Jan Bobek
cc18c503e0
SecurityPkg: don't require PK to be self-signed by default
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Change the default value of PcdRequireSelfSignedPk to FALSE in
accordance with UEFI spec, which states that PK need not be
self-signed when enrolling in setup mode.
Note that this relaxes the legacy behavior, which required the PK to
be self-signed in this case.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Signed-off-by: Jan Bobek <jbobek@nvidia.com >
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com >
Acked-by: Jiewen Yao <jiewen.yao@intel.com >
2023-02-04 11:53:59 +00:00
Jan Bobek
566cdfc675
SecurityPkg: limit verification of enrolled PK in setup mode
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Min Xu <min.m.xu@intel.com >
Co-authored-by: Matthew Carlson <macarl@microsoft.com >
Signed-off-by: Jan Bobek <jbobek@nvidia.com >
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com >
Acked-by: Jiewen Yao <jiewen.yao@intel.com >
2023-02-04 11:53:59 +00:00
Min M Xu
5654ce1d2c
SecurityPkg: Move TdTcg2Dxe from OvmfPkg to SecurityPkg
...
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4194
TdTcg2Dxe lives in OvmfPkg instead of SecurityPkg. Having
TdTcg2Dxe in the same place as Tcg2Dxe will make it easier for platforms to
consume.
Definition of PcdCcEventlogAcpiTableLaml and PcdCcEventlogAcpiTableLasa
are also moved from OvmfPkg.dec to SecurityPkg.dec.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Arti Gupta <ARGU@microsoft.com >
Signed-off-by: Min Xu <min.m.xu@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2023-01-06 09:55:14 +00:00
Jian J Wang
b2d76fdd42
SecurityPkg: deprecate RpmcLib and VariableKeyLib
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
There's no real usage of these two libraries. They're deprecated.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Michael D Kinney <michael.d.kinney@intel.com >
Cc: Nishant C Mistry <nishant.c.mistry@intel.com >
Cc: Judah Vang <judah.vang@intel.com >
Signed-off-by: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Acked-by: Michael D Kinney <michael.d.kinney@intel.com >
2022-12-21 05:49:48 +00:00
Kun Qin
d6bee54c45
SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This patch provides an abstracted interface for the platform to implement a PK
variable related protection interface, which is designed to be used when the
PK variable is about to be changed by UEFI firmware.
This change also provides a variable policy based library implementation
to accommodate platforms that support variable policy for variable
protection.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Min Xu <min.m.xu@intel.com >
Signed-off-by: Kun Qin <kun.qin@microsoft.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com >
2022-07-07 01:07:00 +00:00
Min Xu
dc443e4437
SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID
...
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
EFI_CC_EVENT_HOB_GUID is the global ID of a GUIDed HOB used to pass
TDX_DIGEST_VALUE from SEC to a DXE driver (this DXE driver is
introduced in a following commit of this patch set). In that
DXE driver this GUIDed HOB is parsed and the TDX_DIGEST_VALUE
is extracted. After that an EFI_CC_EVENT is created
based on it.
Cc: Gerd Hoffmann <kraxel@redhat.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Sami Mujawar <sami.mujawar@arm.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Signed-off-by: Min Xu <min.m.xu@intel.com >
2022-06-03 11:41:36 +00:00
Stefan Berger
3b69fcf5f8
SecurityPkg: Add references to header and inf files to SecurityPkg
...
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2021-09-13 16:53:14 +00:00
Stefan Berger
f108178c56
SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
...
Introduce the new PCD
gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy.
We need it for TpmPlatformHierarchyLib.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2021-09-13 16:53:14 +00:00
Grzegorz Bernacki
45f3dd2ce9
SecurityPkg: Add new modules to Security package.
...
This commit adds modules and dependencies related
to initialization and usage of default Secure Boot
key variables to SecurityPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com >
Reviewed-by: Sunny Wang <sunny.wang@arm.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Pete Batard <pete@akeo.ie >
Tested-by: Pete Batard <pete@akeo.ie > # on Raspberry Pi 4
2021-08-03 07:26:41 +00:00
Grzegorz Bernacki
9732659698
SecurityPkg: Create library for enrolling Secure Boot variables.
...
This commit adds a library consisting of functions to
enroll Secure Boot keys and initialize Secure Boot
default variables. Some of the functions were moved
from the SecureBootConfigImpl.c file.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com >
Reviewed-by: Sunny Wang <sunny.wang@arm.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
2021-08-03 07:26:41 +00:00
Grzegorz Bernacki
bb806a6e88
SecurityPkg: Create SecureBootVariableLib.
...
This commit adds a library consisting of helper functions related
to creation/removal of Secure Boot variables. Some of the functions
were moved from the SecureBootConfigImpl.c file.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com >
Reviewed-by: Sunny Wang <sunny.wang@arm.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
2021-08-03 07:26:41 +00:00
Rebecca Cran
4e5ecdbac8
SecurityPkg: Add support for RngDxe on AARCH64
...
AARCH64 support has been added to BaseRngLib via the optional
ARMv8.5 FEAT_RNG.
Refactor RngDxe to support AARCH64, note support for it in the
VALID_ARCHITECTURES line of RngDxe.inf and enable it in SecurityPkg.dsc.
Signed-off-by: Rebecca Cran <rebecca@nuviainc.com >
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn >
Acked-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com >
2021-05-11 16:26:05 +00:00
Kun Qin
8802583c48
SecurityPkg: Tcg2Smm: Added support for Standalone Mm
...
https://bugzilla.tianocore.org/show_bug.cgi?id=3169
This change adds a Standalone MM instance of Tcg2. The notify function for
the Standalone MM instance is left empty.
A dependency DXE driver with a Depex of gEfiMmCommunication2ProtocolGuid
was created to indicate the readiness of Standalone MM Tcg2 driver.
Lastly, the support of CI build for Tcg2 Standalone MM module is added.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Qi Zhang <qi1.zhang@intel.com >
Cc: Rahul Kumar <rahul1.kumar@intel.com >
Signed-off-by: Kun Qin <kun.q@outlook.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Message-Id: <MWHPR06MB3102C3F99CBADFCC5F8A821CF3969@MWHPR06MB3102.namprd06.prod.outlook.com >
2021-03-05 15:25:07 +00:00
Kun Qin
3c2dc30d1b
SecurityPkg: Tcg2Smm: Separate Tcg2Smm into 2 modules
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3169
This change separates the original Tcg2Smm module into 2 drivers: the
SMM driver that registers callbacks for physical presence and memory
clear, and the Tcg2Acpi driver that patches and publishes the ACPI table for
runtime use.
Tcg2Smm introduces an SMI root handler to allow Tcg2Acpi to communicate
the NVS region used by Tpm.asl and exchange the registered SwSmiValue.
Lastly, the Tcg2Smm driver publishes gTcg2MmSwSmiRegisteredGuid at the end
of its entrypoint to ensure Tcg2Acpi loads after Tcg2Smm is ready to
communicate.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Qi Zhang <qi1.zhang@intel.com >
Cc: Rahul Kumar <rahul1.kumar@intel.com >
Signed-off-by: Kun Qin <kun.q@outlook.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Message-Id: <MWHPR06MB310295CC623EF7C062844DFFF3969@MWHPR06MB3102.namprd06.prod.outlook.com >
2021-03-05 15:25:07 +00:00
Qi Zhang
6847329af2
SecurityPkg/dsc: add FvEventLogRecordLib
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2376
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Signed-off-by: Qi Zhang <qi1.zhang@intel.com >
Message-Id: <20200818062618.3698-6-qi1.zhang@intel.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2020-08-26 15:56:11 +00:00
Jiewen Yao
91e2b4b6ec
SecurityPkg/dec: Add TcgPpi.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2841
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Qi Zhang <qi1.zhang@intel.com >
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Qi Zhang <qi1.zhang@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2020-07-23 01:31:43 +00:00
Maggie Chu
1a2ad3ba9e
SecurityPkg: Change default value source
...
https://bugzilla.tianocore.org/show_bug.cgi?id=2713
In the current code, if the TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE variable
does not exist, the code gets the default value from two places.
This fix makes the default value come from the PCD
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags.
Signed-off-by: Maggie Chu <maggie.chu@intel.com >
Cc: Eric Dong <eric.dong@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2020-05-21 15:48:57 +00:00
Michael Kubacki
cda6f9455c
SecurityPkg: Add PCD for SW SMI Command port
...
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2416
Adds a PCD to SecurityPkg used to specify the SW SMI Command port. This
value may vary across platforms and is currently hardcoded to 0xB2 in
package code.
Cc: Kun Qin <Kun.Qin@microsoft.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com >
Reviewed-by: Guomin Jiang <guomin.jiang@intel.com >
Reviewed-by: Bret Barkelew <bret.barkelew@microsoft.com >
2020-04-21 02:20:51 +00:00
Jian J Wang
5042ee43d9
SecurityPkg: add RpmcLib and VariableKeyLib public headers
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
RpmcLib.h and VariableKeyLib.h are header files required to access the RPMC
device and key generator from the platform. They will be used to ensure the
integrity and confidentiality of NV variables.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Nishant C Mistry <nishant.c.mistry@intel.com >
Signed-off-by: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: Michael Kubacki <michael.kubacki@microsoft.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2020-03-27 16:41:05 +00:00
Jiewen Yao
df73a69faf
SecurityPkg/Guid: Add TCG 800-155 event GUID definition.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2439
The PEIM can produce the 800-155 event and the event
will be recorded to TCG event log by the TCG2 DXE.
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2020-01-06 06:23:19 +00:00
Sean Brogan
d6b926e76e
SecurityPkg: Fix spelling errors
...
https://bugzilla.tianocore.org/show_bug.cgi?id=2265
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2019-10-23 10:23:23 -07:00
Jiewen Yao
1fca55285b
SecurityPkg/dsc: Add PCD for Laml, Lasa for TPM2.
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=978
Those PCDs will be used for the TPM2 ACPI table.
Tcg2Dxe needs to produce them for the event log address.
Tcg2Smm needs to consume them to fill the TPM2 ACPI table.
Cc: Jian J Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2019-10-11 10:06:51 +08:00
Shenglei Zhang
49a2f8ceee
SecurityPkg/SecurityPkg.dec: Update TcgPpVendorLib.h to Tcg2PpVendorLib.h
...
Tcg2PpVendorLib library class header should be
Include/Library/Tcg2PpVendorLib.h instead of
Include/Library/TcgPpVendorLib.h.
https://bugzilla.tianocore.org/show_bug.cgi?id=2146
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: Liming Gao <liming.gao@intel.com >
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com >
2019-09-17 09:37:23 +08:00
Shenglei Zhang
e18d1c37e8
SecurityPkg/SecurityPkg.dec: Remove trailing white space
...
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian Wang <jian.j.wang@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com >
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2019-08-05 09:33:06 +08:00
Imran Desai
c027f68030
SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default
...
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
GITHUB: https://github.com/idesai/edk2/tree/enable_sm3_measured_boot_v6
EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.
This patch sets SM3 bit in TPM2.0 hash mask by default.
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian Wang <jian.j.wang@intel.com >
Signed-off-by: Imran Desai <imran.desai@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
Message-Id: <20190718225326.40839-4-imran.desai@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2019-07-19 14:31:59 +02:00
Laszlo Ersek
0d823bfd8d
Revert "SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default"
...
This reverts commit d5af8fc5a9.
The reason is that said commit indirectly depends on commit 49c1e683c4
("MdePkg/Protocol/Hash: introduce GUID for SM3", 2019-07-03), and the
latter commit is going to be reverted, due to its review process not
having followed established edk2 norms.
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Imran Desai <imran.desai@intel.com >
Cc: Jian Wang <jian.j.wang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Leif Lindholm <leif.lindholm@linaro.org >
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
Signed-off-by: Laszlo Ersek <lersek@redhat.com >
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org >
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com >
2019-07-04 17:50:44 +02:00
Imran Desai
d5af8fc5a9
SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default
...
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.
This patch sets SM3 bit in TPM2.0 hash mask by default.
Signed-off-by: Imran Desai <imran.desai@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Jian Wang <jian.j.wang@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: jiewen.yao@intel.com
2019-07-03 16:31:55 +08:00
Jian J Wang
beda3f76af
SecurityPkg: add definitions for OBB verification
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1617
gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid should be installed by the
platform to pass FV hash information to the common FV verify/report
driver, in which the hash value will be calculated again based on the
information fed in and then verified.
The information passed in this PPI includes:
- FV locations in flash and lengths
- Hash values for different boot modes
The hash value must be calculated in the following way (if there are 3 FVs to calculate):
FV1 -> Hash1
FV2 -> Hash2
FV3 -> Hash3
Hash1 + Hash2 + Hash3 -> HashAll
Only HashAll is stored in this PPI. The purposes of this algorithm
are two:
1. To report each FV's hash to the TCG driver and verify HashAll at the
same time without the burden of calculating the hash twice;
2. To save hash value storage due to potential hardware limitations.
Different boot modes may have their own hash values so that each mode can
decide which FVs will be verified. For example, for the sake of performance,
S3 may choose to skip verification of some FVs, while normal boot will verify
all FVs it is concerned with.
So in this PPI, each FV's information has a flag to indicate which boot modes
it will be taken into the hash calculation for.
And if multiple hash values are passed in this PPI, each has a flag to indicate
which boot modes it is used for. Note that one hash value can support more than one
boot mode if they are just the same.
PcdStatusCodeFvVerificationPass and PcdStatusCodeFvVerificationFail are
introduced to report status back to the platform, and the platform can choose how
to act upon verification success and failure.
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com >
Cc: Harry Han <harry.han@intel.com >
Signed-off-by: Jian J Wang <jian.j.wang@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com >
2019-06-26 21:18:43 +08:00
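The hash scheme described in the commit message above (one digest per FV, a single stored HashAll over the concatenated digests, and per-boot-mode flags selecting which FVs participate), worked through as an added example. This is constructed illustration code, not edk2 code or the PPI's actual C layout: the FV contents are made up, SHA-256 stands in for whatever HashAlgoId the PPI carries, and the "one flag bit per boot mode" encoding is an assumption modelled on the description. The boot-mode values themselves are the real PI ones.

```python
"""Per-FV hashing with one stored HashAll, selected by boot mode.

Constructed example (not edk2 code). Assumptions: SHA-256 as the hash
algorithm, and flag fields encoded as one bit per EFI boot mode.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real PI boot-mode values (MdePkg PiBootMode.h).
BOOT_WITH_FULL_CONFIGURATION = 0x00
BOOT_ON_S3_RESUME = 0x11


def boot_mode_flag(boot_mode: int) -> int:
    """Flag bit for a boot mode (assumed encoding: bit N = boot mode N)."""
    return 1 << boot_mode


@dataclass(frozen=True)
class FvInfo:
    name: str    # label for reporting; the real PPI carries base and length
    data: bytes  # FV bytes as read from flash (constructed here)
    flags: int   # boot modes for which this FV enters the hash


@dataclass(frozen=True)
class HashInfo:
    flags: int       # boot modes this stored HashAll applies to
    hash_all: bytes  # sha256(Hash1 || Hash2 || ...) over the selected FVs


def selected_fvs(fvs: List[FvInfo], boot_mode: int) -> List[FvInfo]:
    """FVs whose flags include the current boot mode, kept in PPI order."""
    bit = boot_mode_flag(boot_mode)
    return [fv for fv in fvs if fv.flags & bit]


def hash_fvs(fvs: List[FvInfo], boot_mode: int) -> Tuple[Dict[str, bytes], bytes]:
    """Hash each selected FV exactly once. Returns the per-FV digests
    (what gets reported to the TCG driver) and HashAll over their
    concatenation (what gets compared with the stored value)."""
    per_fv: Dict[str, bytes] = {}
    concat = b""
    for fv in selected_fvs(fvs, boot_mode):
        digest = hashlib.sha256(fv.data).digest()
        per_fv[fv.name] = digest
        concat += digest
    return per_fv, hashlib.sha256(concat).digest()


def stored_hash_for(hashes: List[HashInfo], boot_mode: int) -> bytes:
    """Pick the stored HashAll whose flags cover this boot mode. One entry
    may cover several modes when they hash the same FV set."""
    bit = boot_mode_flag(boot_mode)
    for h in hashes:
        if h.flags & bit:
            return h.hash_all
    raise LookupError(f"no stored hash for boot mode {boot_mode:#x}")


def verify_obb(fvs: List[FvInfo], hashes: List[HashInfo],
               boot_mode: int) -> Tuple[bool, Dict[str, bytes]]:
    """Hash once, compare HashAll in constant time, and hand the per-FV
    digests back so the caller can measure them without hashing again."""
    per_fv, hash_all = hash_fvs(fvs, boot_mode)
    expected = stored_hash_for(hashes, boot_mode)
    return hmac.compare_digest(hash_all, expected), per_fv


# Constructed sample flash layout: FV3 is skipped on S3 resume for speed.
NORMAL = boot_mode_flag(BOOT_WITH_FULL_CONFIGURATION)
S3 = boot_mode_flag(BOOT_ON_S3_RESUME)
SAMPLE_FVS = [
    FvInfo("FV1", b"\xff" * 64 + b"fv1-pei-code", NORMAL | S3),
    FvInfo("FV2", b"fv2-dxe-core" + b"\x00" * 32, NORMAL | S3),
    FvInfo("FV3", b"fv3-optional-drivers", NORMAL),
]


def provision(fvs: List[FvInfo]) -> List[HashInfo]:
    """Build side: compute the HashAll entries the platform stores in the PPI,
    one per boot mode because the two modes hash different FV sets."""
    _, normal = hash_fvs(fvs, BOOT_WITH_FULL_CONFIGURATION)
    _, s3 = hash_fvs(fvs, BOOT_ON_S3_RESUME)
    return [HashInfo(NORMAL, normal), HashInfo(S3, s3)]


def tamper(fvs: List[FvInfo], name: str) -> List[FvInfo]:
    """Return a copy of the layout with one FV's contents modified."""
    return [FvInfo(fv.name, fv.data + b"!", fv.flags) if fv.name == name else fv
            for fv in fvs]


if __name__ == "__main__":
    stored = provision(SAMPLE_FVS)
    for mode in (BOOT_WITH_FULL_CONFIGURATION, BOOT_ON_S3_RESUME):
        ok, digests = verify_obb(SAMPLE_FVS, stored, mode)
        print(f"boot mode {mode:#04x}: verified={ok}, measured={sorted(digests)}")
    print("FV3 tampered, normal boot:",
          verify_obb(tamper(SAMPLE_FVS, "FV3"), stored, BOOT_WITH_FULL_CONFIGURATION)[0])
```

The point worth noticing is the trade-off the flags create: tampering with FV3 is caught on a normal boot but not on S3 resume, because S3 never hashes FV3. That is exactly the performance-versus-coverage decision the commit leaves to the platform, so the FV flags for the S3 path deserve the same review as the set of FVs measured into the TPM.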
Chu, Maggie
9e2416ae2e
SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1876
Add a PCD for skipping Hdd password prompt.
If device is in the locked status while attempting to skip
password prompt, device will keep locked and system
continue to boot.
If device is in the unlocked status while attempting to skip
password prompt, system will be forced shutdown.
Signed-off-by: Maggie Chu <maggie.chu@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Eric Dong <eric.dong@intel.com >
2019-06-12 09:12:05 +08:00
Chu, Maggie
6cbed0e36f
SecurityPkg/OpalPassword: Add PCD to skip password prompt
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1801
Add a PCD for skipping the password prompt when the device is in the unlocked status.
The previous change only supported the case where the storage device is in the locked status.
This change is added to support the case where the security status of the
storage device is unlocked.
Signed-off-by: Maggie Chu <maggie.chu@intel.com >
Reviewed-by: Eric Dong <eric.dong@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
2019-06-10 14:16:07 +08:00
Eric Dong
e0972cfc7d
SecurityPkg/SecurityPkg.dec: Change BlockSID default policy
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1782
Change the BlockSID default policy to enable BlockSid by default.
Signed-off-by: Eric Dong <eric.dong@intel.com >
Reviewed-by: Hao A Wu <hao.a.wu@intel.com >
2019-05-09 14:32:46 +08:00
Michael D Kinney
289b714b77
SecurityPkg: Replace BSD License with BSD+Patent License
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1373
Replace BSD 2-Clause License with BSD+Patent License. This change is
based on the following emails:
https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html
https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html
RFCs with detailed process for the license change:
V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html
V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html
V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com >
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com >
Reviewed-by: Jian J Wang <jian.j.wang@intel.com >
2019-04-09 10:58:23 -07:00
Chu, Maggie
8a9301cdd7
SecurityPkg: Add a PCD to skip Opal password prompt
...
https://bugzilla.tianocore.org/show_bug.cgi?id=1484
Add a PCD for skipping the password prompt and device unlock flow,
so that other pre-OS applications are able to take over the Opal
device unlock flow.
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jiewen Yao <jiewen.yao@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Maggie Chu <maggie.chu@intel.com >
Reviewed-by: Eric Dong <eric.dong@intel.com >
2019-01-31 10:49:16 +08:00
Zhang, Chao B
b909b8b91d
SecurityPkg/TCG: Upgrade UEFI supporting TCG spec info
...
Update "TCG ACPI Specification Level 00 Revision 00.37" to "TCG ACPI Specification 1.2 Revision 8"
https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
Upgrade "TCG PC Client Platform Physical Presence Interface Specification Version 1.3 Revision 0.52" to Errata Version 0.4
https://trustedcomputinggroup.org/wp-content/uploads/Errata-Version-0.4-for-TCG-PC-Client-Platform-Physical-Presence-Interface-Version-1.30-Revision-0.52.pdf
Upgrade "TCG EFI Protocol Specification for Family 2.0 Level 00" to Errata 0.5
https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-Errata-v.5.pdf
Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen <jiewen.yao@intel.com >
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
2019-01-28 22:47:41 +08:00
Chen A Chen
514c55c185
SecurityPkg: Remove code under UserIdentification folder.
...
BZ:https://bugzilla.tianocore.org/show_bug.cgi?id=1427
1. UserIdentifyManagerDxe is used to provide UserManagerProtocol.
2. UserProfileManagerDxe provides the UI settings.
3. PwdCredentialProviderDxe & UsbCredentialProviderDxe are implementation
examples.
Remove the above features because no platform uses them.
Cc: Zhang Chao B <chao.b.zhang@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com >
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com >
2019-01-14 08:55:35 +08:00
Liming Gao
b3548d32dd
SecurityPkg: Clean up source files
...
1. Do not use tab characters
2. No trailing white space in one line
3. All files must end with CRLF
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com >
2018-06-28 11:19:50 +08:00
Zhang, Chao B
631976706d
SecurityPkg: Tpm2DeviceLib: Enable CapCRBIdleBypass support
...
Directly transition from CMD completion to the CMD Ready state if the device
supports IdleByPass.
Cc: Long Qin <qin.long@intel.com >
Cc: Yao Jiewen <jiewen.yao@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Long Qin <qin.long@intel.com >
2018-06-27 09:31:01 +08:00
Zhang, Chao B
f15cb995bb
SecurityPkg: Cache TPM interface type info
...
Cache TPM interface type info to avoid excessive interface ID register read
Cc: Long Qin <qin.long@intel.com >
Cc: Yao Jiewen <jiewen.yao@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Long Qin <qin.long@intel.com >
2018-06-25 10:55:08 +08:00
Jiewen Yao
89b1612fcf
SecurityPkg/dec: remove TrEE.
...
TrEE is deprecated. We need to use Tcg2.
Cc: Chao B Zhang <chao.b.zhang@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com >
2018-03-16 14:19:54 +08:00
Star Zeng
1101ffbf84
SecurityPkg OpalPasswordSupportLib: Remove it
...
Remove OpalPasswordSupportLib as it is not used
anymore.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Eric Dong <eric.dong@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
2018-03-08 21:33:51 +08:00
Zhang, Chao B
5552ac4231
SecurityPkg: Disable TPM interrupt in DEC
...
Disable TPM interrupt support in DEC by default to keep compatibility
Cc: Yao Jiewen <jiewen.yao@intel.com >
Cc: Long Qin <qin.long@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
Reviewed-by: Long Qin <qin.long@intel.com >
2018-01-30 10:24:05 +08:00
Zhang, Chao B
c4122dcaad
SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt support
...
1. Expose _CRS, _SRS, _PRS control method to support TPM interrupt
2. Provide 2 PCDs to configure _CRS and _PRS returned data
Cc: Yao Jiewen <jiewen.yao@intel.com >
Cc: Ronald Aigner <Ronald.Aigner@microsoft.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
2018-01-29 15:09:23 +08:00
Zhang, Chao B
b921c62943
SecurityPkg: Update package version to 0.98
...
Update package version of SecurityPkg to 0.98.
Cc: Qin Long <qin.long@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Qin Long <qin.long@intel.com >
2018-01-23 08:47:03 +08:00
Brijesh Singh
071f1d19dd
SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
...
By default the image verification policy for option ROM images is 0x4
(DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:
1fea9ddb4e
OvmfPkg: execute option ROM images regardless of Secure Boot
set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option
ROMs come from the host side and most of the time the cloud provider (i.e.
hypervisor) has full access over a guest anyway. But when secure boot
is enabled, we would like to deny the execution of option ROMs when
SEV is active. Having a dynamic PCD gives us the flexibility to set the
security policy at runtime.
Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com >
Cc: Jordan Justen <jordan.l.justen@intel.com >
Cc: Laszlo Ersek <lersek@redhat.com >
Cc: Tom Lendacky <thomas.lendacky@amd.com >
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Long Qin <qin.long@intel.com >
2017-10-17 21:28:26 +02:00
Zhang, Chao B
d7c054f985
SecurityPkg\Tcg2Pei: FV measure performance enhancement
...
1. Leverage the Pre-Hashed FV PPI to reduce duplicated hashing.
2. Only measure the BFV at the beginning. Other FVs are measured in the FvInfo callback with a nested
FV check.
https://bugzilla.tianocore.org/show_bug.cgi?id=662
Cc: Long Qin <qin.long@intel.com >
Cc: Yao Jiewen <jiewen.yao@intel.com >
Cc: Sean Brogan <sean.brogan@microsoft.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Long Qin <qin.long@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
2017-10-15 08:16:36 +08:00
Zhang, Chao B
de8e4dc4df
SecurityPkg: Update package version to 0.97
...
Update package version of SecurityPkg to 0.97.
Cc: Qin Long <qin.long@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Qin Long <qin.long@intel.com >
2017-05-05 13:27:00 +08:00
Long Qin
d3e0c996d5
SecurityPkg/SecurityPkg.dec: Update PcdPkcs7CertBuffer PCD.
...
This patch updates the PcdPkcs7CertBuffer PCD to use the new
generated test certificate data for PKCS7 verification. This
was used as sample trusted certificate in the verification of
Signed Capsule Update.
(The updated value is still only for test purpose.)
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Eric Dong <eric.dong@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com >
2017-04-12 13:18:06 +08:00
Star Zeng
9fe9cf9acb
SecurityPkg HashLibRouter: Avoid incorrect PcdTcg2HashAlgorithmBitmap
...
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=244
Currently, when the software HashLib (HashLibBaseCryptoRouter) and related
HashInstanceLib instances are used, PcdTcg2HashAlgorithmBitmap is
expected to be configured to 0 in the platform dsc.
But PcdTcg2HashAlgorithmBitmap has the default value 0xFFFFFFFF in
SecurityPkg.dec, and some platforms forget to configure it to 0 or
still configure it to 0xFFFFFFFF in the platform dsc, which makes the final
PcdTcg2HashAlgorithmBitmap value incorrect.
This patch adds a CONSTRUCTOR in HashLib (HashLibBaseCryptoRouter),
and PcdTcg2HashAlgorithmBitmap will be set to 0 in the CONSTRUCTOR.
Currently the HASH_LIB_PEI_ROUTER_GUID HOB created in
HashLibBaseCryptoRouterPei is shared between modules that link
HashLibBaseCryptoRouterPei.
To avoid mutual interference, separate HASH_LIB_PEI_ROUTER_GUID HOBs
with a gEfiCallerIdGuid identifier will be created for those modules.
This patch also adds a check in HashLib (HashLibBaseCryptoRouter)
for a mismatch of the supported HashMask between modules that may link
different HashInstanceLib instances; a warning will be reported if a
mismatch is found.
Cc: Jiewen Yao <jiewen.yao@intel.com >
Cc: Chao Zhang <chao.b.zhang@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com >
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com >
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com >
2017-02-08 18:52:07 +08:00
Zhang, Chao B
18458db1d4
SecurityPkg: Tcg2Dxe: Log Startup Locality Event
...
Log the Startup Locality Event according to TCG PC Client PFP 00.21.
The event should be placed before any extend to PCR[0].
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf
Cc: Star Zeng <star.zeng@intel.com >
Cc: Yao Jiewen <jiewen.yao@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
2017-01-24 10:22:25 +08:00
Zhang, Chao B
fca4228907
SecurityPkg: Tcg2Config: TPM2 ACPI Table Rev Option
...
Add a TPM2 ACPI Table Rev option in the Tcg2Config UI. Rev 4 is defined in
TCG ACPI Specification 00.37.
Cc: Star Zeng <star.zeng@intel.com >
Cc: Yao Jiewen <jiewen.yao@intel.com >
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com >
Reviewed-by: Star Zeng <star.zeng@intel.com >
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com >
2017-01-10 14:18:42 +08:00