From 7a616e5b77655ece707b132b746c8df565edaf05 Mon Sep 17 00:00:00 2001 From: leegrosenbaum Date: Wed, 4 Apr 2012 17:35:06 +0000 Subject: [PATCH] OvmfPkg: Add custom mode setup if the Secure Boot build option is specified. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If –D SECURE_BOOT_ENABLE is specified with the build command, Secure Boot support is enabled including custom mode setup. This allows Secure Boot to be configured through setup allowing OvmfPkgX64, OvmfPkgIa32 and OvmfPkg3264 to be a fully functional Secure Boot reference platforms. Remove redundant library class definitions for BaseCryptLib and OpenSslLib. Signed-off-by: Lee Rosenbaum Reviewed-by: Jordan Justen Reviewed-by: Erik Bjorge git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13160 6f19259b-4bc3-4df7-8a09-765794883524 --- .../PlatformSecureLib/PlatformSecureLib.c | 35 +++++-------------- OvmfPkg/OvmfPkgIa32.dsc | 3 +- OvmfPkg/OvmfPkgIa32.fdf | 5 ++- OvmfPkg/OvmfPkgIa32X64.dsc | 3 +- OvmfPkg/OvmfPkgIa32X64.fdf | 3 +- OvmfPkg/OvmfPkgX64.dsc | 3 +- OvmfPkg/OvmfPkgX64.fdf | 3 +- 7 files changed, 20 insertions(+), 35 deletions(-) diff --git a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c index 956ff9e2c5..de0e4fa938 100644 --- a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c +++ b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c @@ -15,36 +15,19 @@ /** - This function detects whether a secure platform-specific method to clear PK(Platform Key) - is configured by platform owner. This method is provided for users force to clear PK - in case incorrect enrollment mis-haps. + This function provides a platform-specific method to detect whether the platform + is operating by a physically present user. - UEFI231 spec chapter 27.5.2 stipulates: The platform key may also be cleared using - a secure platform-specific method. In this case, the global variable SetupMode - must also be updated to 1. + Programmatic changing of platform security policy (such as disable Secure Boot, + or switch between Standard/Custom Secure Boot mode) MUST NOT be possible during + Boot Services or after exiting EFI Boot Services. Only a physically present user + is allowed to perform these operations. NOTE THAT: This function cannot depend on any EFI Variable Service since they are not available when this function is called in AuthenticateVariable driver. - - @retval TRUE The Platform owner wants to force clear PK. - @retval FALSE The Platform owner doesn't want to force clear PK. - -**/ -BOOLEAN -EFIAPI -ForceClearPK ( - VOID - ) -{ - return TRUE; -} - -/** - - This function detects whether current platform is operated by a physical present user. - - @retval TRUE The Platform is operated by a physical present user. - @retval FALSE The Platform is NOT operated by a physical persent user. + + @retval TRUE The platform is operated by a physically present user. + @retval FALSE The platform is NOT operated by a physically present user. **/ BOOLEAN diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 2b0011cf55..c7d50e4718 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -340,8 +340,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -494,4 +492,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index 235e322777..eda00ce097 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -167,11 +167,14 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf + !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 3b8257daa2..df3b24a4b1 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -342,8 +342,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -496,4 +494,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf index 2351e563ab..7c98a6a2a8 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 2c174ba05b..eec0f1b07d 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -341,8 +341,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -495,4 +493,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 16f21fe3c8..4908298448 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif -- 2.39.2