summaryrefslogtreecommitdiffstats
path: root/SecurityPkg/SecurityPkg.dsc
Commit message (Collapse)AuthorAgeFilesLines
* SecurityPkg/dsc: remove TrEE.Jiewen Yao2018-03-161-43/+1
| | | | | | | | | TrEE is deprecated. We need use Tcg2. Cc: Chao B Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
* SecurityPkg OpalPasswordSupportLib: Remove itStar Zeng2018-03-081-2/+0
| | | | | | | | | | | | Remove OpalPasswordSupportLib as it is not been used anymore. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg OpalPassword: Remove old solutionStar Zeng2018-03-081-2/+0
| | | | | | | | | Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg OpalPassword: Add solution without SMM device codeStar Zeng2018-03-081-0/+2
| | | | | | | | | | | | | | | | | | | After IOMMU is enabled in S3, original solution with SMM device code (OpalPasswordSmm) to unlock OPAL device for S3 will not work as the DMA operation will be aborted without granted DMA buffer. Instead, this solution is to add OpalPasswordPei to eliminate SMM device code, and OPAL setup UI produced by OpalPasswordDxe will be updated to send requests (set password, update password, and etc), and then the requests will be processed in next boot before SmmReadyToLock, password and device info will be saved to lock box used by OpalPasswordPei to unlock OPAL device for S3. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Don't build AuthVariableLib for EBC archLiming Gao2018-02-071-0/+1
| | | | | | | | | | | | | | | EBC build failure is caused by d7a09cb86a0416c099fa3a9e0fbe2c8f399b28de. It changes MAX_UINTN definition as below. AuthVariableLib uses MAX_UINTN in the global data initialization. New style has >> operator, and not supported by EBC compiler. The fix is not to build AuthVariableLib for EBC. #define MAX_UINTN ((UINTN) ~0) ==> #define MAX_UINTN ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8))) Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Update package version to 0.98Zhang, Chao B2018-01-231-2/+2
| | | | | | | | | Update package version of SecurityPkg to 0.98. Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
* SecurityPkg: Remove RngTest Application from SecurityPkgLong Qin2017-12-271-5/+0
| | | | | | | | | | | BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=820 Remove the RngTest application from SecurityPkg, which was only for unit test. Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Add ARM/AARCH64 arch to enable RngTest module build.Long Qin2017-08-301-1/+1
| | | | | | | | | | | | | | | Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=680 Adding ARM and AARCH64 to SUPPORTED_ARCHITECTURES in SecurityPkg.dsc to enable RngTest module build, since this is one platform-independent application. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* SecurityPkg: Update package version to 0.97Zhang, Chao B2017-05-051-1/+1
| | | | | | | | | Update package version of SecurityPkg to 0.97. Cc: Qin Long <qin.long@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
* SecurityPkg: Consume SmmIoLib.Eric Dong2017-05-041-0/+1
| | | | | | | | Update code to consume SmmIoLib to pass build. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Tcg2Config: TPM2 ACPI Table Rev OptionZhang, Chao B2017-01-101-0/+1
| | | | | | | | | | | | Add TPM2 ACPI Table Rev Option in Tcg2Config UI. Rev 4 is defined in TCG ACPI Specification 00.37 Cc: Star Zeng <star.zeng@intel.com> Cc: Yao Jiewen <jiewen.yao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
* SecurityPkg Tcg2ConfigDxe: Add setup option to configure PPI versionStar Zeng2017-01-061-1/+4
| | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=288 gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer was introduced to configure physical presence interface version. but test or user needs to build different images to support different versions separately as the PCD does not support Dynamic types. This patch is to extend the PCD to support Dynamic types and add a setup option in Tcg2ConfigDxe driver to configure the physical presence interface version, the PCD needs to be DynamicHii type and maps to the setup option. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* Revert old "Enable BlockSid related PP actions" patch series.Eric Dong2016-11-231-4/+0
| | | | | | | | | | | New solution for this issue will be provided. This reverts commits from d1947ce509d745f32db6b7fecc03dc9c778b9350 to bda034c34deea6eb43edcef28018a9ace8f04637. Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com>
* SecurityPkg: Add SmmTcgPhysicalPresenceStorageLib.Eric Dong2016-11-211-0/+2
| | | | | | | | | | | Tcg Physical Presence spec defined some actions used for storage device. Add Smm version library to handles these actions. Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com>
* SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib.Eric Dong2016-11-211-0/+2
