path: root/SecurityPkg/SecurityPkg.dec

Commit log (for each entry: commit message, author, date, files changed, lines removed/added)
* SecurityPkg: Tpm2DeviceLib: Enable CapCRBIdleBypass support
    Author: Zhang, Chao B | Date: 2018-06-27 | Files: 1 | Lines: -0/+10

    Directly transition from CMD completion to CMD Ready state if device supports IdleByPass.

    Cc: Long Qin <qin.long@intel.com>
    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg: Cache TPM interface type info
    Author: Zhang, Chao B | Date: 2018-06-25 | Files: 1 | Lines: -1/+11

    Cache TPM interface type info to avoid excessive interface ID register reads.

    Cc: Long Qin <qin.long@intel.com>
    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg/dec: remove TrEE.
    Author: Jiewen Yao | Date: 2018-03-16 | Files: 1 | Lines: -17/+1

    TrEE is deprecated. We need to use Tcg2.

    Cc: Chao B Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
* SecurityPkg OpalPasswordSupportLib: Remove it
    Author: Star Zeng | Date: 2018-03-08 | Files: 1 | Lines: -4/+0

    Remove OpalPasswordSupportLib as it is not used anymore.

    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Eric Dong <eric.dong@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Disable TPM interrupt in DEC
    Author: Zhang, Chao B | Date: 2018-01-30 | Files: 1 | Lines: -2/+2

    Disable TPM interrupt support in DEC by default to keep compatibility.

    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Cc: Long Qin <qin.long@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt support
    Author: Zhang, Chao B | Date: 2018-01-29 | Files: 1 | Lines: -0/+10

    1. Expose _CRS, _SRS, _PRS control methods to support TPM interrupt
    2. Provide 2 PCDs to configure _CRS and _PRS returned data

    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Cc: Ronald Aigner <Ronald.Aigner@microsoft.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg: Update package version to 0.98
    Author: Zhang, Chao B | Date: 2018-01-23 | Files: 1 | Lines: -2/+2

    Update package version of SecurityPkg to 0.98.

    Cc: Qin Long <qin.long@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Qin Long <qin.long@intel.com>
* SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
    Author: Brijesh Singh | Date: 2017-10-17 | Files: 1 | Lines: -12/+12

    By default the image verification policy for option ROM images is 0x4
    (DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:

        1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

    set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option ROMs come from the
    host side and most of the time the cloud provider (i.e. hypervisor) has full access over a
    guest anyway. But when secure boot is enabled, we would like to deny the execution of option
    ROMs when SEV is active. Having a dynamic Pcd will give us the flexibility to set the security
    policy at runtime.

    Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Cc: Jordan Justen <jordan.l.justen@intel.com>
    Cc: Laszlo Ersek <lersek@redhat.com>
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg\Tcg2Pei: FV measure performance enhancement
    Author: Zhang, Chao B | Date: 2017-10-15 | Files: 1 | Lines: -1/+6

    1. Leverage Pre-Hashed FV PPI to reduce duplicated hashing.
    2. Only measure BFV at the beginning. Other FVs are measured in the FVinfo callback with
       nested FV check.

    https://bugzilla.tianocore.org/show_bug.cgi?id=662

    Cc: Long Qin <qin.long@intel.com>
    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Cc: Sean Brogan <sean.brogan@microsoft.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg: Update package version to 0.97
    Author: Zhang, Chao B | Date: 2017-05-05 | Files: 1 | Lines: -1/+1

    Update package version of SecurityPkg to 0.97.

    Cc: Qin Long <qin.long@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Qin Long <qin.long@intel.com>
* SecurityPkg/SecurityPkg.dec: Update PcdPkcs7CertBuffer PCD.
    Author: Long Qin | Date: 2017-04-12 | Files: 1 | Lines: -1/+1

    This patch updates the PcdPkcs7CertBuffer PCD to use the newly generated test certificate
    data for PKCS7 verification. This was used as a sample trusted certificate in the
    verification of Signed Capsule Update. (The updated value is still only for test purposes.)

