ArmVirtualizationPkg: Enable secure boot for ArmVirtualizationQemu
authorArd Biesheuvel <ard.biesheuvel@linaro.org>
Thu, 7 May 2015 15:22:31 +0000 (15:22 +0000)
committeroliviermartin <oliviermartin@Edk2>
Thu, 7 May 2015 15:22:31 +0000 (15:22 +0000)
This adds all the required modules and library dependencies so that
the ArmVirtualizationQemu platform can be built with support for
UEFI Secure Boot. This support consists of the OpenSSL crypto
library (whose source needs to be downloaded separately), the
authenticated variable store, and authentication of executables
before launching them.

Contributed-under: TianoCore Contribution Agreement 1.0
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Olivier Martin <olivier.martin@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17356 6f19259b-4bc3-4df7-8a09-765794883524

ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc
ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf

index 59a08640aec8a0e2052898f1ebf2863939b86d84..2fa0aeba19dfb1d755f187b2cc49f4d6b0d907ac 100644 (file)
 \r
   XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf\r
 \r
+  #\r
+  # Secure Boot dependencies\r
+  #\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf\r
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+\r
+  # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree\r
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf\r
+!endif\r
+\r
 [LibraryClasses.common.SEC]\r
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf\r
   ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf\r
   ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf\r
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+!endif\r
+\r
 [LibraryClasses.ARM]\r
   #\r
   # It is not possible to prevent the ARM compiler for generic intrinsic functions.\r
   #\r
   gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r
+!endif\r
+\r
 [Components.common]\r
   #\r
   # Networking stack\r
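Review bot: The three image-verification PCDs in the last hunk of this section are set to the magic value 0x04 with a comment that states the intent but not what the value means, and that value is what decides whether an unsigned or untrusted image is launched; spell it out, e.g. `# 0x04 = deny execution when there is a security violation (see SecurityPkg.dec for the policy values)`. The PlatformSecureLib line is described as the "UserPhysicalPresent() dummy implementation from the ovmf tree"; if that dummy reports physical presence unconditionally, the Secure Boot setup UI wired up in the Qemu DSC can enroll or clear PK/KEK/db without any presence check, which should be stated next to that mapping, e.g. `# NOTE: dummy physical-presence check; key management from setup is not gated on a real user`. The RuntimeCryptLib override and the PCD block each sit under a section header that is outside the visible hunk lines, so their scope cannot be confirmed from this view.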
index a25fd7a45bc8e4aba889f5acfbeb02df92e22d25..69bf34e29a38391c16bf2bd09c13e26f42a3564e 100644 (file)
   SKUID_IDENTIFIER               = DEFAULT\r
   FLASH_DEFINITION               = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf\r
 \r
+  #\r
+  # Defines for default states.  These can be changed on the command line.\r
+  # -D FLAG=VALUE\r
+  #\r
+  DEFINE SECURE_BOOT_ENABLE      = FALSE\r
+\r
 !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc\r
 \r
 [LibraryClasses.AARCH64]\r
@@ -48,6 +54,7 @@
   ArmPlatformSysConfigLib|ArmPlatformPkg/Library/ArmPlatformSysConfigLibNull/ArmPlatformSysConfigLibNull.inf\r
 \r
   TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf\r
+  NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf\r
 \r
 !ifdef INTEL_BDS\r
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf\r
   ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf\r
   ArmPkg/Drivers/CpuPei/CpuPei.inf\r
 \r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf {\r
+    <LibraryClasses>\r
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf\r
+  }\r
+!else\r
   MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
+\r
   MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {\r
     <LibraryClasses>\r
       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf\r
   #\r
   ArmPkg/Drivers/CpuDxe/CpuDxe.inf\r
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {\r
+    <LibraryClasses>\r
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf\r
+  }\r
+  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf {\r
+    <LibraryClasses>\r
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+  }\r
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
-  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
+  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
   EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf\r
 \r
   ArmPkg/Drivers/ArmGic/ArmGicDxe.inf\r
   ArmPkg/Drivers/TimerDxe/TimerDxe.inf\r
-  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf {\r
-    <LibraryClasses>\r
-    NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf\r
-  }\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf\r
+!else\r
+  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf\r
+!endif\r
   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
 \r
   #\r
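Review bot: The new `SECURE_BOOT_ENABLE` define is documented only as a command-line flag, while the commit message says the build then depends on OpenSSL sources that must be downloaded separately; the comment block above the define should say so, e.g. `# SECURE_BOOT_ENABLE=TRUE requires the OpenSSL sources under CryptoPkg/Library/OpensslLib (see its README)`. The per-module `NorFlashPlatformLib` override on the removed NorFlashDxe lines is replaced by the single class mapping added in the `@@ -48` hunk, which both NorFlashDxe and the new NorFlashAuthenticatedDxe now rely on; the header of the `[LibraryClasses…]` section holding that mapping is outside the hunk, so it is worth confirming it applies to both DXE drivers. The `!if/!else` blocks in the `[Components]` hunks start and end within the view, but the enclosing section headers do not.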
index e0ec44bf3f4fbab560211be47cbe0cc4a238af69..33cb495222530673146bfa07e50b2178b7ca26a9 100644 (file)
@@ -116,7 +116,12 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf\r
   INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf\r
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf\r
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf\r
+!else\r
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf\r
+!endif\r
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf\r
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf\r
   INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf\r
@@ -134,7 +139,11 @@ READ_LOCK_STATUS   = TRUE
 \r
   INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf\r
   INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf\r
+!else\r
   INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf\r
+!endif\r
   INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf\r
 \r
   #\r
@@ -255,7 +264,11 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf\r
   INF ArmPkg/Drivers/CpuPei/CpuPei.inf\r
   INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf\r
+!if $(SECURE_BOOT_ENABLE) == TRUE\r
+  INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf\r
+!else\r
   INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf\r
+!endif\r
   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf\r
 \r
   FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {\r
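Review bot: The three `!if $(SECURE_BOOT_ENABLE) == TRUE` blocks in this FDF select the authenticated variable PEIM, the authenticated runtime variable driver plus SecureBootConfigDxe, and NorFlashAuthenticatedDxe, mirroring the conditionals in ArmVirtualizationQemu.dsc, and nothing in the file says the two lists must stay in sync; a one-line comment above the first block would help, e.g. `# keep these !if blocks in step with the [Components] conditionals in ArmVirtualizationQemu.dsc`. An INF that appears in the FV but not in the DSC (or the reverse) presumably fails the build rather than silently dropping the secure-boot driver, but that is inferred and not shown here.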