From ed3710712c1ecd6be7584f2c9913e3e16494a53e Mon Sep 17 00:00:00 2001
From: Kun Qin
Date: Wed, 7 Sep 2022 17:53:45 +0000
Subject: [PATCH] Merged PR 5990: Conditionally supply the unsigned xml list to DFCI

This is a platform change to supply the unsigned xml list to DFCI. By default, the system will populate the default dynamic PCD of file GUID during build time. During PEI phase, the `ConfDfciUnsignedListInit` will check the system operation state and potentially invalidate the PCD with a null value to prevent system accepting any incoming unsigned settings.
---
 Common/MU_OEM_SAMPLE | 2 +-
 .../ConfigSystemModeLib.c | 29 +++++++++++++++
 .../ConfigSystemModeLib.inf | 35 +++++++++++++++++++
 Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml | 3 +-
 Platforms/QemuQ35Pkg/QemuQ35Pkg.dec | 3 ++
 Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc | 10 +++++-
 Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf | 3 +-
 mu_config_ext_dep.yaml | 2 +-
 8 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c
 create mode 100644 Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
diff --git a/Common/MU_OEM_SAMPLE b/Common/MU_OEM_SAMPLE
index 84aed7aa..20cb4a03 160000
--- a/Common/MU_OEM_SAMPLE
+++ b/Common/MU_OEM_SAMPLE
@@ -1 +1 @@
-Subproject commit 84aed7aa4433427d40af809f28f5db86d6c513ab
+Subproject commit 20cb4a03df74656e48200f1ff18613fc8679e7b8
diff --git a/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c
new file mode 100644
index 00000000..c4da5749
--- /dev/null
+++ b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c
@@ -0,0 +1,29 @@
+/* @file ConfigSystemModeLib.c
+
+ MFCI based library instance for system mode related functions for
+ configuration modules on QEMU Q35 platform.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include
+
+#include
+
+/**
+ This routine indicates if the system is in Manufacturing Mode.
+ Platforms may have a manufacturing mode. Configuration update
+ will only be allowed in such mode.
+
+ @retval TRUE The device is in Manufacturing Mode.
+ @retval FALSE The device is in Customer Mode.
+**/
+BOOLEAN
+EFIAPI
+IsSystemInManufacturingMode (
+ VOID
+ )
+{
+ return (GetMfciSystemOperationMode () == OEM_UEFI_MANUFACTURING_MODE);
+}
diff --git a/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
new file mode 100644
index 00000000..abfe2da3
--- /dev/null
+++ b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
@@ -0,0 +1,35 @@
+## @file ConfigSystemModeLib.inf
+#
+# MFCI based library instance for system mode related functions for
+# configuration modules.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+
+[Defines]
+ INF_VERSION = 0x00010017
+ BASE_NAME = ConfigSystemModeLib
+ FILE_GUID = 82554E59-4F01-41EE-A3FF-C6C806761FE5
+ VERSION_STRING = 1.0
+ MODULE_TYPE = BASE
+ LIBRARY_CLASS = ConfigSystemModeLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = ANY
+#
+
+[Sources]
+ ConfigSystemModeLib.c
+
+[LibraryClasses]
+ OemMfciLib
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MfciPkg/MfciPkg.dec
+ OemPkg/OemPkg.dec
diff --git a/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml b/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml
index a9e13384..b1fa36f1 100644
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml
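Review bot: `IsSystemInManufacturingMode` reports TRUE only for an exact `OEM_UEFI_MANUFACTURING_MODE` result, so every other value `GetMfciSystemOperationMode ()` can return, including whatever it yields when MFCI state cannot be established, is reported as customer mode; that fail-closed property is the reason this library exists and should be stated on the return line: `// Anything but an affirmative manufacturing-mode answer (including an undetermined MFCI state) is customer mode, so unsigned configuration updates stay rejected.` The file header opens with `/* @file` but closes with `**/`; the EDK II convention is `/** @file`, which documentation tooling keys on. The two `#include` lines show no header names in this rendering, so the header that declares `GetMfciSystemOperationMode` and `OEM_UEFI_MANUFACTURING_MODE` cannot be confirmed here.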
@@ -40,8 +40,9 @@
 "PcBdsPkg/PcBdsPkg.dec",
 "PolicyServicePkg/PolicyServicePkg.dec",
 "SetupDataPkg/SetupDataPkg.dec",
+ "MfciPkg/MfciPkg.dec",
+ "OemPkg/OemPkg.dec",
 "QemuQ35Pkg/QemuQ35Pkg.dec"
- ],
 # For host based unit tests
 "AcceptableDependencies-HOST_APPLICATION":[
diff --git a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec
index ca8c81e0..4cda87bb 100644
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec
@@ -31,6 +31,9 @@
 ## The Generic Profile (flavor) will be stored in FV under this GUID
 gQemuQ35PkgGenericProfileGuid = { 0xa53c06b5, 0x669f, 0x4b5f, {0x93, 0x86, 0x47, 0x12, 0x12, 0xf5, 0x41, 0xdb } }
+ ## The Platform DFCI Unsigned list file GUID
+ gQemuQ35PkgDfciUnsignedXmlGuid = { 0x62cf29ad, 0xfeee, 0x4930, { 0xb7, 0x1b, 0x48, 0x6, 0xc7, 0x87, 0xc6, 0xaa } }
+
 [Ppis]
 [Protocols]
diff --git a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
index 6db14038..89090c56 100644
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
@@ -286,6 +286,7 @@
 ConfigBlobBaseLib |SetupDataPkg/Library/ConfigBlobBaseLib/ConfigBlobBaseLib.inf
 ConfigDataLib |SetupDataPkg/Library/ConfigDataLib/ConfigDataLib.inf
 ConfigVariableListLib|SetupDataPkg/Library/ConfigVariableListLib/ConfigVariableListLib.inf
+ ConfigSystemModeLib |QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
 # Network libraries
 NetLib |NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
@@ -599,6 +600,7 @@
 QemuFwCfgLib |OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 BaseCryptLib |CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
 PcdDatabaseLoaderLib |MdeModulePkg/Library/PcdDatabaseLoaderLib/Pei/PcdDatabaseLoaderLibPei.inf
+ OemMfciLib |OemPkg/Library/OemMfciLib/OemMfciLibPei.inf
 !if $(SOURCE_DEBUG_ENABLE) == TRUE
 DebugAgentLib |SourceLevelDebugPkg/Library/DebugAgent/SecPeiDebugAgentLib.inf
 !endif
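Review bot: The removed `],` following `"QemuQ35Pkg/QemuQ35Pkg.dec"` has no replacement on the new side of this hunk, and the hunk counts (8 old, 9 new, with two additions and one deletion) agree with that, so the `AcceptableDependencies` list appears to be left unclosed ahead of `# For host based unit tests`. If that is not an artifact of how this patch was captured, the CI configuration will not parse and the new `MfciPkg/MfciPkg.dec` and `OemPkg/OemPkg.dec` entries will never take effect. Either the list is closed further down in a way this hunk does not show, or `],` needs to follow `"QemuQ35Pkg/QemuQ35Pkg.dec"` again.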
@@ -638,6 +640,8 @@
 RngLib |MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf # MU_CHANGE use timer lib as the source of random
 PciLib |OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
+ OemMfciLib |OemPkg/Library/OemMfciLib/OemMfciLibDxe.inf
+
 [LibraryClasses.common.DXE_CORE]
 HobLib |MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
 MemoryAllocationLib |MdeModulePkg/Library/DxeCoreMemoryAllocationLib/DxeCoreMemoryAllocationLib.inf
@@ -915,7 +919,10 @@ PlatformSmmProtectionsTestLib|UefiTestingPkg/Library/PlatformSmmProtectionsTestL
 [PcdsDynamicExDefault]
 # Default this to gQemuQ35PkgGenericProfileGuid
- gSetupDataPkgTokenSpaceGuid.PcdSetupConfigActiveProfileFile|{ 0xb5, 0x06, 0x3c, 0xa5, 0x9f, 0x66, 0x5f, 0x4b, 0x93, 0x86, 0x47, 0x12, 0x12, 0xf5, 0x41, 0xdb }
+ gSetupDataPkgTokenSpaceGuid.PcdSetupConfigActiveProfileFile|{GUID("A53C06B5-669F-4B5F-9386-471212F541DB")}
+
+ # Default this to gQemuQ35PkgDfciUnsignedXmlGuid
+ gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile|{GUID("62CF29AD-FEEE-4930-B71B-4806C787C6AA")}
 [PcdsDynamicHii]
 !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
@@ -1015,6 +1022,7 @@ PlatformSmmProtectionsTestLib|UefiTestingPkg/Library/PlatformSmmProtectionsTestL
 OemPkg/DeviceStatePei/DeviceStatePei.inf
 MfciPkg/MfciPei/MfciPei.inf
+ SetupDataPkg/ConfDfciUnsignedListInit/ConfDfciUnsignedListInit.inf
 PolicyServicePkg/PolicyService/Pei/PolicyPei.inf
 QemuQ35Pkg/ConfigDataGfx/ConfigDataGfx.inf
diff --git a/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf b/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
index 7f57fe6c..05a73a23 100644
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
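Review bot: The build-time default for `gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile` in the `[PcdsDynamicExDefault]` hunk is the permissive value (the GUID of the unsigned permissions XML), and per the commit message the restrictive state is only reached when `ConfDfciUnsignedListInit` nulls the PCD during PEI; the platform therefore fails open if that module does not dispatch, or if a consumer reads the PCD before it has run, and the position of its `INF` line in `[Components]` does not control dispatch order, only its depex does. If the feature module allows it, the fail-closed shape is to default the PCD to a zero GUID and have the PEI module set it to `gQemuQ35PkgDfciUnsignedXmlGuid` only when `IsSystemInManufacturingMode` returns TRUE. At minimum the coupling should be recorded next to the default, e.g. `# Permissive default: ConfDfciUnsignedListInit (PEI) must clear this PCD outside manufacturing mode; keep that module in the PEI FV.` The `{GUID("A53C06B5-...")}` rewrite of `PcdSetupConfigActiveProfileFile` encodes the same value as the byte array it replaces.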
@@ -263,6 +263,7 @@
 INF MsGraphicsPkg/MsUiTheme/Pei/MsUiThemePpi.inf
 INF MsGraphicsPkg/MsEarlyGraphics/Pei/MsEarlyGraphics.inf
 INF MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.inf
+INF SetupDataPkg/ConfDfciUnsignedListInit/ConfDfciUnsignedListInit.inf
 INF PolicyServicePkg/PolicyService/Pei/PolicyPei.inf
 INF QemuQ35Pkg/ConfigDataGfx/ConfigDataGfx.inf
@@ -567,7 +568,7 @@ FILE FREEFORM = PCD(gZeroTouchPkgTokenSpaceGuid.PcdZeroTouchCertificateFile) {
 FILE FREEFORM = gQemuQ35PkgGenericProfileGuid {
 SECTION RAW = $(CONF_BIN_FILE)
 }
- FILE FREEFORM = PCD(gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile) {
+ FILE FREEFORM = gQemuQ35PkgDfciUnsignedXmlGuid {
 SECTION RAW = QemuQ35Pkg/UnsignedPermissions.xml
 }
diff --git a/mu_config_ext_dep.yaml b/mu_config_ext_dep.yaml
index 0a9ea72a..05e0c6aa 100644
--- a/mu_config_ext_dep.yaml
+++ b/mu_config_ext_dep.yaml
@@ -9,6 +9,6 @@
 "name": "FEATURE_CONFIG",
 "var_name": "FEATURE_CONFIG_PATH",
 "source": "https://github.com/microsoft/mu_feature_config.git",
- "version": "ccd5eb19c07cfb16508b93824e4f3edd8c18dee8",
+ "version": "d2a08dcc2d09a34a7c3a13fcc534138f6efe08aa",
 "flags": ["set_build_var"]
 }
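Review bot: Naming the FFS file by the fixed `gQemuQ35PkgDfciUnsignedXmlGuid` instead of `PCD(gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile)` means `QemuQ35Pkg/UnsignedPermissions.xml` is always present in the flash image; clearing the PCD only removes the reference to it, so the protection holds only if DFCI resolves the file strictly through the PCD and never by that GUID directly, which this hunk cannot show. That is a reasonable design, and it is worth recording next to the FILE entry so a later change does not re-key a consumer on the raw GUID: `# Always present in the FV; gated at runtime by PcdUnsignedPermissionsFile, which ConfDfciUnsignedListInit clears outside manufacturing mode.` The `INF SetupDataPkg/ConfDfciUnsignedListInit/ConfDfciUnsignedListInit.inf` line in the PEI FV is the gate the whole change depends on, so a short comment there naming that role would help too.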