Fix Secure Boot build

First, there's a build failure. The inclusion of SecureBootConfig.inf isn't allowed because embedded has no configuration menus Then we hit asserts on running, so remove them. The first one is a simple ASSERT(FALSE) that Intel put into the code to prevent anyone running secure boot. The next is an assert on a now non-existent Quark lockdown variable and the final few are asserting the presence of various secure boot keys we don't want. Finally we need to patch edk2 to compute hashes correctly on IA 32 and add secure boot to the build and away we go. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
author: James Bottomley <JBottomley@Parallels.com> 2015-01-25 10:36:30 -0800
committer: James Bottomley <JBottomley@Parallels.com> 2015-01-25 10:44:13 -0800
commit: e6873827a21b7b6549591b2fc48d5b30a6df9864 (patch)
tree: 4e2845a5fa7690136df33bca84d08ff3e81ad39e
parent: 116c84d551b121fb8098fa000bfec4af260ade60 (diff)
download: Quark_EDKII-e6873827a21b7b6549591b2fc48d5b30a6df9864.tar.gz
7 files changed, 58 insertions, 13 deletions
diff --git a/DxeImageVerificationLib-fix.diff b/DxeImageVerificationLib-fix.diff
new file mode 100644
index 0000000..19dc895
--- /dev/null
+++ b/DxeImageVerificationLib-fix.diff
@@ -0,0 +1,37 @@
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b3be566..a2523f5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -544,6 +544,18 @@ HashPeImage (
+       if (!Status) {
+         goto Done;
+       }
++      /*
++       * Problem: some unsigned PECOFF binaries don't always end on an aligned
++       * size. For this case, pad them with zeros up to the aligned size
++       */
++      if (ALIGN_SIZE(mImageSize)) {
++	UINT64 zerofill = 0;
++
++	Status  = mHash[HashAlg].HashUpdate(HashCtx, &zerofill, ALIGN_SIZE(mImageSize));
++	if (!Status) {
++	  goto Done;
++	}
++      }
+     } else if (mImageSize < CertSize + SumOfBytesHashed) {
+       Status = FALSE;
+       goto Done;
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
+index 55371e9..bdf27ac 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
+@@ -43,6 +43,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ #define MAX_NOTIFY_STRING_LEN             64
+ #define TWO_BYTE_ENCODE                   0x82
+ 
++#define ALIGNMENT_SIZE                    8
++#define ALIGN_SIZE(a) (((a) % ALIGNMENT_SIZE) ? ALIGNMENT_SIZE - ((a) % ALIGNMENT_SIZE) : 0)
++
+ //
+ // Image type definitions
+ //
diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 25e54a8..f998c1d 100755
--- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -318,7 +318,8 @@ PlatformBootManagerBeforeConsole (
     //
     // UEFI Secure boot not supported / validated for this firmware release.
     //
-    ASSERT (FALSE);
+    DEBUG ((EFI_D_INFO, "GOT PAST PLATFORM SECURE BOOT ASSERTION FAILURE"));
+    //ASSERT (FALSE);
 
   }
 
diff --git a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
index c95059c..3a1d430 100644
--- a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
+++ b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
@@ -479,7 +479,9 @@ PlatformFlashLockPolicy (
                  (VOID *)NULL
                  );
 
-    ASSERT_EFI_ERROR (Status);
+    //ASSERT_EFI_ERROR (Status);
+
+    DEBUG((EFI_D_INFO, "No QUARK LOCK VARIABLE %s status %r\n", QUARK_VARIABLE_LOCK_NAME, Status));
   }
 }
 
diff --git a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
index a29b87f..534a058 100644
--- a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
+++ b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
@@ -490,7 +490,7 @@ PlatformValidateSecureBootVars (
         Stats.DbEnrolled,
         Stats.DbxEnrolled
         ));
-      ASSERT (Stats.PkEnrolled && Stats.KekEnrolled && Stats.DbEnrolled && Stats.DbxEnrolled);
+      //ASSERT (Stats.PkEnrolled && Stats.KekEnrolled && Stats.DbEnrolled && Stats.DbxEnrolled);
       DEBUG (
         (EFI_D_INFO, "ValidateSecureBoot: Attributes pk:kek:db:dbx 0x%08x:0x%08x:0x%08x:0x%08x\n",
         Stats.PkAttributes,
@@ -498,18 +498,18 @@ PlatformValidateSecureBootVars (
         Stats.DbAttributes,
         Stats.DbxAttributes
         ));
-      ASSERT (
-        ((Stats.PkAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
-        ((Stats.KekAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
-        ((Stats.DbAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
-        ((Stats.DbxAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)
-        );
+      //ASSERT (
+      //((Stats.PkAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
+      //((Stats.KekAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
+      //((Stats.DbAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
+      //((Stats.DbxAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)
+      //);
       DEBUG (
         (EFI_D_INFO, "ValidateSecureBoot: KekCertCounts X509:Rsa2048 %d:%d\n",
         Stats.KekX509CertCount,
         Stats.KekRsa2048CertCount
         ));
-      ASSERT (Stats.KekX509CertCount > 0 || Stats.KekRsa2048CertCount > 0);
+      //ASSERT (Stats.KekX509CertCount > 0 || Stats.KekRsa2048CertCount > 0);
     }
   }
 }
diff --git a/QuarkPlatformPkg/QuarkPlatformPkg.dsc b/QuarkPlatformPkg/QuarkPlatformPkg.dsc
index a2fb5b6..3619d7e 100755
--- a/QuarkPlatformPkg/QuarkPlatformPkg.dsc
+++ b/QuarkPlatformPkg/QuarkPlatformPkg.dsc
@@ -512,7 +512,7 @@
   !ifdef SECURE_BOOT
     SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf
     SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
-    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+#    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
   !else
     MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
     QuarkPlatformPkg/Override/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
diff --git a/QuarkPlatformPkg/QuarkPlatformPkg.fdf b/QuarkPlatformPkg/QuarkPlatformPkg.fdf
index 75861a9..bd85d50 100755
--- a/QuarkPlatformPkg/QuarkPlatformPkg.fdf
+++ b/QuarkPlatformPkg/QuarkPlatformPkg.fdf
@@ -800,7 +800,7 @@ INF  QuarkPlatformPkg/Override/MdeModulePkg/Universal/FaultTolerantWriteDxe/Faul
 !ifdef SECURE_BOOT
 INF  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf
 INF  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
-INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+#INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !else
 INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
 INF  QuarkPlatformPkg/Override/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
diff --git a/build.sh b/build.sh
index 399b5d3..dba78ad 100644
--- a/build.sh
+++ b/build.sh
@@ -18,6 +18,11 @@ if [ ! -d openssl-0.9.8w ]; then
     sh ./Install.sh
 fi
 popd
+#
+# Need to apply patch for generating correct hashes on IA32
+if [ ! -f SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c.orig ]; then
+    patch -p1 < DxeImageVerificationLib-fix.diff
+fi
 # now initialise the edk2environment using the QuarkPlatformPkg Overrides
 cp .module/edk2/edksetup.sh .
 mkdir Conf
@@ -36,7 +41,7 @@ flags="-DDEBUG_PRINT_ERROR_LEVEL=0x80000042 -DDEBUG_PROPERTY_MASK=0x27"
 ##
 # You probably have gcc 4.8 or 4.9, but this doesn't seem to matter
 toolchain=GCC47
-build -a IA32 -b ${type} -y Report.log -t ${toolchain} -p QuarkPlatformPkg/QuarkPlatformPkg.dsc ${flags}
+build -a IA32 -b ${type} -y Report.log -t ${toolchain} -p QuarkPlatformPkg/QuarkPlatformPkg.dsc ${flags} -DSECURE_BOOT
 # finally, the spi flash tools are going to need the capsule creator, so build it
 make -C QuarkPlatformPkg/Tools/CapsuleCreate
 #
author	James Bottomley <JBottomley@Parallels.com>	2015-01-25 10:36:30 -0800
committer	James Bottomley <JBottomley@Parallels.com>	2015-01-25 10:44:13 -0800
commit	e6873827a21b7b6549591b2fc48d5b30a6df9864 (patch)
tree	4e2845a5fa7690136df33bca84d08ff3e81ad39e
parent	116c84d551b121fb8098fa000bfec4af260ade60 (diff)
download	Quark_EDKII-e6873827a21b7b6549591b2fc48d5b30a6df9864.tar.gz