From d285d5a0fbd1cfd624824c8e473f87462b121bb8 Mon Sep 17 00:00:00 2001 From: jiangfangjie Date: Wed, 5 Aug 2020 18:42:45 +0800 Subject: [PATCH] ArmvirtPkg/ArmVirtQemu: enable TPM2 based measured boot and enable the TPM2 configuration module Signed-off-by: jiangfangjie --- ...igPei-introduce-a-signalling-PPI-to-.patch | 61 ++++ ...ormPeiLib-make-PcdLib-dependency-exp.patch | 37 ++ ...ormPeiLib-discover-the-TPM-base-addr.patch | 318 ++++++++++++++++++ ...plement-ArmVirtPsciResetSystemPeiLib.patch | 311 +++++++++++++++++ ...rtQemu-add-ResetSystem-PEIM-for-upco.patch | 89 +++++ ...rtQemu-enable-TPM2-support-in-the-PE.patch | 99 ++++++ ...-DxeTpmMeasurementLib-in-shared-.DSC.patch | 48 +++ ...re-TpmMeasurementLib-resolution-betw.patch | 72 ++++ ...rtQemu-enable-the-DXE-phase-TPM2-sup.patch | 115 +++++++ ...rtQemu-enable-the-TPM2-configuration.patch | 81 +++++ ...rtQemu-enable-TPM2-based-measured-bo.patch | 37 ++ edk2.spec | 21 +- 12 files changed, 1287 insertions(+), 2 deletions(-) create mode 100644 0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch create mode 100644 0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch create mode 100644 0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch create mode 100644 0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch create mode 100644 0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch create mode 100644 0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch create mode 100644 0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch create mode 100644 0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch create mode 100644 0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch create mode 100644 0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch create mode 100644 0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch 
diff --git a/0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch b/0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch
new file mode 100644
index 0000000..670aaa0
--- /dev/null
+++ b/0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch
@@ -0,0 +1,61 @@ +From bf5008f94fd887f7f9c1daf1a09f47c0733d38ed Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:06 +0100 +Subject: [PATCH 03/13] OvmfPkg/Tcg2ConfigPei: introduce a signalling PPI to + depex on + +On ARM systems, the TPM does not live at a fixed address, and so we +need the platform to discover it first. So introduce a PPI that signals +that the TPM address has been discovered and recorded in the appropriate +PCD, and make Tcg2ConfigPei depex on it when built for ARM or AARCH64. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + OvmfPkg/OvmfPkg.dec | 5 +++++ + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 6 +++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec +index 4c5b651..7c27f01 100644 +--- a/OvmfPkg/OvmfPkg.dec ++++ b/OvmfPkg/OvmfPkg.dec +@@ -87,6 +87,11 @@ + gEfiLegacyBiosGuid = {0x2E3044AC, 0x879F, 0x490F, {0x97, 0x60, 0xBB, 0xDF, 0xAF, 0x69, 0x5F, 0x50}} + gEfiLegacyDevOrderVariableGuid = {0xa56074db, 0x65fe, 0x45f7, {0xbd, 0x21, 0x2d, 0x2b, 0xdd, 0x8e, 0x96, 0x52}} + ++[Ppis] ++ # PPI whose presence in the PPI database signals that the TPM base address ++ # has been discovered and recorded ++ gOvmfTpmDiscoveredPpiGuid = {0xb9a61ad0, 0x2802, 0x41f3, {0xb5, 0x13, 0x96, 0x51, 0xce, 0x6b, 0xd5, 0x75}} ++ + [Protocols] + gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}} + gXenBusProtocolGuid = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}} +diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +index e34cd62..6673ce0 100644 +--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +@@ -25,6 +25,7 @@ + [Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec ++ OvmfPkg/OvmfPkg.dec + 
SecurityPkg/SecurityPkg.dec + + [LibraryClasses] +@@ -43,5 +44,8 @@ + [Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES + +-[Depex] ++[Depex.IA32, Depex.X64] + TRUE ++ ++[Depex.ARM, Depex.AARCH64] ++ gOvmfTpmDiscoveredPpiGuid +-- +2.18.2 + diff --git a/0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch b/0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch new file mode 100644 index 0000000..33ef20c --- /dev/null +++ b/0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch @@ -0,0 +1,37 @@ +From 4b9b1a6908eae0440b0d230d3ac39c6ff2a3f15f Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:07 +0100 +Subject: [PATCH 04/13] ArmVirtPkg/PlatformPeiLib: make PcdLib dependency + explicit in .INF + +We currently include PcdLib.h in PlatformPeiLib, without declaring +this dependency in its .INF description. Since all the PCDs we use +resolve to fixed type in practice, this does not really matter at +the moment, but since we will be adding dynamic PCD references in +a subsequent patch, let's make the PcdLib dependency explicit, so +that its dispatch is guaranteed to be ordered correctly with respect +to the provider of the dynamic PCD PPI. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf +index 46db117..1ef04d1 100644 +--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf ++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf +@@ -29,6 +29,7 @@ + DebugLib + HobLib + FdtLib ++ PcdLib + + [FixedPcd] + gArmTokenSpaceGuid.PcdFvSize +-- +2.18.2 + 
diff --git a/0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch b/0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch
new file mode 100644
index 0000000..c80e7db
--- /dev/null
+++ b/0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch
@@ -0,0 +1,318 @@ +From f1bb8ca123be4d0194a9f65b93a9c65c85861b50 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:08 +0100 +Subject: [PATCH 05/13] ArmVirtPkg/PlatformPeiLib: discover the TPM base + address from the DT + +Introduce a boolean PCD that tells us whether TPM support is enabled +in the build, and if it is, record the TPM base address in the existing +routine that traverses the device tree in the platform PEIM. + +If a TPM is found, install the gOvmfTpmDiscoveredPpiGuid signalling PPI +that will unlock the dispatch of OvmfPkg's Tcg2ConfigPei. If TPM2 +support is enabled in the build but no TPM2 device is found, install the +gPeiTpmInitializationDonePpiGuid PPI, which is normally installed by +Tcg2ConfigPei if no TPM2 is found, but in our case Tcg2ConfigPei will +never run so let's do it here instead. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Acked-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtPkg.dec | 6 ++ + ArmVirtPkg/ArmVirtQemu.dsc | 5 + + ArmVirtPkg/ArmVirtQemuKernel.dsc | 6 ++ + ArmVirtPkg/ArmVirtXen.dsc | 6 ++ + .../Library/PlatformPeiLib/PlatformPeiLib.c | 101 ++++++++++++++++-- + .../Library/PlatformPeiLib/PlatformPeiLib.inf | 19 +++- + 6 files changed, 129 insertions(+), 14 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec +index a019cc2..0619efc 100644 +--- a/ArmVirtPkg/ArmVirtPkg.dec ++++ b/ArmVirtPkg/ArmVirtPkg.dec +@@ -36,6 +36,12 @@ + [Protocols] + gFdtClientProtocolGuid = { 0xE11FACA0, 0x4710, 0x4C8E, { 0xA7, 0xA2, 0x01, 0xBA, 0xA2, 0x59, 0x1B, 0x4C } } + ++[PcdsFeatureFlag] ++ # ++ # Feature Flag PCD that defines whether TPM2 support is enabled ++ # ++ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|FALSE|BOOLEAN|0x00000004 ++ + [PcdsFixedAtBuild, PcdsPatchableInModule] + # + # This is the physical address where the device tree is expected to be stored +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc 
b/ArmVirtPkg/ArmVirtQemu.dsc +index 7ae6702..984df5c 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -237,6 +237,11 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 + gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE + ++ # ++ # TPM2 support ++ # ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 ++ + [PcdsDynamicHii] + gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS + +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 3b0f049..8243876 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -172,6 +172,12 @@ + gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|3 + + [PcdsPatchableInModule.common] ++ # we need to provide a resolution for this PCD that supports PcdSet64() ++ # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c, ++ # even though that call will be compiled out on this platform as it does ++ # not (and cannot) support the TPM2 driver stack ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 ++ + # + # This will be overridden in the code + # +diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc +index 1b42a9a..8a6ace2 100644 +--- a/ArmVirtPkg/ArmVirtXen.dsc ++++ b/ArmVirtPkg/ArmVirtXen.dsc +@@ -95,6 +95,12 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable|TRUE + + [PcdsPatchableInModule.common] ++ # we need to provide a resolution for this PCD that supports PcdSet64() ++ # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c, ++ # even though that call will be compiled out on this platform as it does ++ # not (and cannot) support the TPM2 driver stack ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 ++ + # + # This will be overridden in the code + # +diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c +index 0a14695..eabd800 100644 +--- 
a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c ++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c +@@ -1,7 +1,7 @@ + /** @file + * + * Copyright (c) 2011-2014, ARM Limited. All rights reserved. +-* Copyright (c) 2014, Linaro Limited. All rights reserved. ++* Copyright (c) 2014-2020, Linaro Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-2-Clause-Patent + * +@@ -13,11 +13,24 @@ + #include + #include + #include ++#include + #include + + #include + #include + ++STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2DiscoveredPpi = { ++ EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST, ++ &gOvmfTpmDiscoveredPpiGuid, ++ NULL ++}; ++ ++STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2InitializationDonePpi = { ++ EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST, ++ &gPeiTpmInitializationDonePpiGuid, ++ NULL ++}; ++ + EFI_STATUS + EFIAPI + PlatformPeim ( +@@ -31,14 +44,18 @@ PlatformPeim ( + UINT64 *FdtHobData; + UINT64 *UartHobData; + INT32 Node, Prev; ++ INT32 Parent, Depth; + CONST CHAR8 *Compatible; + CONST CHAR8 *CompItem; + CONST CHAR8 *NodeStatus; + INT32 Len; ++ INT32 RangesLen; + INT32 StatusLen; + CONST UINT64 *RegProp; ++ CONST UINT32 *RangesProp; + UINT64 UartBase; +- ++ UINT64 TpmBase; ++ EFI_STATUS Status; + + Base = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress); + ASSERT (Base != NULL); +@@ -58,18 +75,18 @@ PlatformPeim ( + ASSERT (UartHobData != NULL); + *UartHobData = 0; + +- // +- // Look for a UART node +- // +- for (Prev = 0;; Prev = Node) { +- Node = fdt_next_node (Base, Prev, NULL); ++ TpmBase = 0; ++ ++ for (Prev = Depth = 0;; Prev = Node) { ++ Node = fdt_next_node (Base, Prev, &Depth); + if (Node < 0) { + break; + } + +- // +- // Check for UART node +- // ++ if (Depth == 1) { ++ Parent = Node; ++ } ++ + Compatible = fdt_getprop (Base, Node, "compatible", &Len); + + // +@@ -93,10 +110,74 @@ PlatformPeim ( + + *UartHobData = UartBase; + break; ++ } else if (FeaturePcdGet (PcdTpm2SupportEnabled) 
&& ++ AsciiStrCmp (CompItem, "tcg,tpm-tis-mmio") == 0) { ++ ++ RegProp = fdt_getprop (Base, Node, "reg", &Len); ++ ASSERT (Len == 8 || Len == 16); ++ if (Len == 8) { ++ TpmBase = fdt32_to_cpu (RegProp[0]); ++ } else if (Len == 16) { ++ TpmBase = fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RegProp)); ++ } ++ ++ if (Depth > 1) { ++ // ++ // QEMU/mach-virt may put the TPM on the platform bus, in which case ++ // we have to take its 'ranges' property into account to translate the ++ // MMIO address. This consists of a ++ // tuple, where the child base and the size use the same number of ++ // cells as the 'reg' property above, and the parent base uses 2 cells ++ // ++ RangesProp = fdt_getprop (Base, Parent, "ranges", &RangesLen); ++ ASSERT (RangesProp != NULL); ++ ++ // ++ // a plain 'ranges' attribute without a value implies a 1:1 mapping ++ // ++ if (RangesLen != 0) { ++ // ++ // assume a single translated range with 2 cells for the parent base ++ // ++ if (RangesLen != Len + 2 * sizeof (UINT32)) { ++ DEBUG ((DEBUG_WARN, ++ "%a: 'ranges' property has unexpected size %d\n", ++ __FUNCTION__, RangesLen)); ++ break; ++ } ++ ++ if (Len == 8) { ++ TpmBase -= fdt32_to_cpu (RangesProp[0]); ++ } else { ++ TpmBase -= fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp)); ++ } ++ ++ // ++ // advance RangesProp to the parent bus address ++ // ++ RangesProp = (UINT32 *)((UINT8 *)RangesProp + Len / 2); ++ TpmBase += fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp)); ++ } ++ } ++ break; + } + } + } + ++ if (FeaturePcdGet (PcdTpm2SupportEnabled)) { ++ if (TpmBase != 0) { ++ DEBUG ((DEBUG_INFO, "%a: TPM @ 0x%lx\n", __FUNCTION__, TpmBase)); ++ ++ Status = (EFI_STATUS)PcdSet64S (PcdTpmBaseAddress, TpmBase); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = PeiServicesInstallPpi (&mTpm2DiscoveredPpi); ++ } else { ++ Status = PeiServicesInstallPpi (&mTpm2InitializationDonePpi); ++ } ++ ASSERT_EFI_ERROR (Status); ++ } ++ + BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize)); + + 
return EFI_SUCCESS; +diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf +index 1ef04d1..5dae4df 100644 +--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf ++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf +@@ -1,7 +1,7 @@ + #/** @file + # + # Copyright (c) 2011-2015, ARM Limited. All rights reserved. +-# Copyright (c) 2014, Linaro Limited. All rights reserved. ++# Copyright (c) 2014-2020, Linaro Limited. All rights reserved. + # + # SPDX-License-Identifier: BSD-2-Clause-Patent + # +@@ -11,7 +11,7 @@ + INF_VERSION = 0x00010005 + BASE_NAME = PlatformPeiLib + FILE_GUID = 59C11815-F8DA-4F49-B4FB-EC1E41ED1F06 +- MODULE_TYPE = SEC ++ MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = PlatformPeiLib + +@@ -21,15 +21,21 @@ + [Packages] + ArmPkg/ArmPkg.dec + ArmVirtPkg/ArmVirtPkg.dec +- MdePkg/MdePkg.dec +- MdeModulePkg/MdeModulePkg.dec + EmbeddedPkg/EmbeddedPkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ MdePkg/MdePkg.dec ++ OvmfPkg/OvmfPkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ++[FeaturePcd] ++ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled + + [LibraryClasses] + DebugLib + HobLib + FdtLib + PcdLib ++ PeiServicesLib + + [FixedPcd] + gArmTokenSpaceGuid.PcdFvSize +@@ -38,6 +44,11 @@ + [Pcd] + gArmTokenSpaceGuid.PcdFvBaseAddress + gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## SOMETIMES_PRODUCES ++ ++[Ppis] ++ gOvmfTpmDiscoveredPpiGuid ## SOMETIMES_PRODUCES ++ gPeiTpmInitializationDonePpiGuid ## SOMETIMES_PRODUCES + + [Guids] + gEarlyPL011BaseAddressGuid +-- +2.18.2 + diff --git a/0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch b/0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch new file mode 100644 index 0000000..e6458bc --- /dev/null +++ b/0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch 
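Review bot: When the 'ranges' size check in the tcg,tpm-tis-mmio branch of PlatformPeim fails, the `break` leaves TpmBase holding the untranslated child-bus address, so the code after the node loop still calls PcdSet64S (PcdTpmBaseAddress, TpmBase) and installs gOvmfTpmDiscoveredPpiGuid, and Tcg2ConfigPei/Tcg2Pei will then probe for a TPM at a wrong MMIO address instead of taking the no-TPM path. Clearing the value before leaving the loop, `TpmBase = 0;` immediately ahead of that `break;`, routes the malformed-DT case to gPeiTpmInitializationDonePpiGuid like the not-found case. Separately, RegProp is only ASSERTed on its length and never checked for NULL; when asserts are disabled a node without a usable `reg` property relies on Len falling outside {8, 16}, which is presumably what fdt_getprop produces on failure, but a `RegProp != NULL` test next to the length check would make that explicit. Only fragments of PlatformPeim are visible in the nested diff; its start and end lie outside the shown hunks.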
@@ -0,0 +1,311 @@ +From be6f854c61807ab26d7cc6db797876ed00d54469 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:09 +0100 +Subject: [PATCH 06/13] ArmVirtPkg: implement ArmVirtPsciResetSystemPeiLib + +Implement a ArmVirtPkg specific version of the PSCI ResetSystemLib that +is usable in the PEI phase, as the existing one relies on the FDT client +protocol, making it unsuitable. + +Note that accessing the device tree passed by QEMU via its initial base +address is guaranteed to be safe at any time during the PEI phase, so we +can defer discovery of the PSCI method until the time the reset library +is actually invoked (which is rarely) + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Acked-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + .../ArmVirtPsciResetSystemPeiLib.c | 232 ++++++++++++++++++ + .../ArmVirtPsciResetSystemPeiLib.inf | 39 +++ + 2 files changed, 271 insertions(+) + create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c + create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf + +diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c +new file mode 100644 +index 0000000..9cfd55d +--- /dev/null ++++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c +@@ -0,0 +1,232 @@ ++/** @file ++ Reset System lib using PSCI hypervisor or secure monitor calls ++ ++ Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
++ Copyright (c) 2013, ARM Ltd. All rights reserved.
++ Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.
++ Copyright (c) 2019, Intel Corporation. All rights reserved.
++ ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++typedef enum { ++ PsciMethodUnknown, ++ PsciMethodSmc, ++ PsciMethodHvc, ++} PSCI_METHOD; ++ ++STATIC ++PSCI_METHOD ++DiscoverPsciMethod ( ++ VOID ++ ) ++{ ++ VOID *DeviceTreeBase; ++ INT32 Node, Prev; ++ INT32 Len; ++ CONST CHAR8 *Compatible; ++ CONST CHAR8 *CompatibleItem; ++ CONST VOID *Prop; ++ ++ DeviceTreeBase = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress); ++ ASSERT (fdt_check_header (DeviceTreeBase) == 0); ++ ++ // ++ // Enumerate all FDT nodes looking for the PSCI node and capture the method ++ // ++ for (Prev = 0;; Prev = Node) { ++ Node = fdt_next_node (DeviceTreeBase, Prev, NULL); ++ if (Node < 0) { ++ break; ++ } ++ ++ Compatible = fdt_getprop (DeviceTreeBase, Node, "compatible", &Len); ++ if (Compatible == NULL) { ++ continue; ++ } ++ ++ // ++ // Iterate over the NULL-separated items in the compatible string ++ // ++ for (CompatibleItem = Compatible; CompatibleItem < Compatible + Len; ++ CompatibleItem += 1 + AsciiStrLen (CompatibleItem)) { ++ ++ if (AsciiStrCmp (CompatibleItem, "arm,psci-0.2") != 0) { ++ continue; ++ } ++ ++ Prop = fdt_getprop (DeviceTreeBase, Node, "method", NULL); ++ if (!Prop) { ++ DEBUG ((DEBUG_ERROR, "%a: Missing PSCI method property\n", ++ __FUNCTION__)); ++ return PsciMethodUnknown; ++ } ++ ++ if (AsciiStrnCmp (Prop, "hvc", 3) == 0) { ++ return PsciMethodHvc; ++ } else if (AsciiStrnCmp (Prop, "smc", 3) == 0) { ++ return PsciMethodSmc; ++ } else { ++ DEBUG ((DEBUG_ERROR, "%a: Unknown PSCI method \"%a\"\n", __FUNCTION__, ++ Prop)); ++ return PsciMethodUnknown; ++ } ++ } ++ } ++ return PsciMethodUnknown; ++} ++ ++STATIC ++VOID ++PerformPsciAction ( ++ IN UINTN Arg0 ++ ) ++{ ++ ARM_SMC_ARGS ArmSmcArgs; ++ ARM_HVC_ARGS ArmHvcArgs; ++ ++ ArmSmcArgs.Arg0 = Arg0; ++ ArmHvcArgs.Arg0 = Arg0; ++ ++ switch (DiscoverPsciMethod ()) { ++ case PsciMethodHvc: ++ 
ArmCallHvc (&ArmHvcArgs); ++ break; ++ ++ case PsciMethodSmc: ++ ArmCallSmc (&ArmSmcArgs); ++ break; ++ ++ default: ++ DEBUG ((DEBUG_ERROR, "%a: no PSCI method defined\n", __FUNCTION__)); ++ ASSERT (FALSE); ++ } ++} ++ ++/** ++ This function causes a system-wide reset (cold reset), in which ++ all circuitry within the system returns to its initial state. This type of reset ++ is asynchronous to system operation and operates without regard to ++ cycle boundaries. ++ ++ If this function returns, it means that the system does not support cold reset. ++**/ ++VOID ++EFIAPI ++ResetCold ( ++ VOID ++ ) ++{ ++ // Send a PSCI 0.2 SYSTEM_RESET command ++ PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_RESET); ++} ++ ++/** ++ This function causes a system-wide initialization (warm reset), in which all processors ++ are set to their initial state. Pending cycles are not corrupted. ++ ++ If this function returns, it means that the system does not support warm reset. ++**/ ++VOID ++EFIAPI ++ResetWarm ( ++ VOID ++ ) ++{ ++ // Map a warm reset into a cold reset ++ ResetCold (); ++} ++ ++/** ++ This function causes the system to enter a power state equivalent ++ to the ACPI G2/S5 or G3 states. ++ ++ If this function returns, it means that the system does not support shutdown reset. ++**/ ++VOID ++EFIAPI ++ResetShutdown ( ++ VOID ++ ) ++{ ++ // Send a PSCI 0.2 SYSTEM_OFF command ++ PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_OFF); ++} ++ ++/** ++ This function causes a systemwide reset. The exact type of the reset is ++ defined by the EFI_GUID that follows the Null-terminated Unicode string passed ++ into ResetData. If the platform does not recognize the EFI_GUID in ResetData ++ the platform must pick a supported reset type to perform.The platform may ++ optionally log the parameters from any non-normal reset that occurs. ++ ++ @param[in] DataSize The size, in bytes, of ResetData. ++ @param[in] ResetData The data buffer starts with a Null-terminated string, ++ followed by the EFI_GUID. 
++**/ ++VOID ++EFIAPI ++ResetPlatformSpecific ( ++ IN UINTN DataSize, ++ IN VOID *ResetData ++ ) ++{ ++ // Map the platform specific reset as reboot ++ ResetCold (); ++} ++ ++/** ++ The ResetSystem function resets the entire platform. ++ ++ @param[in] ResetType The type of reset to perform. ++ @param[in] ResetStatus The status code for the reset. ++ @param[in] DataSize The size, in bytes, of ResetData. ++ @param[in] ResetData For a ResetType of EfiResetCold, EfiResetWarm, or EfiResetShutdown ++ the data buffer starts with a Null-terminated string, optionally ++ followed by additional binary data. The string is a description ++ that the caller may use to further indicate the reason for the ++ system reset. ++**/ ++VOID ++EFIAPI ++ResetSystem ( ++ IN EFI_RESET_TYPE ResetType, ++ IN EFI_STATUS ResetStatus, ++ IN UINTN DataSize, ++ IN VOID *ResetData OPTIONAL ++ ) ++{ ++ switch (ResetType) { ++ case EfiResetWarm: ++ ResetWarm (); ++ break; ++ ++ case EfiResetCold: ++ ResetCold (); ++ break; ++ ++ case EfiResetShutdown: ++ ResetShutdown (); ++ return; ++ ++ case EfiResetPlatformSpecific: ++ ResetPlatformSpecific (DataSize, ResetData); ++ return; ++ ++ default: ++ return; ++ } ++} +diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf +new file mode 100644 +index 0000000..b480cae +--- /dev/null ++++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf +@@ -0,0 +1,39 @@ ++#/** @file ++# Reset System lib using PSCI hypervisor or secure monitor calls ++# ++# Copyright (c) 2008, Apple Inc. All rights reserved.
++# Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++# ++#**/ ++ ++[Defines] ++ INF_VERSION = 1.27 ++ BASE_NAME = ArmVirtPsciResetSystemPeiLib ++ FILE_GUID = 551cfb98-c185-41a3-86bf-8cdb7e2a530c ++ MODULE_TYPE = BASE ++ VERSION_STRING = 1.0 ++ LIBRARY_CLASS = ResetSystemLib|PEIM ++ ++[Sources] ++ ArmVirtPsciResetSystemPeiLib.c ++ ++[Packages] ++ ArmPkg/ArmPkg.dec ++ ArmVirtPkg/ArmVirtPkg.dec ++ EmbeddedPkg/EmbeddedPkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ MdePkg/MdePkg.dec ++ ++[LibraryClasses] ++ ArmSmcLib ++ ArmHvcLib ++ BaseLib ++ DebugLib ++ FdtLib ++ HobLib ++ ++[Pcd] ++ gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress +-- +2.18.2 + diff --git a/0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch b/0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch new file mode 100644 index 0000000..f934745 --- /dev/null +++ b/0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch 
@@ -0,0 +1,89 @@ +From 1cb4d8d12542e95274881c7fce1c95816bd883ff Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:10 +0100 +Subject: [PATCH 07/13] ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for + upcoming TPM2 support + +As a first step in gradually adding TPM2 support to ArmVirtQemu, add +the TPM2_ENABLE configurable to the [Defines] section, and if it is +set, add the ResetSystem PEIM to the build, along with the library +class references that we will need to support it: +- wire ArmVirtPsciResetSystemPeiLib into the ResetSystem PEIM itself, + which will be in charge of performing the actual reset +- add PeiResetSystemLib as the common ResetSystemLib resolution for + PEIM class modules, so that other PEIMs will invoke the PPI + published by the ResetSystem PEIM. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtQemu.dsc | 14 ++++++++++++++ + ArmVirtPkg/ArmVirtQemu.fdf | 4 ++++ + 2 files changed, 18 insertions(+) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 984df5c..3bbc79c 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -29,6 +29,7 @@ + # + DEFINE TTY_TERMINAL = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE ++ DEFINE TPM2_ENABLE = FALSE + + # + # Network definition +@@ -77,6 +78,10 @@ + [LibraryClasses.common.PEIM] + ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf + ++!if $(TPM2_ENABLE) == TRUE ++ ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf ++!endif ++ + [LibraryClasses.common.DXE_DRIVER] + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf + +@@ -100,6 +105,8 @@ + + gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE + ++ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) ++ + [PcdsFixedAtBuild.common] + !if $(ARCH) == AARCH64 + 
gArmTokenSpaceGuid.PcdVFPEnabled|1 +@@ -266,6 +273,13 @@ + + MdeModulePkg/Universal/Variable/Pei/VariablePei.inf + ++!if $(TPM2_ENABLE) == TRUE ++ MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf { ++ ++ ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf ++ } ++!endif ++ + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { + + NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf +diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf +index 2c8936a..69fa501 100644 +--- a/ArmVirtPkg/ArmVirtQemu.fdf ++++ b/ArmVirtPkg/ArmVirtQemu.fdf +@@ -113,6 +113,10 @@ READ_LOCK_STATUS = TRUE + INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf + INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf + ++!if $(TPM2_ENABLE) == TRUE ++ INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf ++!endif ++ + FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { + SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE { + SECTION FV_IMAGE = FVMAIN +-- +2.18.2 + diff --git a/0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch b/0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch new file mode 100644 index 0000000..2d513d8 --- /dev/null +++ b/0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch 
@@ -0,0 +1,99 @@ +From 806d668dee96ddbb81737675b9f074e04334fb13 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:11 +0100 +Subject: [PATCH 08/13] ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI + phase + +Incorporate the PEI components and the associated library class +resolutions and PCD declarations to enable TPM2 support in the +PEI phase. + +This patch ports (parts of) the following OvmfPkg commits to +ArmVirtQemu: +- 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone", + 2018-03-09) +- 4672a4892867 ("OvmfPkg: include Tcg2Pei module", 2018-03-09) +- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei + and Tcg2Dxe", 2018-08-16) +- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe", + 2019-07-19) + +gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask defaults to 0x0 so +that the TPM init code adopts the currently active PCR banks as +the ones that are enabled by default. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtQemu.dsc | 20 ++++++++++++++++++++ + ArmVirtPkg/ArmVirtQemu.fdf | 2 ++ + 2 files changed, 22 insertions(+) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 3bbc79c..44138e5 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -75,11 +75,17 @@ + PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf + PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf + ++!if $(TPM2_ENABLE) == TRUE ++ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf ++!endif ++ + [LibraryClasses.common.PEIM] + ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf + + !if $(TPM2_ENABLE) == TRUE ++ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf ++ 
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf + !endif + + [LibraryClasses.common.DXE_DRIVER] +@@ -248,6 +254,10 @@ + # TPM2 support + # + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 ++!if $(TPM2_ENABLE) == TRUE ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0 ++!endif + + [PcdsDynamicHii] + gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS +@@ -278,6 +288,16 @@ + + ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf + } ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { ++ ++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf ++ } + !endif + + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { +diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf +index 69fa501..8488300 100644 +--- a/ArmVirtPkg/ArmVirtQemu.fdf ++++ b/ArmVirtPkg/ArmVirtQemu.fdf +@@ -115,6 +115,8 @@ READ_LOCK_STATUS = TRUE + + !if $(TPM2_ENABLE) == TRUE + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf ++ INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++ INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf + !endif + + FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { +-- +2.18.2 + diff --git a/0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch b/0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch new file mode 100644 index 0000000..8f96125 --- /dev/null 
+++ b/0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch 
@@ -0,0 +1,48 @@ +From 785f0c94c6fa7bfbf307d2e5faa90964dca155a9 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 27 Feb 2020 15:12:32 +0100 +Subject: [PATCH 09/13] ArmVirtPkg; avoid DxeTpmMeasurementLib in shared .DSC + +DxeTpmMeasurementLib should only be used on platforms that implement +measured boot, which we will do in a future patch, but only for +ArmVirtQemu, as the remaining ones are fundamentally incompatible, +given that they do not implement a PEI phase. + +So use TpmMeasurementLibNull as the default resolution for all +ArmVirtPkg platforms, regardless of how they are built. + +This mirrors commit 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib +if and only if TPM2_ENABLE", 2019-07-04). + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirt.dsc.inc | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 10037c9..398aa7b 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -165,15 +165,14 @@ + # Secure Boot dependencies + # + !if $(SECURE_BOOT_ENABLE) == TRUE +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + !else +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + !endif ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf + +-- +2.18.2 + 
diff --git a/0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch b/0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch new file mode 100644 index 0000000..65affb2 --- /dev/null +++ b/0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch 
@@ -0,0 +1,72 @@ +From 454595840418dce7e227a70ff297b1d11593e768 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 27 Feb 2020 15:24:21 +0100 +Subject: [PATCH 10/13] ArmVirtPkg: unshare TpmMeasurementLib resolution + between platforms + +In preparation of conditializing the choice of resolution based on +TPM2_ENABLE for ArmVirtQemu, move the TpmMeasurementLib out of the +shared .DSC include and into the individual DSCs. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirt.dsc.inc | 1 - + ArmVirtPkg/ArmVirtQemu.dsc | 1 + + ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 + + ArmVirtPkg/ArmVirtXen.dsc | 1 + + 4 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 398aa7b..0a28d3a 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -172,7 +172,6 @@ + !else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + !endif +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 44138e5..83c4dea 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -74,6 +74,7 @@ + PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf + PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf + PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + + !if $(TPM2_ENABLE) == TRUE + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc 
b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 8243876..7bd50e4 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -73,6 +73,7 @@ + PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf + PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf + PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + + [LibraryClasses.common.DXE_DRIVER] + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf +diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc +index 8a6ace2..2a4ef8d 100644 +--- a/ArmVirtPkg/ArmVirtXen.dsc ++++ b/ArmVirtPkg/ArmVirtXen.dsc +@@ -47,6 +47,7 @@ + BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf + PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf + CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + + [LibraryClasses.common.UEFI_DRIVER] + UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf +-- +2.18.2 + diff --git a/0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch b/0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch new file mode 100644 index 0000000..ae03320 --- /dev/null +++ b/0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch 
@@ -0,0 +1,115 @@ +From d77e86c43972cd56b37d8f4b34c253f82aa65f54 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:12 +0100 +Subject: [PATCH 11/13] ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2 + support module + +Enable the TPM2 support module in the DXE phase, and the associated +libraries and PCDs that it requires. This will be wired into the +measured boot support code in a subsequent patch. + +Note that Tcg2Dxe.inf is added to ArmVirtQemuFvMain.fdf.inc, which +is shared with other platforms in ArmVirtPkg, but as those will not +set the TPM2_ENABLE define, this change does not affect them. + +This patch ports (parts of) the following OvmfPkg commits to +ArmVirtQemu: + +- 0c0a50d6b3ff ("OvmfPkg: include Tcg2Dxe module", 2018-03-09) + +- b9777bb42e4f ("OvmfPkg: add Tcg2PhysicalPresenceLibQemu", 2018-05-22) + -- only to match OVMF's current lib class resolutions + +- 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib if and only if + TPM2_ENABLE", 2019-07-04) + +- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei + and Tcg2Dxe", 2018-08-16) + +- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe", + 2019-07-19) + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtQemu.dsc | 26 +++++++++++++++++++++++++- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 7 +++++++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 83c4dea..291210a 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -74,10 +74,13 @@ + PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf + PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf + PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf +- 
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + + !if $(TPM2_ENABLE) == TRUE + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf ++ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf ++ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf ++!else ++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + !endif + + [LibraryClasses.common.PEIM] +@@ -92,6 +95,10 @@ + [LibraryClasses.common.DXE_DRIVER] + ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf + ++!if $(TPM2_ENABLE) == TRUE ++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf ++!endif ++ + [LibraryClasses.common.UEFI_DRIVER] + UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf + +@@ -470,6 +477,23 @@ + MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf + MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + ++ # ++ # TPM2 support ++ # ++!if $(TPM2_ENABLE) == TRUE ++ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { ++ ++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf ++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf ++ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf ++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf ++ } ++!endif ++ + # + # ACPI Support + # +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 31f615a..047e99c 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -173,6 +173,13 
@@ READ_LOCK_STATUS = TRUE + INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf + INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + ++ # ++ # TPM2 support ++ # ++!if $(TPM2_ENABLE) == TRUE ++ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++!endif ++ + # + # TianoCore logo (splash screen) + # +-- +2.18.2 + diff --git a/0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch b/0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch new file mode 100644 index 0000000..bf95bc0 --- /dev/null +++ b/0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch 
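Review bot: The HashInstanceLib NULL list placed under Tcg2Dxe.inf in the ArmVirtQemu.dsc hunk duplicates the one given to Tcg2Pei.inf in the preceding 0008 patch, and nothing ties the two together; if they ever drift, the PEI and DXE phases would extend different hash banks of the same PCRs, which presumably breaks event-log replay against the final PCR values. A one-line comment above the new Tcg2Dxe block, `# Keep this hash instance list identical to the Tcg2Pei one in the PEIM section`, would make the coupling explicit for the next editor. The TPM2_ENABLE=TRUE branch also switches TpmMeasurementLib to DxeTpmMeasurementLib independently of SECURE_BOOT_ENABLE, which matches the rationale in 0009 but is worth one sentence in the commit message.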
@@ -0,0 +1,81 @@ +From c3b182fe9189137280a5397426cc08b1110aac39 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:13 +0100 +Subject: [PATCH 12/13] ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration + module + +Enable the DXE phase component that publishes the HII pages and +associated logic to enable TPM2 parameters to be configured by +the user via the setup menu. + +This patch ports (parts of) the following commits to ArmVirtQemu: + +- 3103389043bd ("OvmfPkg: Add TCG2 Configuration menu to the Device + Manager menu", 2019-02-11) + +- cf3ad972a210 ("OvmfPkg: reorganize TPM2 support in DSC/FDF files", + 2020-01-09) + +- f55477fe2d62 ("OvmfPkg: use HII type PCDs for TPM2 config related + variables", 2020-01-09) + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtQemu.dsc | 9 +++++++++ + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 3 +++ + 2 files changed, 12 insertions(+) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 291210a..93b982a 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -30,6 +30,7 @@ + DEFINE TTY_TERMINAL = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE TPM2_ENABLE = FALSE ++ DEFINE TPM2_CONFIG_ENABLE = FALSE + + # + # Network definition +@@ -270,6 +271,11 @@ + [PcdsDynamicHii] + gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS + ++!if $(TPM2_CONFIG_ENABLE) == TRUE ++ gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS ++!endif ++ + ################################################################################ + # + # Components Section - list of all EDK II Modules needed by this Platform +@@ -492,6 +498,9 @@ + 
NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } ++!if $(TPM2_CONFIG_ENABLE) == TRUE ++ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf ++!endif + !endif + + # +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 047e99c..2fa69ce 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -178,6 +178,9 @@ READ_LOCK_STATUS = TRUE + # + !if $(TPM2_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++!if $(TPM2_CONFIG_ENABLE) == TRUE ++ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf ++!endif + !endif + + # +-- +2.18.2 + diff --git a/0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch b/0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch new file mode 100644 index 0000000..da79bcf --- /dev/null +++ b/0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch 
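Review bot: The PcdsDynamicHii entries added under `!if $(TPM2_CONFIG_ENABLE) == TRUE` are not nested inside a TPM2_ENABLE check, while the Tcg2ConfigDxe component and its FDF INF line are; a build with TPM2_CONFIG_ENABLE=TRUE and TPM2_ENABLE=FALSE therefore declares the TCG2_VERSION HII variables but includes no module that presumably owns them, and the define silently has no effect. Either nest the PCD block the same way as the component, or document the dependency next to the new define by preceding `DEFINE TPM2_CONFIG_ENABLE = FALSE` with `# Only effective when TPM2_ENABLE is also TRUE`.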
@@ -0,0 +1,37 @@ +From d9c8dd64dd827cea4a533d012f344d0db6569127 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 26 Feb 2020 20:05:14 +0100 +Subject: [PATCH 13/13] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot + +Now that all the TPM2 related plumbing is in place, we can add the +final piece that performs the measurements of loaded images into +the appropriate PCRs. + +This patch ports commit d5a002aba0aa ("OvmfPkg: plug +DxeTpm2MeasureBootLib into SecurityStubDxe", 2018-03-09) to ArmVirtQemu. + +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560 +Signed-off-by: Ard Biesheuvel +Reviewed-by: Laszlo Ersek +Signed-off-by: jiangfangjie +--- + ArmVirtPkg/ArmVirtQemu.dsc | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 93b982a..a07d546 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -348,6 +348,9 @@ + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf ++!if $(TPM2_ENABLE) == TRUE ++ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf ++!endif + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +-- +2.18.2 + diff --git a/edk2.spec b/edk2.spec index 5615a52..059596f 100644 --- a/edk2.spec +++ b/edk2.spec @@ -5,7 +5,7 @@ Name: edk2 Version: %{stable_date} -Release: 2 +Release: 3 Summary: EFI Development Kit II License: BSD-2-Clause-Patent URL: https://github.com/tianocore/edk2 
@@ -14,6 +14,17 @@ Source1: openssl-%{openssl_version}.tar.gz Patch0001: 0001-CryptoPkg-OpensslLib-Modify-process_files.pl-for-Ope.patch Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1f.patch +Patch0003: 0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch +Patch0004: 0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch +Patch0005: 0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch +Patch0006: 0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch +Patch0007: 0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch +Patch0008: 0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch +Patch0009: 0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch +Patch0010: 0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch +Patch0011: 0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch +Patch0012: 0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch +Patch0013: 0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2 @@ -69,7 +80,7 @@ tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1 %build NCPUS=`/usr/bin/getconf _NPROCESSORS_ONLN` -BUILD_OPTION="-t GCC49 -n $NCPUS -b RELEASE" +BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE" make -C BaseTools %{?_smp_mflags} EXTRA_OPTFLAGS="%{optflags}" EXTRA_LDFLAGS="%{__global_ldflags}" . ./edksetup.sh @@ -87,6 +98,8 @@ COMMON_FLAGS="-D NETWORK_IP6_ENABLE" BUILD_OPTION="$BUILD_OPTION -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc" %endif BUILD_OPTION="$BUILD_OPTION -D SECURE_BOOT_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE" build $BUILD_OPTION %install 
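Review bot: Patch0003 through Patch0013 are declared in this hunk, but no matching %patch lines are added, and the visible hunks do not show whether %prep uses %autosetup/%autopatch; if it does not, the eleven new patches are never applied and the `-D TPM2_ENABLE=TRUE` options added below would be passed to an unpatched ArmVirtQemu.dsc that has no TPM2 support. Please confirm the %prep mechanism in the part of the spec outside this diff, or add explicit `%patch0003 -p1` … `%patch0013 -p1` lines alongside the declarations.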
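Review bot: The toolchain tag in BUILD_OPTION changes from GCC49 to GCC5, which is unrelated to the TPM2 enablement named in the subject and is mentioned neither in the commit message nor in the new changelog entry; a toolchain switch alters the compiler flags applied to the whole firmware image, so it deserves its own changelog line such as `- switch build toolchain tag from GCC49 to GCC5`. If the switch is actually required by the TPM2 patches, stating that in the message would save the next reader from guessing.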
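Review bot: `-D TPM2_ENABLE=TRUE` and `-D TPM2_CONFIG_ENABLE=TRUE` are appended after the arch-specific `%endif`, so they apply to the OvmfPkg IA32/X64 builds as well, not only to ArmVirtQemu as the subject and changelog state; OvmfPkg honours both defines, so this enables TPM2 measured boot and the TCG2 configuration menu for the x86 firmware too. Either scope the two lines to the AArch64 branch or update the changelog to say the options are enabled for all built platforms, e.g. `- enable TPM2_ENABLE and TPM2_CONFIG_ENABLE for all platform builds`.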
@@ -209,6 +222,10 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Thu Jul 31 2020 jiangfangjie - 202002-3 +- ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot +- ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module + * Mon Jul 27 2020 zhangxinhao - 202002-2 - add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot -- Gitee