Linaro-uefi June 2017

linaro-uefi@lists.linaro.org

15 participants
15 discussions

OpenPlatformPkg/Platforms/ARM/Juno: Enable Secure Boot

by Tommy Huynh

Hi Leif/Ard, Currently, what security properties does secure boot in edk2 on arm guarantee? How should one enable secure boot on the ARM Juno platform? I've tried copying sections related to "SECURE_BOOT_ENABLE" from OpenPlatformPkg/Platforms/ARM/VExpress/* into corresponding files in OpenPlatformPkg/Platforms/ARM/Juno/ and setting SECURE_BOOT_ENABLE = True. After rebuilding edk2 and arm-tf for Juno, I did a sanity test to check if the kernel image is verified during boot. I didn't sign the kernel image or provide any certificate, etc. so I expect the boot process to fail at kernel verification. However, the boot process continue until the Linux shell prompt. What did I miss here? I also came across this doc which includes some instructions on secure boot: https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security Could you elaborate on how the DATA block (which include VARIABLE_STORE_HEADER) is created? Best Regards, Tommy IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

8 years

[PATCH v2 1/1] MM: Add SPM_BIN to support prebuilt secure partition image.

by Supreeth Venkatesh

This patch adds SPM_BIN to suport prebuilt secure partition image. For the moment, it assumes that secure partition image is STANDALONESMM image. The path is relative to $EDK2_DIR/Build/StandaloneSmmPkg/$BUILD_PROFILE/FV/. Also, this patch adds commandline "SPM=1" implicitly to build flags, when SPM_BIN is defined. SPM_BIN prebuilt image is passed in as a bl32 image to arm trusted firmware. Signed-off-by: Supreeth Venkatesh <supreeth.venkatesh(a)arm.com> --- Changes since v1: (*) Reword Commit Message. (*) Avoid references to SPD or TOS, though it still needs to evolve, since the final SPM code in arm-tf is not merged to master branch. --- atf-build.sh | 23 +++++++++++------------ platforms.config | 8 +++++--- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/atf-build.sh b/atf-build.sh index 5c45708..b72cfbb 100755 --- a/atf-build.sh +++ b/atf-build.sh @@ -118,21 +118,20 @@ function build_platform fi else # - # BL32 could be the secure partition. - # If TOS_DIR is not set and the SPD is none then include BL32 as a - # prebuilt secure partition. + # Since TOS_DIR is not set, user does not want a Trusted OS + # even if the source directory and/or binary for it exists. + # Next, Check whether user wants secure partition image. + # If SPM_BIN is set then include pre-built secure partition image as a + # BL32 Image and implicitly set SPM=1. # - SPD="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_spd`" - TOS_BIN="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o tos_bin`" + SPM_BIN="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o spm_bin`" - if [ X"$SPD" == X"none" ] && [ X"$TOS_BIN" != X"" ]; then - BL32=$EDK2_DIR/$TOS_BIN - SPD_OPTION="BL32=$BL32" - else - echo "WARNING: Proceeding without Secure Partition!" - echo " Please specify both ATF_SPD=none and TOS_BIN" - echo " if you wish to use a Secure Partition!" + if [ X"$SPM_BIN" != X"" ]; then + BL32=$EDK2_DIR/Build/StandaloneSmmPkg/$BUILD_PROFILE/FV/$SPM_BIN + PLATFORM_BUILDFLAGS="$PLATFORM_BUILDFLAGS SPM=1" fi + # We assume that user does not want secure partition either. + # Todo: Revisit if either one of Trusted OS or Secure Partition Image is Mandatory. fi diff --git a/platforms.config b/platforms.config index 0639583..6db1340 100644 --- a/platforms.config +++ b/platforms.config @@ -46,6 +46,9 @@ # - ATF_SPD Name of Secure Payload Dispatcher # To actually build the Trusted OS, you must also set # TOS_BIN. +# - SPM_BIN Prebuilt Secure Partition image to pass to ARM Trusted Firmware. +# The path is relative to +# $EDK2_DIR/Build/StandaloneSmmPkg/$BUILD_PROFILE/FV/. # # Optional options: # - BUILDFLAGS Any special flags you want to pass to the build command. @@ -107,9 +110,8 @@ BUILD_ATF=debug UEFI_BIN=FVP_AARCH64_EFI.fd UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-MM-Normal ATF_PLATFORM=fvp -TOS_BIN=Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESMM.fd -ATF_SPD=none -ATF_BUILDFLAGS=ARM_BL31_IN_DRAM=1 SPM=1 +SPM_BIN=STANDALONESMM.fd +ATF_BUILDFLAGS=ARM_BL31_IN_DRAM=1 [tc2] LONGNAME=Versatile Express TC2 -- 2.7.4

8 years

[PATCH] MM: Corrected TOS_BIN Path for STANDALONESMM image.