| | | | | | | | | | | Tcg Physical Presence spec defined some actions used for storage device. Add Dxe version library to handles these actions. Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com>
* SecurityPkg/SecurityPkg.dsc: Add FmpAuthenticationLib*.Jiewen Yao2016-11-081-0/+3
| | | | | | | | | | | | | | | Add FmpAuthenticationLib* to check build. Cc: Feng Tian <feng.tian@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Tested-by: Michael Kinney <michael.d.kinney@intel.com>
* SecurityPkg/TPM2: Sync PcrAllocations and PcrMaskJiewen Yao2016-09-211-0/+1
| | | | | | | | | | | | | Current TCG2 implementation will set Tpm2HashMask PCD value according to TPM2 PCR bank. However, there might be misconfiguration in BIOS build phase. The enhanced logic makes sure that the current PCR allocations, the TPM supported PCRs, and the PcdTpm2HashMask are all in agreement. Cc: Chao B Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg/SecurityPkg.dsc: Declare PciSegmentLibStar Zeng2016-09-051-0/+1
| | | | | | | | | | | | | | PiDxeS3BootScriptLib will be updated to consume PciSegmentLib instead of PciLib to support multiple PCI segment. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Amy Chan <amy.chan@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
* SecurityPkg DSC: Add build option to disable deprecated APIsHao Wu2016-08-081-0/+1
| | | | | | | | | | | | | Add the following definition in the [BuildOptions] section in package DSC files to disable APIs that are deprecated: [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg SecureBootConfigDxe: Add check for the external PE/COFF image.Liming Gao2016-07-141-0/+2
| | | | | | | | | | | | Use BasePeCoffLib PeCoffLoaderGetImageInfo() to check the PE/COFF image. In V2, add specific ImageRead() to make sure the PE/COFF image content read is within the image buffer. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Enable Opal password solution build.Eric Dong2016-03-291-4/+25
| | | | | | | | | This patch used to enable opal password solution build in Security package level build. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Feng Tian <feng.tian@intel.com>
* SecurityPkg: Add FileExplorerLib.inf to the dsc fileDandan Bi2016-02-261-0/+1
| | | | | | | | | | | | Add FileExplorerLib to SecurePkg DSC to pass build, as SecureBootConfigDxe requires this library now. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Eric Dong <eric.dong@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Add NOOPT target in SecurityPkg.dscHao Wu2016-01-191-2/+2
| | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19678 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Integrate new RngLib into RngDxeThomas Palmer2015-10-091-0/+3
| | | | | | | | | | | | | | | | | Use the new RngLib to provide the IA32/X64 random data for RngDxe. Remove x86 specific functions from RdRand files. Simplify RngDxe by using WriteUnaligned64 for all platforms. Use GetRandomNumber128 in RngDxe to leverage 128 bit support provided by some HW RNG devices. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com> Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18591 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Update Package version to 0.96Chao Zhang2015-08-201-1/+1
| | | | | | | | | | Update Package version to 0.96 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18240 6f19259b-4bc3-4df7-8a09-765794883524
* Add TPM2 support defined in trusted computing group.Yao, Jiewen2015-08-131-6/+55
| | | | | | | | | | | | | | | | | | TCG EFI Protocol Specification for TPM Family 2.0 Revision 1.0 Version 9 at http://www.trustedcomputinggroup.org/resources/tcg_efi_protocol_specification TCG Physical Presence Interface Specification Version 1.30, Revision 00.52 at http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification Add Tcg2XXX, similar file/directory as TrEEXXX. Old TrEE driver/library can be deprecated. 1) Add Tcg2Pei/Dxe/Smm driver to log event and provide services. 2) Add Dxe/Pei/SmmTcg2PhysicalPresenceLib to support TCG PP. 3) Update Tpm2 library to use TCG2 protocol instead of TrEE protocol. Test Win8/Win10 with SecureBoot enabled, PCR7 shows bound. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18219 6f19259b-4bc3-4df7-8a09-765794883524
* Add Secure MOR implementation.Yao, Jiewen2015-07-281-0/+2
| | | | | | | | | | | | Add a new module MemoryOverwriteRequestControlLock to register VarCheck handler to enforce MorLock Policy. Only SMM version is added because MOR is only supported in SMM variable case. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> Reviewed-by: "Chao Zhang" <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18092 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Delete Auth Variable driverStar Zeng2015-07-011-6/+1
