From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.byosoft.com.cn (mail.byosoft.com.cn [58.240.74.242]) by mx.groups.io with SMTP id smtpd.web08.2101.1626744821669600270 for ; Mon, 19 Jul 2021 18:33:42 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=none, err=permanent DNS error (domain: byosoft.com.cn, ip: 58.240.74.242, mailfrom: gaoliming@byosoft.com.cn) Received: from DESKTOPS6D0PVI ([58.246.60.130]) (envelope-sender ) by 192.168.6.13 with ESMTP for ; Tue, 20 Jul 2021 09:32:49 +0800 X-WM-Sender: gaoliming@byosoft.com.cn X-Originating-IP: 58.246.60.130 X-WM-AuthFlag: YES X-WM-AuthUser: gaoliming@byosoft.com.cn From: "gaoliming" To: "'Samer El-Haj-Mahmoud'" , , Cc: , , "'Sunny Wang'" , , , , , , , "'Sami Mujawar'" , , , , , , "'Thomas Abraham'" , , , , , , , , , References: <20210714122952.1340890-1-gjb@semihalf.com> In-Reply-To: Subject: =?UTF-8?B?5Zue5aSNOiBbZWRrMi1kZXZlbF0gW1BBVENIIHY2IDAwLzExXSBTZWN1cmUgQm9vdCBkZWZhdWx0IGtleXM=?= Date: Tue, 20 Jul 2021 09:32:49 +0800 Message-ID: <003d01d77d07$26fc48f0$74f4dad0$@byosoft.com.cn> MIME-Version: 1.0 X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQGP+hd709HA8H9bmSnIuqkfaBxVAwJjxhTaq8b7zvA= Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: quoted-printable Content-Language: zh-cn Sami: For EmulatorPkg, Reviewed-by: Liming Gao Thanks Liming > -----=D3=CA=BC=FE=D4=AD=BC=FE----- > =B7=A2=BC=FE=C8=CB: Samer El-Haj-Mahmoud > =B7=A2=CB=CD=CA=B1=BC=E4: 2021=C4=EA7=D4=C216=C8=D5 20:00 > =CA=D5=BC=FE=C8=CB: devel@edk2.groups.io; gjb@semihalf.com > =B3=AD=CB=CD: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang > ; mw@semihalf.com; upstream@semihalf.com; > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > lersek@redhat.com; Sami Mujawar ; > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham > ; chasel.chiu@intel.com; > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; > Samer El-Haj-Mahmoud > =D6=F7=CC=E2: RE: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys >=20 > The v6 of this series seems to have all the necessary Reviewed-By (and some > Tested-By) of all parts, except the following platform specific parts. Could we > get help from maintainers to review these please? >=20 > Much appreciated! >=20 > - ArmVirtPkg : https://edk2.groups.io/g/devel/message/77772 > - ArmPlatformPkg: https://edk2.groups.io/g/devel/message/77775 > - EmulatorPkg: https://edk2.groups.io/g/devel/message/77773 > - Intel Platforms (Platform/Intel/QuarkPlatformPkg, > Platform/Intel/MinPlatformPkg, Platform/Intel/Vlv2TbltDevicePkg): > https://edk2.groups.io/g/devel/message/77781 >=20 > Thanks, > --Samer >=20 >=20 >=20 >=20 >=20 > > -----Original Message----- > > From: devel@edk2.groups.io On Behalf Of > > Grzegorz Bernacki via groups.io > > Sent: Wednesday, July 14, 2021 8:30 AM > > To: devel@edk2.groups.io > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer > El-Haj-Mahmoud > > ; Sunny Wang > > ; mw@semihalf.com; upstream@semihalf.com; > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > > lersek@redhat.com; Sami Mujawar ; > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham > > ; chasel.chiu@intel.com; > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.co= m; > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; > > pete@akeo.ie; Grzegorz Bernacki > > Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys > > > > This patchset adds support for initialization of default > > Secure Boot variables based on keys content embedded in > > flash binary. This feature is active only if Secure Boot > > is enabled and DEFAULT_KEY is defined. The patchset > > consist also application to enroll keys from default > > variables and secure boot menu change to allow user > > to reset key content to default values. > > Discussion on design can be found at: > > https://edk2.groups.io/g/rfc/topic/82139806#600 > > > > Built with: > > GCC > > - RISC-V (U500, U540) [requires fixes in dsc to build] > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg, > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32)) > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4) > > > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to b= e > built, > > will be post on edk2 maillist later > > > > VS2019 > > - Intel (OvmfPkgX64) > > > > Test with: > > GCC5/RPi4 > > VS2019/OvmfX64 (requires changes to enable feature) > > > > Tests: > > 1. Try to enroll key in incorrect format. > > 2. Enroll with only PKDefault keys specified. > > 3. Enroll with all keys specified. > > 4. Enroll when keys are enrolled. > > 5. Reset keys values. > > 6. Running signed & unsigned app after enrollment. > > > > Changes since v1: > > - change names: > > SecBootVariableLib =3D> SecureBootVariableLib > > SecBootDefaultKeysDxe =3D> SecureBootDefaultKeysDxe > > SecEnrollDefaultKeysApp =3D> EnrollFromDefaultKeysApp > > - change name of function CheckSetupMode to GetSetupMode > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp > > - rebase to master > > > > Changes since v2: > > - fix coding style for functions headers in SecureBootVariableLib.h > > - add header to SecureBootDefaultKeys.fdf.inc > > - remove empty line spaces in SecureBootDefaultKeysDxe files > > - revert FAIL macro in EnrollFromDefaultKeysApp > > - remove functions duplicates and add SecureBootVariableLib > > to platforms which used it > > > > Changes since v3: > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib > > - fix typo in guid description > > > > Changes since v4: > > - reorder patches to make it bisectable > > - split commits related to more than one platform > > - move edk2-platform commits to separate patchset > > > > Changes since v5: > > - split SecureBootVariableLib into SecureBootVariableLib and > > SecureBootVariableProvisionLib > > > > Grzegorz Bernacki (11): > > SecurityPkg: Create SecureBootVariableLib. > > SecurityPkg: Create library for enrolling Secure Boot variables. > > ArmVirtPkg: add SecureBootVariableLib class resolution > > OvmfPkg: add SecureBootVariableLib class resolution > > EmulatorPkg: add SecureBootVariableLib class resolution > > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe. > > ArmPlatformPkg: Create include file for default key content. > > SecurityPkg: Add SecureBootDefaultKeysDxe driver > > SecurityPkg: Add EnrollFromDefaultKeys application. > > SecurityPkg: Add new modules to Security package. > > SecurityPkg: Add option to reset secure boot keys. > > > > SecurityPkg/SecurityPkg.dec > | 14 + > > ArmVirtPkg/ArmVirt.dsc.inc > | 2 + > > EmulatorPkg/EmulatorPkg.dsc > | 2 + > > OvmfPkg/Bhyve/BhyveX64.dsc > | 2 + > > OvmfPkg/OvmfPkgIa32.dsc > | 2 + > > OvmfPkg/OvmfPkgIa32X64.dsc > | 2 + > > OvmfPkg/OvmfPkgX64.dsc > | 2 + > > SecurityPkg/SecurityPkg.dsc > | 5 + > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > > | 48 ++ > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > > | 80 +++ > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.inf | 80 +++ > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > > gDxe.inf | 3 + > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.inf | 46 ++ > > SecurityPkg/Include/Library/SecureBootVariableLib.h > | 153 > > ++++++ > > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > > | 134 +++++ > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > > gNvData.h | 2 + > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > > g.vfr | 6 + > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > > | 110 +++++ > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > > | 511 ++++++++++++++++++++ > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.c | 491 +++++++++++++++++++ > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > > gImpl.c | 344 ++++++------- > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.c | 69 +++ > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc > | 70 > > +++ > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > > | 17 + > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.uni | 16 + > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > > gStrings.uni | 4 + > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.uni | 16 + > > 27 files changed, 2043 insertions(+), 188 deletions(-) > > create mode 100644 > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > > create mode 100644 > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > > create mode 100644 > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.inf > > create mode 100644 > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.inf > > create mode 100644 > SecurityPkg/Include/Library/SecureBootVariableLib.h > > create mode 100644 > > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > > create mode 100644 > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > > create mode 100644 > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > > create mode 100644 > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.c > > create mode 100644 > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.c > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc > > create mode 100644 > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > > create mode 100644 > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro > > visionLib.uni > > create mode 100644 > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot > > DefaultKeysDxe.uni > > > > -- > > 2.25.1 > > > > > > > >=20 > > >=20 > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended recipient, > please notify the sender immediately and do not disclose the contents to any > other person, use it for any purpose, or store or copy the information i= n any > medium. Thank you.