    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Eric Dong <eric.dong@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Long Qin <qin.long@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg HashLibRouter: Avoid incorrect PcdTcg2HashAlgorithmBitmap
    Author: Star Zeng | Date: 2017-02-08 | Files: 1 | Lines: -0/+4

    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=244

    Currently, when the software HashLib (HashLibBaseCryptoRouter) and related HashInstanceLib
    instances are used, PcdTcg2HashAlgorithmBitmap is expected to be configured to 0 in the
    platform dsc. But PcdTcg2HashAlgorithmBitmap has the default value 0xFFFFFFFF in
    SecurityPkg.dec, and some platforms forget to configure it to 0 or still configure it to
    0xFFFFFFFF in the platform dsc, which makes the final PcdTcg2HashAlgorithmBitmap value
    incorrect.

    This patch adds a CONSTRUCTOR in HashLib (HashLibBaseCryptoRouter), and
    PcdTcg2HashAlgorithmBitmap will be set to 0 in the CONSTRUCTOR.

    Currently the HASH_LIB_PEI_ROUTER_GUID HOB created in HashLibBaseCryptoRouterPei is shared
    between modules that link HashLibBaseCryptoRouterPei. To avoid mutual interference, separate
    HASH_LIB_PEI_ROUTER_GUID HOBs with the gEfiCallerIdGuid Identifier will be created for those
    modules.

    This patch also adds a check in HashLib (HashLibBaseCryptoRouter) for a mismatch of the
    supported HashMask between modules that may link different HashInstanceLib instances; a
    warning will be reported if a mismatch is found.

    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Tcg2Dxe: Log Startup Locality Event
    Author: Zhang, Chao B | Date: 2017-01-24 | Files: 1 | Lines: -0/+4

    Log Startup Locality Event according to TCG PC Client PFP 00.21. The event should be placed
    before any extend to PCR[0].
    http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

    Cc: Star Zeng <star.zeng@intel.com>
    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg: Tcg2Config: TPM2 ACPI Table Rev Option
    Author: Zhang, Chao B | Date: 2017-01-10 | Files: 1 | Lines: -0/+7

    Add TPM2 ACPI Table Rev Option in Tcg2Config UI. Rev 4 is defined in TCG ACPI Specification 00.37.

    Cc: Star Zeng <star.zeng@intel.com>
    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg Tcg2ConfigDxe: Add setup option to configure PPI version
    Author: Star Zeng | Date: 2017-01-06 | Files: 1 | Lines: -5/+8

    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=288

    gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer was introduced to configure
    the physical presence interface version, but a tester or user needs to build different images
    to support different versions separately, as the PCD does not support Dynamic types.

    This patch extends the PCD to support Dynamic types and adds a setup option in the
    Tcg2ConfigDxe driver to configure the physical presence interface version; the PCD needs to
    be of DynamicHii type and maps to the setup option.

    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Add Pcd PROMPT/HELP & Change default setting
    Author: Zhang, Chao B | Date: 2017-01-05 | Files: 1 | Lines: -2/+2

    Update PCD PcdTcg2PhysicalPresenceFlags default setting. Also add PROMPT and HELP strings.

    Cc: Star Zeng <star.zeng@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Star Zeng <star.zeng@intel.com>
* SecurityPkg: Tcg2PhysicalPresence: Define TCG2 PP Flags Initial Pcd
    Author: Zhang, Chao B | Date: 2016-12-29 | Files: 1 | Lines: -0/+6

    Define PcdTcg2PhysicalPresenceFlags to initialize TCG2 PP Flags setting.

    Cc: Yao Jiewen <jiewen.yao@intel.com>
    Cc: Star Zeng <star.zeng@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
    Reviewed-by: Star Zeng <star.zeng@intel.com>
* Revert old "Enable BlockSid related PP actions" patch series.
    Author: Eric Dong | Date: 2016-11-23 | Files: 1 | Lines: -9/+0

    A new solution for this issue will be provided. This reverts commits from
    d1947ce509d745f32db6b7fecc03dc9c778b9350 to bda034c34deea6eb43edcef28018a9ace8f04637.

