tianocore · kraxel · Jul 10, 2022 · Jul 10, 2022 · Dec 10, 2024 · Dec 10, 2024
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -25,12 +25,12 @@
   BUILD_TARGETS                  = NOOPT|DEBUG|RELEASE
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = OvmfPkg/AmdSev/AmdSevX64.fdf
-  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh
 
   #
   # Defines for default states.  These can be changed on the command line.
   # -D FLAG=VALUE
   #
+  DEFINE SECURE_BOOT_ENABLE      = TRUE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
 
 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc
@@ -39,6 +39,7 @@
   # Shell can be useful for debugging but should not be enabled for production
   #
   DEFINE BUILD_SHELL             = FALSE
+  DEFINE SD_BOOT_ENABLE          = FALSE
 
   #
   # Device drivers
@@ -189,7 +190,15 @@
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
   RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
+  SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!else
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
@@ -385,6 +394,10 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE
   gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported|TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
 
 [PcdsFixedAtBuild]
   gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
@@ -606,6 +619,9 @@
 
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
 !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
   }
 
@@ -728,11 +744,19 @@
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
   OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+!if $(SD_BOOT_ENABLE) == TRUE
+  OvmfPkg/SdBootDxe/SdBoot.inf
+!else
   OvmfPkg/AmdSev/Grub/Grub.inf
+!endif
 
 !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 !include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
   OvmfPkg/PlatformDxe/Platform.inf
   OvmfPkg/AmdSevDxe/AmdSevDxe.inf {
     <LibraryClasses>

diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -238,6 +238,10 @@ INF  OvmfPkg/MptScsiDxe/MptScsiDxe.inf
 INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf
 !endif
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
 INF  MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
 INF  MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
 INF  MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
@@ -282,8 +286,12 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
 INF  FatPkg/EnhancedFatDxe/Fat.inf
 INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 
-INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+INF  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+!if $(SD_BOOT_ENABLE) == TRUE
+INF  OvmfPkg/SdBootDxe/SdBoot.inf
+!else
 INF  OvmfPkg/AmdSev/Grub/Grub.inf
+!endif
 
 INF MdeModulePkg/Logo/LogoDxe.inf
 

diff --git a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
@@ -234,10 +234,23 @@ BlobVerifierLibSevHashesConstructor (
   Ptr  = (void *)(UINTN)FixedPcdGet64 (PcdQemuHashTableBase);
   Size = FixedPcdGet32 (PcdQemuHashTableSize);
 
+  DEBUG ((
+    DEBUG_INFO,
+    "%a: hash table: 0x%p +0x%x\n",
+    __func__,
+    Ptr,
+    Size
+    ));
+
   if ((Ptr == NULL) || (Size < sizeof *Ptr) ||
       !CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID) ||
       (Ptr->Len < sizeof *Ptr) || (Ptr->Len > Size))
   {
+    DEBUG ((
+      DEBUG_INFO,
+      "%a: hash table: 404\n",
+      __func__
+      ));
     return RETURN_SUCCESS;
   }
 
@@ -251,7 +264,7 @@ BlobVerifierLibSevHashesConstructor (
   mHashesTableSize = Ptr->Len - sizeof Ptr->Guid - sizeof Ptr->Len;
 
   DEBUG ((
-    DEBUG_VERBOSE,
+    DEBUG_INFO,
     "%a: mHashesTable=0x%p, Size=%u\n",
     __func__,
     mHashesTable,

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -1854,6 +1854,15 @@ PlatformBootManagerAfterConsole (
     LOAD_OPTION_ACTIVE
     );
 
+  //
+  // Register systemd-boot
+  //
+  PlatformRegisterFvBootOption (
+    &gSdBootFileGuid,
+    L"systemd boot",
+    LOAD_OPTION_ACTIVE
+    );
+
   RemoveStaleFvFileOptions ();
   SetBootOrderFromQemu ();
 

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -87,3 +87,4 @@
   gRootBridgesConnectedEventGroupGuid
   gUefiShellFileGuid
   gGrubFileGuid
+  gSdBootFileGuid
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
@@ -173,6 +173,7 @@
   gOvmfVariableGuid                     = {0x50bea1e5, 0xa2c5, 0x46e9, {0x9b, 0x3a, 0x59, 0x59, 0x65, 0x16, 0xb0, 0x0a}}
   gQemuFirmwareResourceHobGuid          = {0x3cc47b04, 0x0d3e, 0xaa64, {0x06, 0xa6, 0x4b, 0xdc, 0x9a, 0x2c, 0x61, 0x19}}
   gRtcRegisterBaseAddressHobGuid        = {0x40435d97, 0xeb37, 0x4a4b, {0x7f, 0xad, 0xb7, 0xed, 0x72, 0xa1, 0x43, 0xc5}}
+  gSdBootFileGuid                       = {0x2b86cc73, 0x1c22, 0x4179, {0x87, 0xaa, 0x8e, 0x31, 0xfa, 0x8c, 0x86, 0x7b}}
 
 [Ppis]
   # PPI whose presence in the PPI database signals that the TPM base address

diff --git a/OvmfPkg/SdBootDxe/SdBoot.inf b/OvmfPkg/SdBootDxe/SdBoot.inf
@@ -0,0 +1,23 @@
+##  @file
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010006
+  BASE_NAME                      = SdBoot
+  FILE_GUID                      = 2b86cc73-1c22-4179-87aa-8e31fa8c867b # gSdBootFileGuid
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = UefiMain
+
+[Packages]
+  OvmfPkg/OvmfPkg.dec
+
+[Binaries.X64]
+   PE32|/usr/lib/systemd/boot/efi/systemd-bootx64.efi|*
+
+[Binaries.AA64]
+   PE32|/usr/lib/systemd/boot/efi/systemd-bootaa64.efi|*
+