From: "gaoliming" <gaoliming@byosoft.com.cn>
To: "'Ni, Ray'"
Cc: "'Andrew Fish'", "'Justen, Jordan L'", "'Kinney, Michael D'"
References: <1635DEE2A50DFCCF.13985@groups.io>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Date: Mon, 21 Sep 2020 08:48:50 +0800
Message-ID: <004101d68fb0$f8f5e950$eae1bbf0$@byosoft.com.cn>

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enabled. Please submit one BZ for this request.

Thanks
Liming

From: bounce+27952+65409+4905953+8761045@groups.io <bounce+27952+65409+4905953+8761045@groups.io> On Behalf Of Wadhawan, Divneil R
Sent: September 19, 2020 13:34
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

_____

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Saturday, September 19, 2020 3:41:11 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

I saw that a patch merged a few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help.
I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941

If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide an updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

A. SECURE_BOOT_ENABLE=true
* Key Enrollment (PK, KEK, db) via custom mode
* Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)

B. SECURE_BOOT_ENABLE=false (default case)
* Secure Boot Configuration menu is not visible (Same as existing default case)
* Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
--- EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) =20 diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE =3D FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FALSE DEFINE NETWORK_ISCSI_ENABLE =3D FALSE + DEFINE SECURE_BOOT_ENABLE =3D FALSE =20 [SkuIds] 0|DEFAULT 
@@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/= CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasure= mentLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLi= bNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSec= ureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLi= bNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.= inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf =20 +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, Lib= raryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIV= ER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATIO= N] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf 
@@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif =20 gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" =20 @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.i= nf EmulatorPkg/EmuThunkDxe/EmuThunk.inf @@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD= xe.inf +!endif =20 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf 
@@ -46,10 +46,17 @@ DATA =3D { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) =3D=3D FALSE #Signature: gEfiVariableGuid =3D # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, = 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid =3D + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, = 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariable= Size) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) =3D 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride =3D UI MdeModulePkg/Application/UiA= pp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf =20 +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +!endif + # # Network stack drivers # --=20 2.24.1.windows.2
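
Review bot: The `!if $(SECURE_BOOT_ENABLE) == TRUE` block in EmulatorPkg.dsc hunk @@ -106,12 +107,20 @@ maps OpensslLib to OpensslLibCrypto.inf but leaves that library's RngLib dependency unresolved. The thread reports that OpensslLib now lists RngLib in its [LibraryClasses] and that the Secure Boot build fails because of it. Add an RngLib mapping inside the same `!if` block. Because `DEFINE SECURE_BOOT_ENABLE = FALSE` is the default and CI only runs the default build, also add a CI configuration that builds with the flag set to TRUE so a break in these branches is caught before merge.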
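
Review bot: Missing documentation on the two PCDs added under `!if $(SECURE_BOOT_ENABLE) == TRUE` in EmulatorPkg.dsc hunk @@ -190,6 +209,10 @@. `gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE` asserts user physical presence unconditionally, and the platform library mapped in the earlier hunk is PlatformSecureLibNull, so the physical-presence condition on custom-mode key enrollment is always satisfied. That suits an emulator used to test enrollment of PK, KEK and db, but please say so in a comment so the setting is not copied into a real platform DSC, and add a short comment explaining why PcdMaxAuthVariableSize is 0x2800.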
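
Review bot: The variable store signature in EmulatorPkg.fdf hunk @@ -46,10 +46,17 @@ is selected with `!if $(SECURE_BOOT_ENABLE) == FALSE`, the inverse of the `== TRUE` test used in every other conditional of this patch, which makes the two files harder to read side by side. Suggest `!if $(SECURE_BOOT_ENABLE) == TRUE` with the gEfiAuthenticatedVariableGuid bytes first and the gEfiVariableGuid bytes under `!else`. The two comment styles (`#Signature:` and `# Signature:`) should also match, and a one-line comment tying this signature to the AuthVariableLib instance chosen in EmulatorPkg.dsc would help the next person who touches either file.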