    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Eric Dong <eric.dong@intel.com>
* SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib.
    Author: Eric Dong | Date: 2016-11-21 | Files: 1 | Lines: -0/+9

    The Tcg Physical Presence spec defines some actions used for storage devices. Add a Dxe
    version library to handle these actions.

    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Eric Dong <eric.dong@intel.com>
* SecurityPkg/SecurityPkg.dec: Add PcdPkcs7CertBuffer PCD.
    Author: Jiewen Yao | Date: 2016-11-08 | Files: 1 | Lines: -1/+7

    This PCD is similar to PcdRsa2048Sha256PublicKeyBuffer. It provides the trusted cert for
    PKCS7 verification. It can be used for Recovery and Capsule Update images.

    We added a warning message for both PcdPkcs7CertBuffer and PcdRsa2048Sha256PublicKeyBuffer.
    The default value is only for test purposes.

    Cc: Feng Tian <feng.tian@intel.com>
    Cc: Star Zeng <star.zeng@intel.com>
    Cc: Michael D Kinney <michael.d.kinney@intel.com>
    Cc: Liming Gao <liming.gao@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
    Tested-by: Michael Kinney <michael.d.kinney@intel.com>
* SecurityPkg: Add PcdUserPhysicalPresence to indicate use of physical presence.
    Author: Liming Gao | Date: 2016-06-29 | Files: 1 | Lines: -0/+6

    This PCD supports all configuration types. Its default value is FALSE.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Liming Gao <liming.gao@intel.com>
    Reviewed-by: Giri P Mudusuru <giri.p.mudusuru@intel.com>
* SecurityPkg: Tcg2Smm: Make TCG2 PP version configurable
    Author: Zhang, Chao B | Date: 2016-06-12 | Files: 1 | Lines: -0/+4

    Make TCG2 PP version configurable to meet different requests. The current default version is 1.3.
    http://www.trustedcomputinggroup.org/physical-presence-interface_1-30_0-52/

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg: Remove gEdkiiSecureBootModeGuid definition
    Author: Zhang, Chao B | Date: 2016-05-04 | Files: 1 | Lines: -4/+0

    Remove the gEdkiiSecureBootModeGuid definition for the Customized Secure Boot feature defined
    in UEFI2.5 Mantis 1263. It is a private variable GUID. The feature has been moved to
    https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot

    Previous check-in hash is SHA-1: af9af05bec5b1880f8e4f9142ecc0044fd0acb33

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
    Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
* SecurityPkg: OpalPasswordSupportLib: Add Opal password support library.
    Author: Eric Dong | Date: 2016-03-29 | Files: 1 | Lines: -0/+16

    APIs used to support the opal password solution to trigger opal commands.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Eric Dong <eric.dong@intel.com>
    Reviewed-by: Feng Tian <feng.tian@intel.com>
* SecurityPkg: AuthVariableLib: Add new cert database for volatile time based Auth variable
    Author: Chao Zhang | Date: 2016-02-02 | Files: 1 | Lines: -1/+1

    Add a new cert data base "certdbv" to store signer certs for volatile time based Auth variable.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19786 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: TcgDxe,Tcg2Dxe,TrEEDxe: New PCD for TCG event log and TCG2 final event log area
    Author: Chao Zhang | Date: 2016-01-12 | Files: 1 | Lines: -1/+10

    TCG event log and TCG2 final event log area lengths can be configured to meet platform event
    log requirements.

    PcdTcgLogAreaMinLen    : 0x10000, based on the minimum requirement in TCG ACPI Spec 00.37
    PcdTcg2FinalLogAreaLen : 0x8000, based on experience value

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
    Reviewed-by: Qin Long <qin.long@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19639 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add gEdkiiSecureBootModeGuid definition
    Author: Chao Zhang | Date: 2015-12-07 | Files: 1 | Lines: -1/+5

    Add the gEdkiiSecureBootModeGuid definition for the Enable Secure Boot feature defined in
    UEFI2.5 Mantis 1263. It is a private variable GUID.
    https://mantis.uefi.org/mantis/view.php?id=1263

