This adds all the required modules and library dependencies so that
the ArmVirtualizationQemu platform can be built with support for
UEFI Secure Boot. This support consists of the OpenSSL crypto
library (whose source needs to be downloaded separately), the
authenticated variable store, and authentication of executables
before launching them.
Contributed-under: TianoCore Contribution Agreement 1.0
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Olivier Martin <olivier.martin@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17356 6f19259b-4bc3-4df7-8a09-765794883524
\r
XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf\r
\r
+ #\r
+ # Secure Boot dependencies\r
+ #\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+\r
+ # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree\r
+ PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf\r
+!endif\r
+\r
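Review bot: The PlatformSecureLib mapping just above the `!endif` pulls in what its own comment calls a dummy UserPhysicalPresent() implementation, but the hunk does not record what that stub actually reports. If, as "dummy" suggests, it reports the user as always physically present, then the authenticated variable store and SecureBootConfigDxe added elsewhere in this commit will accept PK/KEK changes and custom-mode enrollment from the setup UI with no real presence gate, which is a deliberate trust assumption for a QEMU target and should be written down where the choice is made. Suggest extending the comment to `# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree` followed by `# NOTE: this stub does not enforce real physical presence, so Secure Boot key and mode changes are not gated on this virtual platform (confirm against the ovmf implementation)`. The LibraryClasses section this hunk extends opens outside the hunk.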
[LibraryClasses.common.SEC]\r
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf\r
ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf\r
ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf\r
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+!endif\r
+\r
[LibraryClasses.ARM]\r
#\r
# It is not possible to prevent the ARM compiler for generic intrinsic functions.\r
#\r
gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
+!endif\r
+\r
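Review bot: The three image-verification policy PCDs are set to 0x04 with a comment saying they override the SecurityPkg defaults, but nothing states what 0x04 means, so a reader cannot tell whether unverified images are denied, deferred, or prompted for. In SecurityPkg's policy enumeration 0x04 is DENY_EXECUTE_ON_SECURITY_VIOLATION, the setting that refuses images failing signature verification while still launching properly signed ones; 0x00 and 0x02 would execute them anyway and 0x03/0x05 defer or ask the user. Suggest making that explicit above the first PCD: `# 0x04 = DENY_EXECUTE_ON_SECURITY_VIOLATION: refuse images that fail signature verification (0x00/0x02 would run them, 0x03/0x05 defer or prompt)`. The PCD section this hunk extends opens outside the hunk.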
[Components.common]\r
#\r
# Networking stack\r
SKUID_IDENTIFIER = DEFAULT\r
FLASH_DEFINITION = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf\r
\r
+ #\r
+ # Defines for default states. These can be changed on the command line.\r
+ # -D FLAG=VALUE\r
+ #\r
+ DEFINE SECURE_BOOT_ENABLE = FALSE\r
+\r
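Review bot: The comment block above `DEFINE SECURE_BOOT_ENABLE = FALSE` explains that the flag can be overridden with -D but not what it selects or requires, and since the default is FALSE a plain build carries no image verification at all. The commit message notes that the OpenSSL sources must be downloaded separately, which is exactly the kind of build prerequisite a person flipping this flag will need at the point of use. Suggest adding above the DEFINE: `# SECURE_BOOT_ENABLE=TRUE builds the authenticated variable store and image verification; requires the OpenSSL sources in CryptoPkg/Library/OpensslLib (downloaded separately)`. The Defines section this hunk sits in (inferred from the SKUID_IDENTIFIER / FLASH_DEFINITION context) opens outside the hunk.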
!include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc\r
\r
[LibraryClasses.AARCH64]\r
ArmPlatformSysConfigLib|ArmPlatformPkg/Library/ArmPlatformSysConfigLibNull/ArmPlatformSysConfigLibNull.inf\r
\r
TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf\r
+ NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf\r
\r
!ifdef INTEL_BDS\r
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf\r
ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf\r
ArmPkg/Drivers/CpuPei/CpuPei.inf\r
\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf {\r
+ <LibraryClasses>\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf\r
+ }\r
+!else\r
MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
+\r
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {\r
<LibraryClasses>\r
NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf\r
#\r
ArmPkg/Drivers/CpuDxe/CpuDxe.inf\r
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {\r
+ <LibraryClasses>\r
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf\r
+ }\r
+ SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf {\r
+ <LibraryClasses>\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ }\r
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
- MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
+ MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf\r
\r
ArmPkg/Drivers/ArmGic/ArmGicDxe.inf\r
ArmPkg/Drivers/TimerDxe/TimerDxe.inf\r
- ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf {\r
- <LibraryClasses>\r
- NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf\r
- }\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf\r
+!else\r
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf\r
+!endif\r
MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
\r
#\r
INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf\r
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf\r
INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf\r
\r
INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf\r
INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf\r
+!else\r
INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf\r
+!endif\r
INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
\r
#\r
INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf\r
INF ArmPkg/Drivers/CpuPei/CpuPei.inf\r
INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+ INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf\r
+!else\r
INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf\r
\r
FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {\r