[edk2-devel] [PATCH v2 2/6] UefiPayloadPkg: Add secureboot information HOBs
Subash Lakkimsetti
subash.lakkimsetti at intel.com
Wed May 17 23:55:30 UTC 2023
From: Subash Lakkimsetti <subash.lakkimsetti at intel.com>
This patch add the HOB fpr secure and measured boot
information. This is populated by bootloader phase
and uefipayload pkg uses this info to sync the TPM
info PCDs.
Cc: Guo Dong <guo.dong at intel.com>
Cc: Ray Ni <ray.ni at intel.com>
Cc: Sean Rhodes <sean at starlabs.systems>
Cc: James Lu <james.lu at intel.com>
Cc: Gua Guo <gua.guo at intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti at intel.com>
---
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c | 77 +++++++++++++++++++-
UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | 13 +++-
UefiPayloadPkg/UefiPayloadPkg.dec | 4 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
4 files changed, 92 insertions(+), 4 deletions(-)
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
index 2e70c4533c..13ac5582e2 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.c
@@ -2,11 +2,14 @@
This driver will report some MMIO/IO resources to dxe core, extract smbios and acpi
tables from bootloader.
- Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "BlSupportDxe.h"
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Include/UniversalPayload/SecureBootInfoGuid.h>
/**
Reserve MMIO/IO resource in GCD
@@ -86,6 +89,73 @@ ReserveResourceInGcd (
return Status;
}
+/**
+Sync the Secure boot hob info and TPM PCD as per the information passed from Bootloader.
+**/
+EFI_STATUS
+BlSupportSecurityPcdSync (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ UNIVERSAL_SECURE_BOOT_INFO *SecurebootInfoHob;
+ UINTN Size;
+
+ GuidHob = GetFirstGuidHob (&gUniversalPayloadSecureBootInfoGuid);
+ if (GuidHob == NULL) {
+ DEBUG ((DEBUG_ERROR, "gUniversalPayloadSecureBootInfoGuid Not Found!\n"));
+ return EFI_UNSUPPORTED;
+ }
+
+ SecurebootInfoHob = (UNIVERSAL_SECURE_BOOT_INFO *)GET_GUID_HOB_DATA (GuidHob);
+
+ // Sync the Hash mask for TPM 2.0 as per active PCR banks.
+ // Make sure that the current PCR allocations, the TPM supported PCRs,
+ // and the PcdTpm2HashMask are all in agreement.
+ Status = PcdSet32S (PcdTpm2HashMask, SecurebootInfoHob->TpmPcrActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, "TpmPcrActivePcrBanks 0x%x \n", SecurebootInfoHob->TpmPcrActivePcrBanks));
+
+ // Set the Firmware debugger PCD
+ Status = PcdSetBoolS (PcdFirmwareDebuggerInitialized, SecurebootInfoHob->FirmwareDebuggerInitialized);
+ ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO, " FirmwareDebugger Initialized 0x%x \n", SecurebootInfoHob->FirmwareDebuggerInitialized));
+
+ // Set the TPM Type instance GUID
+ if (SecurebootInfoHob->MeasuredBootEnabled) {
+ if (SecurebootInfoHob->TpmType == TPM_TYPE_20) {
+ DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm20DtpmGuid
+ );
+ } else if (SecurebootInfoHob->TpmType == TPM_TYPE_12) {
+ DEBUG ((DEBUG_INFO, "%a: TPM1.2 detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceTpm12Guid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceTpm12Guid
+ );
+ } else {
+ DEBUG ((DEBUG_INFO, "%a: No TPM detected\n", __func__));
+ Size = sizeof (gEfiTpmDeviceInstanceNoneGuid);
+ Status = PcdSetPtrS (
+ PcdTpmInstanceGuid,
+ &Size,
+ &gEfiTpmDeviceInstanceNoneGuid
+ );
+ }
+
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
Main entry for the bootloader support DXE module.
@@ -144,5 +214,10 @@ BlDxeEntryPoint (
ASSERT_EFI_ERROR (Status);
}
+ //
+ // Sync Bootloader info for TPM
+ //
+ BlSupportSecurityPcdSync ();
+
return EFI_SUCCESS;
}
diff --git a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
index 96d85d2b1d..162167e6bb 100644
--- a/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
+++ b/UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
@@ -3,7 +3,7 @@
#
# Report some MMIO/IO resources to dxe core, extract smbios and acpi tables
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -30,6 +30,7 @@
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
UefiPayloadPkg/UefiPayloadPkg.dec
[LibraryClasses]
@@ -44,6 +45,10 @@
[Guids]
gUefiAcpiBoardInfoGuid
gEfiGraphicsInfoHobGuid
+ gUniversalPayloadSecureBootInfoGuid
+ gEfiTpmDeviceInstanceTpm20DtpmGuid
+ gEfiTpmDeviceInstanceTpm12Guid
+ gEfiTpmDeviceInstanceNoneGuid
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
@@ -52,6 +57,10 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseSize
-
+ ## SOMETIMES_CONSUMES
+ ## SOMETIMES_PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
[Depex]
TRUE
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec
index 8d111f3a90..63138500dd 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dec
+++ b/UefiPayloadPkg/UefiPayloadPkg.dec
@@ -3,7 +3,7 @@
#
# Provides drivers and definitions to create uefi payload for bootloaders.
#
-# Copyright (c) 2014 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2014 - 2023, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -42,6 +42,8 @@
gSpiFlashInfoGuid = { 0x2d4aac1b, 0x91a5, 0x4cd5, { 0x9b, 0x5c, 0xb4, 0x0f, 0x5d, 0x28, 0x51, 0xa1 } }
gSmmRegisterInfoGuid = { 0xaa9bd7a7, 0xcafb, 0x4499, { 0xa4, 0xa9, 0xb, 0x34, 0x6b, 0x40, 0xa6, 0x22 } }
gS3CommunicationGuid = { 0x88e31ba1, 0x1856, 0x4b8b, { 0xbb, 0xdf, 0xf8, 0x16, 0xdd, 0x94, 0xa, 0xef } }
+ gUniversalPayloadSecureBootInfoGuid = { 0xd970f847, 0x07dd, 0x4b24, { 0x9e, 0x1e, 0xae, 0x6c, 0x80, 0x9b, 0x1d, 0x38 } }
+
[Ppis]
gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} }
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 998d222909..0e7093cc7d 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -584,6 +584,8 @@
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcIndexRegister|$(RTC_INDEX_REGISTER)
gPcAtChipsetPkgTokenSpaceGuid.PcdRtcTargetRegister|$(RTC_TARGET_REGISTER)
+ gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5a, 0xf2, 0x6b, 0x28, 0xc3, 0xc2, 0x8c, 0x40, 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17}
################################################################################
#
--
2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#104992): https://edk2.groups.io/g/devel/message/104992
Mute This Topic: https://groups.io/mt/98982073/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list