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Zeng Star <star.zeng@intel.com>
    Reviewed-by: Long Qin <qin.long@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19132 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add missing Lib definition in DEC file.
    Author: Qiu Shumin | Date: 2015-08-27 | Files: 1 | Lines: -0/+9

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Qiu Shumin <shumin.qiu@intel.com>
    Reviewed-by: Yao Jiewen <Jiewen.Yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18334 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add missing PCD usage information.
    Author: Qiu Shumin | Date: 2015-08-27 | Files: 1 | Lines: -0/+2

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Qiu Shumin <shumin.qiu@intel.com>
    Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18333 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Update Package version to 0.96
    Author: Chao Zhang | Date: 2015-08-20 | Files: 1 | Lines: -1/+1

    Update Package version to 0.96.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
    Reviewed-by: Qin Long <qin.long@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18240 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Fixed build error due to FixedAtBuild PcdTcg2HashAlgorithmBitmap
    Author: Samer El-Haj-Mahmoud | Date: 2015-08-18 | Files: 1 | Lines: -16/+19

    PcdTcg2HashAlgorithmBitmap is declared in a section that allows it to be Fixed or
    PatchableAtBuild, but there is code that sets it. This breaks the build on some platforms.
    Changed it to be PcdsDynamic and PcdsDynamicEx only.

    We move PcdTpm2HashMask to the Dynamic section too, because now Tcg2Pei will set this PCD
    according to the TPM2 device capability.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Samer El-Haj-Mahmoud" <samer.el-haj-mahmoud@hp.com>
    Reviewed-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18233 6f19259b-4bc3-4df7-8a09-765794883524
* Add TPM2 support defined in trusted computing group.
    Author: Yao, Jiewen | Date: 2015-08-13 | Files: 1 | Lines: -0/+21

    TCG EFI Protocol Specification for TPM Family 2.0 Revision 1.0 Version 9 at
    http://www.trustedcomputinggroup.org/resources/tcg_efi_protocol_specification

    TCG Physical Presence Interface Specification Version 1.30, Revision 00.52 at
    http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification

    Add Tcg2XXX, with a similar file/directory layout to TrEEXXX. The old TrEE driver/library can
    be deprecated.

    1) Add Tcg2Pei/Dxe/Smm drivers to log events and provide services.
    2) Add Dxe/Pei/SmmTcg2PhysicalPresenceLib to support TCG PP.
    3) Update the Tpm2 library to use the TCG2 protocol instead of the TrEE protocol.

    Tested Win8/Win10 with SecureBoot enabled; PCR7 shows bound.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>
    Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18219 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Delete Auth Variable driver
    Author: Star Zeng | Date: 2015-07-01 | Files: 1 | Lines: -10/+2

    1. Delete the TpmMeasurementLib LibraryClass from SecurityPkg after it moved to MdeModulePkg.
    2. Update DxeTpmMeasurementLib.inf to include MdeModulePkg.dec.
    3. Delete the authenticated variable definitions from AuthenticatedVariableFormat.h after
       they moved to VariableFormat.h.
    4. Replace VARIABLE_HEADER with AUTHENTICATED_VARIABLE_HEADER in EsalVariableDxeSal.
    5. Delete VariableInfo from SecurityPkg after it merged into VariableInfo in MdeModulePkg.
    6. Delete VariablePei from SecurityPkg after it merged into VariablePei in MdeModulePkg.
    7. Delete the Auth Variable driver from SecurityPkg after it merged into the Variable driver
       in MdeModulePkg.
    8. Also update PACKAGE_GUID and PACKAGE_VERSION in SecurityPkg.dec after the deletion of the
       authenticated variable definitions, VariableInfo, VariablePei and the Auth Variable driver
       from SecurityPkg; update PLATFORM_VERSION in SecurityPkg.dsc.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Star Zeng <star.zeng@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
    Reviewed-by: Liming Gao <liming.gao@intel.com>
    Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17772 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add more comments for PcdTpmInstanceGuid
    Author: Liming Gao | Date: 2015-05-14 | Files: 1 | Lines: -0/+1

