diff --git a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml index ac43a7a8ee46..84e3f14b6864 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.ci.yaml +++ b/UefiPayloadPkg/UefiPayloadPkg.ci.yaml @@ -96,5 +96,6 @@ "BLD_*_DISABLE_RESET_SYSTEM": "TRUE", "BLD_*_SERIAL_DRIVER_ENABLE": "FALSE", "BLD_*_BUILD_ARCH": "", + "BLD_*_SECURE_BOOT_ENABLE": "TRUE", } } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index fe7987f8f010..61b5f8f992f0 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -154,6 +154,11 @@ DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE + # + # Security + # + DEFINE SECURE_BOOT_ENABLE = FALSE + [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES !if $(USE_CBMEM_FOR_CONSOLE) == FALSE @@ -305,7 +310,17 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf !endif FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + +!if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf +!else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + !if $(VARIABLE_SUPPORT) == "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf !elseif $(VARIABLE_SUPPORT) == "SPI" @@ -396,6 +411,9 @@ !endif [LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf @@ -527,6 +545,13 @@ !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + # Override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif + [PcdsPatchableInModule.X64] !if $(NETWORK_DRIVER_ENABLE) == TRUE gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE @@ -716,8 +741,18 @@ # Components that produce the architectural protocols # !if $(SECURITY_STUB_ENABLE) == TRUE - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } +!endif + +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif + UefiCpuPkg/CpuDxe/CpuDxe.inf MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index c1b1e35f325c..e788f27cc122 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -17,8 +17,8 @@ DEFINE FD_SIZE = 0x00850000 DEFINE NUM_BLOCKS = 0x850 !else -DEFINE FD_SIZE = 0x00590000 -DEFINE NUM_BLOCKS = 0x590 +DEFINE FD_SIZE = 0x00700000 +DEFINE NUM_BLOCKS = 0x700 !endif ################################################################################ @@ -208,6 +208,12 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf !endif +!if $(UNIVERSAL_PAYLOAD) == FALSE + !if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + !endif +!endif + INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf !if $(MEMORY_TEST) == "GENERIC" @@ -333,6 +339,35 @@ INF ShellPkg/DynamicCommand/DpDynamicCommand/DpDynamicCommand.inf INF ShellPkg/Application/Shell/Shell.inf !endif +!if $(UNIVERSAL_PAYLOAD) == TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + +[FV.SECFV] +FvNameGuid = 2700E2F3-19D2-4E2D-9F13-BC891B9FC62C +BlockSize = $(FD_BLOCK_SIZE) +FvForceRebase = FALSE +FvAlignment = 16 +ERASE_POLARITY = 1 +MEMORY_MAPPED = TRUE +STICKY_WRITE = TRUE +LOCK_CAP = TRUE +LOCK_STATUS = TRUE +WRITE_DISABLED_CAP = TRUE +WRITE_ENABLED_CAP = TRUE +WRITE_STATUS = TRUE +WRITE_LOCK_CAP = TRUE +WRITE_LOCK_STATUS = TRUE +READ_DISABLED_CAP = TRUE +READ_ENABLED_CAP = TRUE +READ_STATUS = TRUE +READ_LOCK_CAP = TRUE +READ_LOCK_STATUS = TRUE + +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + +!endif +!endif + ################################################################################ # diff --git a/UefiPayloadPkg/UniversalPayloadBuild.py b/UefiPayloadPkg/UniversalPayloadBuild.py index c3d02cbc2915..404edfb57b25 100644 --- a/UefiPayloadPkg/UniversalPayloadBuild.py +++ b/UefiPayloadPkg/UniversalPayloadBuild.py @@ -144,6 +144,7 @@ def BuildUniversalPayload(Args): EntryModuleInf = os.path.normpath("UefiPayloadPkg/UefiPayloadEntry/{}.inf".format (UpldEntryFile)) DxeFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) BdsFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) + SecFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) NetworkFvOutputDir = os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv")) PayloadReportPath = os.path.join(BuildDir, "UefiUniversalPayload.txt") ModuleReportPath = os.path.join(BuildDir, "UefiUniversalPayloadEntry.txt") @@ -212,6 +213,7 @@ def BuildUniversalPayload(Args): MultiFvList = [ ['uefi_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/DXEFV.Fv")) ], ['bds_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/BDSFV.Fv")) ], + ['sec_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/SECFV.Fv")) ], ['network_fv', os.path.join(BuildDir, "{}_{}".format (BuildTarget, ToolChain), os.path.normpath("FV/NETWORKFV.Fv"))], ] @@ -234,6 +236,7 @@ def BuildUniversalPayload(Args): fit_image_info_header.TargetPath = os.path.join(BuildDir, 'UniversalPayload.fit') fit_image_info_header.UefifvPath = DxeFvOutputDir fit_image_info_header.BdsfvPath = BdsFvOutputDir + fit_image_info_header.SecfvPath = SecFvOutputDir fit_image_info_header.NetworkfvPath = NetworkFvOutputDir fit_image_info_header.DataOffset = 0x1000 fit_image_info_header.LoadAddr = Args.LoadAddress