| | | | | | | | | | | | | | | | | | | | | | | 1. Delete TpmMeasurementLib LibraryClass from SecurityPkg after it moved to MdeModulePkg. 2. Update DxeTpmMeasurementLib.inf to include MdeModulePkg.dec. 3. Delete authenticated variable definition from AuthenticatedVariableFormat.h after them moved to VariableFormat.h. 4. Replace VARIABLE_HEADER with AUTHENTICATED_VARIABLE_HEADER in EsalVariableDxeSal. 5. Delete VariableInfo from SecurityPkg after it merged to VariableInfo in MdeModulePkg. 6. Delete VariablePei from SecurityPkg after it merged to VariablePei in MdeModulePkg. 7. Delete Auth Variable driver from SecurityPkg after it merged to Variable driver in MdeModulePkg. 8. Also update PACKAGE_GUID and PACKAGE_VERSION in SecurityPkg.dec after the deletion of authenticated variable definition, VariableInfo, VariablePei and Auth Variable driver from SecurityPkg; update PLATFORM_VERSION in SecurityPkg.dsc. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17772 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Implement AuthVariableLib library instanceStar Zeng2015-07-011-1/+3
| | | | | | | | | | | | | | | | | | | | | What to do: 1. Implement AuthVariableLib library instance. 2. Temporarily add VARIABLE_ENTRY_CONSISTENCY and variable attribute combinations definitions to AuthenticatedVariableFormat.h for git bisect. Why to do: 1. Share code. Separate auth variable service from Auth Variable driver in SecurityPkg to AuthVariableLib. Then the AuthVariableLib could benefit and be used by different implementation of Auth Variable drivers. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17758 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add UEFI-2.5 PKCS7 Verification Protocol SupportQin Long2015-06-191-0/+5
| | | | | | | | | | | | | This patch adds the support for PKCS7 Verification Protocol which was defined in UEFI 2.5. (NOTE: The VerifySignature interface was not supported in this version, due to openssl interface limitation) Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17670 6f19259b-4bc3-4df7-8a09-765794883524
* Hash2 driver to [Components.IA32, Components.X64, Components.IPF] section.Yao, Jiewen2015-05-081-5/+5
| | | | | | | | | | | | Because Hash2 need CryptoLib/Openssl, while latter does not support EBC build. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17365 6f19259b-4bc3-4df7-8a09-765794883524
* Add UEFI2.5 HASH protocol implementation.Yao, Jiewen2015-05-051-0/+8
| | | | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> Reviewed-by: "Long, Qin" <Qin.Long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17288 6f19259b-4bc3-4df7-8a09-765794883524
* Use SmmMemLib to check communication buffer.Yao, Jiewen2015-02-021-0/+1
| | | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com> Reviewed-by: "Gao, Liming" <liming.gao@intel.com> Reviewed-by: "Fan, Jeff" <jeff.fan@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16695 6f19259b-4bc3-4df7-8a09-765794883524
* Correct file path.Yao, Jiewen2015-01-131-2/+2
| | | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16603 6f19259b-4bc3-4df7-8a09-765794883524
* Check in missing patch for TPM error handling.Yao, Jiewen2015-01-131-0/+5
| | | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16602 6f19259b-4bc3-4df7-8a09-765794883524
* Add TPM Physical Presence >=128 operation value support.Yao, Jiewen2015-01-121-1/+3
| | | | | | | | | | | | | | | The Tcg/TrEE PhysicalPresence library will depend on Tcg/TrEE PpVendor library. The default NULL library instance is provided in this package. OEM can create OemPpVendorLib as override to handle >=128 operation value. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com> Reviewed-by: "Dong, Guo" <guo.dong@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16597 6f19259b-4bc3-4df7-8a09-765794883524
* Update SecurityPkg package version to 0.94.Dong, Guo2014-09-021-1/+1
| | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dong, Guo <guo.dong@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16032 6f19259b-4bc3-4df7-8a09-765794883524
* Contributed-under: TianoCore Contribution Agreement 1.0Michael Kinney2014-08-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Dong, Guo <guo.dong@intel.com> Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED Encapsulation Section. The primary use case of this feature is in support of signing and verification of encapsulated FVs for Recovery and Capsule Update, but can potentially be used for signing and verification of any content that can be stored in a PI conformant FFS file. Signing operations are performed from python scripts that wrap OpenSsl command line utilities. Verification operations are performed using the OpenSsl libraries in the CryptoPkg. The guided encapsulation sections uses the UEFI 2.4 Specification defined GUID called EFI_CERT_TYPE_RSA2048_SHA256_GUID. The data layout for the