    When PcdTpmInstanceGuid is configured to another value, it means another TPM 2.0 device.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Liming Gao <liming.gao@intel.com>
    Reviewed-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17446 6f19259b-4bc3-4df7-8a09-765794883524
* Add performance optimization for Tcg/TrEE.
    Author: Yao, Jiewen | Date: 2015-03-04 | Files: 1 | Lines: -0/+1

    Add an error check for the Tcg/TrEE Pei/Dxe drivers to avoid unnecessary hardware checks,
    for performance optimization.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
    Reviewed-by: "Zeng, Star" <star.zeng@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17004 6f19259b-4bc3-4df7-8a09-765794883524
* Add TpmInitializationDonePpi to TPM PEI module.
    Author: Yao, Jiewen | Date: 2015-01-22 | Files: 1 | Lines: -0/+4

    This PPI will always be installed to notify other drivers that the TPM initialization action
    is done. TPM initialization may succeed or fail, or the TPM may even not be present.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
    Reviewed-by: "Dong, Guo" <guo.dong@intel.com>
    Reviewed-by: "Chiu, Chasel" <chasel.chiu@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16638 6f19259b-4bc3-4df7-8a09-765794883524
* Handle TPM device error and avoid deadloop in BDS.
    Author: Yao, Jiewen | Date: 2015-01-12 | Files: 1 | Lines: -0/+10

    If a TPM error happens, set the TPM flag to NOT present, so that the trusted boot path is
    disabled. Also report a status code for the failure, so that the platform may register a
    handler to apply a policy like forcing a system reset, or disabling the TPM permanently.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
    Reviewed-by: "Dong, Guo" <guo.dong@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16598 6f19259b-4bc3-4df7-8a09-765794883524
* Add TPM Physical Presence >=128 operation value support.
    Author: Yao, Jiewen | Date: 2015-01-12 | Files: 1 | Lines: -1/+9

    The Tcg/TrEE PhysicalPresence library will depend on the Tcg/TrEE PpVendor library. The
    default NULL library instance is provided in this package. An OEM can create OemPpVendorLib
    as an override to handle >=128 operation values.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
    Reviewed-by: "Dong, Guo" <guo.dong@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16597 6f19259b-4bc3-4df7-8a09-765794883524
* Update SecurityPkg package version to 0.94.
    Author: Dong, Guo | Date: 2014-09-02 | Files: 1 | Lines: -1/+1

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong, Guo <guo.dong@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16032 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: INF/DEC file updates to EDK II packages
    Author: Dong, Guo | Date: 2014-08-28 | Files: 1 | Lines: -107/+153

    4. PCD information in DEC file comment blocks is either incomplete or incorrect. This
       includes the detailed description, @Prompt, @ValidRange, @ValidList, @Expression, and
       [Error.<TokenSpaceGuid>] validation error messages.

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong, Guo <guo.dong@intel.com>
    Reviewed-by: Gao, Liming <liming.gao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15952 6f19259b-4bc3-4df7-8a09-765794883524
* 1) Update code to use PcdFixedUsbCredentialProviderTokenFileName and PcdMaxVariableSize as patchable PCD instead of FixedAtBuild PCD.
    Author: Dong, Guo | Date: 2014-08-15 | Files: 1 | Lines: -4/+6

    2) Correct a typo in file comments of Tpm12Ownership.c

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong, Guo <guo.dong@intel.com>
    Reviewed-by: Gao, Liming <liming.gao@intel.com>
    Reviewed-by: Yao, Jiewen <jiewen.yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15811 6f19259b-4bc3-4df7-8a09-765794883524
* Contributed-under: TianoCore Contribution Agreement 1.0
    Author: Michael Kinney | Date: 2014-08-14 | Files: 1 | Lines: -0/+7

    Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
    Reviewed-by: Dong, Guo <guo.dong@intel.com>

    Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED
    Encapsulation Section. The primary use case of this feature is in support of signing and
    verification of encapsulated FVs for Recovery and Capsule Update, but it can potentially be
    used for signing and verification of any content that can be stored in a PI conformant FFS
    file. Signing operations are performed from python scripts that wrap OpenSsl command line
    utilities. Verification operations are performed using the OpenSsl libraries in the CryptoPkg.

