Enable the use of UEFI secure boot for Arm's Neoverse reference design platforms. The UEFI authenticated variable store uses NOR flash 2, which is accessible from the Standalone MM context residing in a secure partition.
Signed-off-by: Sayanta Pattanayak <sayanta.pattana...@arm.com>
---
 Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 31 +++++++++++++++++++
 Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 32 ++++++++++++++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 15 +++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc | 15 +++++++++
 Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 5 +++
 Platform/ARM/SgiPkg/SgiPlatform.fdf | 9 +++++-
 6 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
index 091de0c99c74..e4aee7a09acf 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
@@ -6,6 +6,14 @@
 !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+[Defines]
+  # To allow the use of secure storage, set this to TRUE.
+  DEFINE SECURE_STORAGE_ENABLE = FALSE
+
+  # To allow the use of UEFI secure boot, set this to TRUE.
+  # Secure boot requires secure storage to be enabled as well.
+  DEFINE SECURE_BOOT_ENABLE = FALSE
+
 [BuildOptions]
   *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
@@ -22,6 +30,9 @@
   NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/NorFlashLib.inf
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!endif
   # Virtio Support
   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
@@ -84,6 +95,7 @@
 [PcdsFeatureFlag.common]
   gArmSgiTokenSpaceGuid.PcdVirtioBlkSupported|TRUE
   gArmSgiTokenSpaceGuid.PcdVirtioNetSupported|TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE
 [PcdsFixedAtBuild.common]
   gArmTokenSpaceGuid.PcdVFPEnabled|1
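Review bot: The `[Defines]` comment says secure boot requires secure storage, but nothing enforces it, so a build with `SECURE_BOOT_ENABLE = TRUE` and `SECURE_STORAGE_ENABLE = FALSE` silently pairs image verification with the plain VariableRuntimeDxe store, where the key databases get no authenticated-write protection. A guard right after the two DEFINEs would make that a build error: `!if $(SECURE_BOOT_ENABLE) == TRUE && $(SECURE_STORAGE_ENABLE) == FALSE` / `  !error "SECURE_BOOT_ENABLE requires SECURE_STORAGE_ENABLE"` / `!endif`. Separately, in the `@@ -22,6 +30,9 @@` hunk MmUnblockMemoryLib is gated on SECURE_BOOT_ENABLE, yet it appears to be a library dependency of VariableSmmRuntimeDxe, which the later hunks of this file and SgiPlatform.fdf gate on SECURE_STORAGE_ENABLE; if so, a secure-storage-only build would fail to resolve it and the gate should follow SECURE_STORAGE_ENABLE. The same unguarded SECURE_BOOT_ENABLE block recurs in the SgiPlatform.fdf hunk.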
@@ -230,7 +242,15 @@
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+  }
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!endif
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
@@ -238,6 +258,9 @@
   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
   MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
       NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
@@ -245,6 +268,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+!endif
   #
   # ACPI Support
@@ -314,4 +338,11 @@
   #
   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
+    <LibraryClasses>
+      NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
+  }
+!else
   ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
+!endif
diff --git a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
index 3389ff676a91..6839ec35da8a 100644
--- a/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
+++ b/Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc
@@ -59,6 +59,19 @@
   HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
   MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
   MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  NorFlashPlatformLib|Platform/ARM/SgiPkg/Library/NorFlashLib/StandaloneMmNorFlashLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
+  TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
+  VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+  SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
+!endif
 ################################################################################
 #
@@ -75,6 +88,12 @@
   gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
+
 ###################################################################################################
 #
 # Components Section - list of the modules and components that will be processed by compilation
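Review bot: RngLib is mapped to BaseRngLibTimerLib while TimerLib in the same block is BaseTimerLibNullTemplate; the timer-based RngLib takes its entropy from TimerLib's performance counter and the Null template does not provide a real counter, so the random source behind SmmCryptLib in the secure partition appears to degrade to a constant — worth confirming, and if so an RngLib backed by a platform entropy source, or a TimerLib that reads a real counter, should be used here. In addition, PlatformSecureLibNull together with `PcdUserPhysicalPresence|TRUE` in the `@@ -75,6 +88,12 @@` hunk asserts physical presence unconditionally, which lets the secure boot key databases be enrolled or cleared through the setup interface without any physical check. That may be intended for a reference design, but it should be stated next to the PCD, e.g. `# Physical presence is always asserted on the reference design; key management in setup needs no physical check.`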
@@ -101,6 +120,19 @@
 [Components.AARCH64]
   StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
+    <LibraryClasses>
+      DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+      NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
+      NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
+      BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
+      VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
+      VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+  }
+!endif
 ###################################################################################################
 #
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
index cdf8aaa88f03..2cb4895cfcff 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc
@@ -39,3 +39,18 @@
 [PcdsFixedAtBuild]
   ## PL011 - Serial Terminal
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x7FF70000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ##Secure NOR Flash 2
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x10000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x1C000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x1C010000
+
+  ##Secure Variable Storage in NOR Flash 2
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x10000000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x10100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x10200000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
index bb359a15cc0d..46c2ae3529d1 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm2.dsc
@@ -38,3 +38,18 @@
 [PcdsFixedAtBuild]
   ## PL011 - Serial Terminal
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x0EF80000
+
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  ##Secure NOR Flash 2
+  gArmSgiTokenSpaceGuid.PcdSmcCs2Base|0x1054000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphBase|0x0C000000
+  gArmSgiTokenSpaceGuid.PcdSysPeriphSysRegBase|0x0C010000
+
+  ##Secure Variable Storage in NOR Flash 2
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0x1054000000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0x1054100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00100000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0x1054200000
+  gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00100000
+!endif
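Review bot: The two platform descriptions address the variable store through different PCD families: PlatformStandaloneMm.dsc sets `PcdFlashNvStorageVariableBase` and the FTW `Base` PCDs, while PlatformStandaloneMm2.dsc sets the `Base64` variants. As far as I know the variable and FTW drivers accept either form, but using the `Base64` PCDs in both files would keep the two descriptions parallel and stop a reader from assuming the first store is deliberately confined to the low 4 GiB. The `##Secure NOR Flash 2` and `##Secure Variable Storage in NOR Flash 2` comments also lack the space after `##` that the neighbouring `## PL011 - Serial Terminal` uses. Finally, nothing in these hunks restricts who can reach the flash 2 window; the authenticated store's integrity rests on the platform mapping it to the secure world only, as the commit message describes, and a comment such as `## Flash 2 is expected to be reachable from the secure world only; the authenticated store relies on that.` would record the assumption next to the addresses.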
diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
index 5a0772cd8522..474c9c0ce764 100644
--- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
+++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf
@@ -49,6 +49,11 @@
   READ_LOCK_CAP = TRUE
   READ_LOCK_STATUS = TRUE
   INF StandaloneMmPkg/Core/StandaloneMmCore.inf
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashStandaloneMm.inf
+  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+!endif
   INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
 ################################################################################
diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf b/Platform/ARM/SgiPkg/SgiPlatform.fdf
index e11d943d6efc..d94e4633e36c 100644
--- a/Platform/ARM/SgiPkg/SgiPlatform.fdf
+++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf
@@ -90,10 +90,17 @@
   READ_LOCK_STATUS = TRUE
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
   INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
-  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+!if $(SECURE_STORAGE_ENABLE) == TRUE
+  INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+!else
+  INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+!endif
   #
   # ACPI Support
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75545): https://edk2.groups.io/g/devel/message/75545 Mute This Topic: https://groups.io/mt/83062022/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-