Enable secure boot to fix AuthVar issue: RT.SetVariable - Set Invalid Time Base Auth Variable – FAILURE; RT.SetVariable - Create one Time Base Auth Variable, the expect return status should be EFI_SUCCESS – FAILURE.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ming Huang ming.huang@linaro.org --- Silicon/Hisilicon/Hisilicon.dsc.inc | 16 ++++++++++++++++ Platform/Hisilicon/D06/D06.dsc | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Silicon/Hisilicon/Hisilicon.dsc.inc b/Silicon/Hisilicon/Hisilicon.dsc.inc index 3ac8e20232..6515c0d703 100644 --- a/Silicon/Hisilicon/Hisilicon.dsc.inc +++ b/Silicon/Hisilicon/Hisilicon.dsc.inc @@ -89,8 +89,15 @@
SemihostLib|ArmPkg/Library/SemihostLib/SemihostLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif
# BDS Libraries FdtLib|EmbeddedPkg/Library/FdtLib/FdtLib.inf @@ -217,6 +224,9 @@ !if $(TARGET) != RELEASE DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif
[LibraryClasses.AARCH64] ArmGenericTimerCounterLib|ArmPkg/Library/ArmGenericTimerPhyCounterLib/ArmGenericTimerPhyCounterLib.inf @@ -326,6 +336,12 @@ gEmbeddedTokenSpaceGuid.PcdTimerPeriod|10000 gArmTokenSpaceGuid.PcdVFPEnabled|1 gEfiMdePkgTokenSpaceGuid.PcdUartDefaultReceiveFifoDepth|32 +!if $(SECURE_BOOT_ENABLE) == TRUE + # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04 + gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04 +!endif
[PcdsDynamicHii.common.DEFAULT] gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10 # Variable: L"Timeout" diff --git a/Platform/Hisilicon/D06/D06.dsc b/Platform/Hisilicon/D06/D06.dsc index b6ef9fedf0..8ee20342b1 100644 --- a/Platform/Hisilicon/D06/D06.dsc +++ b/Platform/Hisilicon/D06/D06.dsc @@ -30,7 +30,7 @@ FLASH_DEFINITION = Platform/Hisilicon/$(PLATFORM_NAME)/$(PLATFORM_NAME).fdf DEFINE NETWORK_IP6_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE - DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = TRUE
!include Silicon/Hisilicon/Hisilicon.dsc.inc