
Commit ac6b04f

apalos authored and Sughosh Ganu committed
StMMRpmb: Add support for building StandaloneMm image for OP-TEE
With some recent changes in OP-TEE [1] and U-Boot [2] we can compile StMM and launch it from an OP-TEE secure partition which is mimicking SPM. There are a number of advantages in this approach.

In the Arm world SPM, currently used for dispatching StMM, and SPD, used for OP-TEE, are mutually exclusive. Since there's no application in OP-TEE for managing EFI variables, this means that one can have a secure OS or secure variable storage. By re-using StMM we have EDK2's approved application controlling variable storage and the ability to run a secure world OS. This also allows various firmware implementations to adopt the EDK2 way of storing variables (including the FTW implementation), as long as OP-TEE is available on that given platform (or any other secure OS that can launch StMM and has a supplicant for handling the RPMB partition).

Another advantage is that OP-TEE has the ability to access an eMMC RPMB partition to store those variables. This requires a normal world supplicant, which is implemented in U-Boot currently. The supplicant picks up the encrypted buffer from OP-TEE and wires it to the eMMC driver(s). Similar functionality can be added in EDK2 by porting the supplicant and adapting it to use the native eMMC drivers.

There is one drawback in using OP-TEE. The current SPM calls need to run to completion. This contradicts the current OP-TEE RPC call requirements, used to access the RPMB storage. That leads to two different SMC calls for entering secure world to access StMM.

So let's add support for a platform that compiles StMM and an RPMB driver that communicates with OP-TEE to read/write the variables.

For anyone interested in testing this there's a repo that builds all the sources and works on QEMU [3].

[1] OP-TEE/optee_os#3973
[2] http://u-boot.10912.n7.nabble.com/PATCH-0-7-v4-EFI-variable-support-via-OP-TEE-td412499.html
[3] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
1 parent e20b999 commit ac6b04f

File tree

2 files changed

+279
-0
lines changed

+168
@@ -0,0 +1,168 @@
1+
#
2+
# Copyright (c) 2018, ARM Limited. All rights reserved.
3+
# Copyright (c) 2020, Linaro Ltd. All rights reserved.
4+
#
5+
# SPDX-License-Identifier: BSD-2-Clause-Patent
6+
#
7+
8+
################################################################################
9+
#
10+
# Defines Section - statements that will be processed to create a Makefile.
11+
#
12+
################################################################################
13+
[Defines]
14+
PLATFORM_NAME = MmStandaloneRpmb
15+
PLATFORM_GUID = A27A486E-D7B9-4D70-9F37-FED9ABE041A2
16+
PLATFORM_VERSION = 1.0
17+
DSC_SPECIFICATION = 0x00010011
18+
OUTPUT_DIRECTORY = Build/$(PLATFORM_NAME)
19+
SUPPORTED_ARCHITECTURES = AARCH64
20+
BUILD_TARGETS = DEBUG|RELEASE|NOOPT
21+
SKUID_IDENTIFIER = DEFAULT
22+
FLASH_DEFINITION = Platform/StMMRpmb/PlatformStandaloneMm.fdf
23+
DEFINE DEBUG_MESSAGE = TRUE
24+
25+
# LzmaF86
26+
DEFINE COMPRESSION_TOOL_GUID = D42AE6BD-1352-4bfb-909A-CA72A6EAE889
27+
28+
################################################################################
29+
#
30+
# Library Class section - list of all Library Classes needed by this Platform.
31+
#
32+
################################################################################
33+
[LibraryClasses]
34+
ArmSvcLib|ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
35+
ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
36+
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
37+
SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
38+
VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
39+
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
40+
DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
41+
DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
42+
ExtractGuidedSectionLib|EmbeddedPkg/Library/PrePiExtractGuidedSectionLib/PrePiExtractGuidedSectionLib.inf
43+
FvLib|StandaloneMmPkg/Library/FvLib/FvLib.inf
44+
HobLib|StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.inf
45+
IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
46+
MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMemLib.inf
47+
MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmCoreMemoryAllocationLib/StandaloneMmCoreMemoryAllocationLib.inf
48+
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
49+
PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
50+
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
51+
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
52+
ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
53+
54+
#
55+
# Entry point
56+
#
57+
#StandaloneMmCoreEntryPoint|StandaloneMmPkg/Library/StandaloneMmCoreEntryPoint/StandaloneMmCoreEntryPoint.inf
58+
StandaloneMmCoreEntryPoint|StandaloneMmPkg/Library/StandaloneMmCoreEntryPoint/StandaloneMmCoreEntryPoint.inf
59+
StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf
60+
61+
StandaloneMmMmuLib|ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.inf
62+
#CacheMaintenanceLib|ArmPkg/Library/ArmCacheMaintenanceLib/ArmCacheMaintenanceLib.inf
63+
CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLibNull/BaseCacheMaintenanceLibNull.inf
64+
PeCoffExtraActionLib|StandaloneMmPkg/Library/StandaloneMmPeCoffExtraActionLib/StandaloneMmPeCoffExtraActionLib.inf
65+
RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
66+
67+
SerialPortLib|MdePkg/Library/BaseSerialPortLibNull/BaseSerialPortLibNull.inf
68+
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
69+
70+
#
71+
# It is not possible to prevent the ARM compiler for generic intrinsic functions.
72+
# This library provides the intrinsic functions generate by a given compiler.
73+
# NULL means link this library into all ARM images.
74+
#
75+
NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
76+
77+
[LibraryClasses.common.MM_STANDALONE]
78+
HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf
79+
MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
80+
MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
81+
82+
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
83+
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
84+
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
85+
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
86+
TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
87+
################################################################################
88+
#
89+
# Pcd Section - list of all EDK II PCD Entries defined by this Platform
90+
#
91+
################################################################################
92+
93+
[PcdsFeatureFlag.common]
94+
gArmTokenSpaceGuid.PcdFfaEnable|TRUE
95+
96+
[PcdsFixedAtBuild]
97+
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800000CF
98+
gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xff
99+
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0f
100+
101+
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x2
102+
# Secure Storage
103+
gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
104+
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
105+
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
106+
107+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0x00004000
108+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize|0x00004000
109+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize|0x00004000
110+
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x00004000
111+
112+
[PcdsPatchableInModule]
113+
# Allocated memory for EDK2 uppers layers
114+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase|0x0
115+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0x0
116+
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0x0
117+
118+
###################################################################################################
119+
#
120+
# Components Section - list of the modules and components that will be processed by compilation
121+
# tools and the EDK II tools to generate PE32/PE32+/Coff image files.
122+
#
123+
# Note: The EDK II DSC file is not used to specify how compiled binary images get placed
124+
# into firmware volume images. This section is just a list of modules to compile from
125+
# source into UEFI-compliant binaries.
126+
# It is the FDF file that contains information on combining binary files into firmware
127+
# volume images, whose concept is beyond UEFI and is described in PI specification.
128+
# Binary modules do not need to be listed in this section, as they should be
129+
# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi),
130+
# Logo (Logo.bmp), and etc.
131+
# There may also be modules listed in this section that are not required in the FDF file,
132+
# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be
133+
# generated for it, but the binary will not be put into any firmware volume.
134+
#
135+
###################################################################################################
136+
[Components.common]
137+
#
138+
# Standalone MM components
139+
#
140+
Drivers/OpTeeRpmb/OpTeeRpmbFv.inf
141+
StandaloneMmPkg/Core/StandaloneMmCore.inf
142+
StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
143+
MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf {
144+
<LibraryClasses>
145+
NULL|Drivers/OpTeeRpmb/FixupPcd.inf
146+
}
147+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf {
148+
<LibraryClasses>
149+
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
150+
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
151+
DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
152+
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
153+
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
154+
NULL|Drivers/OpTeeRpmb/FixupPcd.inf
155+
}
156+
157+
###################################################################################################
158+
#
159+
# BuildOptions Section - Define the module specific tool chain flags that should be used as
160+
# the default flags for a module. These flags are appended to any
161+
# standard flags that are defined by the build process. They can be
162+
# applied for any modules or only those modules with the specific
163+
# module style (EDK or EDKII) specified in [Components] section.
164+
#
165+
###################################################################################################
166+
[BuildOptions.AARCH64]
167+
GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 -march=armv8-a+nofp
168+
GCC:*_*_*_CC_FLAGS = -mstrict-align
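Review bot: the pairing of `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE` in the "# Secure Storage" block with `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf` needs a comment explaining why it is safe here. AuthVariableLib (linked into VariableStandaloneMm.inf below) consults UserPhysicalPresent() when deciding whether PK/KEK/db/dbx updates in custom Secure Boot mode may skip signature verification, so an unconditional TRUE means every caller that reaches the StMM variable service over the SMC path is treated as a physically present user. If that is acceptable because only trusted firmware can reach this partition, state it next to the PCD; otherwise a platform-specific PlatformSecureLib is required. Two smaller points in the same file: DebugLib is mapped twice in [LibraryClasses] (first to BaseDebugLibSerialPort, later to BaseDebugLibNull); the later mapping wins, and together with BaseSerialPortLibNull it silences all DEBUG output even though `DEFINE DEBUG_MESSAGE = TRUE` and PcdDebugPrintErrorLevel are set, so keep one mapping and make the intent explicit. The commented-out `#StandaloneMmCoreEntryPoint|...` and `#CacheMaintenanceLib|ArmPkg/...` lines are leftovers and should be dropped. Lastly, RngLib resolves to BaseRngLibNull while OpensslLib and AuthVariableLib are linked in; PKCS7 verification of authenticated variables needs no entropy, but a one-line comment saying that this image has no random source would save the next reader from assuming otherwise.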
+111
@@ -0,0 +1,111 @@
1+
#
2+
# Copyright (c) 2018, ARM Limited. All rights reserved.
3+
# Copyright (c) 2020, Linaro Ltd. All rights reserved.
4+
#
5+
# SPDX-License-Identifier: BSD-2-Clause-Patent
6+
#
7+
8+
################################################################################
9+
#
10+
# FD Section
11+
# The [FD] Section is made up of the definition statements and a
12+
# description of what goes into the Flash Device Image. Each FD section
13+
# defines one flash "device" image. A flash device image may be one of
14+
# the following: Removable media bootable image (like a boot floppy
15+
# image,) an Option ROM image (that would be "flashed" into an add-in
16+
# card,) a System "Flash" image (that would be burned into a system's
17+
# flash) or an Update ("Capsule") image that will be used to update and
18+
# existing system flash.
19+
#
20+
################################################################################
21+
22+
[FD.BL32_AP_MM]
23+
BaseAddress = 0x1000 # any address apart from 0x0
24+
Size = 0x00300000
25+
ErasePolarity = 1
26+
27+
BlockSize = 0x00001000
28+
NumBlocks = 0x0300
29+
30+
################################################################################
31+
#
32+
# Following are lists of FD Region layout which correspond to the locations of different
33+
# images within the flash device.
34+
#
35+
# Regions must be defined in ascending order and may not overlap.
36+
#
37+
# A Layout Region start with a eight digit hex offset (leading "0x" required) followed by
38+
# the pipe "|" character, followed by the size of the region, also in hex with the leading
39+
# "0x" characters. Like:
40+
# Offset|Size
41+
# PcdOffsetCName|PcdSizeCName
42+
# RegionType <FV, DATA, or FILE>
43+
#
44+
################################################################################
45+
46+
0x00000000|0x00280000
47+
FV = FVMAIN_COMPACT
48+
49+
[FV.FVMAIN_COMPACT]
50+
FvAlignment = 8
51+
ERASE_POLARITY = 1
52+
MEMORY_MAPPED = TRUE
53+
STICKY_WRITE = TRUE
54+
LOCK_CAP = TRUE
55+
LOCK_STATUS = TRUE
56+
WRITE_DISABLED_CAP = TRUE
57+
WRITE_ENABLED_CAP = TRUE
58+
WRITE_STATUS = TRUE
59+
WRITE_LOCK_CAP = TRUE
60+
WRITE_LOCK_STATUS = TRUE
61+
READ_DISABLED_CAP = TRUE
62+
READ_ENABLED_CAP = TRUE
63+
READ_STATUS = TRUE
64+
READ_LOCK_CAP = TRUE
65+
READ_LOCK_STATUS = TRUE
66+
67+
INF StandaloneMmPkg/Core/StandaloneMmCore.inf
68+
INF Drivers/OpTeeRpmb/OpTeeRpmbFv.inf
69+
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf
70+
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
71+
INF StandaloneMmPkg/Drivers/StandaloneMmCpu/AArch64/StandaloneMmCpu.inf
72+
################################################################################
73+
#
74+
# Rules are use with the [FV] section's module INF type to define
75+
# how an FFS file is created for a given INF file. The following Rule are the default
76+
# rules for the different module type. User can add the customized rules to define the
77+
# content of the FFS file.
78+
#
79+
################################################################################
80+
81+
82+
############################################################################
83+
# Example of a DXE_DRIVER FFS file with a Checksum encapsulation section #
84+
############################################################################
85+
#
86+
#[Rule.Common.DXE_DRIVER]
87+
# FILE DRIVER = $(NAMED_GUID) {
88+
# DXE_DEPEX DXE_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
89+
# COMPRESS PI_STD {
90+
# GUIDED {
91+
# PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
92+
# UI STRING="$(MODULE_NAME)" Optional
93+
# VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
94+
# }
95+
# }
96+
# }
97+
#
98+
############################################################################
99+
100+
[Rule.Common.MM_CORE_STANDALONE]
101+
FILE SEC = $(NAMED_GUID) FIXED {
102+
PE32 PE32 Align = Auto $(INF_OUTPUT)/$(MODULE_NAME).efi
103+
}
104+
105+
[Rule.Common.MM_STANDALONE]
106+
FILE MM_STANDALONE = $(NAMED_GUID) {
107+
SMM_DEPEX SMM_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
108+
PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
109+
UI STRING="$(MODULE_NAME)" Optional
110+
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
111+
}
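Review bot: the comment on `BaseAddress = 0x1000 # any address apart from 0x0` states a constraint without giving the reason; say which consumer of the FD base rejects zero so that nobody later "fixes" it to 0x0. In the same [FD.BL32_AP_MM] section, Size = 0x00300000 and NumBlocks = 0x0300 describe a 3 MiB device but the only region placed in it is `0x00000000|0x00280000`, leaving the top 0x80000 undescribed; if that headroom is deliberate, a comment would help, otherwise the region size should match the FD size. The commented-out `[Rule.Common.DXE_DRIVER]` example under "Example of a DXE_DRIVER FFS file with a Checksum encapsulation section" is template residue with no DXE_DRIVER module in this FV and can be removed.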
