* [PATCH edk2-platforms] Platform/DeveloperBox: actually enable secure boot checking
@ 2019-04-10 18:06 Ard Biesheuvel
2019-04-11 19:29 ` Leif Lindholm
From: Ard Biesheuvel @ 2019-04-10 18:06 UTC (permalink / raw)
To: devel; +Cc: leif.lindholm, Ard Biesheuvel

The current secure boot enabled DeveloperBox build contains all the
pieces to maintain the authenticated variable store, but doesn't
actually bother to check the signature on anything it boots. Fix that.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
index 39077ab5ee79..4ddb0d427f13 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
@@ -245,7 +245,12 @@
}
MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
ArmPkg/Drivers/TimerDxe/TimerDxe.inf
ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
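Review bot: The NULL library class override added under SecurityStubDxe.inf carries no comment explaining why it is there. Per the commit message, this one line is the difference between a build that only maintains the authenticated variable store and one that checks signatures on what it boots, so a short `#` comment above the `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf` line saying so would keep a later cleanup from dropping it as an apparently unused library and silently restoring the old behaviour.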
--
2.17.1
* Re: [PATCH edk2-platforms] Platform/DeveloperBox: actually enable secure boot checking
2019-04-10 18:06 [PATCH edk2-platforms] Platform/DeveloperBox: actually enable secure boot checking Ard Biesheuvel
@ 2019-04-11 19:29 ` Leif Lindholm
2019-04-11 21:10 ` Ard Biesheuvel
From: Leif Lindholm @ 2019-04-11 19:29 UTC (permalink / raw)
To: Ard Biesheuvel; +Cc: devel
On Wed, Apr 10, 2019 at 11:06:02AM -0700, Ard Biesheuvel wrote:
> The current secure boot enabled DeveloperBox build contains all the
> pieces to maintain the authenticated variable store, but doesn't
> actually bother to check the signature on anything it boots. Fix that.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

We haven't actually dropped the CLA from edk2-platforms (yet), so we
probably still need the contributed-under for now. If you add that
before committing:

Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>

> ---
> Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> index 39077ab5ee79..4ddb0d427f13 100644
> --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> @@ -245,7 +245,12 @@
> }
> MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
> MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> + <LibraryClasses>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +!endif
> + }
> ArmPkg/Drivers/TimerDxe/TimerDxe.inf
> ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.inf
> MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
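Review bot: The `!if $(SECURE_BOOT_ENABLE) == TRUE` guard inside the braces is an exact comparison, and the hunk does not show where the macro gets its default. Any build where it is not exactly TRUE ends up with an empty `<LibraryClasses>` override and no verification library, with nothing in the output to flag that images will be booted unchecked. It is worth confirming the .dsc defines a default for SECURE_BOOT_ENABLE ahead of this point and noting next to the guard that the non-TRUE case means no image verification.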
> --
> 2.17.1
>
* Re: [PATCH edk2-platforms] Platform/DeveloperBox: actually enable secure boot checking
2019-04-11 19:29 ` Leif Lindholm
@ 2019-04-11 21:10 ` Ard Biesheuvel
From: Ard Biesheuvel @ 2019-04-11 21:10 UTC (permalink / raw)
To: Leif Lindholm; +Cc: edk2-devel-groups-io
On Thu, 11 Apr 2019 at 12:29, Leif Lindholm <leif.lindholm@linaro.org> wrote:
>
> On Wed, Apr 10, 2019 at 11:06:02AM -0700, Ard Biesheuvel wrote:
> > The current secure boot enabled DeveloperBox build contains all the
> > pieces to maintain the authenticated variable store, but doesn't
> > actually bother to check the signature on anything it boots. Fix that.
> >
> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
> We haven't actually dropped the CLA from edk2-platforms (yet), so we
> probably still need the contributed-under for now. If you add that
> before committing:
>
> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
>

Thanks. Pushed as 7d8dc6544c93..11c98f35af40

> > ---
> > Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> > index 39077ab5ee79..4ddb0d427f13 100644
> > --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> > +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
> > @@ -245,7 +245,12 @@
> > }
> > MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
> > MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
> > - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> > + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> > + <LibraryClasses>
> > +!if $(SECURE_BOOT_ENABLE) == TRUE
> > + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> > +!endif
> > + }
> > ArmPkg/Drivers/TimerDxe/TimerDxe.inf
> > ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.inf
> > MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
> > --
> > 2.17.1
> >