From 0ff38cbfa31468aaa96fb13aa489a684f22d647f Mon Sep 17 00:00:00 2001 From: leegrosenbaum Date: Wed, 11 Apr 2012 16:23:41 +0000 Subject: Nt32Pkg: Add Secure Boot build option including Custom Mode setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If –D SECURE_BOOT_ENABLE is specified with the build command, Secure Boot support is enabled including custom mode setup. This allows Secure Boot to be configured through setup allowing Nt32Pkg to be a fully functional Secure Boot reference platforms. Signed-off-by: lee.g.rosenbaum@intel.com Reviewed-by: jiewen.yao@intel.com git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13186 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Library/PlatformSecureLib/PlatformSecureLib.c | 41 +++++++++++++++++ .../PlatformSecureLib/PlatformSecureLib.inf | 33 ++++++++++++++ Nt32Pkg/Nt32Pkg.dsc | 51 +++++++++++++++++++++- Nt32Pkg/Nt32Pkg.fdf | 18 ++++++++ 4 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.c create mode 100644 Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf (limited to 'Nt32Pkg') diff --git a/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.c b/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.c new file mode 100644 index 0000000000..e7f33277f5 --- /dev/null +++ b/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.c @@ -0,0 +1,41 @@ +/** @file + Provides a platform-specific method to enable Secure Boot Custom Mode setup. + + Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
+ This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ +#include + + +/** + + This function provides a platform-specific method to detect whether the platform + is operating by a physically present user. + + Programmatic changing of platform security policy (such as disable Secure Boot, + or switch between Standard/Custom Secure Boot mode) MUST NOT be possible during + Boot Services or after exiting EFI Boot Services. Only a physically present user + is allowed to perform these operations. + + NOTE THAT: This function cannot depend on any EFI Variable Service since they are + not available when this function is called in AuthenticateVariable driver. + + @retval TRUE The platform is operated by a physically present user. + @retval FALSE The platform is NOT operated by a physically present user. + +**/ +BOOLEAN +EFIAPI +UserPhysicalPresent ( + VOID + ) +{ + return TRUE; +} diff --git a/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf b/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf new file mode 100644 index 0000000000..a6891dd5f3 --- /dev/null +++ b/Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf @@ -0,0 +1,33 @@ +## @file +# Provides a platform-specific method to enable Secure Boot Custom Mode setup. +# +# Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.
+# +# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BSD License +# which accompanies this distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = PlatformSecureLib + FILE_GUID = F263EC2A-F0DB-4640-8B12-4ED22A506FB1 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = PlatformSecureLib|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER DXE_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 IPF EBC +# + +[Sources] + PlatformSecureLib.c + +[Packages] + MdePkg/MdePkg.dec diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc index e8aeee98da..9538d37d51 100644 --- a/Nt32Pkg/Nt32Pkg.dsc +++ b/Nt32Pkg/Nt32Pkg.dsc @@ -32,6 +32,11 @@ SKUID_IDENTIFIER = DEFAULT FLASH_DEFINITION = Nt32Pkg/Nt32Pkg.fdf + # + # Defines for default states. These can be changed on the command line. + # -D FLAG=VALUE + # + DEFINE SECURE_BOOT_ENABLE = FALSE ################################################################################ # @@ -113,6 +118,12 @@ PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf DebugAgentLib|MdeModulePkg/Library/DebugAgentLibNull/DebugAgentLibNull.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!endif [LibraryClasses.common.USER_DEFINED] DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf @@ -143,6 +154,9 @@ [LibraryClasses.common.PEIM] PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf OemHookStatusCodeLib|Nt32Pkg/Library/PeiNt32OemHookStatusCodeLib/PeiNt32OemHookStatusCodeLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +!endif [LibraryClasses.common] # @@ -157,6 +171,9 @@ PeCoffExtraActionLib|Nt32Pkg/Library/DxeNt32PeCoffExtraActionLib/DxeNt32PeCoffExtraActionLib.inf ExtractGuidedSectionLib|MdePkg/Library/DxeExtractGuidedSectionLib/DxeExtractGuidedSectionLib.inf WinNtLib|Nt32Pkg/Library/DxeWinNtLib/DxeWinNtLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif [LibraryClasses.common.DXE_CORE] HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf @@ -172,6 +189,12 @@ [LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf PrintLib|MdeModulePkg/Library/DxePrintLibPrint2Protocol/DxePrintLibPrint2Protocol.inf + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] + # + # Runtime + # + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf ################################################################################ # @@ -194,6 +217,16 @@ gEfiNt32PkgTokenSpaceGuid.PcdWinNtFirmwareBlockSize|0x10000 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 +!endif + +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05 +!endif ################################################################################ # @@ -258,7 +291,13 @@ Nt32Pkg/BootModePei/BootModePei.inf Nt32Pkg/StallPei/StallPei.inf Nt32Pkg/WinNtFlashMapPei/WinNtFlashMapPei.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + Nt32Pkg/WinNtAutoScanPei/WinNtAutoScanPei.inf Nt32Pkg/WinNtFirmwareVolumePei/WinNtFirmwareVolumePei.inf Nt32Pkg/WinNtThunkPPIToProtocolPei/WinNtThunkPPIToProtocolPei.inf @@ -282,7 +321,12 @@ Nt32Pkg/ResetRuntimeDxe/ResetRuntimeDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf Nt32Pkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf @@ -294,7 +338,12 @@ MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf Nt32Pkg/WinNtOemHookStatusCodeHandlerDxe/WinNtOemHookStatusCodeHandlerDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf diff --git a/Nt32Pkg/Nt32Pkg.fdf b/Nt32Pkg/Nt32Pkg.fdf index fafae8f03f..b00cb774d7 100644 --- a/Nt32Pkg/Nt32Pkg.fdf +++ b/Nt32Pkg/Nt32Pkg.fdf @@ -74,10 +74,17 @@ DATA = { #Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == TRUE + #Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!else #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -174,7 +181,13 @@ INF Nt32Pkg/StallPei/StallPei.inf INF Nt32Pkg/WinNtFlashMapPei/WinNtFlashMapPei.inf INF Nt32Pkg/WinNtAutoScanPei/WinNtAutoScanPei.inf INF Nt32Pkg/WinNtFirmwareVolumePei/WinNtFirmwareVolumePei.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + INF Nt32Pkg/WinNtThunkPPIToProtocolPei/WinNtThunkPPIToProtocolPei.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf @@ -202,7 +215,12 @@ INF Nt32Pkg/TimerDxe/TimerDxe.inf INF MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf INF MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf INF Nt32Pkg/WinNtOemHookStatusCodeHandlerDxe/WinNtOemHookStatusCodeHandlerDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf -- cgit v1.2.3