Fix Secure Boot build

First, there's a build failure.  The inclusion of SecureBootConfig.inf isn't
allowed because embedded has no configuration menus

Then we hit asserts on running, so remove them.  The first one is a simple
ASSERT(FALSE) that Intel put into the code to prevent anyone running secure
boot.  The next is an assert on a now non-existent Quark lockdown variable and
the final few are asserting the presence of various secure boot keys we don't
want.

Finally we need to patch edk2 to compute hashes correctly on IA 32 and add
secure boot to the build and away we go.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
diff --git a/DxeImageVerificationLib-fix.diff b/DxeImageVerificationLib-fix.diff
new file mode 100644
index 0000000..19dc895
--- /dev/null
+++ b/DxeImageVerificationLib-fix.diff
@@ -0,0 +1,37 @@
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b3be566..a2523f5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -544,6 +544,18 @@ HashPeImage (
+       if (!Status) {

+         goto Done;

+       }

++      /*

++       * Problem: some unsigned PECOFF binaries don't always end on an aligned

++       * size. For this case, pad them with zeros up to the aligned size

++       */

++      if (ALIGN_SIZE(mImageSize)) {

++	UINT64 zerofill = 0;

++

++	Status  = mHash[HashAlg].HashUpdate(HashCtx, &zerofill, ALIGN_SIZE(mImageSize));

++	if (!Status) {

++	  goto Done;

++	}

++      }

+     } else if (mImageSize < CertSize + SumOfBytesHashed) {

+       Status = FALSE;

+       goto Done;

+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
+index 55371e9..bdf27ac 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
+@@ -43,6 +43,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ #define MAX_NOTIFY_STRING_LEN             64

+ #define TWO_BYTE_ENCODE                   0x82

+ 

++#define ALIGNMENT_SIZE                    8

++#define ALIGN_SIZE(a) (((a) % ALIGNMENT_SIZE) ? ALIGNMENT_SIZE - ((a) % ALIGNMENT_SIZE) : 0)

++

+ //

+ // Image type definitions

+ //

diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 25e54a8..f998c1d 100755
--- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -318,7 +318,8 @@
     //

     // UEFI Secure boot not supported / validated for this firmware release.

     //

-    ASSERT (FALSE);

+    DEBUG ((EFI_D_INFO, "GOT PAST PLATFORM SECURE BOOT ASSERTION FAILURE"));
+    //ASSERT (FALSE);

 

   }

 

diff --git a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
index c95059c..3a1d430 100644
--- a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
+++ b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformHelperDxe.c
@@ -479,7 +479,9 @@
                  (VOID *)NULL

                  );

 

-    ASSERT_EFI_ERROR (Status);

+    //ASSERT_EFI_ERROR (Status);

+
+    DEBUG((EFI_D_INFO, "No QUARK LOCK VARIABLE %s status %r\n", QUARK_VARIABLE_LOCK_NAME, Status));
   }

 }

 

diff --git a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
index a29b87f..534a058 100644
--- a/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
+++ b/QuarkPlatformPkg/Library/PlatformHelperLib/PlatformSecureBoot.c
@@ -490,7 +490,7 @@
         Stats.DbEnrolled,

         Stats.DbxEnrolled

         ));

-      ASSERT (Stats.PkEnrolled && Stats.KekEnrolled && Stats.DbEnrolled && Stats.DbxEnrolled);

+      //ASSERT (Stats.PkEnrolled && Stats.KekEnrolled && Stats.DbEnrolled && Stats.DbxEnrolled);

       DEBUG (

         (EFI_D_INFO, "ValidateSecureBoot: Attributes pk:kek:db:dbx 0x%08x:0x%08x:0x%08x:0x%08x\n",

         Stats.PkAttributes,

@@ -498,18 +498,18 @@
         Stats.DbAttributes,

         Stats.DbxAttributes

         ));

-      ASSERT (

-        ((Stats.PkAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

-        ((Stats.KekAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

-        ((Stats.DbAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

-        ((Stats.DbxAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)

-        );

+      //ASSERT (

+      //((Stats.PkAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

+      //((Stats.KekAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

+      //((Stats.DbAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&

+      //((Stats.DbxAttributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)

+      //);

       DEBUG (

         (EFI_D_INFO, "ValidateSecureBoot: KekCertCounts X509:Rsa2048 %d:%d\n",

         Stats.KekX509CertCount,

         Stats.KekRsa2048CertCount

         ));

-      ASSERT (Stats.KekX509CertCount > 0 || Stats.KekRsa2048CertCount > 0);

+      //ASSERT (Stats.KekX509CertCount > 0 || Stats.KekRsa2048CertCount > 0);

     }

   }

 }

diff --git a/QuarkPlatformPkg/QuarkPlatformPkg.dsc b/QuarkPlatformPkg/QuarkPlatformPkg.dsc
index a2fb5b6..3619d7e 100755
--- a/QuarkPlatformPkg/QuarkPlatformPkg.dsc
+++ b/QuarkPlatformPkg/QuarkPlatformPkg.dsc
@@ -512,7 +512,7 @@
   !ifdef SECURE_BOOT

     SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf

     SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf

-    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+#    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

   !else

     MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf

     QuarkPlatformPkg/Override/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf

diff --git a/QuarkPlatformPkg/QuarkPlatformPkg.fdf b/QuarkPlatformPkg/QuarkPlatformPkg.fdf
index 75861a9..bd85d50 100755
--- a/QuarkPlatformPkg/QuarkPlatformPkg.fdf
+++ b/QuarkPlatformPkg/QuarkPlatformPkg.fdf
@@ -800,7 +800,7 @@
 !ifdef SECURE_BOOT

 INF  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf

 INF  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf

-INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+#INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

 !else

 INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf

 INF  QuarkPlatformPkg/Override/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf

diff --git a/build.sh b/build.sh
index 399b5d3..dba78ad 100644
--- a/build.sh
+++ b/build.sh
@@ -18,6 +18,11 @@
     sh ./Install.sh
 fi
 popd
+#
+# Need to apply patch for generating correct hashes on IA32
+if [ ! -f SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c.orig ]; then
+    patch -p1 < DxeImageVerificationLib-fix.diff
+fi
 # now initialise the edk2environment using the QuarkPlatformPkg Overrides
 cp .module/edk2/edksetup.sh .
 mkdir Conf
@@ -36,7 +41,7 @@
 ##
 # You probably have gcc 4.8 or 4.9, but this doesn't seem to matter
 toolchain=GCC47
-build -a IA32 -b ${type} -y Report.log -t ${toolchain} -p QuarkPlatformPkg/QuarkPlatformPkg.dsc ${flags}
+build -a IA32 -b ${type} -y Report.log -t ${toolchain} -p QuarkPlatformPkg/QuarkPlatformPkg.dsc ${flags} -DSECURE_BOOT
 # finally, the spi flash tools are going to need the capsule creator, so build it
 make -C QuarkPlatformPkg/Tools/CapsuleCreate
 #