    The guided encapsulation section uses the UEFI 2.4 Specification defined GUID called
    EFI_CERT_TYPE_RSA2048_SHA256_GUID. The data layout for the encapsulation section starts with
    the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed
    immediately by the data. The signing tool included in these patches performs encode/decode
    operations using this data layout. HashType is set to the UEFI 2.4 Specification defined
    GUID called EFI_HASH_ALGORITHM_SHA256_GUID.

    MdePkg/Include/Guid/WinCertificate.h
    =================================
    //
    // WIN_CERTIFICATE_UEFI_GUID.CertType
    //
    #define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
      {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }

    ///
    /// WIN_CERTIFICATE_UEFI_GUID.CertData
    ///
    typedef struct {
      EFI_GUID  HashType;
      UINT8     PublicKey[256];
      UINT8     Signature[256];
    } EFI_CERT_BLOCK_RSA_2048_SHA256;

    MdePkg/Include/Protocol/Hash.h
    =================================
    #define EFI_HASH_ALGORITHM_SHA256_GUID \
      { \
        0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
      }

    The verification operations require the use of public key(s). A new PCD called
    gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg
    that supports one or more SHA 256 hashes of the public keys. A SHA 256 hash is performed to
    minimize the FLASH overhead of storing the public keys. When a verification operation is
    performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a
    check is made to see if that hash matches any of the hashes in the new PCD. It is recommended
    that this PCD always be configured in the DSC file with a storage type of [PcdsDynamicExVpd],
    so the public keys are stored in a protected read-only region.

    While working on this feature, I noticed that the CRC32 signing and verification feature was
    incomplete. It only supported CRC32 based verification in the DXE Phase, so the attached
    patches also provide support for CRC32 based verification in the PEI Phase. I also noticed
    that the most common method for incorporating guided section extraction libraries was to
    directly link them to the DXE Core, which is not very flexible. The attached patches also add
    a generic section extraction PEIM and a generic section extraction DXE driver that can each
    be linked against one or more section extraction libraries. This provides a platform
    developer with the option of providing section extraction services with the DXE Core or
    providing section extraction services with these generic PEIM/DXE Drivers.

    Patch Summary
    ==============
    1) BaseTools - Rsa2048Sha256Sign python script that can perform test signing or custom
       signing of PI FFS file GUIDed sections
       a. Wrapper for a set of OpenSsl command line utility operations
       b. OpenSsl command line tool must be installed in a location that is in the standard OS
          path or in the path specified by the OS environment variable called OPENSSL_PATH
       c. Provides standard EDK II command line arguments for a tool that encodes/decodes a
          guided encapsulation section

       Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.

       usage: Rsa2048Sha256Sign -e|-d [options] <input_file>

       positional arguments:
         input_file            specify the input filename

       optional arguments:
         -e                    encode file
         -d                    decode file
         -o filename, --output filename
                               specify the output filename
         --private-key PRIVATEKEYFILE
                               specify the private key filename. If not specified, a test
                               signing key is used.
         -v, --verbose         increase output messages
         -q, --quiet           reduce output messages
         --debug [0-9]         set debug level
         --version             display the program version and exit
         -h, --help            display this help text

    2) BaseTools - Rsa2048Sha256GenerateKeys python script that can generate a new private/public
       key and the PCD value that is the SHA 256 hash of the public key using OpenSsl command line
       utilities.
       a. Wrapper for a set of OpenSsl command line utility operations
       b. OpenSsl command line tool must be installed in a location that is in the standard path
          or in the path specified by the OS environment variable called OPENSSL_PATH

       Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.

       usage: Rsa2048Sha256GenerateKeys [options]

       optional arguments:
         -o [filename [filename ...]], --output [filename [filename ...]]
                               specify the output private key filename in PEM format
         -i [filename [filename ...]], --input [filename [filename ...]]
                               specify the input private key filename in PEM format
         --public-key-hash PUBLICKEYHASHFILE
                               specify the public key hash filename that is SHA 256 hash of
                               2048 bit RSA public key in binary format
         --public-key-hash-c PUBLICKEYHASHCFILE
                               specify the public key hash filename that is SHA 256 hash of
                               2048 bit RSA public key in C structure format
         -v, --verbose         increase output messages
         -q, --quiet           reduce output messages
         --debug [0-9]         set debug level
         --version             display the program version and exit
         -h, --help            display this help text

