From: "gaoliming" <gaoliming@byosoft.com.cn>
Date: Wed, 7 Jul 2021 09:17:38 +0800
Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
Message-ID: <007901d772cd$e098a040$a1c9e0c0$@byosoft.com.cn>
In-Reply-To: <20210701091758.1057485-1-gjb@semihalf.com>

Grzegorz Bernacki:
  This is a new feature. Can you submit a BZ (https://bugzilla.tianocore.org/) for it?
Then I can add it to the edk2 stable tag feature planning.

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io on behalf of Grzegorz Bernacki
> Sent: July 1, 2021 17:18
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org;
> Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> thomas.abraham@arm.com; chasel.chiu@intel.com;
> nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> Grzegorz Bernacki
> Subject: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
>
> This patchset adds support for initialization of the default
> Secure Boot variables based on key content embedded in the
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset also
> includes an application to enroll keys from the default
> variables and a Secure Boot menu change to allow the user
> to reset key content to the default values.
> Discussion of the design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
>  - RISC-V (U500, U540) [requires fixes in dsc to build]
>  - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
>    EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
>  - ARM (Sgi75, SbsaQemu, DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg and Bhyve require additional fixes to be built;
> these will be posted on the edk2 mailing list later.
>
> VS2019
>  - Intel (OvmfPkgX64)
>
> Tested with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable the feature)
>
> Tests:
> 1. Try to enroll a key in an incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are already enrolled.
> 5. Reset key values.
> 6. Run signed and unsigned apps after enrollment.
>
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for function headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty lines in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove duplicate functions and add SecureBootVariableLib
>   to the platforms which used them
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave the duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in GUID description
>
> Changes since v4:
> - reorder patches to make the series bisectable
> - split commits related to more than one platform
> - move edk2-platforms commits to a separate patchset
>
> Grzegorz Bernacki (10):
>   SecurityPkg: Create library for setting Secure Boot variables.
>   ArmVirtPkg: add SecureBootVariableLib class resolution
>   OvmfPkg: add SecureBootVariableLib class resolution
>   EmulatorPkg: add SecureBootVariableLib class resolution
>   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
>   ArmPlatformPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
>
>  SecurityPkg/SecurityPkg.dec                                                              |  14 +
>  ArmVirtPkg/ArmVirt.dsc.inc                                                               |   1 +
>  EmulatorPkg/EmulatorPkg.dsc                                                              |   1 +
>  OvmfPkg/Bhyve/BhyveX64.dsc                                                               |   1 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                  |   1 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                               |   1 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                   |   1 +
>  SecurityPkg/SecurityPkg.dsc                                                              |   4 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                        |  47 +
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                      |  79 ++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf            |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf  |  45 +
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                      | 251 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h           |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr               |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                          | 109 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                        | 980 ++++++++++++++++++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c             | 343 ++++---
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c    |  68 ++
>  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                             |  70 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                      |  16 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni        |   4 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni  |  16 +
>  23 files changed, 1874 insertions(+), 188 deletions(-)
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
> --
> 2.25.1
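The default-key variables the patchset populates (PKDefault, KEKDefault, dbDefault, dbxDefault) and the PK/KEK/db/dbx they are enrolled into all carry the UEFI EFI_SIGNATURE_LIST encoding, and test 1 in the cover letter ("enroll a key in an incorrect format") is about rejecting malformed content before it reaches SetVariable. The following is an added example, not code from this patchset or from SecureBootVariableLib: it serialises a SHA256 signature list and walks a buffer that should be a chain of lists, checking the size fields against each other. The owner GUID, the sample hashes and the negative error codes are constructed for the example; the struct layout and the two type GUIDs are the ones from the UEFI specification, and the host is assumed little-endian, as UEFI itself is.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout per the UEFI spec. This is the
 * encoding held by PK, KEK, db, dbx and by their *Default twins. */
typedef struct { uint8_t b[16]; } efi_guid_t;

#pragma pack(push, 1)
typedef struct {
    efi_guid_t SignatureType;        /* e.g. EFI_CERT_X509_GUID or EFI_CERT_SHA256_GUID */
    uint32_t   SignatureListSize;    /* whole list, this header included */
    uint32_t   SignatureHeaderSize;  /* 0 for the X509 and SHA256 types */
    uint32_t   SignatureSize;        /* size of each EFI_SIGNATURE_DATA entry */
    /* then: uint8_t SignatureHeader[SignatureHeaderSize]; then entries of
     * { efi_guid_t SignatureOwner; uint8_t SignatureData[SignatureSize - 16]; } */
} efi_signature_list_t;
#pragma pack(pop)

#define SIGLIST_HDR  sizeof(efi_signature_list_t)   /* 28 bytes */
#define SIGDATA_HDR  sizeof(efi_guid_t)             /* 16 bytes: SignatureOwner */
#define SHA256_LEN   32

/* Type GUIDs in on-the-wire (mixed-endian) byte order. */
static const efi_guid_t EFI_CERT_SHA256_GUID = {{ /* c1c41626-504c-4092-aca9-41f936934328 */
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9, 0x41,0xf9,0x36,0x93,0x43,0x28 }};
static const efi_guid_t EFI_CERT_X509_GUID = {{ /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5, 0xab,0x15,0x5c,0x2b,0xf0,0x72 }};

/* Serialise one SHA256 signature list into out. Returns bytes written, 0 on error. */
size_t build_sha256_siglist(uint8_t *out, size_t cap, const efi_guid_t *owner,
                            const uint8_t (*hashes)[SHA256_LEN], size_t count)
{
    uint32_t sig_size = (uint32_t)(SIGDATA_HDR + SHA256_LEN);          /* 48 */
    size_t total = SIGLIST_HDR + (size_t)sig_size * count;
    if (count == 0 || total > cap) return 0;
    efi_signature_list_t h;
    h.SignatureType       = EFI_CERT_SHA256_GUID;
    h.SignatureListSize   = (uint32_t)total;
    h.SignatureHeaderSize = 0;
    h.SignatureSize       = sig_size;
    memcpy(out, &h, SIGLIST_HDR);
    uint8_t *p = out + SIGLIST_HDR;
    for (size_t i = 0; i < count; i++) {
        memcpy(p, owner, SIGDATA_HDR);     p += SIGDATA_HDR;
        memcpy(p, hashes[i], SHA256_LEN);  p += SHA256_LEN;
    }
    return total;
}

/* Walk a buffer that should be a chain of signature lists, the way an enrollment
 * path has to before handing the blob to SetVariable. Returns the number of lists
 * on success or a negative code (codes are this example's own convention):
 *  -1 truncated header          -2 SignatureListSize does not fit the buffer
 *  -3 header/entry sizes clash  -4 body is not a whole number of entries
 *  -5 unknown SignatureType     -6 SHA256 entry is not 16 + 32 bytes */
int validate_siglist_chain(const uint8_t *buf, size_t len)
{
    int lists = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        efi_signature_list_t h;
        memcpy(&h, buf + off, SIGLIST_HDR);
        if (h.SignatureListSize < SIGLIST_HDR || h.SignatureListSize > len - off) return -2;
        size_t body = h.SignatureListSize - SIGLIST_HDR;
        if (h.SignatureHeaderSize > body || h.SignatureSize <= SIGDATA_HDR) return -3;
        size_t entries = body - h.SignatureHeaderSize;
        if (entries == 0 || entries % h.SignatureSize != 0) return -4;
        int sha256 = memcmp(&h.SignatureType, &EFI_CERT_SHA256_GUID, 16) == 0;
        int x509   = memcmp(&h.SignatureType, &EFI_CERT_X509_GUID, 16) == 0;
        if (!sha256 && !x509) return -5;
        if (sha256 && h.SignatureSize != SIGDATA_HDR + SHA256_LEN) return -6;
        off += h.SignatureListSize;
        lists++;
    }
    return lists;
}

/* Constructed sample: two fake hashes under a zero owner GUID (not real binaries). */
static size_t sample_list(uint8_t *buf, size_t cap)
{
    static const efi_guid_t owner = {{ 0 }};
    uint8_t hashes[2][SHA256_LEN];
    memset(hashes[0], 0xAA, SHA256_LEN);
    memset(hashes[1], 0xBB, SHA256_LEN);
    return build_sha256_siglist(buf, cap, &owner, hashes, 2);
}

/* Scenarios mirroring "enroll a key in an incorrect format": each returns the validator's verdict. */
int check_well_formed(void)  { uint8_t b[256]; size_t n = sample_list(b, sizeof b); return validate_siglist_chain(b, n); }
int check_two_lists(void)    { uint8_t b[256]; size_t n = sample_list(b, 128); n += sample_list(b + n, 128); return validate_siglist_chain(b, n); }
int check_truncated(void)    { uint8_t b[256]; size_t n = sample_list(b, sizeof b); return validate_siglist_chain(b, n - 1); }
int check_bad_sig_size(void) { uint8_t b[256]; size_t n = sample_list(b, sizeof b); b[24] = 47; /* low byte of SignatureSize */ return validate_siglist_chain(b, n); }
int check_unknown_type(void) { uint8_t b[256]; size_t n = sample_list(b, sizeof b); b[0] ^= 0xFF; return validate_siglist_chain(b, n); }

int main(void)
{
    printf("well-formed=%d two-lists=%d truncated=%d bad-sig-size=%d unknown-type=%d\n",
           check_well_formed(), check_two_lists(), check_truncated(),
           check_bad_sig_size(), check_unknown_type());
    return 0;
}
```

A well-formed blob is only half of an enrollment: PK, KEK, db and dbx are time-based authenticated variables, so the list must be preceded by an EFI_VARIABLE_AUTHENTICATION_2 descriptor when written. In Setup Mode the firmware skips the PKCS7 verification but still expects the descriptor, which is what the CreateTimeBasedPayload duplicate mentioned in the v3 changelog exists to prepend; the *Default variables, by contrast, are ordinary volatile variables that the firmware itself writes from flash.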