From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com,
gjb@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com
Subject: [PATCH 0/6] Secure Boot default keys
Date: Wed, 26 May 2021 11:41:57 +0200 [thread overview]
Message-ID: <20210526094204.73600-1-gjb@semihalf.com> (raw)
This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600
I also added patch for RPi4 which enables this feature for
that platform.
Grzegorz Bernacki (6):
[edk2]
SecurityPkg: Create library for setting Secure Boot variables.
SecurityPkg: Create include file for default key content.
SecurityPkg: Add SecBootDefaultKeysDxe driver
SecurityPkg: Add SecEnrollDefaultKeys application.
SecurityPkg: Add new modules to Security package.
SecurityPkg: Add option to reset secure boot keys.
[edk2-platforms]
Platform/RaspberryPi: Enable default Secure Boot variables initialization
SecurityPkg/SecurityPkg.dec | 14 +
SecurityPkg/SecurityPkg.dsc | 5 +
SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf | 79 ++
SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 +
SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/Include/Library/SecBootVariableLib.h | 252 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c | 979 ++++++++++++++++++++
SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 +++
SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni | 16 +
SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
17 files changed, 1864 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf
create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h
create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c
create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni
create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni
--
2.25.1
next reply other threads:[~2021-05-26 9:42 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-26 9:41 Grzegorz Bernacki [this message]
2021-05-26 9:41 ` [edk2-platforms PATCH] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-05-26 9:41 ` [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-05-26 9:58 ` Sunny Wang
[not found] ` <1682957906E2CAD3.2072@groups.io>
2021-05-26 10:11 ` [edk2-devel] " Sunny Wang
2021-05-26 12:55 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-05-26 9:42 ` [PATCH 3/6] SecurityPkg: Add SecBootDefaultKeysDxe driver Grzegorz Bernacki
2021-05-26 12:56 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 4/6] SecurityPkg: Add SecEnrollDefaultKeys application Grzegorz Bernacki
2021-05-26 12:50 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-05-26 9:42 ` [PATCH 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-05-26 11:49 ` [PATCH 0/6] Secure Boot default keys Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210526094204.73600-1-gjb@semihalf.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox