>From Uefi UPL side

Currently, SPI has a silicon dependency, so it is not natively supported on
UniversalPayload; please use SECURITY_SUPPORT
+------------------------------+
| UefiUPL.elf                   |
+------------------------------+
| .upld_info                     |
+------------------------------+
| .upld.uefi_fv                |
+------------------------------+
| .upld.bds_fv                 |
+------------------------------+
| .upld.security_fv          |<------------ SECURITY_SUPPORT (Use this macro to 
decide include it or not and default value is false)
+------------------------------+

Thanks,
Gua

-----Original Message-----
From: Lakkimsetti, Subash <subash.lakkimse...@intel.com> 
Sent: Wednesday, March 22, 2023 1:59 PM
To: devel@edk2.groups.io
Cc: Lakkimsetti, Subash <subash.lakkimse...@intel.com>; Dong, Guo 
<guo.d...@intel.com>; Ni, Ray <ray...@intel.com>; Rhodes, Sean 
<sean@starlabs.systems>; Lu, James <james...@intel.com>; Guo, Gua 
<gua....@intel.com>; Rudolph, Patrick <patrick.rudo...@9elements.com>
Subject: [PATCH v1 5/6] Uefipayloadpkg Enable TPM measured boot

From: Subash Lakkimsetti <subash.lakkimse...@intel.com>

Update the packages to support TPM and measured boot in uefi payload.

Measured boot can be controlled using the flag MEASURED_BOOT_ENABLE

Cc: Guo Dong <guo.d...@intel.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james...@intel.com>
Cc: Gua Guo <gua....@intel.com>
Signed-off-by: Patrick Rudolph <patrick.rudo...@9elements.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimse...@intel.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 88 +++++++++++++++++++++++++++++--  
UefiPayloadPkg/UefiPayloadPkg.fdf | 25 +++++++++
 2 files changed, 109 insertions(+), 4 deletions(-)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc 
b/UefiPayloadPkg/UefiPayloadPkg.dsc
index f31e5aac16..86612338bf 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -46,6 +46,7 @@
   DEFINE NVME_ENABLE                  = TRUE    DEFINE SECURE_BOOT_ENABLE      
     = FALSE+  DEFINE MEASURED_BOOT_ENABLE         = FALSE    #   # NULL:    
NullMemoryTestDxe@@ -297,14 +298,27 @@
 !else   
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif-!if $(VARIABLE_SUPPORT) == "EMU"-  
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf-!elseif
 $(VARIABLE_SUPPORT) == "SPI"-  
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf+
  #+  # TPM+  #+!if $(MEASURED_BOOT_ENABLE) == TRUE+  
Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf+  
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf+  
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+  
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+  
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf+
  
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf 
  
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf+!else+
  
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf+!endif+!if
 $(VARIABLE_SUPPORT) == "SPI"   
S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf+!endif+!if
 $(SECURE_BOOT_ENABLE) == TRUE || $(MEASURED_BOOT_ENABLE) == TRUE || 
$(VARIABLE_SUPPORT) == "SPI"   
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf 
!endif+  
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf   
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf  
 
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf@@
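Review bot: PlatformSecureLib is now resolved to PlatformSecureLibNull unconditionally (the `+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` line near the end of the hunk), whereas before this change it was only selected inside the `!elseif $(VARIABLE_SUPPORT) == "SPI"` branch, and neither the commit message nor the DSC says why. If the Null instance reports a physically present user unconditionally, as its name suggests (please confirm against the library source), that now feeds the Tcg2 physical-presence libraries this hunk enables under MEASURED_BOOT_ENABLE, so the choice deserves a comment such as `# PlatformSecureLibNull: no platform physical-presence detection on UPL; TPM PP requests are handled accordingly`. Consider also stating in the same comment block that `Tpm12DeviceLibTcg` and `Tpm2DeviceLibTcg2` are the protocol-based defaults, which the TcgDxe/Tcg2Dxe components override in the later [Components] hunk. The [LibraryClasses] section this hunk belongs to starts and ends outside the hunk.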
 -412,6 +426,10 @@
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf !endif +!if 
$(MEASURED_BOOT_ENABLE) == TRUE+ 
Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf+!endif+
 
################################################################################
 # # Pcd Section - list of all EDK II PCD Entries defined by this Platform.@@ 
-600,6 +618,13 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE   
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 
0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} +!if 
$(MEASURED_BOOT_ENABLE) == TRUE++  # (BIT0 - SHA1. BIT1 - SHA256, BIT2 - 
SHA384, BIT3 - SHA512, BIT4 - SM3_256)+  
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x000000016+  
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x000000016+!endif+ 
################################################################################
 # # Components Section - list of all EDK II Modules needed by this Platform.@@ 
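Review bot: PcdTpm2HashMask and PcdTcg2HashAlgorithmBitmap are both set to `0x000000016`, a nine-digit literal; per the comment above them this is BIT1|BIT2|BIT4 (SHA256, SHA384, SM3_256), so writing `0x00000016` would match the intended 32-bit width and stop a reader wondering whether a digit was dropped or duplicated. The comment would also be clearer if it said that SHA1 (BIT0) is deliberately excluded from the mask even though HashInstanceLibSha1 is linked into Tcg2Dxe in the components hunk, and that BIT3 must stay clear because no SHA512 hash instance library is linked. The list in that comment mixes a period and commas (`BIT0 - SHA1.`), which reads as a typo. The enclosing [PcdsFixedAtBuild] section starts and ends outside the hunk.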
-680,6 +705,10 @@
     <LibraryClasses> !if $(SECURE_BOOT_ENABLE)       
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf+!endif+!if
 $(MEASURED_BOOT_ENABLE) == TRUE+      
NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf+      
NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif   
} !endif@@ -842,6 +871,57 @@
   
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf 
!endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf 
{+    <LibraryClasses>+      
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf+   
}++   SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf {+    <LibraryClasses>+     
 PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf+  }++!if $(SMM_SUPPORT) == TRUE+ 
 SecurityPkg/Tcg/TcgSmm/TcgSmm.inf {+    <LibraryClasses>+    
TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf++  
}+!endif+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {+  <LibraryClasses>+   
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf+      
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+
      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+  
}+!if $(SMM_SUPPORT) == TRUE+  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf {+    
<LibraryClasses>+      
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf+  
}+!endif+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {+    <LibraryClasses>+      
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf+
      
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf+
      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf+      
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf+      
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf+      
NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf+      
NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf+  }+  
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+  
SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+    <LibraryClasses>+     
 
TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+
  }+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+    
<LibraryClasses>+      
TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf+
  }+!endif #MEASURED_BOOT_ENABLE+   #   # Misc   #diff --git 
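Review bot: `SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf` is listed twice in the new MEASURED_BOOT_ENABLE block, both times with the identical `TpmPlatformHierarchyLib|...PeiDxeTpmPlatformHierarchyLib.inf` override, immediately before `!endif #MEASURED_BOOT_ENABLE`; the FDF hunk in this patch lists the module only once, so one of the two DSC entries should be dropped. In the same block the Tcg2ConfigDxe entry indents `<LibraryClasses>` two columns less than its siblings, which is worth aligning with the others. The [Components] section this block belongs to starts and ends outside the hunk.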
a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index b52e6c75a5..ed9d42b022 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -176,6 +176,21 @@ INF 
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
   INF 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf 
!endif +!if $(MEASURED_BOOT_ENABLE) == TRUE+  INF 
SecurityPkg/Tcg/TcgDxe/TcgDxe.inf+!if $(SMM_SUPPORT) == TRUE+  INF 
SecurityPkg/Tcg/TcgSmm/TcgSmm.inf+!endif+  INF 
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf+  INF 
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf+  INF RuleOverride = DRIVER_ACPITABLE 
SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf+  INF 
SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf+!if $(SMM_SUPPORT) == TRUE+  INF 
SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf+!endif+  INF 
SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf+!endif+ INF 
UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF 
MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == 
"GENERIC"@@ -419,3 +434,13 @@ INF ShellPkg/Application/Shell/Shell.inf
     UI        STRING="Enter Setup"     VERSION   STRING="$(INF_VERSION)" 
Optional BUILD_NUM=$(BUILD_NUMBER)   
}++[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]+  FILE DRIVER = $(NAMED_GUID) {+   
 DXE_DEPEX DXE_DEPEX Optional       $(INF_OUTPUT)/$(MODULE_NAME).depex+    PE32 
     PE32                     $(INF_OUTPUT)/$(MODULE_NAME).efi+    RAW ACPI  
Optional                |.acpi+    RAW ASL   Optional                |.aml+    
UI        STRING="$(MODULE_NAME)" Optional+    VERSION   
STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)+  }-- 
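Review bot: The new `[Rule.Common.DXE_DRIVER.DRIVER_ACPITABLE]` rule carries no comment saying how it differs from the default DXE_DRIVER rule or which module relies on it. A one-line header such as `# DXE_DRIVER rule that additionally packs the module's ACPI (.acpi) and ASL (.aml) outputs as optional RAW sections; selected by Tcg2Acpi via RuleOverride` would document the link to the `INF RuleOverride = DRIVER_ACPITABLE SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf` line added in the earlier hunk of this file.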
2.39.1.windows.1


