diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc index 59a08640ae..2fa0aeba19 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc @@ -113,6 +113,19 @@ XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf + # + # Secure Boot dependencies + # +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf ArmPlatformSecExtraActionLib|ArmPlatformPkg/Library/DebugSecExtraActionLib/DebugSecExtraActionLib.inf @@ -198,6 +211,10 @@ ReportStatusCodeLib|IntelFrameworkModulePkg/Library/DxeReportStatusCodeLibFramework/DxeReportStatusCodeLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.ARM] # # It is not possible to prevent the ARM compiler for generic intrinsic functions. @@ -324,6 +341,13 @@ # gArmTokenSpaceGuid.PcdArmUncachedMemoryMask|0x0000000000000000 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [Components.common] # # Networking stack diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc index a25fd7a45b..69bf34e29a 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc @@ -28,6 +28,12 @@ SKUID_IDENTIFIER = DEFAULT FLASH_DEFINITION = ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf + # + # Defines for default states. These can be changed on the command line. + # -D FLAG=VALUE + # + DEFINE SECURE_BOOT_ENABLE = FALSE + !include ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualization.dsc.inc [LibraryClasses.AARCH64] @@ -48,6 +54,7 @@ ArmPlatformSysConfigLib|ArmPlatformPkg/Library/ArmPlatformSysConfigLibNull/ArmPlatformSysConfigLibNull.inf TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf + NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf !ifdef INTEL_BDS CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf @@ -233,7 +240,15 @@ ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + } +!else MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif + MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf @@ -253,9 +268,22 @@ # ArmPkg/Drivers/CpuDxe/CpuDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + } + SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf - MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif + MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf @@ -272,10 +300,11 @@ ArmPkg/Drivers/ArmGic/ArmGicDxe.inf ArmPkg/Drivers/TimerDxe/TimerDxe.inf - ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf { - - NorFlashPlatformLib|ArmPlatformPkg/ArmVirtualizationPkg/Library/NorFlashQemuLib/NorFlashQemuLib.inf - } +!if $(SECURE_BOOT_ENABLE) == TRUE + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else + ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf # diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf index e0ec44bf3f..33cb495222 100644 --- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf +++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.fdf @@ -116,7 +116,12 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf INF EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf @@ -134,7 +139,11 @@ READ_LOCK_STATUS = TRUE INF ArmPkg/Drivers/ArmGic/ArmGicDxe.inf INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashAuthenticatedDxe.inf +!else INF ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf +!endif INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf # @@ -255,7 +264,11 @@ READ_LOCK_STATUS = TRUE INF ArmPlatformPkg/MemoryInitPei/MemoryInitPeim.inf INF ArmPkg/Drivers/CpuPei/CpuPei.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf +!else INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +!endif INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {