From 8cee3de7e9f44180b63effa6f62cb083fcba4f03 Mon Sep 17 00:00:00 2001 From: jljusten Date: Fri, 9 Mar 2012 17:38:53 +0000 Subject: [PATCH] OvmfPkg: Enable secure-boot support when SECURE_BOOT_ENABLE==TRUE Adjust PCD settings, library mappings and driver usage to enable secure-boot when -D SECURE_BOOT_ENABLE=TRUE is used on the build command line. Signed-off-by: lgrosenb Reviewed-by: jljusten Reviewed-by: mdkinney git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13093 6f19259b-4bc3-4df7-8a09-765794883524 --- OvmfPkg/OvmfPkgIa32.dsc | 45 +++++++++++++++++++++++++++++++++++++- OvmfPkg/OvmfPkgIa32.fdf | 6 ++++- OvmfPkg/OvmfPkgIa32X64.dsc | 45 +++++++++++++++++++++++++++++++++++++- OvmfPkg/OvmfPkgIa32X64.fdf | 8 ++++++- OvmfPkg/OvmfPkgX64.dsc | 45 +++++++++++++++++++++++++++++++++++++- OvmfPkg/OvmfPkgX64.fdf | 8 ++++++- 6 files changed, 151 insertions(+), 6 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 03fde20b43..1b35b8c05b 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -105,7 +105,18 @@ ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf LocalApicLib|UefiCpuPkg/Library/BaseXApicLib/BaseXApicLib.inf - DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!endif + +[LibraryClasses.common] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif [LibraryClasses.common.SEC] DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf @@ -169,6 +180,9 @@ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.common.UEFI_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -222,7 +236,11 @@ gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32 +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x10000 +!else gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x400 +!endif gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize|0x8000 gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xc000 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0xc000 @@ -239,6 +257,13 @@ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05 +!endif + !ifdef $(SOURCE_DEBUG_ENABLE) gEfiSourceLevelDebugPkgTokenSpaceGuid.PcdDebugLoadImageMethod|0x2 !endif @@ -309,7 +334,18 @@ } MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!endif + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf @@ -451,3 +487,10 @@ } !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!endif diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index c67a7829b2..235e322777 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -167,7 +167,11 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf -INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +!else + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 1ee74376ec..be10ba6f6c 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -106,7 +106,18 @@ ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf LocalApicLib|UefiCpuPkg/Library/BaseXApicLib/BaseXApicLib.inf - DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!endif + +[LibraryClasses.common] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif [LibraryClasses.common.SEC] DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf @@ -170,6 +181,9 @@ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.common.UEFI_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -223,7 +237,11 @@ gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32 +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x10000 +!else gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x400 +!endif gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize|0x8000 gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xc000 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0xc000 @@ -240,6 +258,13 @@ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05 +!endif + !ifdef $(SOURCE_DEBUG_ENABLE) gEfiSourceLevelDebugPkgTokenSpaceGuid.PcdDebugLoadImageMethod|0x2 !endif @@ -311,7 +336,18 @@ } MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!endif + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf @@ -453,3 +489,10 @@ } !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!endif diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf index c2dde19ff4..2351e563ab 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -167,7 +167,13 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf -INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +!else + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 855ded45a7..f4a5eec107 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -106,7 +106,18 @@ ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf LocalApicLib|UefiCpuPkg/Library/BaseXApicLib/BaseXApicLib.inf - DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!endif + +[LibraryClasses.common] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif [LibraryClasses.common.SEC] DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf @@ -170,6 +181,9 @@ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.common.UEFI_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -223,7 +237,11 @@ gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6 gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32 +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x10000 +!else gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x400 +!endif gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize|0x8000 gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xc000 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0xc000 @@ -240,6 +258,13 @@ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05 +!endif + !ifdef $(SOURCE_DEBUG_ENABLE) gEfiSourceLevelDebugPkgTokenSpaceGuid.PcdDebugLoadImageMethod|0x2 !endif @@ -310,7 +335,18 @@ } MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf +!endif + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf @@ -452,3 +488,10 @@ } !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } +!endif diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b08be66443..16f21fe3c8 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -167,7 +167,13 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf -INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +!else + INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf