From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:07 -0700 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CE06B50F64; Sat, 27 Apr 2019 00:54:06 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id B9D365D70A; Sat, 27 Apr 2019 00:54:04 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Date: Sat, 27 Apr 2019 02:53:23 +0200 Message-Id: <20190427005328.27005-12-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Sat, 27 Apr 2019 00:54:06 +0000 (UTC) Content-Transfer-Encoding: quoted-printable The GUID 77FA9ABD-0359-4D32-BD60-28F4E78F784B is specified in MSDN, at , therefore it deserves an entry in the package DEC file, and a header file under "Include/Guid". (Arguably, this GUID declaration / definition could even live under SecurityPkg, but the edk2 tradition has been to hoist GUIDs, protocols/PPIs, and lib classes from OvmfPkg to a core package only when dependent C code is added to the core package.) Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 
Signed-off-by: Laszlo Ersek
---
OvmfPkg/OvmfPkg.dec | 1 +
OvmfPkg/Include/Guid/MicrosoftVendor.h | 55 +++++++++++++++++++= +
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 2 +
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 -
OvmfPkg/EnrollDefaultKeys/AuthData.c | 28 ----------
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 7 +--
6 files changed, 62 insertions(+), 33 deletions(-)
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index cc2a4909afd4..922e061cc85c 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -72,16 +72,17 @@ [LibraryClasses]
[Guids]
gUefiOvmfPkgTokenSpaceGuid =3D {0x93bb96af, 0xb9f2, 0x4eb8, {= 0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
gEfiXenInfoGuid =3D {0xd3b46f3b, 0xd441, 0x1244, {= 0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
gOvmfPlatformConfigGuid =3D {0x7235c51c, 0x0c80, 0x4cab, {= 0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
gVirtioMmioTransportGuid =3D {0x837dca9e, 0xe874, 0x4d82, {= 0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
gQemuRamfbGuid =3D {0x557423a1, 0x63ab, 0x406c, {= 0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
gXenBusRootDeviceGuid =3D {0xa732241f, 0x383d, 0x4d9c, {= 0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
gRootBridgesConnectedEventGroupGuid =3D {0x24a2d66f, 0xeedd, 0x4086, {= 0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
+ gMicrosoftVendorGuid =3D {0x77fa9abd, 0x0359, 0x4d32, {= 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
=20
[Protocols]
gVirtioDeviceProtocolGuid =3D {0xfa920010, 0x6785, 0x4941, {= 0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
gXenBusProtocolGuid =3D {0x3d3ca290, 0xb9a5, 0x11e3, {= 0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}}
gXenIoProtocolGuid =3D {0x6efac84f, 0x0ab0, 0x4747, {= 0x81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}}
gIoMmuAbsentProtocolGuid =3D {0xf8775d50, 0x8abd, 0x4adf, {= 0x92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}}
gEfiLegacy8259ProtocolGuid =3D {0x38321dba, 0x4fe0, 0x4e17, {= 0x8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}}
=20
diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Gui= d/MicrosoftVendor.h
new file mode 100644
index 000000000000..db7a326c3194
--- /dev/null
+++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h
@@ -0,0 +1,55 @@
+/** @file
+ Declare the GUID that is expected:
+
+ - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 a= nd
+ RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+ - as UEFI variable vendor GUID in association with (unspecified)
+ Microsoft-owned variables.
+
+ Copyright (C) 2014-2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ - MSDN: System.Fundamentals.Firmware at
+ .
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+#include
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsof= t
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresen= t
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatur= eInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X= 509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issue= d
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID \
+ { 0x77fa9abd, \
+ 0x0359, \
+ 0x4d32, \
+ { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+ }
+
+extern EFI_GUID gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/En= rollDefaultKeys/EnrollDefaultKeys.inf
index 3f093c768585..28db52586a9b 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
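Review bot: The comment block above `#define MICROSOFT_VENDOR_GUID` explains why the HCK expects this GUID as SignatureOwner, but not what the choice does and does not imply, and now that the header is package-wide that is the line a new consumer needs: to my reading of the UEFI spec, SignatureOwner only records which agent enrolled the entry and is not consulted when an image signature is matched against db/dbx, so reproducing it satisfies the Logo Test without granting or withholding any trust. I would add one line before the macro, `// SignatureOwner is informational only; it plays no part in signature matching.`, stated with the same hedge if the spec reading is not re-checked. Separately, `extern EFI_GUID gMicrosoftVendorGuid;` is only satisfied when the consuming module lists the GUID under [Guids] in its .inf (this patch does so for EnrollDefaultKeys.inf), which a short comment next to the extern, `// Defined by AutoGen; list gMicrosoftVendorGuid in the module's [Guids].`, would make explicit. Both are documentation-only suggestions.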
@@ -17,27 +17,29 @@ [Defines]
[Sources]
AuthData.c
EnrollDefaultKeys.c
EnrollDefaultKeys.h
=20
[Packages]
MdeModulePkg/MdeModulePkg.dec
MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec
ShellPkg/ShellPkg.dec
=20
[Guids]
gEfiCertPkcs7Guid
gEfiCertSha256Guid
gEfiCertX509Guid
gEfiCustomModeEnableGuid
gEfiGlobalVariableGuid
gEfiImageSecurityDatabaseGuid
gEfiSecureBootEnableDisableGuid
+ gMicrosoftVendorGuid
=20
[LibraryClasses]
BaseMemoryLib
DebugLib
MemoryAllocationLib
ShellCEntryLib
UefiLib
UefiRuntimeServicesTableLib
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.h
index 07f4aa04e469..e3a7e43da4e3 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[];
extern CONST UINTN mSizeOfMicrosoftPca;
=20
extern CONST UINT8 mMicrosoftUefiCa[];
extern CONST UINTN mSizeOfMicrosoftUefiCa;
=20
extern CONST UINT8 mSha256OfDevNull[];
extern CONST UINTN mSizeOfSha256OfDevNull;
=20
-extern CONST EFI_GUID mMicrosoftOwnerGuid;
-
#endif /* ENROLL_DEFAULT_KEYS_H_ */
diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefault= Keys/AuthData.c
index e0a543785fb5..9a96dcc440b3 100644
--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa =3D sizeof mMicro= softUefiCa;
//
CONST UINT8 mSha256OfDevNull[] =3D {
0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8= , 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4= , 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
};
=20
CONST UINTN mSizeOfSha256OfDevNull =3D sizeof mSha256OfDevNull;
-
-
//
-// The following test cases of the Secure Boot Logo Test in the Microsof= t
-// Hardware Certification Kit:
-//
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresen= t
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatur= eInDB
-//
-// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
-// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
-// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X= 509
-// certificates:
-//
-// - "Microsoft Corporation KEK CA 2011" (in KEK)
-// - "Microsoft Windows Production PCA 2011" (in db)
-// - "Microsoft Corporation UEFI CA 2011" (in db)
-//
-// This is despite the fact that the UEFI specification requires
-// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
-// application or driver) that enrolled and therefore owns
-// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issue= d
-// EFI_SIGNATURE_DATA.SignatureData.
-//
-CONST EFI_GUID mMicrosoftOwnerGuid =3D {
-0x77fa9abd, 0x0359, 0x4d32,
-{ 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
-};
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.c
index 528718b15ae9..e4f6a50e008b 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -3,16 +3,17 @@
=20
Copyright (C) 2014-2019, Red Hat, Inc.
=20
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include // gEfiCustomModeEnable= Guid
#include // EFI_SETUP_MODE_NAME
#include // EFI_IMAGE_SECURITY_D= ATABASE
+#include // gMicrosoftVendorGuid
#include // CopyGuid()
#include // ASSERT()
#include // FreePool()
#include // ShellAppMain()
#include // AsciiPrint()
#include // gRT
=20
#include "EnrollDefaultKeys.h"
@@ -310,18 +311,18 @@ ShellAppMain (
return 1;
}
}
=20
Status =3D EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid,
&gEfiCertX509Guid,
-mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerG= uid,
-mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerG= uid,
+mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendor= Guid,
+mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendor= Guid,
NULL);
if (EFI_ERROR (Status)) {
return 1;
}
=20
Status =3D EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE1,
&gEfiImageSecurityDatabaseGuid,
@@ -332,17 +333,17 @@ ShellAppMain (
return 1;
}
=20
Status =3D EnrollListOfCerts (
EFI_KEY_EXCHANGE_KEY_NAME,
&gEfiGlobalVariableGuid,
&gEfiCertX509Guid,
mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
-mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
+mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
NULL);
if (EFI_ERROR (Status)) {
return 1;
}
=20
Status =3D EnrollListOfCerts (
EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid,
--=20
2.19.1.3.g30247aa5d201