by Supreeth Venkatesh

This patch corrects TOS_BIN Path from "Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESMM.fd" to "Build/StandaloneSmmPkg/DEBUG_GCC5/FV/STANDALONESMM.fd"so that normal world firmware image package(fip) is generated successfully. Also, this patch adds commandline "SPM=1", when there is no secure payload dispatcher defined but TOS_BIN exists. Signed-off-by: Supreeth Venkatesh <supreeth.venkatesh(a)arm.com> --- atf-build.sh | 2 +- platforms.config | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/atf-build.sh b/atf-build.sh index 5c45708..1eb1c44 100755 --- a/atf-build.sh +++ b/atf-build.sh @@ -127,7 +127,7 @@ function build_platform if [ X"$SPD" == X"none" ] && [ X"$TOS_BIN" != X"" ]; then BL32=$EDK2_DIR/$TOS_BIN - SPD_OPTION="BL32=$BL32" + SPD_OPTION="SPM=1" else echo "WARNING: Proceeding without Secure Partition!" echo " Please specify both ATF_SPD=none and TOS_BIN" diff --git a/platforms.config b/platforms.config index 0639583..82b959c 100644 --- a/platforms.config +++ b/platforms.config @@ -107,9 +107,9 @@ BUILD_ATF=debug UEFI_BIN=FVP_AARCH64_EFI.fd UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-MM-Normal ATF_PLATFORM=fvp -TOS_BIN=Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESMM.fd +TOS_BIN=Build/StandaloneSmmPkg/DEBUG_GCC5/FV/STANDALONESMM.fd ATF_SPD=none -ATF_BUILDFLAGS=ARM_BL31_IN_DRAM=1 SPM=1 +ATF_BUILDFLAGS=ARM_BL31_IN_DRAM=1 [tc2] LONGNAME=Versatile Express TC2 -- 2.7.4

8 years, 1 month

[PATCH 0/5] OpenPlatformPkg: hacks to support RAS+SDEI on the FVP

by James Morse

Hi Leif, Achin, These are the OpenPlatformPkg parts of the RAS with SDEI demo on the FVP. There is no intention of upstreaming this, it's intended as a short-lived staging/topic branch, to be replaced by a proper version incorporating the MM work. This is just a bunch of hacks that let us work on the ATF<->Linux and MM stuff separately. Unfortunately this is based on an old commit: 4e9cfc934508 ("Platforms/ARM: Juno - add Uhci/Xhci drivers"). due to a mixture of ignorance and laziness, (shuffle compiler versions and branches until you find a combination that builds). MangleHEST? This is a short-lived efi-application that runs before the kernel to fixup the hard-coded HEST by allocating memory for the CPER records and re-writing the table. Obviously no real system should ever do this, this too will be replaced by a proper version that generates a correct HEST all in one go. Thanks, James Ard Biesheuvel (1): Platforms/FVP: Fix MADT to run the Foundation model in GICv3 mode with 4 CPUs James Morse (4): Platforms/FVP: Update FADT to ACPIv6 Platforms/FVP: Build MangleHEST, not LinuxLoader Platforms/FVP: Add SDEI and HEST ACPI tables Platforms/FVP: Correct PMU IRQ and GTDT timer offset .../AcpiTables/rtsm_ve-aemv8a/AcpiTables.inf | 2 + .../VExpress/AcpiTables/rtsm_ve-aemv8a/apic.asl | 124 ++++----------------- .../VExpress/AcpiTables/rtsm_ve-aemv8a/facp.asl | 6 +- .../VExpress/AcpiTables/rtsm_ve-aemv8a/gtdt.asl | 2 +- .../VExpress/AcpiTables/rtsm_ve-aemv8a/hest.asl | 48 ++++++++ .../VExpress/AcpiTables/rtsm_ve-aemv8a/sdei.asl | 18 +++ Platforms/ARM/VExpress/ArmVExpress-FVP-AArch64.dsc | 2 + Platforms/ARM/VExpress/ArmVExpress-FVP-AArch64.fdf | 2 +- Platforms/ARM/VExpress/ArmVExpress.dsc.inc | 2 +- 9 files changed, 100 insertions(+), 106 deletions(-) create mode 100644 Platforms/ARM/VExpress/AcpiTables/rtsm_ve-aemv8a/hest.asl create mode 100644 Platforms/ARM/VExpress/AcpiTables/rtsm_ve-aemv8a/sdei.asl -- 2.11.0

8 years, 1 month

[PATCH 0/6] OpenPlatformPkg/AMD updates

by Ard Biesheuvel

This is what I have queued up for AMD Overdrive over the past couple of months. Some fixes and some features that would be good to get merged. Note that this only contains the SMMU support for the OS, not for UEFI itself. Most notably, there is now a dynamic PCD + UEFI var that needs to be set for the DT SMMU nodes and the ACPI IORT table to appear. Ard Biesheuvel (6): Platforms/AMD/Styx: remove unused PCD 'PcdStyxFdt' Platforms/AMD/Overdrive: add dynamic PCD to control SMMU availibility Platforms/AMD/Styx: enable SMMUs in the ACPI IORT table Platforms/AMD/Styx: enable SMMUs in the device tree Platforms/AMD/Overdrive: fix GIC MMIO region sizes Platforms/AMD/Styx: align UEFI PCI bus range with DT/ACPI descriptions Platforms/AMD/Styx/AcpiTables/AcpiTables.inf | 1 + Platforms/AMD/Styx/AcpiTables/Iort.c | 375 ++++++++++++++++++++ Platforms/AMD/Styx/AmdStyx.dec | 10 +- Platforms/AMD/Styx/Common/AmdStyxAcpiLib.h | 1 + Platforms/AMD/Styx/Drivers/AcpiPlatformDxe/AcpiPlatform.c | 6 +- Platforms/AMD/Styx/Drivers/AcpiPlatformDxe/AcpiPlatformDxe.inf | 6 +- Platforms/AMD/Styx/Library/StyxDtbLoaderLib/StyxDtbLoaderLib.c | 51 +++ Platforms/AMD/Styx/Library/StyxDtbLoaderLib/StyxDtbLoaderLib.inf | 3 +- Platforms/AMD/Styx/OverdriveBoard/FdtBlob/styx-overdrive.dtb | Bin 8293 -> 9357 bytes Platforms/AMD/Styx/OverdriveBoard/FdtBlob/styx-overdrive.dts | 76 +++- Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc | 6 +- 11 files changed, 523 insertions(+), 12 deletions(-) create mode 100644 Platforms/AMD/Styx/AcpiTables/Iort.c -- 2.9.3

8 years, 1 month

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Linaro-uefi June 2017