UefiPayloadPkg: Add Secure Boot support #6222
This always adds SecureBootConfigDxe into the main UefiPayload FV. I'm assuming that the purpose of the SECURITY_FV is for UPL, to allow builders to override features at the security/network/BDS scope. Shouldn't we follow the example of BdsDxe, for example, and not include it in the main FV in the case of UPL? Also, this isn't yet hooked up for UPL. I believe 05da2d2 is an example of how you can do it, but the script has changed a bit since.
I think we should follow the example of other 'UPL' FVs, and conditionally compile the drivers into either the main FV or a feature-specific 'UPL' one, but not both.
@gdong1 wonder if @Sean-StarLabs should also add secureboot to yaml CI like this? 616b048 But we have no idea how it would work, wonder if you know?
@Sean-StarLabs do you want to mark those comments as resolved? Only you can do it I think.
⚠ WARNING: Cannot add some reviewers: A user specified as a reviewer for this PR is not a collaborator of the repository. Please add them as a collaborator to the repository so they can be requested in the future. Non-collaborators requested: Attn Admins: Admin Instructions:
@Sean-StarLabs can you rebase it? Or how can a maintainer help to rebase it?
To merge this PR, the CI failures need to be fixed.
Introduce Secure Boot functionality within UefiPayloadPkg by adding necessary modules and configurations. A new build flag, `SECURE_BOOT_ENABLE`, is introduced to control the activation of Secure Boot.

This patch also overrides values in SecurityPkg to enforce image verification from all sources.

A new FV (`SECURITY_FV`) for security modules is added for components and the firmware volume sizes to accommodate additional Secure Boot components.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>