encapsulation section starts with the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed immediately by the data. The signing tool included in these patches performs encode/decode operations using this data layout. HashType is set to the UEFI 2.4 Specification defined GUID called EFI_HASH_ALGORITHM_SHA256_GUID. MdePkg/Include/Guid/WinCertificate.h ================================= // // WIN_CERTIFICATE_UEFI_GUID.CertType // #define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } /// /// WIN_CERTIFICATE_UEFI_GUID.CertData /// typedef struct { EFI_GUID HashType; UINT8 PublicKey[256]; UINT8 Signature[256]; } EFI_CERT_BLOCK_RSA_2048_SHA256; MdePkg/Include/Protocol/Hash.h ================================= #define EFI_HASH_ALGORITHM_SHA256_GUID \ { \ 0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \ } The verification operations require the use of public key(s). A new PCD called gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg that supports one or more SHA 256 hashes of the public keys. A SHA 256 hash is performed to minimize the FLASH overhead of storing the public keys. When a verification operation is performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a check is made to see if that hash matches any of the hashes in the new PCD. It is recommended that this PCD always be configured in the DSC file as storage type of [PcdsDynamixExVpd], so the public keys are stored in a protected read-only region. While working on this feature, I noticed that the CRC32 signing and verification feature was incomplete. It only supported CRC32 based verification in the DXE Phase, so the attached patches also provide support for CRC32 based verification in the PEI Phase. I also noticed that the most common method for incorporating guided section extraction libraries was to directly link them to the DXE Core, which is not very flexible. The attached patches also add a generic section extraction PEIM and a generic section extraction DXE driver that can each be linked against one or more section extraction libraries. This provides a platform developer with the option of providing section extraction services with the DXE Core or providing section extraction services with these generic PEIM/DXE Drivers. Patch Summary ============== 1) BaseTools - Rsa2049Sha256Sign python script that can perform test signing or custom signing of PI FFS file GUIDed sections a. Wrapper for a set of OpenSsl command line utility operations b. OpenSsl command line tool must be installed in location that is in standard OS path or in path specified by OS environment variable called OPENSSL_PATH c. Provides standard EDK II command line arguments for a tool that encodes/decodes guided encapsulation section Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved. usage: Rsa2048Sha256Sign -e|-d [options] <input_file> positional arguments: input_file specify the input filename optional arguments: -e encode file -d decode file -o filename, --output filename specify the output filename --private-key PRIVATEKEYFILE specify the private key filename. If not specified, a test signing key is used. -v, --verbose increase output messages -q, --quiet reduce output messages --debug [0-9] set debug level --version display the program version and exit -h, --help display this help text 2) BaseTools - Rsa2049Sha256GenerateKeys python script that can generate new private/public key and PCD value that is SHA 256 hash of public key using OpenSsl command line utilities. a. Wrapper for a set of OpenSsl command line utility operations b. OpenSsl command line tool must be installed in location that is in standard path or in path specified by OS environment variable called OPENSSL_PATH Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved. usage: Rsa2048Sha256GenerateKeys [options] optional arguments: -o [filename [filename ...]], --output [filename [filename ...]] specify the output private key filename in PEM format -i [filename [filename ...]], --input [filename [filename ...]] specify the input private key filename in PEM format --public-key-hash PUBLICKEYHASHFILE specify the public key hash filename that is SHA 256 hash of 2048 bit RSA public key in binary format --public-key-hash-c PUBLICKEYHASHCFILE specify the public key hash filename that is SHA 256 hash of 2048 bit RSA public key in C structure format -v, --verbose increase output messages -q, --quiet reduce output messages --debug [0-9] set debug level --version display the program version and exit -h, --help display this help text 3) BaseTools\Conf\tools_def.template a. Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to use alternate private/public key b. GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID c. Tool is Rsa2049Sha256Sign 4) MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib a. Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform basic integrity checks of PEI and DXE components 5) MdeModulePkg\Universal\SectionExtractionPei a. Generic PEIM that can link against one or more NULL section extraction library instances to provided one or more GUIDED Section Extraction PPIs 6) MdeModulePkg\Universal\SectionExtractionDxe a. Generic DXE Driver that can link against one or more NULL section extraction library instances to provide one or more GUIDED Section Extraction Protocols. 7) SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib a. NULL library instances that performs PEI phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg. b. Based on algorithms from SecurityPkg Authenticated Variable services c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer. 8) SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib a. NULL library instances that performs DXE phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg. b. Based on algorithms from SecurityPkg Authenticated Variable services c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer. git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15801 6f19259b-4bc3-4df7-8a09-765794883524
* Comment PwdCredential driver.Dong Guo2014-03-231-1/+1
| | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15376 6f19259b-4bc3-4df7-8a09-765794883524
* Force UID modules build error to warn user that currently it is just a sample.Dong Guo2014-03-211-4/+4
| | | | | | | | | Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15356 6f19259b-4bc3-4df7-8a09-765794883524
* Upgrade package version to 0.93Dong Guo2014-01-101-2/+2
| | | | | | | | | | Signed-off-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Tian, Hot <hot.tian@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15081 6f19259b-4bc3-4df7-8a09-765794883524
* Add UEFI RNG Protocol support. The driver will leverage Intel Secure Key ↵Long, Qin2013-11-191-0/+5
| | | | | | | | | | | technology to produce the Random Number Generator protocol, which is used to provide high-quality random numbers for use in applications, or entropy for seeding other random number generators. Refer to http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide/ for more information about Intel Secure Key technology. Signed-off-by: Long, Qin <qin.long@intel.com> Reviewed-by: Fu, Siyuan <siyuan.fu@intel.com> Reviewed-by: Rosenbaum, Lee G <lee.g.rosenbaum@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14858 6f19259b-4bc3-4df7-8a09-765794883524
* Add TPM2 implementation.jyao12013-09-181-1/+88
| | | | | | | signed off by: jiewen.yao@intel.com reviewed by: guo.dong@intel.com git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14687 6f19259b-4bc3-4df7-8a09-765794883524
* Update Code to pass EBC compiler.lgao42013-05-131-13/+17
| | | | | | | Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14352 6f19259b-4bc3-4df7-8a09-765794883524
* 1.Measure ACPI table data comes from flash event type EV_POST_CODE ACPI DATA ↵czhang462012-11-271-0/+1
| | | | | | | | | | | | to PCR[0] 2.Re-measure ACPI table after fix up with event type EV_EFI_HANDOFF_TABLES to PCR[1] Signed-off-by : Chao Zhang<chao.b.zhang@intel.com> Reviewed-by : Dong Guo<guo.dong@intel.com> Reviewed-by : Yao Jiewen<jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13964 6f19259b-4bc3-4df7-8a09-765794883524
* Add ImageAuthenticationStatusLib to SAP to check Authentication Status ↵czhang462012-09-131-0/+1
| | | | | | | | | | | | returned from Section Extraction Protocol Signed-off-by: Chao Zhang<chao.b.zhang@intel.com> Reviewed-by : Gao Liming<liming.gao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13729 6f19259b-4bc3-4df7-8a09-765794883524
* Adjust library instances used in SecurityPkg by proper module type.tye12012-07-201-7/+11
| | | | | | | | Signed-off-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Fu, Siyuan <Siyuan.fu@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13544 6f19259b-4bc3-4df7-8a09-765794883524
* Update SecurityPkg package versions from 0.91 to 0.92.gdong12011-12-141-1/+1
| | | | | | | | Signed-off-by: gdong1 Reviewed-by: hhtian Reviewed-by: tye git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12850 6f19259b-4bc3-4df7-8a09-765794883524
* Update code to follow coding style. Mainly change about:ydong102011-11-231-1/+0
| | | | | | | | | | | | 1. Remove duplicate lib 2. Refine the name for enum member. Signed-off-by: ydong10 Reviewed-by: lgao4 Reviewed-by: gdong1 Reviewed-by: vanjeff git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12767 6f19259b-4bc3-4df7-8a09-765794883524
* Correct file path separator to Linux style for all OS.lgao42011-10-291-1/+1
| | | | | | | Signed-off-by: lgao4 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12603 6f19259b-4bc3-4df7-8a09-765794883524
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-12 07:53:22 +0000