    3) BaseTools\Conf\tools_def.template
       a. Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to
          use an alternate private/public key
       b. GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID
       c. Tool is Rsa2048Sha256Sign
    4) MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib
       a. Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform
          basic integrity checks of PEI and DXE components
    5) MdeModulePkg\Universal\SectionExtractionPei
       a. Generic PEIM that can link against one or more NULL section extraction library
          instances to provide one or more GUIDED Section Extraction PPIs
    6) MdeModulePkg\Universal\SectionExtractionDxe
       a. Generic DXE Driver that can link against one or more NULL section extraction library
          instances to provide one or more GUIDED Section Extraction Protocols.
    7) SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib
       a. NULL library instance that performs PEI phase RSA 2048 SHA 256 signature verification
          using OpenSsl libraries from CryptoPkg.
       b. Based on algorithms from SecurityPkg Authenticated Variable services
       c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
    8) SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib
       a. NULL library instance that performs DXE phase RSA 2048 SHA 256 signature verification
          using OpenSsl libraries from CryptoPkg.
       b. Based on algorithms from SecurityPkg Authenticated Variable services
       c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15801 6f19259b-4bc3-4df7-8a09-765794883524
* Remove unused [PcdsDynamic, PcdsDynamicEx] section.
    Author: Dong Guo | Date: 2014-03-31 | Files: 1 | Lines: -1/+0

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Fan, Jeff <jeff.fan@intel.com>
    Reviewed-by: Ni, Ruiyu <ruiyu.ni@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15416 6f19259b-4bc3-4df7-8a09-765794883524
* Remove hide TPM support.
    Author: Dong Guo | Date: 2014-03-27 | Files: 1 | Lines: -8/+0

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
    Reviewed-by: Ni, Ruiyu <ruiyu.ni@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15405 6f19259b-4bc3-4df7-8a09-765794883524
* Add comments for PcdHideTpmSupport.
    Author: Dong Guo | Date: 2014-03-17 | Files: 1 | Lines: -0/+1

    Contributed-under: TianoCore Contribution Agreement 1.0
    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15334 6f19259b-4bc3-4df7-8a09-765794883524
* Add description information for the GUID and Library class defined in DEC file
    Author: Dong Guo | Date: 2014-01-28 | Files: 1 | Lines: -15/+76

    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Gao, Liming <liming.gao@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15194 6f19259b-4bc3-4df7-8a09-765794883524
* Fix PCD help information format and a typo.
    Author: Dong Guo | Date: 2014-01-23 | Files: 1 | Lines: -26/+26

    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Gao, Liming <liming.gao@intel.com>
    Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15171 6f19259b-4bc3-4df7-8a09-765794883524
* Fix typo in PCD description in SecurityPkg.
    Author: jyao1 | Date: 2014-01-13 | Files: 1 | Lines: -4/+4

    Signed-off by: jiewen yao <jiewen.yao@intel.com>
    Reviewed by: guo dong <guo.dong@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15105 6f19259b-4bc3-4df7-8a09-765794883524
* Upgrade package version to 0.93
    Author: Dong Guo | Date: 2014-01-10 | Files: 1 | Lines: -2/+2

    Signed-off-by: Dong Guo <guo.dong@intel.com>
    Reviewed-by: Tian, Hot <hot.tian@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15081 6f19259b-4bc3-4df7-8a09-765794883524
* Update DEC file and DxeImageVerificationLib to notify users that ALLOW_EXECUTE_ON_SECURITY_VIOLATION is no longer supported.
    Author: Fu Siyuan | Date: 2013-12-02 | Files: 1 | Lines: -3/+6

    Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
    Reviewed-by: Dong, Guo <guo.dong@intel.com>

    git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14923 6f19259b-4bc3-4df7-8a09-765794883524