public inbox for devel@edk2.groups.io
From: "gaoliming" <gaoliming@byosoft.com.cn>
To: "'Samer El-Haj-Mahmoud'" <Samer.El-Haj-Mahmoud@arm.com>,
	<devel@edk2.groups.io>, <gjb@semihalf.com>
Cc: <leif@nuviainc.com>, <ardb+tianocore@kernel.org>,
	"'Sunny Wang'" <Sunny.Wang@arm.com>, <mw@semihalf.com>,
	<upstream@semihalf.com>, <jiewen.yao@intel.com>,
	<jian.j.wang@intel.com>, <min.m.xu@intel.com>,
	<lersek@redhat.com>, "'Sami Mujawar'" <Sami.Mujawar@arm.com>,
	<afish@apple.com>, <ray.ni@intel.com>,
	<jordan.l.justen@intel.com>, <rebecca@bsdio.com>,
	<grehan@freebsd.org>, "'Thomas Abraham'" <thomas.abraham@arm.com>,
	<chasel.chiu@intel.com>, <nathaniel.l.desimone@intel.com>,
	<eric.dong@intel.com>, <michael.d.kinney@intel.com>,
	<zailiang.sun@intel.com>, <yi.qian@intel.com>,
	<graeme@nuviainc.com>, <rad@semihalf.com>, <pete@akeo.ie>
Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
Date: Tue, 20 Jul 2021 09:32:49 +0800
Message-ID: <003d01d77d07$26fc48f0$74f4dad0$@byosoft.com.cn>
In-Reply-To: <PAXPR08MB69871080B603844004CEF30E90119@PAXPR08MB6987.eurprd08.prod.outlook.com>

Sami:
  For EmulatorPkg, Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

Thanks
Liming
> -----Original Message-----
> From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Sent: July 16, 2021 20:00
> To: devel@edk2.groups.io; gjb@semihalf.com
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang
> <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Subject: RE: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> 
> The v6 of this series seems to have all the necessary Reviewed-By (and some
> Tested-By) of all parts, except the following platform specific parts. Could we
> get help from maintainers to review these please?
> 
> Much appreciated!
> 
> - ArmVirtPkg : https://edk2.groups.io/g/devel/message/77772
> - ArmPlatformPkg: https://edk2.groups.io/g/devel/message/77775
> - EmulatorPkg: https://edk2.groups.io/g/devel/message/77773
> - Intel Platforms (Platform/Intel/QuarkPlatformPkg,
> Platform/Intel/MinPlatformPkg, Platform/Intel/Vlv2TbltDevicePkg):
> https://edk2.groups.io/g/devel/message/77781
> 
> Thanks,
> --Samer
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > Grzegorz Bernacki via groups.io
> > Sent: Wednesday, July 14, 2021 8:30 AM
> > To: devel@edk2.groups.io
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> > pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
> > Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> >
> > This patchset adds support for initialization of default
> > Secure Boot variables based on keys content embedded in
> > flash binary. This feature is active only if Secure Boot
> > is enabled and DEFAULT_KEY is defined. The patchset
> > also consists of an application to enroll keys from default
> > variables and a secure boot menu change to allow the user
> > to reset key content to default values.
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > Built with:
> > GCC
> > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> >   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> >
> > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve require additional fixes to be built,
> > will be posted on edk2 mailing list later
> >
> > VS2019
> > - Intel (OvmfPkgX64)
> >
> > Test with:
> > GCC5/RPi4
> > VS2019/OvmfX64 (requires changes to enable feature)
> >
> > Tests:
> > 1. Try to enroll key in incorrect format.
> > 2. Enroll with only PKDefault keys specified.
> > 3. Enroll with all keys specified.
> > 4. Enroll when keys are enrolled.
> > 5. Reset keys values.
> > 6. Running signed & unsigned app after enrollment.
> >
> > Changes since v1:
> > - change names:
> >   SecBootVariableLib => SecureBootVariableLib
> >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Changes since v2:
> > - fix coding style for functions headers in SecureBootVariableLib.h
> > - add header to SecureBootDefaultKeys.fdf.inc
> > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > - revert FAIL macro in EnrollFromDefaultKeysApp
> > - remove function duplicates and add SecureBootVariableLib
> >   to platforms which used it
> >
> > Changes since v3:
> > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > - fix typo in guid description
> >
> > Changes since v4:
> > - reorder patches to make it bisectable
> > - split commits related to more than one platform
> > - move edk2-platform commits to separate patchset
> >
> > Changes since v5:
> > - split SecureBootVariableLib into SecureBootVariableLib and
> >   SecureBootVariableProvisionLib
> >
> > Grzegorz Bernacki (11):
> >   SecurityPkg: Create SecureBootVariableLib.
> >   SecurityPkg: Create library for enrolling Secure Boot variables.
> >   ArmVirtPkg: add SecureBootVariableLib class resolution
> >   OvmfPkg: add SecureBootVariableLib class resolution
> >   EmulatorPkg: add SecureBootVariableLib class resolution
> >   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> >   ArmPlatformPkg: Create include file for default key content.
> >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> >   SecurityPkg: Add EnrollFromDefaultKeys application.
> >   SecurityPkg: Add new modules to Security package.
> >   SecurityPkg: Add option to reset secure boot keys.
> >
> >  SecurityPkg/SecurityPkg.dec | 14 +
> >  ArmVirtPkg/ArmVirt.dsc.inc | 2 +
> >  EmulatorPkg/EmulatorPkg.dsc | 2 +
> >  OvmfPkg/Bhyve/BhyveX64.dsc | 2 +
> >  OvmfPkg/OvmfPkgIa32.dsc | 2 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
> >  OvmfPkg/OvmfPkgX64.dsc | 2 +
> >  SecurityPkg/SecurityPkg.dsc | 5 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 48 ++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 80 +++
> >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | 80 +++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 3 +
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 ++
> >  SecurityPkg/Include/Library/SecureBootVariableLib.h | 153 ++++++
> >  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h | 134 +++++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 110 +++++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 511 ++++++++++++++++++++
> >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 491 +++++++++++++++++++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 344 ++++++-------
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 +++
> >  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 +++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 17 +
> >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni | 16 +
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
> >  27 files changed, 2043 insertions(+), 188 deletions(-)
> >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> >  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> >
> > --
> > 2.25.1
> >
> >
> >
> > 
> >
> 



Thread overview: 22+ messages
2021-07-14 12:29 [PATCH v6 00/11] Secure Boot default keys Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 01/11] SecurityPkg: Create SecureBootVariableLib Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 02/11] SecurityPkg: Create library for enrolling Secure Boot variables Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 04/11] OvmfPkg: " Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 05/11] EmulatorPkg: " Grzegorz Bernacki
2021-07-21  2:53   ` [edk2-devel] " Ni, Ray
2021-07-14 12:29 ` [PATCH v6 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 07/11] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 09/11] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 10/11] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 11/11] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-15  3:16 ` [edk2-devel] [PATCH v6 00/11] Secure Boot default keys Yao, Jiewen
2021-07-16 12:00 ` Samer El-Haj-Mahmoud
2021-07-16 17:28   ` Ard Biesheuvel
2021-07-20  1:32   ` gaoliming [this message]
2021-07-21  3:40   ` Sunny Wang
2021-07-28  7:44     ` Re: " gaoliming
2021-07-28 10:39       ` Ard Biesheuvel
2021-07-28 11:07         ` Ard Biesheuvel
2021-07-29  8:54           ` Grzegorz Bernacki
