b256aa939744375f4fd8f90be947e8a23d5a8e4c 100644 (file)
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End\r
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r
   ## This is the VARIABLE_STORE_HEADER\r
+!if $(SECURE_BOOT_ENABLE) == FALSE\r
   #Signature: gEfiVariableGuid =\r
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}\r
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,\r
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,\r
+!else\r
+  # Signature: gEfiAuthenticatedVariableGuid =\r
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}\r
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,\r
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,\r
+!endif\r
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8\r
   # This can speed up the Variable Dispatch a bit.\r
   0xB8, 0xBF, 0x00, 0x00,\r
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
 INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf\r
 INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf\r
 \r
+#\r
+# Secure Boot Key Enroll\r
+#\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!endif\r
+\r
 #\r
 # Network stack drivers\r
 #\r