From: Subash Lakkimsetti <subash.lakkimse...@intel.com> This patch adds a HOB for secure and measured boot information. The HOB is populated in the bootloader phase, and UefiPayloadPkg uses its contents to sync the TPM-related PCDs.
Cc: Guo Dong <guo.d...@intel.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james...@intel.com>
Cc: Gua Guo <gua....@intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimse...@intel.com>
---
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++-
 UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
 UefiPayloadPkg/UefiPayloadPkg.dec | 4 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
 4 files changed, 92 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index 2e70c4533c..13ac5582e2 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
@@ -2,11 +2,14 @@
 This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi tables from bootloader.
- Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 #include "BlSupportDxe.h"
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Include/UniversalPayload/SecureBootInfoGuid.h>
 /**
 Reserve MMIO/IO resource in GCD
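Review bot: The new `#include <Include/UniversalPayload/SecureBootInfoGuid.h>` spells the path with a leading `Include/`, which is not how public headers are normally reached in edk2; a package's `Include` directory is presumably already on the include path via its .dec, so the conventional form would be `#include <UniversalPayload/SecureBootInfoGuid.h>` if the header lives under UefiPayloadPkg/Include. The diffstat also shows that neither this header nor the `UNIVERSAL_SECURE_BOOT_INFO` definition it must provide is part of this patch, so the change only builds on top of a separate patch that adds them, and the commit message should name that dependency. The file header block edited here continues outside the hunk.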
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
 return Status;
 }
+/**
+Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader.
+**/
+EFI_STATUS
+BlSupportSecurityPcdSync (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;
+ UINTN Size;
+
+ GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
+ if (GuidHob == NULL) {
+ DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n"));
+ return EFI_UNSUPPORTED;
+ }
+
+ SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob);
+
+ // Sync the Hash mask for TPM 2.0 as per active PCR banks.
+ // Make sure that the current PCR allocations, the TPM supported PCRs,
+ // and the PcdTpm2HashMask are all in agreement.
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks));
+
+ // Set the Firmware debugger PCD
+ Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized));
+
+ // Set the TPM Type instance GUID
+ if (SecurebootInfoHob->MeasuredBootEnabled) {
+ if (SecurebootInfoHob->TpmType == TPM_TYPE_20) {
+ DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm20DtpmGuid
+ );
+ } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) {
+ DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm12Guid
+ );
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceNoneGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceNoneGuid
+ );
+ }
+
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
 /**
 Main entry for the bootloader support DXE module.
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
 ASSERT_EFI_ERROR (Status);
 }
+ //
+ // Sync Bootloader info for TPM
+ //
+ BlSupportSecurityPcdSync ();
+
 return EFI_SUCCESS;
 }
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
 #
 # Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
 #
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
 #
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -30,6 +30,7 @@
 [Packages]
 MdePkg/MdePkg.dec
 MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
 UefiPayloadPkg/UefiPayloadPkg.dec
 [LibraryClasses]
@@ -44,6 +45,10 @@
 [Guids]
 gUefiAcpiBoardInfoGuid
 gEfiGraphicsInfoHobGuid
+ gUniversalPayloadSecureBootInfoGuid
+ gEfiTpmDeviceInstanceTpm20DtpmGuid
+ gEfiTpmDeviceInstanceTpm12Guid
+ gEfiTpmDeviceInstanceNoneGuid
 [Pcd]
 gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
@@ -52,6 +57,10 @@
 gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution
 gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
 gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize
-
+ ## SOMETIMES_CONSUMES
+ ## SOMETIMES_PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
 [Depex]
 TRUE
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec
index 8d111f3a90..63138500dd 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
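Review bot: `SecurebootInfoHob` is dereferenced straight after `GET_GUID_HOB_DATA (GuidHob)` without checking that the HOB is large enough for `UNIVERSAL_SECURE_BOOT_INFO`, so a bootloader that hands over a shorter or older-layout HOB makes the reads of `TpmPcrActivePcrBanks`, `TpmType` and `MeasuredBootEnabled` run past the HOB data; compare `GET_GUID_HOB_DATA_SIZE (GuidHob)` with `sizeof (UNIVERSAL_SECURE_BOOT_INFO)` (and the header revision, if the struct carries one as other universal-payload HOBs do) before the cast. The missing-HOB path also returns without touching `PcdTpmInstanceGuid`, and the .dsc hunk in this patch seeds that PCD with the byte form of gEfiTpmDeviceInstanceTpm20DtpmGuid, so an absent HOB silently leaves the payload believing a dTPM 2.0 is present. The same happens when `MeasuredBootEnabled` is FALSE, because the `if` has no else branch. Both paths should select `gEfiTpmDeviceInstanceNoneGuid` so the TCG drivers fail closed, as sketched below (the trailing `ASSERT_EFI_ERROR (Status)` moves out of the `if` so it covers the new else).
```c
  GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
  if ((GuidHob == NULL) ||
      (GET_GUID_HOB_DATA_SIZE (GuidHob) < sizeof (UNIVERSAL_SECURE_BOOT_INFO)))
  {
    DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found or too small!\n"));
    //
    // Fail closed: do not keep the .dsc default (dTPM 2.0) without bootloader confirmation.
    //
    Size   = sizeof (gEfiTpmDeviceInstanceNoneGuid);
    Status = PcdSetPtrS (PcdTpmInstanceGuid, &Size, &gEfiTpmDeviceInstanceNoneGuid);
    ASSERT_EFI_ERROR (Status);
    return EFI_UNSUPPORTED;
  }

  // … unchanged: GET_GUID_HOB_DATA cast, PcdTpm2HashMask and PcdFirmwareDebuggerInitialized sync …

  if (SecurebootInfoHob->MeasuredBootEnabled) {
    // … unchanged: TPM 2.0 / TPM 1.2 / no-TPM instance GUID selection …
  } else {
    DEBUG ((DEBUG_INFO, "%a: Measured boot disabled\n", __func__));
    Size   = sizeof (gEfiTpmDeviceInstanceNoneGuid);
    Status = PcdSetPtrS (PcdTpmInstanceGuid, &Size, &gEfiTpmDeviceInstanceNoneGuid);
  }

  ASSERT_EFI_ERROR (Status);
```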
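Review bot: `BlSupportSecurityPcdSync ();` in BlDxeEntryPoint discards the EFI_STATUS the function is declared to return, and the function is neither `STATIC` nor declared in BlSupportDxe.h (the header is not in the diffstat). Either make the discard explicit and keep the symbol file-local, `STATIC` on the definition and `(VOID)BlSupportSecurityPcdSync ();` here, or propagate the status so a payload that requires measured-boot information can fail the entry point instead of continuing on default PCDs; the three-line `//` banner above the call could then say which of the two was chosen. BlDxeEntryPoint's body starts outside the hunk.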
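Review bot: The `## SOMETIMES_CONSUMES` / `## SOMETIMES_PRODUCES` pair is written once above the three new PCDs, but in an INF [Pcd] section such a usage comment documents only the entry directly below it, and BlSupportSecurityPcdSync only ever sets these PCDs (PcdSet32S, PcdSetBoolS, PcdSetPtrS) and never reads them. Put `## SOMETIMES_PRODUCES` on its own line directly above each of the three `gEfiSecurityPkgTokenSpaceGuid.*` entries (the set is skipped when the HOB is absent) and drop the `SOMETIMES_CONSUMES` line. The hunk also removes the blank line that separated the [Pcd] list from `[Depex]`; keep it for consistency with the other sections in this file.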
@@ -3,7 +3,7 @@ # # Provides drivers and definitions to create uefi payload for bootloaders. # -# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -42,6 +42,8 @@ gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } } gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } } gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } } + gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } } + [Ppis] gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 998d222909..0e7093cc7d 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -584,6 +584,8 @@ gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER) gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER) + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17} ################################################################################ # -- 2.39.1.windows.1
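Review bot: `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}` sets the platform default to the byte form of gEfiTpmDeviceInstanceTpm20DtpmGuid, so whenever BlSupportSecurityPcdSync finds no HOB, or the HOB reports measured boot disabled, the payload proceeds as if a dTPM 2.0 were present. The fail-safe default is the None instance, `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}` (or simply no override, if SecurityPkg.dec already defaults to it), with the dTPM GUID selected only when the HOB asks for it. `PcdTpm2HashMask` is also written by the driver but gets no platform default here, so its value on the no-HOB path is whatever SecurityPkg.dec provides; a one-line `#` comment above these two entries noting that BlSupportDxe overrides them at runtime would help the next reader.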