From: "Grzegorz Bernacki"
To: devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, gjb@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com
Subject: [PATCH 0/6] Secure Boot default keys
Date: Wed, 26 May 2021 11:41:57 +0200
Message-Id: <20210526094204.73600-1-gjb@semihalf.com>

This patchset adds support for initialization of default Secure Boot
variables based on key content embedded in the flash binary. This feature
is active only if Secure Boot is enabled and DEFAULT_KEY is defined. The
patchset also contains an application to enroll keys from default
variables and a Secure Boot menu change to allow the user to reset key
content to default values.

Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added a patch for RPi4 which enables this feature for that platform.

Grzegorz Bernacki (6):
  [edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecBootDefaultKeysDxe driver
  SecurityPkg: Add SecEnrollDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
  [edk2-platforms]
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

 SecurityPkg/SecurityPkg.dec | 14 +
 SecurityPkg/SecurityPkg.dsc | 5 +
 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf | 79 ++
 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 +
 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
 SecurityPkg/Include/Library/SecBootVariableLib.h | 252 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c | 979 ++++++++++++++++++++
 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 +++
 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni | 16 +
 SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
 17 files changed, 1864 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf
 create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h
 create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c
 create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni

--
2.25.1