Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UefiPayloadPkg: Add Secure Boot support #6222

Merged
merged 1 commit into from
Oct 9, 2024
Merged

UefiPayloadPkg: Add Secure Boot support #6222

merged 1 commit into from
Oct 9, 2024

Conversation

Sean-StarLabs
Copy link
Contributor

@Sean-StarLabs Sean-StarLabs commented Sep 19, 2024
edited
Loading

Introduce Secure Boot functionality within UefiPayloadPkg by adding necessary modules and configurations. A new build flag, SECURE_BOOT_ENABLE, is introduced to control the activation of Secure Boot.

This patch also overrides values in SecurityPkg to enforce image verification from all sources.

A new FV (SECURITY_FV) for security modules is added for components and the firmware volume sizes to accommodate additional Secure Boot components.

Cc: Guo Dong [email protected]
Cc: Ray Ni [email protected]
Cc: James Lu [email protected]
Cc: Gua Guo [email protected]

@Sean-StarLabs Sean-StarLabs requested review from gguo11837463 and removed request for jameslu8 and gguo11837463 September 19, 2024 19:47
@Sean-StarLabs Sean-StarLabs force-pushed the wip/sean/sb branch 2 times, most recently from a78bc3d to 0367460 Compare September 23, 2024 15:32
@benjamindoron
Copy link
Contributor

benjamindoron commented Sep 24, 2024
edited
Loading

This always adds SecureBootConfigDxe into the main UefiPayload FV. I'm assuming that the purpose of the SECURITY_FV is for UPL, to allow builders to override features at the security/network/BDS scope. Shouldn't we follow the example of BdsDxe, for example, and not include it in the main FV in the case of UPL?

Also, this isn't yet hooked up for UPL. I believe 05da2d2 is an example of how you can do it, but the script has changed a bit since.

@Sean-StarLabs Sean-StarLabs force-pushed the wip/sean/sb branch 2 times, most recently from 44b4d6a to ce60f17 Compare September 25, 2024 07:56
benjamindoron
benjamindoron suggested changes Sep 25, 2024
View reviewed changes
Copy link
Contributor

@benjamindoron benjamindoron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should follow the example of other 'UPL' FVs, and conditionally compile the drivers into either the main FV or a feature-specific 'UPL' one, but not both.

@benjamindoron benjamindoron mentioned this pull request Sep 25, 2024
Closed
@LeanSheng
Copy link
Contributor

@gdong1 wonder if @Sean-StarLabs should also add secureboot to yaml CI like this?616b048

But we have no idea how would it work, wonder if you know?

@LeanSheng
Copy link
Contributor

@Sean-StarLabs do you want to mark those comments as resolved? Only you can do it I think.

@tianocore-assign-reviewers
Copy link

WARNING: Cannot add some reviewers: A user specified as a reviewer for this PR is not a collaborator of the repository. Please add them as a collaborator to the repository so they can be requested in the future.

Non-collaborators requested:

Attn Admins:

Admin Instructions:

  • Add the non-collaborators as collaborators to the appropriate team(s) listed in teams
  • If they are no longer needed as reviewers, remove them from Maintainers.txt

@benjamindoron benjamindoron added the push Auto push patch series in PR if all checks pass label Oct 9, 2024
@LeanSheng
Copy link
Contributor

@Sean-StarLabs can you rebase it? or how can maintainer help to rebase it?

@gdong1
Copy link
Contributor

gdong1 commented Oct 9, 2024

To merge this PR, need fix the CI failures.

@Sean-StarLabs
UefiPayloadPkg: Add Secure Boot support
3a606c0 
Introduce Secure Boot functionality within UefiPayloadPkg by adding
necessary modules and configurations. A new build flag,
`SECURE_BOOT_ENABLE`, is introduced to control the activation of
Secure Boot.

This patch also overrides values in SecurityPkg to enforce image
verification from all sources.

A new FV (`SECURITY_FV`) for security modules is added for components
and the firmware volume sizes to accommodate additional Secure Boot
components.

Cc: Guo Dong <[email protected]>
Cc: Ray Ni <[email protected]>
Cc: James Lu <[email protected]>
Cc: Gua Guo <[email protected]>
Signed-off-by: Sean Rhodes <[email protected]>
@mergify mergify bot merged commit da1c6dd into tianocore:master Oct 9, 2024
126 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LeanSheng LeanSheng LeanSheng left review comments

@gguo11837463 gguo11837463 gguo11837463 approved these changes

@gdong1 gdong1 gdong1 approved these changes

@benjamindoron benjamindoron benjamindoron approved these changes

@LiuZhiguang001 LiuZhiguang001 Awaiting requested review from LiuZhiguang001

@jameslu8 jameslu8 Awaiting requested review from jameslu8

Assignees
No one assigned
Labels
push Auto push patch series in PR if all checks pass
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Sean-StarLabs @benjamindoron @LeanSheng @gdong1 @gguo11837463