author | raywu <raywu0301@gmail.com> | 2018-06-15 00:00:50 +0800 |
---|---|---|
committer | raywu <raywu0301@gmail.com> | 2018-06-15 00:00:50 +0800 |
commit | b7c51c9cf4864df6aabb99a1ae843becd577237c (patch) | |
tree | eebe9b0d0ca03062955223097e57da84dd618b9a /Core/EM/SecurityPkg/SecureMod.sdl | |
download | zprj-b7c51c9cf4864df6aabb99a1ae843becd577237c.tar.xz |
Diffstat (limited to 'Core/EM/SecurityPkg/SecureMod.sdl')
-rw-r--r-- | Core/EM/SecurityPkg/SecureMod.sdl | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/Core/EM/SecurityPkg/SecureMod.sdl b/Core/EM/SecurityPkg/SecureMod.sdl
new file mode 100644
index 0000000..c4a3338
--- /dev/null
+++ b/Core/EM/SecurityPkg/SecureMod.sdl
@@ -0,0 +1,315 @@
+TOKEN
+ Name = "SecureMod_SUPPORT"
+ Value = "1"
+ TokenType = Boolean
+ TargetMAK = Yes
+ TargetH = Yes
+ Master = Yes
+ Token = "CryptoAPI_SUPPORT" "=" "1"
+End
+
+TOKEN
+ Name = "SECURE_FLASH_MODULE_REVISION"
+ Value = "17"
+ Help = "Version of Secure Flash module interfaces"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "CREATE_FWCAPSULE"
+ Value = "1"
+ Help = "Mode selector for creating of digitally signed Aptio FW Capsule, to be used for Protected Flash Updates including Recovery.\0 - Enable Secure Flash interfaces, but skip FW Capsule signing;\1 - Create Aptio FW Capsule;\2 - Skip final FW Capsule signing process, e.g to hand off this task to signing server."
+ TokenType = Integer
+ TargetMAK = Yes
+ Range = "0-1-2"
+End
+
+TOKEN
+ Name = "====FWCAPSULE FORMAT TUNE-UP===="
+ Value = "=============================="
+ TokenType = Expression
+End
+
+TOKEN
+ Name = "FWCAPSULE_FILE_FORMAT"
+ Value = "1"
+ Help = "0 - Include Aptio FW Signature Block inside the BIOS ROM as a ROM Hole Ffs.\1 - FW Signature Block is attached on top of BIOS Image."
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "FWCAPSULE_CERT_FORMAT"
+ Value = "0"
+ Help = "0 - FwCapsule Hdr includes UEFI RSA2048_SHA256 certificates\1 - PKCS#7 Certificate. Signing keys delivered in PKCS#12 .pfx and X.509.cer"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "UNSIGNED_BIOS_ROM"
+ Value = "$(AMI_ROM)"
+ Help = "File name of the BIOS image to be signed."
+ TokenType = Expression
+ TargetMAK = Yes
+End
+
+TOKEN
+ Name = "FWCAPSULE_FILE_NAME"
+ Value = "$(PROJECT_TAG).ROM"
+ Help = "Signed BIOS file name. FwCapsule Hdr with Signature embedded inside the BIOS.ROM.\Note!!!Default Recovery image name is provided by RECOVERY_ROM"
+ TokenType = Expression
+ TargetMAK = Yes
+ TargetH = Yes
+ Token = "FWCAPSULE_FILE_FORMAT" "=" "0"
+End
+
+TOKEN
+ Name = "FWCAPSULE_FILE_NAME"
+ Value = "$(PROJECT_TAG).CAP"
+ Help = "Signed BIOS file name. Aptio FwCapsule Hdr is attached on top of BIOS.ROM.\Note!!!Default Recovery image name is provided by RECOVERY_ROM"
+ TokenType = Expression
+ TargetMAK = Yes
+ TargetH = Yes
+ Token = "FWCAPSULE_FILE_FORMAT" "=" "1"
+End
+
+TOKEN
+ Name = "FWCAPSULE_IMAGE_ALLIGN"
+ Value = "4096"
+ Help = "FW Capsule file size alignment"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+ Range = "Min FW Capsule file size allignment is 512"
+End
+
+TOKEN
+ Name = "FWCAPSULE_MAX_HDR_SIZE"
+ Value = "4096"
+ Help = "Maximum Size of the embedded FW Capsule Header"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+ Range = "Min FW Capsule Header size is 2048"
+End
+
+TOKEN
+ Name = "FWCAPSULE_IMAGE_SIZE"
+ Value = "$(FLASH_SIZE)+0x4000"
+ Help = "This is the max size of the signed Recovery image with attached 16kb FwCapsule Hdr"
+ TokenType = Integer
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "FWSIG_SIGNHDR"
+ Value = "0"
+ Help = "FwCapsule Hdr Signature Calculation scheme\0-FwSig Cert signs hash of Rom Image and RomMap, FwRoot signs full FwSig Certificate. Fixed in Labels 0-008\1-Add FwCap hdr into a FwSig signature calculation, FwRoot signs FwSig certificate. Supported from Label 009"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "FWSIG_PADDING"
+ Value = "1"
+ Help = "RSA Signature padding scheme.\0-PKCS1v1.5, 1-PSS (default for Secure Flash Module labels 0 to 009), 2-xx reserved"
+ TokenType = Integer
+ TargetMAK = Yes
+ TargetH = Yes
+End
+
+TOKEN
+ Name = "FWKEY_FILE_FORMAT"
+ Value = "1"
+ Help = "Data format of Root FW Key FFS inside BIOS RTU (FV_BB).\0-n-modulus of RSA2048 key, 1-SHA256 Hash of RSA2048 n-modulus, 2-x.509 DER Certificate key, 3-xx reserved"
+ TokenType = Integer
+ TargetMAK = Yes
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+End
+
+TOKEN
+ Name = "FWKEY_FILE_FORMAT"
+ Value = "2"
+ Lock = Yes
+ Help = "Don't change the value."
+ TokenType = Integer
+ TargetMAK = Yes
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "1"
+End
+
+TOKEN
+ Name = "FWKEY_FILE_REPLACE"
+ Value = "1"
+ Help = "Directive to Cryptocon.exe to replace existing Root Platform Key inside BIOS.ROM with the Key used to sign FwCapsule"
+ TokenType = Boolean
+ TargetMAK = Yes
+End
+
+TOKEN
+ Name = "ROM_LAYOUT_EX"
+ Value = "$(BUILD_DIR)\RomLayoutEx.bin"
+ Help = "Name of the extended rom map file used to sign ROM image"
+ TokenType = Expression
+ TargetMAK = Yes
+End
+
+TOKEN
+ Name = "CRYPTCON"
+ Value = "$(SILENT)CryptoCon.exe"
+ TokenType = Expression
+ TargetMAK = Yes
+End
+
+TOKEN
+ Name = "CRYPTCON"
+ Value = "$(SILENT)CryptoCon.exe -@"
+ TokenType = Expression
+ TargetMAK = Yes
+ Token = "BRIEF" "=" "1"
+End
+
+TOKEN
+ Name = "CRYPTKEYGEN"
+ Value = "$(SILENT)keygen.exe"
+ TokenType = Expression
+ TargetMAK = Yes
+End
+
+PATH
+ Name = "SecureMod_DIR"
+End
+
+MODULE
+ File = "SecureMod.mak"
+ Token = "CREATE_FWCAPSULE" "!=" "0"
+End
+
+ELINK
+ Name = "$(BUILD_DIR)\FwCapsuleHdr.ffs"
+ Parent = "FV_MAIN"
+ Token = "CREATE_FWCAPSULE" "!=" "0"
+ Token = "LZMA_SUPPORT" "=" "0"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "$(BUILD_DIR)\FwCapsuleHdr.ffs"
+ Parent = "FV_MAIN_OUTSIDE_NESTED"
+ Token = "CREATE_FWCAPSULE" "!=" "0"
+ Token = "LZMA_SUPPORT" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "CRYPTOCON_CMDLINE"
+ InvokeOrder = ReplaceParent
+ Help = "Cryptocon.exe command line to create signed FwCapsule"
+End
+
+ELINK
+ Name = "CRYPTOCON_CMDLINE_SIG"
+ InvokeOrder = ReplaceParent
+ Help = "Cryptocon.exe command line to create signed FwCapsule"
+End
+
+ELINK
+ Name = "CRYPTOCON_CMDLINE_MAP"
+ InvokeOrder = ReplaceParent
+ Help = "Cryptocon.exe command line to prepare embedded signature block FwCapsule"
+End
+
+ELINK
+ Name = "-c $(FWrootKey) -k $(FWpriv)"
+ Parent = "CRYPTOCON_CMDLINE"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-c2 -x $(FWpriv),$(FW_PFX_Password)"
+ Parent = "CRYPTOCON_CMDLINE"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-n"
+ Parent = "CRYPTOCON_CMDLINE"
+ Help = "-n ia a directive to replace Platform Root Key embedded inside BIOS.ROM with the Key used to sign new FwCapsule"
+ Token = "FWKEY_FILE_REPLACE" "=" "1"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-n -k $(FWpub)"
+ Parent = "CRYPTOCON_CMDLINE"
+ Token = "FWKEY_FILE_REPLACE" "=" "1"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-m -r $(ROM_LAYOUT_EX)"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-y"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ Token = "FWCAPSULE_FILE_FORMAT" "=" "0"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-l $(FWCAPSULE_IMAGE_ALLIGN)"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ Token = "FWCAPSULE_FILE_FORMAT" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-q"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ Help = "Extended FwCapsule Hdr Signature Calculation scheme"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+ Token = "FWSIG_SIGNHDR" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-p"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ Help = "RSA-PSS Signature padding scheme. (Default - PKCS#1v1.5)"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+ Token = "FWSIG_PADDING" "=" "1"
+ Token = "FWSIG_SIGNHDR" "=" "1"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "-p"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ Token = "FWCAPSULE_CERT_FORMAT" "=" "0"
+ Token = "FWSIG_SIGNHDR" "=" "0"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "$(CRYPTOCON_CMDLINE) -f $(UNSIGNED_BIOS_ROM) -o $(FWCAPSULE_FILE_NAME)"
+ Parent = "CRYPTOCON_CMDLINE_SIG"
+ InvokeOrder = AfterParent
+End
+
+ELINK
+ Name = "$(CRYPTOCON_CMDLINE) -f $(UNSIGNED_BIOS_ROM) -o $(UNSIGNED_BIOS_ROM)"
+ Parent = "CRYPTOCON_CMDLINE_MAP"
+ InvokeOrder = AfterParent
+End |
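Review bot: The ELINK `-c2 -x $(FWpriv),$(FW_PFX_Password)` puts the PKCS#12 password on the CryptoCon command line. With `FWCAPSULE_CERT_FORMAT` = 1 the secret will therefore end up in the expanded makefile and probably in build logs, and since `FW_PFX_Password` is not defined in this file it should be checked that it comes from the build environment and not from a committed token. I would add a line such as `Help = "FW_PFX_Password must be supplied by the build environment; do not commit it or log the expanded command line"` to that ELINK. The second `-p` ELINK (`FWSIG_SIGNHDR` = 0) has no `FWSIG_PADDING` condition, so `FWSIG_PADDING` = 0 only selects PKCS#1 v1.5 when `FWSIG_SIGNHDR` is 1; if that is intentional for the older labels, a Help line on that ELINK and on the `FWSIG_PADDING` token should say so. `FWKEY_FILE_REPLACE` defaults to 1, so the root key embedded in the image follows whichever key signed the build, which deserves a Help caveat about not shipping images signed with development keys.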